# Help with IE, Windows Media Player, etc



## jonpistone2 (Oct 5, 2007)

Please help....I have had trouble with my computer in the past off and on, but now things have gotten really bad for me.

The major problem I recently have had is loading I.E. ...it will load without a problem, but after I put a web address in (clearly using a different computer to type this), it closes down right away without warning...I noticed it does the same thing when I tried opening/using Windows Media Player and most recently when I tried to log into Yahoo Messenger...not sure if these are related or different issues, but they all close down as soon as I start trying to use the program---I'm not sure if I have some kind of virus that is overloading the system and Windows is shutting it down for safety, or what the problem is...

On a side note, I ran some type of scan to evaluate the programs running when I open Windows and found the ntos.exe file alongside it, saying that this is not the original Microsoft file but it's also not active---I found that this could be a virus causing major problems--again, not sure if it's related, but I wanted to give as much info as I could--feel free to ask or email me or post whatever you can to help; it would be greatly appreciated!! Thank you so much for spending the time with me!!
Jon


----------



## MikeSwim07 (Apr 28, 2007)

Download and Run HijackThis
Download *HJTInstall.exe* to your Desktop.

Double-click *HJTInstall.exe* to install it.
By default it will install to *C:\Program Files\Trend Micro\HijackThis* .
Click on *Install*.
It will create a HijackThis icon on the desktop.
Once installed, it will launch *HijackThis*.
Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in Notepad.
*Copy/Paste the log to your next reply please.*
*Don't* use the *Analyse This* button; its findings are dangerous if misinterpreted.
*Don't* have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


----------



## jonpistone2 (Oct 5, 2007)

Thanks again for such a quick reply!!!! I did what you said, and below I have pasted everything from the Notepad that opened...please let me know if there is anything that could be done---thanks again SO much!!
Jon

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:37 PM, on 10/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\MBOLS~1\winspool.exe
C:\Documents and Settings\Jonathan\Application Data\A?pPatch\n?lookup.exe
C:\Program Files\WinAble\winable.exe
C:\Program Files\Insider\Insider.exe
C:\Program Files\Words\Words.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Documents and Settings\Jonathan\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Jonathan\Application Data\Microsoft\Windows\xgqgsrwk.exe
c:\windows\system32\rlvknlg.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\Reg.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://216.76.114.124/exchweb/bin/auth/owalogon.asp?url=https://216.76.114.124/exchange&reason=0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41D17845-E3F1-B620-A04B-EE2B2C928CED} - C:\WINDOWS\System32\hmadf.dll (file missing)
O2 - BHO: (no name) - {48BABDEA-7104-29A2-7167-0CB2696C8AEB} - C:\WINDOWS\System32\lsth.dll (file missing)
O2 - BHO: (no name) - {4CECB995-7121-78A6-7766-7CB21A688ABB} - C:\WINDOWS\System32\cqg.dll (file missing)
O2 - BHO: (no name) - {60E5AD16-31F6-6974-A34B-6EE34FEDAEE2} - C:\WINDOWS\System32\rcv.dll (file missing)
O2 - BHO: (no name) - {64B3A83A-6CD4-6E25-A34A-1EE33CE8FFE9} - C:\WINDOWS\System32\hqt.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\System32\HOf3A5q6.dll
O2 - BHO: (no name) - {9997FB5E-34BF-6B38-EC5F-3F76666F50E1} - C:\WINDOWS\System32\nvldybze.dll (file missing)
O2 - BHO: (no name) - {A088FDF2-374F-39CE-1F30-39C62D4E67B0} - (no file)
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [{340BB4A5-0958-1033-1018-040305130001}] "C:\Program Files\Common Files\{340BB4A5-0958-1033-1018-040305130001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [{340BB4A5-0957-1033-1018-040305130001}] "C:\Program Files\Common Files\{340BB4A5-0957-1033-1018-040305130001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\tsitra11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A284662EA4EBF968951185EFC412806867680AEC1775663CF781373F80FB68AD6
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Bjidejp] C:\Program Files\Common Files\??sembly\?ttrib.exe
O4 - HKCU\..\Run: [romo] C:\PROGRA~1\COMMON~1\romo\romom.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Cbqyfnhd] "C:\Documents and Settings\Jonathan\My Documents\W?nSxS\?hkdsk.exe"
O4 - HKCU\..\Run: [Jbkd] "C:\Documents and Settings\Jonathan\Application Data\??sembly\n?tepad.exe"
O4 - HKCU\..\Run: [Fgsgkchb] "C:\Program Files\??pPatch\?ttrib.exe"
O4 - HKCU\..\Run: [Vrmlob] "C:\Program Files\Common Files\??mbols\n?tepad.exe"
O4 - HKCU\..\Run: [Cezo] "C:\Documents and Settings\Jonathan\Application Data\F?nts\w?nspool.exe"
O4 - HKCU\..\Run: [Irub] C:\WINDOWS\system32\??crosoft\??anregw.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Documents and Settings\Jonathan\Desktop\draft demo\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [PCTAVApp] "C:\Documents and Settings\Jonathan\Desktop\draft demo\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\MBOLS~1\winspool.exe" -vt yazb
O4 - HKCU\..\Run: [Qru] "C:\Documents and Settings\Jonathan\Application Data\A?pPatch\n?lookup.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Jonathan\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Jonathan\Application Data\Microsoft\Windows\xgqgsrwk.exe
O4 - Startup: winupdate01690527[1].exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Documents and Settings\Jonathan\Desktop\hyplay\New Briefcase\Hello\PicasaCapture.dll (file missing)
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Documents and Settings\Jonathan\Desktop\hyplay\New Briefcase\Hello\PicasaCapture.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159136193374
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.net/wr_5_8/controls/ybrequest.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159136039112
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://www.youbet.net/wr_5_8/controls/YBUICtrl.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9uYXRoYW4\command.exe (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 13121 bytes
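The log above is the kind of thing a helper reads by eye, but the indicators they react to are mechanical: a second executable chained onto UserInit (F2), an unknown Winsock LSP DLL (O10), registrations whose file is missing (O2/O3/O9/O23), and autorun entries whose paths contain `?`, which HijackThis prints for characters it cannot display, so a folder that only looks like `AppPatch` or `assembly` stands out. The following triage helper is an added example written for this page; it is not part of the thread, HijackThis or any vendor tool. Its rules and the `Finding` type are this example's own choices, and the sample lines are constructed from entries in the posted log rather than being the full log.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Real userinit.exe location on Windows XP; anything chained after it in F2 is suspect.
USERINIT = r"c:\windows\system32\userinit.exe"

# Profile folders that a normal installer rarely uses as an autorun location.
_USER_DIRS = ("\\application data\\", "\\my documents\\", "\\desktop\\", "\\local settings\\")

# Constructed sample modelled on lines from the log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41D17845-E3F1-B620-A04B-EE2B2C928CED} - C:\WINDOWS\System32\hmadf.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Qru] "C:\Documents and Settings\Jonathan\Application Data\A?pPatch\n?lookup.exe"
O4 - HKCU\..\Run: [Bjidejp] C:\Program Files\Common Files\??sembly\?ttrib.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9uYXRoYW4\command.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "O10"
    reason: str  # why the line deserves a human look (a cue, not a verdict)
    line: str    # the original log line


_CODE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
_O4_RE = re.compile(r"\[[^\]]*\]\s+(?P<rest>.*)$")


def _run_target(body: str) -> Optional[str]:
    """Extract the launched path from an O4 body; unquoted entries keep their arguments."""
    m = _O4_RE.search(body)
    if not m:
        return None
    rest = m.group("rest").strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 1 else rest[1:]
    return rest


def triage_line(line: str) -> List[Finding]:
    """Return zero or more findings for one HijackThis log line."""
    line = line.strip()
    m = _CODE_RE.match(line)
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    findings: List[Finding] = []

    if code == "F2" and "UserInit=" in body:
        # UserInit is a comma-separated list; only userinit.exe itself is expected.
        value = body.split("UserInit=", 1)[1]
        for entry in (e.strip().lower() for e in value.split(",")):
            if entry and entry != USERINIT:
                findings.append(Finding(code, f"extra UserInit executable: {entry}", line))

    elif code == "O10" and body.startswith("Unknown file in Winsock LSP:"):
        findings.append(Finding(code, "unknown Winsock LSP DLL", line))

    elif code == "O4":
        target = _run_target(body)
        if target:
            if "?" in target:
                findings.append(Finding(code, "undisplayable characters in path", line))
            if any(d in target.lower() for d in _USER_DIRS):
                findings.append(Finding(code, "autorun from user-writable profile folder", line))

    # Orphaned registrations: the file is gone but the hook is still registered.
    if code in ("O2", "O3", "O9", "O23") and ("(file missing)" in body or "(no file)" in body):
        findings.append(Finding(code, "orphaned entry (file missing)", line))

    return findings


def triage_log(text: str) -> List[Finding]:
    out: List[Finding] = []
    for line in text.splitlines():
        out.extend(triage_line(line))
    return out


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per section code; repeated O10 lines are counted each time."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.code:4} {f.reason:45} {f.line[:70]}")
    print(summarize(results))
```

Every finding is a cue for review rather than a verdict: the desktop-launched RegistryBooster and PC Tools entries in the posted log would trip the user-writable-folder rule too, which is exactly why the helpers in this thread insist on reading the whole log before fixing anything.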


----------



## jonpistone2 (Oct 5, 2007)

I am sure you may be busy with others...but I was just wondering if you are still available to help me with this problem? Even if it is too complex to help me quickly and you are busy working to help me--I was told by an administrator to send you another "reply" just in case you lost the link to this forum.
Thanks!!!


----------



## Cookiegal (Aug 27, 2003)

*Download the LSP Fix:*

http://cexx.org/lspfix.htm

Launch the application, and click the *I know what I'm doing* checkbox.

Check all instances of *rlls.dll* (and nothing else), and move them to the "Remove" pane.

Then click Finish.

Download *ComboFix* and save it to your desktop.

***Note: It is important that it is saved directly to your desktop***


Close any open browsers. 
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. 
Double click on *combofix.exe* and follow the prompts.

When finished, it will produce a report for you. Please post the *C:\ComboFix.txt* along with a *new HijackThis log* for further review.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.


----------



## jonpistone2 (Oct 5, 2007)

About how long does "combofix" take?
I started it (by typing 1)...and it created a new restore point for me....

Now it's just a blue box with a C:\ in the top left corner and the cursor just below it blinking....screen is blank---it's been doing this for about 5 min (I already ran the first lspfix program you told me to)....please let me know what I should do now with this combofix...thank you so much for your reply and help!!


----------



## Cookiegal (Aug 27, 2003)

It sounds like you're trying to run it from the C: root rather than the desktop. You can't run it from there as it just deletes itself. Please make sure it's on the desktop.


----------



## jonpistone2 (Oct 5, 2007)

Yes, it was on the desktop...after a bit (just a moment ago)...an error message came up and asked me to "send report" or "close down" the NIRCMD.CFEXE file....for unknown reasons...
It was the same window that often comes up with my Yahoo Messenger or other items before they close down...sometimes with I.E., though other times IE just closes on its own without any error report...
So I clicked "close" without any other real options given to me---and the AutoScan started to run...

At the top though it said "Loading c:\documents and settings....etc\ntuser.dat" to "hku\@administrator" was not successful

So far it has also said
"completed stage 1"
"completed stage 2"

...I should be able to have this info for you shortly----thank you for such a quick reply earlier!!!
Jon


----------



## jonpistone2 (Oct 5, 2007)

Another error message came up.
Top left corner says NirCmd,
then it reads
"NirCmd has encountered a problem and needs to close. We are sorry for the inconvenience."
and at the bottom right corner gives two options again:
"Send Error Report" or "Don't Send"

The AutoScan still reads "completed stage_2" as the last thing written...

After I clicked "Don't Send"

the AutoScan then said "completed stage_3" and now 4....5....6....etc...not sure how many stages there are, but I should hopefully have a report for you soon---thanks!!


----------



## Cookiegal (Aug 27, 2003)

There are several stages so as long as it's progressing allow it to run. I'll check back tomorrow.


----------



## jonpistone2 (Oct 5, 2007)

The same error message came up for the 3rd time....just after "stage_6" and before "stage_6A".....that went on until after "completed stage_15", when the error message came up again, and after closing that it said "completed stage_15A".....then through stage_23, and it happened yet again before saying "completed stage_24"....and then one more time...but after that it continued on until a new window opened...ending in cmd.exe ---that's going on now...I'll keep you updated, thank you for being patient through this long process


----------



## jonpistone2 (Oct 5, 2007)

That 2nd blue window was open...I didn't see much happen...and then everything started to close down...all the desktop icons, the bottom Windows bar....both blue windows....everything.

All I see now is the background picture that I had....I held Ctrl/Alt/Del and that worked, so I was able to see the Task Manager...but that's it...
It's my 2nd computer (and I have this as my primary one)...so I'm gonna leave it on and open and not touch anything so I don't mess anything up.
When you get a chance in the morning, please let me know what I should do---if I need to hold down the power button to turn it off or if there is something else I need to do...I'll wait to hear from you---thank you so much again for all this time you are giving to me!!
Have a wonderful night
Jon


----------



## Cookiegal (Aug 27, 2003)

Open the Task Manager and click on File and "New Task (run)" and type this in the box and click OK:

*explorer.exe*

Does this give you your start menu back?


----------



## jonpistone2 (Oct 5, 2007)

Okay great!! That worked, thanks.
Now what...do you start running that combofix program again or something else??? I noticed a zip file on my desktop that wasn't there before called "catchme" as well as a new shortcut icon to I.E. that wasn't there either....

Let me know what the next step is---but I have my desktop icons back, etc...thanks!


----------



## Cookiegal (Aug 27, 2003)

CatchMe is run along with ComboFix. Did ComboFix produce a log? It would be in C:\ComboFix.txt.


----------



## jonpistone2 (Oct 5, 2007)

I don't see a log---when I clicked on combofix.exe it just opened the blue screen again and started to "run" once again....so I am letting it run unless you tell me differently, 'cause I don't want to mess things up as it's starting its process--thanks


----------



## jonpistone2 (Oct 5, 2007)

Here is the ComboFix log:

ComboFix 07-10-10.1 - Jonathan 2007-10-10 16:28:18.3 - NTFSx86 
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.318 [GMT -4:00]
Running from: C:\Documents and Settings\Jonathan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini 
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Documents and Settings\All Users.\documents\settings\partnership.dll
C:\Documents and Settings\All Users.\documents\settings\partnership.dll 
C:\Documents and Settings\Jonathan\Application Data\APPATC~1
C:\Documents and Settings\Jonathan\Application Data\APPATC~1\n?lookup.exe
C:\Documents and Settings\Jonathan\Application Data\APPATC~1\n?lookup.exe
C:\Documents and Settings\Jonathan\Application Data\APPATC~1\n?lookup.exe
C:\Documents and Settings\Jonathan\Application Data\APPATC~1\n?lookup.exe
C:\Documents and Settings\Jonathan\Application Data\ASKS~1
C:\Documents and Settings\Jonathan\Application Data\DOBE~1 
C:\Documents and Settings\Jonathan\Application Data\FNTS~1
C:\Documents and Settings\Jonathan\Application Data\ICROSO~1
C:\Documents and Settings\Jonathan\Application Data\install.dat
C:\Documents and Settings\Jonathan\Application Data\install.dat 
C:\Documents and Settings\Jonathan\Application Data\install.dat
C:\Documents and Settings\Jonathan\Application Data\install.dat
C:\Documents and Settings\Jonathan\Application Data\install.dat
C:\Documents and Settings\Jonathan\Application Data\install.dat 
C:\Documents and Settings\Jonathan\Application Data\install.dat
C:\Documents and Settings\Jonathan\Application Data\install.dat
C:\Documents and Settings\Jonathan\Application Data\PPPATC~1
C:\Documents and Settings\Jonathan\Application Data\SEMBLY~1 
C:\Documents and Settings\Jonathan\Application Data\STEM32~1
C:\Documents and Settings\Jonathan\Application Data\WinTouch\config.cfg.fee193ac88bf66fd2cf0af189435cd8d
C:\Documents and Settings\Jonathan\Application Data\WinTouch\config.cfg.fee193ac88bf66fd2cf0af189435cd8d 
C:\Documents and Settings\Jonathan\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Jonathan\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Jonathan\Application Data\WinTouch\wintouch.cfg 
C:\Documents and Settings\Jonathan\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Jonathan\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\Jonathan\Application Data\WinTouch\WTUninstaller.exe 
C:\Documents and Settings\Jonathan\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\Jonathan\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\Jonathan\Application Data\YMBOLS~1 
C:\Documents and Settings\Jonathan\My Documents\ASKS~1
C:\Documents and Settings\Jonathan\My Documents\CROSOF~1
C:\Documents and Settings\Jonathan\My Documents\CURITY~1
C:\Documents and Settings\Jonathan\My Documents\CURITY~1\r?gedit.exe 
C:\Documents and Settings\Jonathan\My Documents\CURITY~1\r?gedit.exe
C:\Documents and Settings\Jonathan\My Documents\CURITY~1\r?gedit.exe
C:\Documents and Settings\Jonathan\My Documents\CURITY~1\r?gedit.exe
C:\Documents and Settings\Jonathan\My Documents\DOBE~1 
C:\Documents and Settings\Jonathan\My Documents\ICROSO~1.NET
C:\Documents and Settings\Jonathan\My Documents\PPATCH~1
C:\Documents and Settings\Jonathan\My Documents\RACLE~1
C:\Documents and Settings\Jonathan\My Documents\SEMBLY~1 
C:\Documents and Settings\Jonathan\My Documents\STEM~1
C:\Documents and Settings\Jonathan\My Documents\STEM32~1
C:\Documents and Settings\Jonathan\My Documents\TSKS~1
C:\Documents and Settings\Jonathan\My Documents\WNSXS~1 
C:\Documents and Settings\Jonathan\My Documents\YMBOLS~1
C:\Documents and Settings\Jonathan\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Jonathan\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Jonathan\Start Menu\Programs\Outerinfo\Terms.lnk 
C:\Documents and Settings\Jonathan\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Jonathan\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\{340BB~1
C:\Program Files\Common Files\{340BB~2 
C:\Program Files\Common Files\asembl~1
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\mbols~1
C:\Program Files\Common Files\pppatc~1
C:\Program Files\Common Files\racle~1 
C:\Program Files\Common Files\sembly~1
C:\Program Files\Common Files\stem32~1
C:\Program Files\Common Files\WinSoftware
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe 
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe 
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\cowabanga
C:\Program Files\cowabanga\License.txt 
C:\Program Files\cowabanga\License.txt
C:\Program Files\cowabanga\uninstaller.exe
C:\Program Files\cowabanga\uninstaller.exe
C:\Program Files\fnts~1
C:\Program Files\icroso~1.net
C:\Program Files\inetget2 
C:\Program Files\Insider
C:\Program Files\Insider\bak\Insider.exe
C:\Program Files\Insider\bak\Insider.exe
C:\Program Files\Insider\Insider.exe
C:\Program Files\Insider\Insider.exe
C:\Program Files\Insider\UnInstall.exe 
C:\Program Files\Insider\UnInstall.exe
C:\Program Files\ISM
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\targets.gz
C:\Program Files\mantec~1
C:\Program Files\mbols~1
C:\Program Files\Microsoft Help\Microsoft.System.Help.dll 
C:\Program Files\Microsoft Help\Microsoft.System.Help.dll
C:\Program Files\network monitor
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\PestTrap 
C:\Program Files\PestTrap\PestTrap.exe
C:\Program Files\PestTrap\PestTrap.exe
C:\Program Files\ppatch~1
C:\Program Files\ssembl~1
C:\Program Files\sstem3~1
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\license.txt 
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\webhdll(2)(2).dll
C:\Program Files\webhancer\Programs\webhdll(2)(2).dll 
C:\Program Files\webhancer\Programs\webhdll(3).dll
C:\Program Files\webhancer\Programs\webhdll(3).dll
C:\Program Files\webhancer\Programs\webhdll(4)(2).dll
C:\Program Files\webhancer\Programs\webhdll(4)(2).dll 
C:\Program Files\webhancer\Programs\whagent(2).exe
C:\Program Files\webhancer\Programs\whagent(2).exe
C:\Program Files\webhancer\Programs\whagent(3).exe
C:\Program Files\webhancer\Programs\whagent(3).exe
C:\Program Files\webhancer\Programs\whagent(4).exe 
C:\Program Files\webhancer\Programs\whagent(4).exe
C:\Program Files\webhancer\Programs\whiehlpr(2).dll
C:\Program Files\webhancer\Programs\whiehlpr(2).dll
C:\Program Files\webhancer\Programs\whiehlpr(3).dll
C:\Program Files\webhancer\Programs\whiehlpr(3).dll
C:\Program Files\webhancer\Programs\whiehlpr(4).dll
C:\Program Files\webhancer\Programs\whiehlpr(4).dll
C:\Program Files\WinAble
C:\Program Files\WinAble\bak\winable.exe 
C:\Program Files\WinAble\bak\winable.exe
C:\Program Files\WinAble\winable.exe
C:\Program Files\WinAble\winable.exe
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1187219579.old
C:\Program Files\WinBudget\bin\crap.1187219579.old 
C:\Program Files\WinBudget\bin\matrix.dll
C:\Program Files\WinBudget\bin\matrix.dll
C:\Program Files\Words
C:\Program Files\Words\bak\Words.exe
C:\Program Files\Words\bak\Words.exe
C:\Program Files\Words\list.txt 
C:\Program Files\Words\list.txt
C:\Program Files\Words\script.txt
C:\Program Files\Words\script.txt
C:\Program Files\Words\UnInstall.exe
C:\Program Files\Words\UnInstall.exe
C:\Program Files\Words\Words.exe 
C:\Program Files\Words\Words.exe
C:\Program Files\ymante~1
C:\Program Files\ystem~1
C:\temp\tn3
C:\WINDOWS\b103.exe
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe 
C:\WINDOWS\b122.exe
C:\WINDOWS\b128.exe
C:\WINDOWS\b128.exe
C:\WINDOWS\b129.exe
C:\WINDOWS\b129.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b143.exe 
C:\WINDOWS\b143.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\dobe~1
C:\WINDOWS\dobe~2
C:\WINDOWS\fnts~1
C:\WINDOWS\icroso~1
C:\WINDOWS\mbols~1
C:\WINDOWS\mbols~1\??mbols\
C:\WINDOWS\mbols~1\??mbols\ 
C:\WINDOWS\mbols~1\bak\winspool.exe
C:\WINDOWS\mbols~1\bak\winspool.exe
C:\WINDOWS\mbols~1\winspool.exe
C:\WINDOWS\mbols~1\winspool.exe
C:\WINDOWS\retadpu11.exe
C:\WINDOWS\retadpu11.exe
C:\WINDOWS\ssembl~1 
C:\WINDOWS\stem~1
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\1_exception.nls
C:\WINDOWS\system32\1_exception.nls
C:\WINDOWS\system32\appatc~1
C:\WINDOWS\system32\atmtd.dll 
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\crosof~1
C:\WINDOWS\system32\curity~1
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drivers\fad.sys 
C:\WINDOWS\system32\drivers\secdrv.sys
C:\WINDOWS\system32\drivers\secdrv.sys
C:\WINDOWS\system32\drivers\Sjgo43.sys
C:\WINDOWS\system32\drivers\Sjgo43.sys
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\symavc32.sys 
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\KB45468523.exe
C:\WINDOWS\system32\KB45468523.exe
C:\WINDOWS\system32\KB58614410.exe
C:\WINDOWS\system32\KB58614410.exe
C:\WINDOWS\system32\keg.dll
C:\WINDOWS\system32\keg.dll 
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\kprof
C:\WINDOWS\system32\kprof
C:\WINDOWS\system32\ldpackage.dll
C:\WINDOWS\system32\ldpackage.dll
C:\WINDOWS\system32\model.dat 
C:\WINDOWS\system32\model.dat
C:\WINDOWS\system32\poof
C:\WINDOWS\system32\poof
C:\WINDOWS\system32\rlls.dll
C:\WINDOWS\system32\rlls.dll
C:\WINDOWS\system32\rlvknlg.exe
C:\WINDOWS\system32\rlvknlg.exe 
C:\WINDOWS\system32\rlxf.dll
C:\WINDOWS\system32\rlxf.dll
C:\WINDOWS\system32\silc_dll.dll
C:\WINDOWS\system32\silc_dll.dll
C:\WINDOWS\system32\test.exe
C:\WINDOWS\system32\test.exe
C:\WINDOWS\system32\tsuninst.exe 
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\system32\wintcc.exe
C:\WINDOWS\system32\wintcc.exe
C:\WINDOWS\system32\wintcc.exe
C:\WINDOWS\system32\wintcc.exe 
C:\WINDOWS\system32\wintisv.exe
C:\WINDOWS\system32\wintisv.exe
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\audio.dll.cla
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\ystem3~1 
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\WebAssist.dll
C:\WINDOWS\WebAssist.dll
C:\WINDOWS\wr.txt
C:\WINDOWS\wr.txt
C:\wsusupd.exe
C:\wsusupd.exe
C:\WINDOWS\system32\wsnpoem

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_COM+_MESSAGES
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\cmdService
-------\COM+ Messages
-------\Network Monitor 
-------\runtime

-------\LEGACY_CMDSERVICE
-------\LEGACY_COM+_MESSAGES
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\cmdService
-------\COM+ Messages
-------\Network Monitor 
-------\runtime

((((((((((((((((((((((((( Files Created from 2007-09-10 to 2007-10-10 )))))))))))))))))))))))))))))))
.

2007-10-09 20:24 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-07 20:10 7,395 --a------ C:\sysxenm.exe
2007-10-07 20:03 7,810 --a------ C:\syslkxe.exe
2007-10-07 18:02 7,810 --a------ C:\sysinzn.exe
2007-10-07 18:01 7,810 --a------ C:\syscahw.exe 
2007-10-05 21:49 d-------- C:\WINDOWS\bak
2007-10-05 20:09 d-------- C:\Program Files\Trend Micro
2007-10-05 17:51 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan 
2007-10-05 17:11 1,559,040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-10-05 17:11 163,840 --a------ C:\WINDOWS\system32\unrar.dll
2007-10-02 10:11 d--hs---- C:\Documents and Settings\NetworkService\Application Data\wsnpoem 
2007-09-30 11:45 7,804 --a------ C:\sysxlbi.exe
2007-09-29 22:16 d-------- C:\Program Files\Temporary
2007-09-27 13:13 d-------- C:\Program Files\Microsoft Help
2007-09-27 02:32 153 --a------ C:\WINDOWS\system32\delFSF.bat 
2007-09-26 20:38 54,424 --a------ C:\WINDOWS\system32\systemd6.exe
2007-09-24 14:15 184,320 --a------ C:\WINDOWS\system32\HOf3A5q6.dll
2007-09-16 02:51 6,656 --a------ C:\syssdcb.exe
2007-09-15 16:14 7,816 --a------ C:\syslpri.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-09 03:04 --------- d-----w C:\Program Files\mIRC
2007-10-06 01:56 --------- d-----w C:\Program Files\SymNetDrv 
2007-10-06 01:56 --------- d-----w C:\Program Files\iTunes
2007-10-06 01:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-06 01:56 --------- d-----w C:\Program Files\AIM
2007-10-05 09:51 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\OpenOffice.org2 
2007-10-05 09:51 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\OpenOffice.org2
2007-10-03 04:28 --------- d-----w C:\Program Files\QuickTime
2007-10-03 03:50 --------- d--h--w C:\Program Files\InstallShield Installation Information 
2007-09-28 02:15 2,028 ----a-w C:\Documents and Settings\Jonathan\Application Data\wklnhst.dat
2007-09-28 02:15 2,028 ----a-w C:\Documents and Settings\Jonathan\Application Data\wklnhst.dat
2007-09-16 07:13 --------- d--h--r C:\Documents and Settings\Jonathan\Application Data\yahoo! 
2007-09-16 07:13 --------- d--h--r C:\Documents and Settings\Jonathan\Application Data\yahoo!
2007-09-16 07:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-09-16 06:58 --------- d-----w C:\Program Files\Absolute Poker Basic 
2007-09-07 21:25 184,320 ----a-w C:\WINDOWS\system32\uQP7Jy03.dll
2007-09-07 21:25 184,320 ----a-w C:\WINDOWS\system32\q633FLwP.dll
2007-09-07 02:42 184,320 ----a-w C:\WINDOWS\system32\qm2U0L0N.dll
2007-09-06 19:27 712,704 ----a-w C:\WINDOWS\system32\rlph.dll 
2007-09-06 02:26 184,320 ----a-w C:\WINDOWS\system32\i10oUVF4.dll
2007-08-30 05:38 26,176 ----a-w C:\WINDOWS\system32\Tfy6e514.exe
2007-08-25 05:53 --------- d-----w C:\Program Files\PacificPoker
2007-08-25 01:09 --------- d-----w C:\Program Files\Norton SystemWorks 
2007-08-24 23:48 --------- d-----w C:\Program Files\Symantec
2007-08-24 23:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-08-24 23:41 --------- d-----w C:\Program Files\Ahead 
2007-08-24 23:27 --------- d-----w C:\Program Files\Canasis
2007-08-23 01:36 --------- d-----w C:\Program Files\OpenOffice.org 2.2
2007-08-22 22:13 --------- d-----w C:\Program Files\MSECache
2007-08-20 19:22 --------- d-----w C:\Program Files\Google 
2007-08-20 19:00 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\PC Tools
2007-08-20 19:00 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\PC Tools
2007-08-20 01:53 --------- d-----w C:\Program Files\Common Files\romo 
2007-08-20 00:00 7,818 ----a-w C:\syshrbr.exe
2007-08-19 23:41 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\Uniblue
2007-08-19 23:41 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\Uniblue 
2007-08-19 23:04 7,818 ----a-w C:\sysgonp.exe
2007-08-19 23:02 --------- d-----w C:\Program Files\MSN Messenger
2007-08-18 19:55 --------- d-----w C:\Program Files\Microsoft Works
2007-08-18 19:50 --------- d-----w C:\Program Files\iPod 
2007-08-18 19:50 --------- d-----w C:\Program Files\GoldPocket
2007-08-18 19:47 --------- d-----w C:\Program Files\Broadcom Management Programs
2007-08-18 19:47 --------- d-----w C:\Documents and Settings\LocalService\Application Data\NetMon 
2007-08-18 18:49 --------- d--h--w C:\Documents and Settings\Jonathan\Application Data\Move Networks
2007-08-18 18:49 --------- d--h--w C:\Documents and Settings\Jonathan\Application Data\Move Networks
2007-01-06 08:48 64,864 ----a-w C:\Documents and Settings\Jonathan\Application Data\GDIPFONTCACHEV1.DAT 
2007-01-06 08:48 64,864 ----a-w C:\Documents and Settings\Jonathan\Application Data\GDIPFONTCACHEV1.DAT
2006-12-30 00:13 3,932 ----a-w C:\Documents and Settings\Jonathan\Application Data\LMLayout.dat
2006-12-30 00:13 3,932 ----a-w C:\Documents and Settings\Jonathan\Application Data\LMLayout.dat 
2006-12-30 00:13 268 ----a-w C:\Documents and Settings\Jonathan\Application Data\LMCPaper.dat
2006-12-30 00:13 268 ----a-w C:\Documents and Settings\Jonathan\Application Data\LMCPaper.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 313,472 2006-03-30 20:45:08 C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe 
----a-w 27,660 2007-10-06 01:54:07 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

----a-w 67,112 2006-08-01 20:35:36 C:\Program Files\AIM\bak\aim.exe
----a-w 27,660 2007-10-06 01:54:07 C:\Program Files\AIM\aim.exe

----a-w 335,872 2003-07-29 20:30:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
----a-w 27,660 2007-10-06 01:54:07 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

----a-w 69,632 2004-04-13 10:07:18 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe
----a-w 27,660 2007-10-06 01:54:07 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

----a-w 196,608 2004-04-17 16:41:30 C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
----a-w 27,660 2007-10-06 01:54:07 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

----a-w 58,992 2005-07-15 01:16:00 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 27,660 2007-10-06 01:54:07 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 218,240 2004-11-02 20:59:52 C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe

----a-w 53,248 2005-02-23 20:19:56 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
----a-w 27,660 2007-10-06 01:54:07 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

----a-w 278,528 2005-05-14 04:20:50 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 27,660 2007-10-06 01:54:07 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 32,881 2005-01-15 16:24:18 C:\Program Files\Java\j2re1.4.2_07\bin\bak\jusched.exe

----a-w 77,824 2007-08-23 01:35:39 C:\Program Files\Java\jre1.6.0\bin\bak\jusched.exe
----a-w 27,660 2007-10-06 01:54:07 C:\Program Files\Java\jre1.6.0\bin\jusched.exe

----a-w 132,248 2004-09-10 02:12:00 C:\Program Files\Norton SystemWorks\bak\cfgwiz.exe

----a-w 98,304 2005-06-05 19:26:41 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 684,032 2002-12-17 16:28:00 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe

----a-w 100,056 2005-08-14 19:51:58 C:\Program Files\SymNetDrv\bak\SNDMon.exe
----a-w 27,660 2007-10-06 01:54:07 C:\Program Files\SymNetDrv\SNDMon.exe

----a-w 536,576 2004-05-14 16:35:50 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
----a-w 27,660 2007-10-06 01:54:07 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

----a-w 98,304 2004-05-14 02:23:56 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe
----a-w 27,660 2007-10-06 01:54:07 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

----a-w 110,080 2007-09-17 05:29:27 C:\qoobox\Quarantine\C\Program Files\Insider\bak\Insider.exe.vir
----a-w 27,660 2007-10-06 01:54:07 C:\qoobox\Quarantine\C\Program Files\Insider\Insider.exe.vir

----a-w 61,440 2007-10-04 00:56:08 C:\qoobox\Quarantine\C\Program Files\WinAble\bak\winable.exe.vir
----a-w 27,660 2007-10-06 01:54:07 C:\qoobox\Quarantine\C\Program Files\WinAble\winable.exe.vir

----a-w 77,824 2007-09-17 05:34:29 C:\qoobox\Quarantine\C\Program Files\Words\bak\Words.exe.vir
----a-w 27,660 2007-10-06 01:54:07 C:\qoobox\Quarantine\C\Program Files\Words\Words.exe.vir

----a-w 72,704 2007-09-16 05:05:00 C:\qoobox\Quarantine\C\WINDOWS\MBOLS~1\bak\winspool.exe.vir
----a-w 71,680 2007-10-06 17:38:40 C:\qoobox\Quarantine\C\WINDOWS\MBOLS~1\winspool.exe.vir

----a-w 420,421 2006-06-28 17:24:04 C:\WINDOWS\system32\bak\6u21i9jn.exe

----a-w 45,056 2002-09-05 14:05:46 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\LMPDPSRV.EXE
----a-w 27,660 2007-10-06 01:54:07 C:\WINDOWS\system32\spool\drivers\w32x86\3\LMPDPSRV.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41D17845-E3F1-B620-A04B-EE2B2C928CED}]
C:\WINDOWS\System32\hmadf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48BABDEA-7104-29A2-7167-0CB2696C8AEB}]
C:\WINDOWS\System32\lsth.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CECB995-7121-78A6-7766-7CB21A688ABB}]
C:\WINDOWS\System32\cqg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60E5AD16-31F6-6974-A34B-6EE34FEDAEE2}]
C:\WINDOWS\System32\rcv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64B3A83A-6CD4-6E25-A34A-1EE33CE8FFE9}]
C:\WINDOWS\System32\hqt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-09-24 14:15 184320 --a------ C:\WINDOWS\System32\HOf3A5q6.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9997FB5E-34BF-6B38-EC5F-3F76666F50E1}]
C:\WINDOWS\System32\nvldybze.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A088FDF2-374F-39CE-1F30-39C62D4E67B0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 19:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-10-05 21:54] 
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-10-05 21:54]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-05 21:54]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-10-05 21:54] 
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-05 21:54]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-10-05 21:54]
"LMPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bak\LMPDPSRV.EXE" [2002-09-05 10:05] 
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-10-05 21:54]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2007-10-05 21:54] 
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2007-10-05 21:54]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-10-05 21:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18]
"Bjidejp"="C:\Program Files\Common Files\??sembly\?ttrib.exe" [] 
"romo"="C:\PROGRA~1\COMMON~1\romo\romom.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2007-10-05 21:54]
"AIM"="C:\Program Files\AIM\aim.exe" [2007-10-05 21:54] 
"Cbqyfnhd"="C:\Documents and Settings\Jonathan\My Documents\W?nSxS\?hkdsk.exe" []
"Jbkd"="C:\Documents and Settings\Jonathan\Application Data\??sembly\n?tepad.exe" []
"Fgsgkchb"="C:\Program Files\??pPatch\?ttrib.exe" [] 
"Vrmlob"="C:\Program Files\Common Files\??mbols\n?tepad.exe" []
"Cezo"="C:\Documents and Settings\Jonathan\Application Data\F?nts\w?nspool.exe" []
"Irub"="C:\WINDOWS\system32\??crosoft\??anregw.exe" [] 
"Uniblue RegistryBooster 2"="C:\Documents and Settings\Jonathan\Desktop\draft demo\RegistryBooster 2\RegistryBooster.exe" []
"PCTAVApp"="C:\Documents and Settings\Jonathan\Desktop\draft demo\PC Tools AntiVirus\PCTAV.exe" [] 
"Qru"="C:\Documents and Settings\Jonathan\Application Data\A?pPatch\n?lookup.exe" []

C:\Documents and Settings\Jonathan\Start Menu\Programs\Startup\
winupdate01690527[1].exe [2006-04-27 00:52:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 02:05:26]
D-Link AirPlus G Wireless Utility.lnk - C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe [2005-11-23 18:17:46]
D-Link REG Utility.lnk - C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\Reg.exe [2005-11-23 18:17:46]
Lexmark X125 Settings Utility.lnk - C:\Program Files\Lexmark X125\LEX125SU.exe [2005-08-20 17:37:38]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

S2 DgiVecp;DgiVecp;\??\C:\WINDOWS\System32\Drivers\DgiVecp.sys
S3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\System32\DRIVERS\BCMSM.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-10 04:01:00 C:\WINDOWS\Tasks\At1.job"
"2007-10-10 13:03:00 C:\WINDOWS\Tasks\At10.job"
"2007-10-10 14:03:00 C:\WINDOWS\Tasks\At11.job" 
"2007-10-10 15:03:00 C:\WINDOWS\Tasks\At12.job"
"2007-10-10 16:03:00 C:\WINDOWS\Tasks\At13.job"
"2007-10-10 17:03:00 C:\WINDOWS\Tasks\At14.job"
"2007-10-10 18:03:00 C:\WINDOWS\Tasks\At15.job" 
"2007-10-10 19:03:00 C:\WINDOWS\Tasks\At16.job"
"2007-10-10 20:03:00 C:\WINDOWS\Tasks\At17.job"
"2007-10-05 21:01:00 C:\WINDOWS\Tasks\At18.job"
"2007-10-07 22:02:07 C:\WINDOWS\Tasks\At19.job" 
"2007-10-10 05:01:00 C:\WINDOWS\Tasks\At2.job"
"2007-10-07 23:01:00 C:\WINDOWS\Tasks\At20.job"
"2007-10-08 00:01:00 C:\WINDOWS\Tasks\At21.job"
"2007-10-10 01:01:59 C:\WINDOWS\Tasks\At22.job" 
"2007-10-10 02:01:00 C:\WINDOWS\Tasks\At23.job"
"2007-10-10 03:01:00 C:\WINDOWS\Tasks\At24.job"
"2007-10-10 06:01:00 C:\WINDOWS\Tasks\At3.job"
"2007-10-10 07:03:00 C:\WINDOWS\Tasks\At4.job" 
"2007-10-10 08:03:00 C:\WINDOWS\Tasks\At5.job"
"2007-10-10 09:03:00 C:\WINDOWS\Tasks\At6.job"
"2007-10-10 10:03:00 C:\WINDOWS\Tasks\At7.job"
"2007-10-10 11:03:00 C:\WINDOWS\Tasks\At8.job" 
"2007-10-10 12:03:00 C:\WINDOWS\Tasks\At9.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-10 16:30:04
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-10 16:30:40
.
--- E O F ---


----------



## jonpistone2 (Oct 5, 2007)

and here is the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:32 PM, on 10/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe 
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe 
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bak\LMPDPSRV.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe 
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Java\jre1.6.0\bin\bak\jusched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe 
c:\program files\internet explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://216.76.114.124/exchweb/bin/auth/owalogon.asp?url=https://216.76.114.124/exchange&reason=0 
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll 
O2 - BHO: (no name) - {41D17845-E3F1-B620-A04B-EE2B2C928CED} - C:\WINDOWS\System32\hmadf.dll (file missing)
O2 - BHO: (no name) - {48BABDEA-7104-29A2-7167-0CB2696C8AEB} - C:\WINDOWS\System32\lsth.dll (file missing) 
O2 - BHO: (no name) - {4CECB995-7121-78A6-7766-7CB21A688ABB} - C:\WINDOWS\System32\cqg.dll (file missing)
O2 - BHO: (no name) - {60E5AD16-31F6-6974-A34B-6EE34FEDAEE2} - C:\WINDOWS\System32\rcv.dll (file missing)
O2 - BHO: (no name) - {64B3A83A-6CD4-6E25-A34A-1EE33CE8FFE9} - C:\WINDOWS\System32\hqt.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\System32\HOf3A5q6.dll
O2 - BHO: (no name) - {9997FB5E-34BF-6B38-EC5F-3F76666F50E1} - C:\WINDOWS\System32\nvldybze.dll (file missing) 
O2 - BHO: (no name) - {A088FDF2-374F-39CE-1F30-39C62D4E67B0} - (no file)
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx 
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe 
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" 
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bak\LMPDPSRV.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup 
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" 
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background 
O4 - HKCU\..\Run: [Bjidejp] C:\Program Files\Common Files\??sembly\?ttrib.exe
O4 - HKCU\..\Run: [romo] C:\PROGRA~1\COMMON~1\romo\romom.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe " AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Cbqyfnhd] "C:\Documents and Settings\Jonathan\My Documents\W?nSxS\?hkdsk.exe"
O4 - HKCU\..\Run: [Jbkd] "C:\Documents and Settings\Jonathan\Application Data\??sembly\n?tepad.exe" 
O4 - HKCU\..\Run: [Fgsgkchb] "C:\Program Files\??pPatch\?ttrib.exe"
O4 - HKCU\..\Run: [Vrmlob] "C:\Program Files\Common Files\??mbols\n?tepad.exe"
O4 - HKCU\..\Run: [Cezo] "C:\Documents and Settings\Jonathan\Application Data\F?nts\w?nspool.exe" 
O4 - HKCU\..\Run: [Irub] C:\WINDOWS\system32\??crosoft\??anregw.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Documents and Settings\Jonathan\Desktop\draft demo\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [PCTAVApp] "C:\Documents and Settings\Jonathan\Desktop\draft demo\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN 
O4 - HKCU\..\Run: [Qru] "C:\Documents and Settings\Jonathan\Application Data\A?pPatch\n?lookup.exe"
O4 - Startup: winupdate01690527[1].exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe 
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll 
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe 
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Documents and Settings\Jonathan\Desktop\hyplay\New Briefcase\Hello\PicasaCapture.dll (file missing)
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Documents and Settings\Jonathan\Desktop\hyplay\New Briefcase\Hello\PicasaCapture.dll (file missing) 
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing) 
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm 
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE 
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab 
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab 
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159136193374 
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab 
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.net/wr_5_8/controls/ybrequest.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159136039112
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab 
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://www.youbet.net/wr_5_8/controls/YBUICtrl.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe 
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe 
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe 
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe 
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10572 bytes


----------



## Cookiegal (Aug 27, 2003)

We will come back to ComboFix but first please do this:

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups and then restore them.

Download FindAWF.exe from *here* or *here* and save it to your desktop.

Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with the following Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
*Select option 1*, then press Enter
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in Notepad called AWF.txt.
Please copy and paste the contents of the AWF.txt file in your next reply.


----------
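The replace-and-move pattern Cookiegal describes (a startup executable overwritten in place, the original parked in a sibling "bak" folder) can be spotted mechanically from a FindAWF "Duplicate files of bak directory contents" listing. The script below is an added example and not part of the thread or of FindAWF itself; it pairs each `bak\` entry with its live counterpart, flags pairs whose sizes differ as replaced, flags backups with no live file as orphaned, reports the one size shared by the replacements, and emits a restore plan. The listing embedded in it is constructed in the FindAWF format shown in this thread, with a hypothetical `ExampleApp\tray.exe` pair added to show the benign case.

```python
"""
Detect Downloader.Agent.awf-style file replacement from FindAWF output.

Added example (not the thread's or FindAWF's own code). Input is the
"Duplicate files of bak directory contents" line format:
    <size> <Mon> <day> <year> "<path>"
"""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

LINE_RE = re.compile(r'^\s*(\d+)\s+[A-Za-z]{3}\s+\d{1,2}\s+\d{4}\s+"(.+)"\s*$')

# Constructed sample in FindAWF format. Sizes/paths follow the thread's
# report; the ExampleApp pair is hypothetical and shows an untouched backup.
SAMPLE_LISTING = r"""
27660 Oct 5 2007 "C:\Program Files\AIM\aim.exe"
67112 Aug 1 2006 "C:\Program Files\AIM\bak\aim.exe"
27660 Oct 5 2007 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Aug 14 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
27660 Oct 5 2007 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
58992 Jul 14 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
40960 Jan 9 2006 "C:\Program Files\ExampleApp\tray.exe"
40960 Jan 9 2006 "C:\Program Files\ExampleApp\bak\tray.exe"
536576 May 14 2004 "C:\DELL\drivers\R81989\SynTPEnh.exe"
"""


@dataclass
class Finding:
    live: str                 # expected location of the real executable
    bak: str                  # the backup FindAWF reported
    live_size: Optional[int]  # None when no live file is in the listing
    bak_size: int
    verdict: str              # "replaced", "orphan_backup" or "benign"


def parse_listing(text):
    """Return {lower-cased normalised path: size} for each well-formed line."""
    sizes = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            # Windows paths are case-insensitive, so normalise once here.
            sizes[str(PureWindowsPath(m.group(2))).lower()] = int(m.group(1))
    return sizes


def analyse(sizes):
    """Pair every <dir>\\bak\\<name> entry with <dir>\\<name> and classify it."""
    findings = []
    for path, bak_size in sizes.items():
        p = PureWindowsPath(path)
        if p.parent.name.lower() != "bak":
            continue                      # not a backup copy, ignore
        live = str(p.parent.parent / p.name)
        live_size = sizes.get(live)
        if live_size is None:
            verdict = "orphan_backup"     # original moved, replacement gone
        elif live_size != bak_size:
            verdict = "replaced"          # live binary is not the original
        else:
            verdict = "benign"            # identical size: likely an honest copy
        findings.append(Finding(live, path, live_size, bak_size, verdict))
    return sorted(findings, key=lambda f: f.live)


def dropper_size(findings):
    """Size shared by the replaced live files, if it recurs at least twice.

    A single dropper written over many different programs gives every
    replaced file the same size, which is a strong corroborating signal.
    """
    c = Counter(f.live_size for f in findings if f.verdict == "replaced")
    if not c:
        return None
    size, n = c.most_common(1)[0]
    return size if n >= 2 else None


def restore_plan(findings):
    """(backup, destination) pairs: copy each original back over its replacement."""
    return [(f.bak, f.live) for f in findings
            if f.verdict in ("replaced", "orphan_backup")]


if __name__ == "__main__":
    found = analyse(parse_listing(SAMPLE_LISTING))
    for f in found:
        print(f"{f.verdict:14} {f.live}  (live={f.live_size}, bak={f.bak_size})")
    print("probable dropper size:", dropper_size(found))
    for src, dst in restore_plan(found):
        print(f"restore: {src} -> {dst}")
```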



## jonpistone2 (Oct 5, 2007)

oh wow---that sounds like a pretty serious virus...i have your AWF.txt file pasted below---thanks!!!

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Wed 10/10/2007 
The current time is: 18:27:43.14


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\AIM\BAK

08/01/2006 04:35 PM 67,112 aim.exe
1 File(s) 67,112 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

05/14/2005 12:20 AM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\NORTON~2\BAK

09/09/2004 10:12 PM 132,248 cfgwiz.exe
1 File(s) 132,248 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/05/2005 03:26 PM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

08/14/2005 03:51 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

06/28/2006 01:24 PM 420,421 6u21i9jn.exe
1 File(s) 420,421 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

07/29/2003 04:30 PM 335,872 atiptaxx.exe
1 File(s) 335,872 bytes

Directory of C:\PROGRA~1\COMMON~1\ROMO\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

07/14/2005 09:16 PM 58,992 ccApp.exe
1 File(s) 58,992 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

02/23/2005 04:19 PM 53,248 DVDLauncher.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

05/14/2004 12:35 PM 536,576 SynTPEnh.exe
05/13/2004 10:23 PM 98,304 SynTPLpr.exe
2 File(s) 634,880 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~1.0\READER\BAK

03/30/2006 04:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

04/13/2004 06:07 AM 69,632 issch.exe
04/17/2004 12:41 PM 196,608 ISUSPM.exe
2 File(s) 266,240 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

11/02/2004 04:59 PM 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

01/15/2005 12:24 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0\BIN\BAK

08/22/2007 09:35 PM 77,824 jusched.exe
1 File(s) 77,824 bytes


12/17/2002 12:28 PM 684,032 DirectCD.exe
1 File(s) 684,032 bytes

Directory of C:\DOCUME~1\JONATHAN\APPLIC~1\MICROS~1\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\INSIDER\BAK

09/17/2007 01:29 AM 110,080 Insider.exe.vir
1 File(s) 110,080 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\WINABLE\BAK

10/03/2007 08:56 PM 61,440 winable.exe.vir
1 File(s) 61,440 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\WORDS\BAK

09/17/2007 01:34 AM 77,824 Words.exe.vir
1 File(s) 77,824 bytes

Directory of C:\QOOBOX\QUARAN~1\C\WINDOWS\MBOLS~1\BAK

09/16/2007 01:05 AM 72,704 winspool.exe.vir
1 File(s) 72,704 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

09/05/2002 10:05 AM 45,056 LMPDPSRV.EXE
1 File(s) 45,056 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

27660 Oct 5 2007 "C:\Program Files\AIM\aim.exe"
67112 Aug 1 2006 "C:\Program Files\AIM\bak\aim.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe1191635345" 
278528 May 14 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Feb 3 2007 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
132248 Aug 17 2004 "C:\Program Files\Norton AntiSpam\CfgWiz.exe"
132248 Sep 9 2004 "C:\Program Files\Norton SystemWorks\bak\cfgwiz.exe"
188480 Aug 4 2004 "C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\cfgwiz.exe" 
98304 Jun 5 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
27660 Oct 5 2007 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Aug 14 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe" 
420421 Jun 28 2006 "C:\WINDOWS\system32\bak\6u21i9jn.exe"
27660 Oct 5 2007 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
335872 Jul 29 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe" 
27660 Oct 5 2007 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
58992 Jul 14 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
27660 Oct 5 2007 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" 
53248 Feb 23 2005 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
536576 May 14 2004 "C:\DELL\drivers\R81989\SynTPEnh.exe"
27660 Oct 5 2007 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" 
536576 May 14 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
536576 May 14 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
98304 May 13 2004 "C:\DELL\drivers\R81989\SynTPLpr.exe" 
27660 Oct 5 2007 "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
98304 May 13 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
98304 May 13 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe" 
27660 Oct 5 2007 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
27660 Oct 5 2007 "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" 
69632 Apr 13 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
27660 Oct 5 2007 "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
196608 Apr 17 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe" 
75520 May 2 2007 "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
27660 Oct 5 2007 "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
32881 Jan 15 2005 "C:\Program Files\Java\j2re1.4.2_07\bin\bak\jusched.exe" 
77824 Aug 22 2007 "C:\Program Files\Java\jre1.6.0\bin\bak\jusched.exe"
75520 May 2 2007 "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
27660 Oct 5 2007 "C:\Program Files\Java\jre1.6.0\bin\jusched.exe" 
32881 Jan 15 2005 "C:\Program Files\Java\j2re1.4.2_07\bin\bak\jusched.exe"
77824 Aug 22 2007 "C:\Program Files\Java\jre1.6.0\bin\bak\jusched.exe"
684032 Dec 17 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe" 
27660 Oct 5 2007 "C:\qoobox\Quarantine\C\Program Files\Insider\Insider.exe.vir"
110080 Sep 17 2007 "C:\qoobox\Quarantine\C\Program Files\Insider\bak\Insider.exe.vir"
27660 Oct 5 2007 "C:\qoobox\Quarantine\C\Program Files\WinAble\winable.exe.vir" 
61440 Oct 3 2007 "C:\qoobox\Quarantine\C\Program Files\WinAble\bak\winable.exe.vir"
27660 Oct 5 2007 "C:\qoobox\Quarantine\C\Program Files\Words\Words.exe.vir"
77824 Sep 17 2007 "C:\qoobox\Quarantine\C\Program Files\Words\bak\Words.exe.vir" 
71680 Oct 6 2007 "C:\qoobox\Quarantine\C\WINDOWS\MBOLS~1\winspool.exe.vir"
72704 Sep 16 2007 "C:\qoobox\Quarantine\C\WINDOWS\MBOLS~1\bak\winspool.exe.vir"
45056 Sep 5 2002 "C:\Program Files\Lexmark X125\Setup\LMpdpsrv.exe" 
27660 Oct 5 2007 "C:\WINDOWS\system32\spool\drivers\w32x86\3\LMPDPSRV.EXE"
45056 Sep 5 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\lexmarkx1258974\LMpdpsrv.exe"
45056 Sep 5 2002 "C:\WINDOWS\system32\spool\drivers\WIN40\0\LMPDPSRV.EXE" 
45056 Sep 5 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\LMPDPSRV.EXE"


end of report


----------



## Cookiegal (Aug 27, 2003)

Also, with the multiple infections you have, you should change any passwords, bank account numbers and other sensitive information that you may have stored on your computer, as they may have been compromised.


Open HijackThis and click on "Config" and then on the "Misc Tools" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## jonpistone2 (Oct 5, 2007)

Okay, I'll start going through all my passwords. Thank you for the tip/info!


Here is that list:


Adobe Flash Player ActiveX
Adobe Reader 7.0.8
AOL Instant Messenger
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
BCM V.92 56K Modem
Broadcom 440x Driver Installer
Broadcom Advanced Control Suite 
Broadcom Driver Installer
Broadcom Management Programs
ccCommon
C-Major Audio
Crash Analysis Tool
Dell Picture Studio - Dell Image Expert
Dell ResourceCD
D-Link AirPlus G Wireless Adapter 
Hello (remove only) 
HijackThis 2.0.2
Internal Network Card Power Management
iPod Updater 2004-11-15
IpWins
iTunes
J2SE Runtime Environment 5.0 Update 12
Java 2 Runtime Environment, SE v1.4.2_07
Java(TM) SE Runtime Environment 6 
K-Lite Codec Pack 3.4.5 Basic
Lexmark X125
Macromedia Shockwave Player
Microsoft Works
mIRC
Move Networks Player for Internet Explorer
Mozilla Firefox (2.0.0.7)
My DSC 
Norton AntiSpam
Norton AntiSpam
Norton AntiSpam
Norton AntiSpam
Norton AntiSpam Help
OIN
OpenOffice.org 2.2
Paint Shop Pro 7
PowerDVD 5.5
RelevantKnowledge
RTC Client API v1.2
SymNet
Synaptics Pointing Device Driver
TechConnect
Ultra soft
Viewpoint Media Player
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10


----------



## Cookiegal (Aug 27, 2003)

Please post the uninstall list before continuing as well.


----------



## jonpistone2 (Oct 5, 2007)

I think that was the uninstall list, wasn't it?

The file that popped up was called uninstall_list.txt. That's what I cut and pasted for you.


----------



## Cookiegal (Aug 27, 2003)

Yes and I see a problem with that list in that there are no Microsoft critical updates installed on this computer. So I have to ask you, is this version of the OS genuine?


----------



## jonpistone2 (Oct 5, 2007)

I'm not sure what you mean by that... are you asking if it's illegal or something? If that's the question then no, not at all. I got this computer directly from Dell about 4-5 years ago. I have had troubles with my motherboard and they have had to take my computer from me to put a new one in, and there was an issue after that in which I had to use the Windows CD to reformat my hard drive. But because I didn't have the CDs to install my drivers, and because they no longer make my type of computer, they had to have me walk through the web page with a tech guy on the phone and figure things out part by part. I'm not sure if that's what you are talking about at all or if that could help explain any of those things...
Is that what you meant at all, or is there a better way for me to answer your question? Either way, everything about my computer and Windows is legal and directly from the store and under my name...
Hope that helps, thanks


----------



## Cookiegal (Aug 27, 2003)

So if I understand correctly you did the reformat yourself under their guidance? Did they not tell you that you need to get the Microsoft updates and Service Packs right away or you leave your computer open to infection? This is why you are so terribly infected now. Those updates and service packs patch vulnerabilities that can be exploited by malware. Let's run this validation tool just to be sure that the operating system is genuine. Since you got it from Dell, it should be fine.

Please run the MGA Diagnostic Tool and post back the report it creates:
Download *MGADiag* to your desktop.
Double-click on MGADiag.exe to launch the program
Click "Continue"
Ensure that the "Windows" tab is selected (it should be by default).
Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
Paste the MGA Diagnostic Report back here in your next reply.

*Do not try to download the service packs at this time as installing SP2 on an infected computer will cause other serious problems.*


----------



## jonpistone2 (Oct 5, 2007)

I continue to hit Copy but nothing is coming up... is it okay to just copy everything I see on the screen and type it back to you?

Validation info:
Validation status: Genuine
Validation code: 0
Product Key: *****_*****_GD6GR-K6DP3-4C8MT
Product Key Hash: s2kt66ZJWfV4nS1wFD5F9bxTSDw=
Product ID: 55277-OEM-2111907-00102
Product ID Type 2 - OEM SLP
Windows OS version: 5.1.2006.2.00010300.1.0.hom
CSVLK Server NA
CSVLK PID NA
ID: {9C2DF586-8BDE-4EDC-96FE-208DE88884B0}(3)
Administrator: Yes
Test Cab: 0x0
WGA Version: Registered, 1.7.36.0
Signed By: Microsoft
Product Name: NA
Architecture and build: NA NA
TTS Error NA
Validation Diagnostic: 025D1FF3-171-1
Resolution Status NA

(The last part, "Resolution Status", is in gray though the rest is in black.)
Also, what you said before is correct: Dell walked me through everything, and that was in the spring. I don't remember stuff about a service pack, but they may have; that I don't recall....
Hope this helps, along with what I wrote above. Thank you!!


----------



## Cookiegal (Aug 27, 2003)

OK, that's fine. Let's continue to clean this up and then when we're done, you will get SP2 installed and any updates that followed.

Go to Control Panel - Add/Remove programs and remove these:

*IpWins
OIN
RelevantKnowledge
Viewpoint Media Player*

Copy the file paths below to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

*"C:\Program Files\AIM\bak\aim.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\Norton SystemWorks\bak\cfgwiz.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\SymNetDrv\bak\SNDMon.exe" 
"C:\Program Files\Java\jre1.6.0\bin\bak\jusched.exe"
"C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe" 
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
"C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
"C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe" 
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe" 
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\LMPDPSRV.EXE"
*

Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
*Select option 2* from the menu and press Enter.
Press any key to continue.
A Notepad document *FindAWF.txt* will appear with instructions to click below the line and paste the list of files to be restored.
Right-click below this line and select *Paste* to paste the list of files copied to the clipboard earlier. Save and close the document.
The program will proceed to move the legit files and will perform another scan for bak folders.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in Notepad called *AWF.txt*.
Please copy and paste the contents of the *AWF.txt* file in your next reply.

Locate and delete these folders:

C:\Program Files\Java\*jre1.5.0_12* 
C:\Program Files\Java\*j2re1.4.2_07 *
C:\*qoobox*


----------



## jonpistone2 (Oct 5, 2007)

I did the Add/Remove as you said, then I followed your instructions on the AWF (which I will paste below)... but after doing that, I noticed the two folders you wanted me to delete.... I DID delete them, but AFTER I ran the AWF program.... I hope that's not a problem, or if that info is still in that report, know that I deleted both those two folders... thanks!!!



Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Thu 10/11/2007 
The current time is: 20:51:11.54


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\AIM\BAK

08/01/2006 04:35 PM 67,112 aim.exe
1 File(s) 67,112 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

05/14/2005 12:20 AM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\NORTON~2\BAK

09/09/2004 10:12 PM 132,248 cfgwiz.exe
1 File(s) 132,248 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/05/2005 03:26 PM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

08/14/2005 03:51 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

06/28/2006 01:24 PM 420,421 6u21i9jn.exe
1 File(s) 420,421 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

07/29/2003 04:30 PM 335,872 atiptaxx.exe
1 File(s) 335,872 bytes

Directory of C:\PROGRA~1\COMMON~1\ROMO\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

07/14/2005 09:16 PM 58,992 ccApp.exe
1 File(s) 58,992 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

02/23/2005 04:19 PM 53,248 DVDLauncher.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

05/14/2004 12:35 PM 536,576 SynTPEnh.exe
05/13/2004 10:23 PM 98,304 SynTPLpr.exe
2 File(s) 634,880 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~1.0\READER\BAK

03/30/2006 04:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

04/13/2004 06:07 AM 69,632 issch.exe
04/17/2004 12:41 PM 196,608 ISUSPM.exe
2 File(s) 266,240 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

11/02/2004 04:59 PM 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

01/15/2005 12:24 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0\BIN\BAK

08/22/2007 09:35 PM 77,824 jusched.exe
1 File(s) 77,824 bytes


12/17/2002 12:28 PM 684,032 DirectCD.exe
1 File(s) 684,032 bytes

Directory of C:\DOCUME~1\JONATHAN\APPLIC~1\MICROS~1\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\INSIDER\BAK

09/17/2007 01:29 AM 110,080 Insider.exe.vir
1 File(s) 110,080 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\WINABLE\BAK

10/03/2007 08:56 PM 61,440 winable.exe.vir
1 File(s) 61,440 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\WORDS\BAK

09/17/2007 01:34 AM 77,824 Words.exe.vir
1 File(s) 77,824 bytes

Directory of C:\QOOBOX\QUARAN~1\C\WINDOWS\MBOLS~1\BAK

09/16/2007 01:05 AM 72,704 winspool.exe.vir
1 File(s) 72,704 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

09/05/2002 10:05 AM 45,056 LMPDPSRV.EXE
1 File(s) 45,056 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

67112 Aug 1 2006 "C:\Program Files\AIM\aim.exe"
67112 Aug 1 2006 "C:\Program Files\AIM\bak\aim.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe1191635345" 
278528 May 14 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Feb 3 2007 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
132248 Sep 9 2004 "C:\Program Files\Norton SystemWorks\cfgwiz.exe"
132248 Aug 17 2004 "C:\Program Files\Norton AntiSpam\CfgWiz.exe"
132248 Sep 9 2004 "C:\Program Files\Norton SystemWorks\bak\cfgwiz.exe" 
188480 Aug 4 2004 "C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\cfgwiz.exe"
98304 Jun 5 2005 "C:\Program Files\QuickTime\qttask.exe"
98304 Jun 5 2005 "C:\Program Files\QuickTime\bak\qttask.exe" 
100056 Aug 14 2005 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Aug 14 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
420421 Jun 28 2006 "C:\WINDOWS\system32\bak\6u21i9jn.exe" 
335872 Jul 29 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
335872 Jul 29 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
58992 Jul 14 2005 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" 
58992 Jul 14 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
53248 Feb 23 2005 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
53248 Feb 23 2005 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe" 
536576 May 14 2004 "C:\DELL\drivers\R81989\SynTPEnh.exe"
536576 May 14 2004 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
536576 May 14 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe" 
536576 May 14 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
98304 May 13 2004 "C:\DELL\drivers\R81989\SynTPLpr.exe"
98304 May 13 2004 "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" 
98304 May 13 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
98304 May 13 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
69632 Apr 13 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" 
69632 Apr 13 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
196608 Apr 17 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
196608 Apr 17 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
75520 May 2 2007 "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
77824 Aug 22 2007 "C:\Program Files\Java\jre1.6.0\bin\jusched.exe" 
32881 Jan 15 2005 "C:\Program Files\Java\j2re1.4.2_07\bin\bak\jusched.exe"
77824 Aug 22 2007 "C:\Program Files\Java\jre1.6.0\bin\bak\jusched.exe"
75520 May 2 2007 "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe" 
77824 Aug 22 2007 "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
32881 Jan 15 2005 "C:\Program Files\Java\j2re1.4.2_07\bin\bak\jusched.exe"
77824 Aug 22 2007 "C:\Program Files\Java\jre1.6.0\bin\bak\jusched.exe" 
684032 Dec 17 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
684032 Dec 17 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"
27660 Oct 5 2007 "C:\qoobox\Quarantine\C\Program Files\Insider\Insider.exe.vir" 
110080 Sep 17 2007 "C:\qoobox\Quarantine\C\Program Files\Insider\bak\Insider.exe.vir"
27660 Oct 5 2007 "C:\qoobox\Quarantine\C\Program Files\WinAble\winable.exe.vir"
61440 Oct 3 2007 "C:\qoobox\Quarantine\C\Program Files\WinAble\bak\winable.exe.vir" 
27660 Oct 5 2007 "C:\qoobox\Quarantine\C\Program Files\Words\Words.exe.vir"
77824 Sep 17 2007 "C:\qoobox\Quarantine\C\Program Files\Words\bak\Words.exe.vir"
71680 Oct 6 2007 "C:\qoobox\Quarantine\C\WINDOWS\MBOLS~1\winspool.exe.vir" 
72704 Sep 16 2007 "C:\qoobox\Quarantine\C\WINDOWS\MBOLS~1\bak\winspool.exe.vir"
45056 Sep 5 2002 "C:\Program Files\Lexmark X125\Setup\LMpdpsrv.exe"
45056 Sep 5 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\LMPDPSRV.EXE" 
45056 Sep 5 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\lexmarkx1258974\LMpdpsrv.exe"
45056 Sep 5 2002 "C:\WINDOWS\system32\spool\drivers\WIN40\0\LMPDPSRV.EXE"
45056 Sep 5 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\LMPDPSRV.EXE" 


end of report


----------



## jonpistone2 (Oct 5, 2007)

Is it a problem that I deleted those files AFTER I ran that program? Should I run it again and re-post something for you?


----------



## Cookiegal (Aug 27, 2003)

Well, doing it the way I asked would have made my job a lot easier but it's done now.

Copy the file paths below to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

*C:\Program Files\AIM\bak
C:\Program Files\iTunes\bak
C:\Program Files\Norton SystemWorks\bak
C:\Program Files\QuickTime\bak
C:\Program Files\SymNetDrv\bak
C:\WINDOWS\system32\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\Synaptics\SynTP\bak
C:\Program Files\Synaptics\SynTP\bak
C:\Program Files\Adobe\Acrobat 7.0\Reader\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Common Files\Symantec Shared\Security Center\bak
C:\Program Files\Java\jre1.6.0\bin\bak
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak
C:\WINDOWS\BAK
C:\Program Files\MSN Messenger\bak
*


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
*Select option 3* from the menu and press Enter.
Press any key to continue. 
A Notepad document *FindAWF.txt* will appear with instructions to click below the line and paste the list of folders to be removed.
Right-click below this line and select *Paste* to paste the list of folders copied to the clipboard earlier. Save and close the document.
The program will proceed to remove the bad folders and will perform another scan for bak folders.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in Notepad called AWF.txt.
Please copy and paste the contents of the AWF.txt file in your next reply.
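A defender-side way to read these FindAWF reports, added here as an example that is not part of this thread and not FindAWF's own code: it parses the "Duplicate files of bak directory contents" section, pairs each file in a bak folder with its live sibling, and derives from the size comparison the option 2 list of files to restore (Cookiegal's earlier post) and the option 3 list of bak folders that can be removed (this post). The sample lines are constructed, modelled on the reports quoted above.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample modelled on the "Duplicate files of bak directory contents"
# section of the FindAWF reports in this thread: <size> <Mon> <day> <year> "<path>"
SAMPLE_REPORT = r'''
27660 Oct 5 2007 "C:\Program Files\AIM\aim.exe"
67112 Aug 1 2006 "C:\Program Files\AIM\bak\aim.exe"
98304 Jun 5 2005 "C:\Program Files\QuickTime\qttask.exe"
98304 Jun 5 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
420421 Jun 28 2006 "C:\WINDOWS\system32\bak\6u21i9jn.exe"
536576 May 14 2004 "C:\DELL\drivers\R81989\SynTPEnh.exe"
27660 Oct 5 2007 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
536576 May 14 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
'''

LINE_RE = re.compile(r'^\s*(\d+)\s+[A-Za-z]{3}\s+\d{1,2}\s+\d{4}\s+"([^"]+)"\s*$')


def parse_report(text):
    """Return {lowercased path: (path as written, size in bytes)} for each report line.

    Keys are lowercased because Windows paths are case-insensitive and the
    report mixes cases (LMPDPSRV.EXE vs LMpdpsrv.exe)."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            size, path = int(m.group(1)), m.group(2)
            entries[path.lower()] = (path, size)
    return entries


def classify(entries):
    """Classify every file that sits directly inside a folder named 'bak'.

    'hijacked': a live sibling exists but its size differs from the saved copy
                (in this thread the live file is the small loader that replaced
                the real program, so the real one must be put back).
    'restored': the live sibling has the same size as the saved copy.
    'orphan':   no live sibling at all; the bak folder only holds the saved file.
    Returns a list of (bak_path, status, live_path_or_None) in report order."""
    results = []
    for _key, (path, size) in entries.items():
        p = PureWindowsPath(path)
        if p.parent.name.lower() != 'bak':
            continue
        live = p.parent.parent / p.name
        hit = entries.get(str(live).lower())
        if hit is None:
            results.append((path, 'orphan', None))
        elif hit[1] == size:
            results.append((path, 'restored', hit[0]))
        else:
            results.append((path, 'hijacked', hit[0]))
    return results


def plan(entries):
    """Build the two lists FindAWF is fed: bak files still to restore (option 2)
    and bak folders that are safe to remove because nothing in them is needed
    any more (option 3). A folder with a pending restore is never listed."""
    restore, remove = [], []
    for bak_path, status, _live in classify(entries):
        folder = str(PureWindowsPath(bak_path).parent)
        if status == 'hijacked':
            restore.append(bak_path)
        elif folder not in remove:
            remove.append(folder)
    pending = {str(PureWindowsPath(p).parent) for p in restore}
    remove = [f for f in remove if f not in pending]
    return restore, remove


if __name__ == '__main__':
    ents = parse_report(SAMPLE_REPORT)
    for bak_path, status, _live in classify(ents):
        print(f'{status:9} {bak_path}')
    to_restore, to_remove = plan(ents)
    print('restore:', to_restore)
    print('remove :', to_remove)
```

Running it on the sample flags aim.exe and SynTPEnh.exe as still replaced, QuickTime's copy as already restored, and 6u21i9jn.exe as a bak-only orphan.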


----------



## jonpistone2 (Oct 5, 2007)

I am VERY sorry if I made things harder for you, clearly not my intent... I just didn't understand as I followed the order of things, and didn't realize till after I started that you had listed things below.... very sorry about that!!!

Thanks for all your continued help!!! Here is the list below from the latest scan:

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Fri 10/12/2007 
The current time is: 16:38:33.14


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\ROMO\BAK

0 File(s) 0 bytes

Directory of C:\DOCUME~1\JONATHAN\APPLIC~1\MICROS~1\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\INSIDER\BAK

09/17/2007 01:29 AM 110,080 Insider.exe.vir
1 File(s) 110,080 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\WINABLE\BAK

10/03/2007 08:56 PM 61,440 winable.exe.vir
1 File(s) 61,440 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\WORDS\BAK

09/17/2007 01:34 AM 77,824 Words.exe.vir
1 File(s) 77,824 bytes

Directory of C:\QOOBOX\QUARAN~1\C\WINDOWS\MBOLS~1\BAK

09/16/2007 01:05 AM 72,704 winspool.exe.vir
1 File(s) 72,704 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

27660 Oct 5 2007 "C:\qoobox\Quarantine\C\Program Files\Insider\Insider.exe.vir"
110080 Sep 17 2007 "C:\qoobox\Quarantine\C\Program Files\Insider\bak\Insider.exe.vir"
27660 Oct 5 2007 "C:\qoobox\Quarantine\C\Program Files\WinAble\winable.exe.vir" 
61440 Oct 3 2007 "C:\qoobox\Quarantine\C\Program Files\WinAble\bak\winable.exe.vir"
27660 Oct 5 2007 "C:\qoobox\Quarantine\C\Program Files\Words\Words.exe.vir"
77824 Sep 17 2007 "C:\qoobox\Quarantine\C\Program Files\Words\bak\Words.exe.vir" 
71680 Oct 6 2007 "C:\qoobox\Quarantine\C\WINDOWS\MBOLS~1\winspool.exe.vir"
72704 Sep 16 2007 "C:\qoobox\Quarantine\C\WINDOWS\MBOLS~1\bak\winspool.exe.vir"


end of report


----------



## Cookiegal (Aug 27, 2003)

That's OK. No worries.  


Now, please run ComboFix again in normal mode and post the log.


----------



## jonpistone2 (Oct 5, 2007)

It kept saying "REG.EXE" had a problem... as I kept clicking the "Don't Send" option a few times, it then said I don't have Admin to run the program... I had to restart, and then after running the program... it ran through for quite a while... and I saw quite a lot of info on the blue screen.... After checking on it a few minutes later though, it said that it was going to restart Windows and to not do anything and let ComboFix restart it, so I waited and after a bit it DID restart Windows...

I waited a while and saw nothing come up... so again I double-clicked on ComboFix and ran the program again. This happened again as the program started to run... but then when I checked on it later, the computer restarted again...

I'll shut down for a moment and wait a little while and try again with the program. Any tips if you get this before I can post a log file for you?
Thanks!


----------



## Cookiegal (Aug 27, 2003)

See if you can get it to run in safe mode.


----------



## jonpistone2 (Oct 5, 2007)

It worked this time...
though it DID restart again. This time the blue window came up without me touching anything... and it gave me this log:

ComboFix 07-10-10.1 - Jonathan 2007-10-12 22:23:02.6 - NTFSx86 
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.313 [GMT -4:00]
Running from: C:\Documents and Settings\Jonathan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\UGA6P\
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Desktop\AVSystemCare.lnk
C:\Documents and Settings\Jonathan\Application Data.\AVSystemCare
C:\Documents and Settings\Jonathan\Application Data.\AVSystemCare\avtasks.dat
C:\Documents and Settings\Jonathan\Application Data.\AVSystemCare\Logs\av.log
C:\Documents and Settings\Jonathan\Application Data.\AVSystemCare\Logs\ga6Support.log
C:\Documents and Settings\Jonathan\Application Data.\AVSystemCare\Logs\update.log
C:\Documents and Settings\Jonathan\ResErrors.log
C:\Program Files\AOD\vigylenyz4444.dll
C:\Program Files\AOD\vigylenyz83122.dll
C:\Program Files\AVSystemCare
C:\Program Files\AVSystemCare\Activate.exe
C:\Program Files\AVSystemCare\Config\pgs.xml
C:\Program Files\AVSystemCare\Dat\Activate.dat
C:\Program Files\AVSystemCare\Dat\BkSites.dat
C:\Program Files\AVSystemCare\Dat\bnlink.dat
C:\Program Files\AVSystemCare\Dat\incmp.dat
C:\Program Files\AVSystemCare\Dat\index.dat
C:\Program Files\AVSystemCare\Dat\pv.dat
C:\Program Files\AVSystemCare\Engines\AWBase\database\enemies.dat
C:\Program Files\AVSystemCare\Engines\AWBase\vbpv.dat
C:\Program Files\AVSystemCare\Engines\PGBase\vbpv.dat
C:\Program Files\AVSystemCare\Engines\plugins\BORLNDMM.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANADWR.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANBCDR.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANDLDR.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANDOS1.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANEMUL.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANFUNC.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANKRNL.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANMCR1.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANOTHR.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANSCR.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANTOOL.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANTROJ.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANWIN1.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UNACPU.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UNADBX.DLL
C:\Program Files\AVSystemCare\Engines\plugins\unamscan.dll
C:\Program Files\AVSystemCare\Engines\plugins\UNMIME.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UNPACK.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UNPACKS.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UNPACKS2.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UNPEPACK.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UpDate\UA27601.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UpDate\UA27602.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UpDate\UA27603.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UpDate\UA27604.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UpDate\UADAILY.DLL
C:\Program Files\AVSystemCare\Engines\plugins\vbpv.dat
C:\Program Files\AVSystemCare\FMTR.sys
C:\Program Files\AVSystemCare\fopnl.dll
C:\Program Files\AVSystemCare\FWSettings.bin
C:\Program Files\AVSystemCare\Graphics\cross.gif
C:\Program Files\AVSystemCare\Graphics\ga6p.gif
C:\Program Files\AVSystemCare\Graphics\kb.url
C:\Program Files\AVSystemCare\Graphics\main.ico
C:\Program Files\AVSystemCare\Graphics\mini.ico
C:\Program Files\AVSystemCare\Graphics\Online.url
C:\Program Files\AVSystemCare\Graphics\rm.url
C:\Program Files\AVSystemCare\Graphics\support.ico
C:\Program Files\AVSystemCare\Graphics\Support.url
C:\Program Files\AVSystemCare\Graphics\uninstall.ico
C:\Program Files\AVSystemCare\history.db
C:\Program Files\AVSystemCare\LA\lapv.dat
C:\Program Files\AVSystemCare\LA\License.rtf
C:\Program Files\AVSystemCare\pgs.exe
C:\Program Files\AVSystemCare\ResErrors.log
C:\Program Files\AVSystemCare\Restart.exe
C:\Program Files\AVSystemCare\rpt.dll
C:\Program Files\AVSystemCare\RTasks.exe
C:\Program Files\AVSystemCare\scnkrnl.dll
C:\Program Files\AVSystemCare\settings.ini
C:\Program Files\AVSystemCare\sqlite3.dll
C:\Program Files\AVSystemCare\sr.log
C:\Program Files\AVSystemCare\Tools\IEFWBHO.dll
C:\Program Files\AVSystemCare\Tools\pg.dll
C:\Program Files\AVSystemCare\unins000.dat
C:\Program Files\AVSystemCare\unins000.exe
C:\Program Files\AVSystemCare\Up\ASupdater.dat
C:\Program Files\AVSystemCare\Up\gup.exe
C:\Program Files\AVSystemCare\Up\PGupdater.dat
C:\Program Files\AVSystemCare\Up\UBupdater.dat
C:\Program Files\AVSystemCare\Up\up.dat
C:\Program Files\AVSystemCare\Up\updater.dat
C:\Program Files\Common Files\AVSystemCare
C:\Program Files\Common Files\AVSystemCare\bm.exe
C:\Program Files\Common Files\AVSystemCare\ugcw.exe
C:\Program Files\ISM
C:\Program Files\ISM\BndDrive5.dll
C:\Program Files\ISM\BndDrive5.dll
C:\Program Files\ISM\bndloader.exe
C:\Program Files\ISM\bndloader.exe
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\Jasc Software Inc\dibos.html
C:\Program Files\Jasc Software Inc\zyrif.dll
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.5\wbuninst.exe
C:\Program Files\web buying\v1.8.5\webbuying.exe
C:\Program Files\WinAble
C:\Program Files\WinAble\winable.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\b122.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\Sm9uYXRoYW4\asappsrv.dll
C:\WINDOWS\Sm9uYXRoYW4\command.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\awtqool.dll
C:\WINDOWS\system32\cbxxx.dll
C:\WINDOWS\system32\fccaxus.dll
C:\WINDOWS\system32\h1
C:\WINDOWS\system32\h1\wr12drver.exe
C:\WINDOWS\system32\hgdeiwx.dll
C:\WINDOWS\system32\hggdbbc.dll
C:\WINDOWS\system32\hngcfuqx.ini
C:\WINDOWS\system32\mtbdkiun.dll
C:\WINDOWS\system32\myxsrpnf.exe
C:\WINDOWS\system32\p1
C:\WINDOWS\system32\p1\dnwldr132.exe
C:\WINDOWS\system32\q21
C:\WINDOWS\system32\q21\aded83122.exe
C:\WINDOWS\system32\xlhkvubq.dll
C:\WINDOWS\system32\xqufcgnh.dll
C:\WINDOWS\system32\xxxbc.bak1
C:\WINDOWS\system32\xxxbc.bak1
C:\WINDOWS\system32\xxxbc.ini
C:\WINDOWS\system32\xxxbc.ini
C:\WINDOWS\tk58.exe
C:\WINDOWS\tsitra572.exe
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\DomainService
-------\Network Monitor

((((((((((((((((((((((((( Files Created from 2007-09-13 to 2007-10-13 )))))))))))))))))))))))))))))))
.

2007-10-11 09:43 d--------	C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-10-11 03:57 d--hs----	C:\UGA6P
2007-10-11 03:56	46,592	--a------	C:\WINDOWS\system32\drivers\FMTR.sys
2007-10-11 03:56	24,064	--a------	C:\WINDOWS\system32\msxml3a.dll
2007-10-11 03:36 d--------	C:\WINDOWS\system32\vMW02a
2007-10-11 03:36 d--------	C:\WINDOWS\system32\ipd2
2007-10-11 03:36 d--------	C:\WINDOWS\system32\dricom1
2007-10-11 03:36 d--------	C:\Temp\xOe
2007-10-11 03:36 d--------	C:\Program Files\ISM2
2007-10-11 03:36 d--------	C:\Documents and Settings\NetworkService\Application Data\NetMon
2007-10-11 03:36	35,840	--a------	C:\WINDOWS\tsitra1000106.exe
2007-10-11 03:27	8,704	--a--c---	C:\WINDOWS\system32\dllcache\kbdjpn.dll
2007-10-11 03:27	8,192	--a--c---	C:\WINDOWS\system32\dllcache\kbdkor.dll
2007-10-11 03:27	6,144	--a--c---	C:\WINDOWS\system32\dllcache\kbd106.dll
2007-10-11 03:27	6,144	--a--c---	C:\WINDOWS\system32\dllcache\kbd101c.dll
2007-10-11 03:27	6,144	--a--c---	C:\WINDOWS\system32\dllcache\kbd101b.dll
2007-10-11 03:27	5,632	--a--c---	C:\WINDOWS\system32\dllcache\kbd103.dll
2007-10-09 20:24	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-10-07 20:10	7,395	--a------	C:\sysxenm.exe
2007-10-07 20:03	7,810	--a------	C:\syslkxe.exe
2007-10-07 18:02	7,810	--a------	C:\sysinzn.exe
2007-10-07 18:01	7,810	--a------	C:\syscahw.exe
2007-10-05 20:09 d--------	C:\Program Files\Trend Micro
2007-10-05 17:51 d--------	C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-10-05 17:11	1,559,040	--a------	C:\WINDOWS\system32\xvidcore.dll
2007-10-05 17:11	163,840	--a------	C:\WINDOWS\system32\unrar.dll
2007-10-02 10:11 d--hs----	C:\Documents and Settings\NetworkService\Application Data\wsnpoem
2007-09-30 11:45	7,804	--a------	C:\sysxlbi.exe
2007-09-29 22:16 d--------	C:\Program Files\Temporary
2007-09-27 13:13 d--------	C:\Program Files\Microsoft Help
2007-09-27 02:32	153	--a------	C:\WINDOWS\system32\delFSF.bat
2007-09-26 20:38	54,424	--a------	C:\WINDOWS\system32\systemd6.exe
2007-09-24 14:15	184,320	--a------	C:\WINDOWS\system32\HOf3A5q6.dll
2007-09-16 02:51	6,656	--a------	C:\syssdcb.exe
2007-09-15 16:14	7,816	--a------	C:\syslpri.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-13 01:57	---------	d-----w	C:\Program Files\Jasc Software Inc
2007-10-13 01:57	---------	d-----w	C:\Program Files\AOD
2007-10-13 01:05	---------	d-----w	C:\Program Files\mIRC
2007-10-12 20:38	---------	d-----w	C:\Program Files\SymNetDrv
2007-10-12 20:38	---------	d-----w	C:\Program Files\QuickTime
2007-10-12 20:38	---------	d-----w	C:\Program Files\Norton SystemWorks
2007-10-12 20:38	---------	d-----w	C:\Program Files\iTunes
2007-10-12 20:38	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2007-10-12 20:38	---------	d-----w	C:\Program Files\AIM
2007-10-12 00:46	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-05 09:51	---------	d-----w	C:\Documents and Settings\Jonathan\Application Data\OpenOffice.org2
2007-10-05 09:51	---------	d-----w	C:\Documents and Settings\Jonathan\Application Data\OpenOffice.org2
2007-10-03 03:50	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-09-28 02:15	2,028	----a-w	C:\Documents and Settings\Jonathan\Application Data\wklnhst.dat
2007-09-28 02:15	2,028	----a-w	C:\Documents and Settings\Jonathan\Application Data\wklnhst.dat
2007-09-16 07:13	---------	d--h--r	C:\Documents and Settings\Jonathan\Application Data\yahoo!
2007-09-16 07:13	---------	d--h--r	C:\Documents and Settings\Jonathan\Application Data\yahoo!
2007-09-16 07:13	---------	d-----w	C:\Documents and Settings\All Users\Application Data\yahoo!
2007-09-16 06:58	---------	d-----w	C:\Program Files\Absolute Poker Basic
2007-08-25 05:53	---------	d-----w	C:\Program Files\PacificPoker
2007-08-24 23:48	---------	d-----w	C:\Program Files\Symantec
2007-08-24 23:43	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2007-08-24 23:41	---------	d-----w	C:\Program Files\Ahead
2007-08-24 23:27	---------	d-----w	C:\Program Files\Canasis
2007-08-23 01:36	---------	d-----w	C:\Program Files\OpenOffice.org 2.2
2007-08-22 22:13	---------	d-----w	C:\Program Files\MSECache
2007-08-20 19:22	---------	d-----w	C:\Program Files\Google
2007-08-20 19:00	---------	d-----w	C:\Documents and Settings\Jonathan\Application Data\PC Tools
2007-08-20 19:00	---------	d-----w	C:\Documents and Settings\Jonathan\Application Data\PC Tools
2007-08-20 01:53	---------	d-----w	C:\Program Files\Common Files\romo
2007-08-20 00:00	7,818	----a-w	C:\syshrbr.exe
2007-08-19 23:41	---------	d-----w	C:\Documents and Settings\Jonathan\Application Data\Uniblue
2007-08-19 23:41	---------	d-----w	C:\Documents and Settings\Jonathan\Application Data\Uniblue
2007-08-19 23:04	7,818	----a-w	C:\sysgonp.exe
2007-08-19 23:02	---------	d-----w	C:\Program Files\MSN Messenger
2007-08-18 19:55	---------	d-----w	C:\Program Files\Microsoft Works
2007-08-18 19:50	---------	d-----w	C:\Program Files\iPod
2007-08-18 19:50	---------	d-----w	C:\Program Files\GoldPocket
2007-08-18 19:47	---------	d-----w	C:\Program Files\Broadcom Management Programs
2007-08-18 19:47	---------	d-----w	C:\Documents and Settings\LocalService\Application Data\NetMon
2007-08-18 19:47	---------	d-----w	C:\Documents and Settings\LocalService\Application Data\NetMon
2007-08-18 19:47	---------	d-----w	C:\Documents and Settings\LocalService\Application Data\NetMon
2007-08-18 18:49	---------	d--h--w	C:\Documents and Settings\Jonathan\Application Data\Move Networks
2007-08-18 18:49	---------	d--h--w	C:\Documents and Settings\Jonathan\Application Data\Move Networks
2007-01-06 08:48	64,864	----a-w	C:\Documents and Settings\Jonathan\Application Data\GDIPFONTCACHEV1.DAT
2007-01-06 08:48	64,864	----a-w	C:\Documents and Settings\Jonathan\Application Data\GDIPFONTCACHEV1.DAT
2006-12-30 00:13	3,932	----a-w	C:\Documents and Settings\Jonathan\Application Data\LMLayout.dat
2006-12-30 00:13	3,932	----a-w	C:\Documents and Settings\Jonathan\Application Data\LMLayout.dat
2006-12-30 00:13	268	----a-w	C:\Documents and Settings\Jonathan\Application Data\LMCPaper.dat
2006-12-30 00:13	268	----a-w	C:\Documents and Settings\Jonathan\Application Data\LMCPaper.dat
2005-07-29 20:24:26	472	--sha-r	C:\WINDOWS\Sm9uYXRoYW4\mA6RsrlCsqb.vbs
.

((((((((((((((((((((((((((((( snapshot@2007-10-10_16.30.06.63 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 233,472 2007-10-13 02:23:01 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
----a-w 16,384 2007-10-13 02:20:49 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-10-13 02:20:49 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 49,152 2007-10-13 02:20:49 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 294,667 2007-09-28 21:29:44 C:\WINDOWS\system32\dricom1\iscrven33.exe
----a-w 45,056 2002-09-05 14:05:46 C:\WINDOWS\system32\spool\drivers\w32x86\3\LMPDPSRV.EXE
----a-w 32,768 2007-09-24 02:27:26 C:\WINDOWS\system32\vMW02a\vMW02a1065.exe
.
----a-w 233,472 2007-10-10 20:28:15 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
----a-w 16,384 2007-10-10 20:26:42 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-10-10 20:26:42 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 49,152 2007-10-10 20:26:42 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 27,660 2007-10-06 01:54:07 C:\WINDOWS\system32\spool\drivers\w32x86\3\LMPDPSRV.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41D17845-E3F1-B620-A04B-EE2B2C928CED}]
C:\WINDOWS\System32\hmadf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48BABDEA-7104-29A2-7167-0CB2696C8AEB}]
C:\WINDOWS\System32\lsth.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CECB995-7121-78A6-7766-7CB21A688ABB}]
C:\WINDOWS\System32\cqg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60E5AD16-31F6-6974-A34B-6EE34FEDAEE2}]
C:\WINDOWS\System32\rcv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64B3A83A-6CD4-6E25-A34A-1EE33CE8FFE9}]
C:\WINDOWS\System32\hqt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-09-24 14:15	184320	--a------	C:\WINDOWS\System32\HOf3A5q6.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9997FB5E-34BF-6B38-EC5F-3F76666F50E1}]
C:\WINDOWS\System32\nvldybze.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A088FDF2-374F-39CE-1F30-39C62D4E67B0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 19:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 16:30]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 22:23]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 12:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-08-22 21:35]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-07-14 21:16]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-08-14 15:51]
"LMPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bak\LMPDPSRV.EXE" []
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 12:41]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 06:07]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-05-14 00:20]
"ugcw"="C:\PROGRA~1\COMMON~1\AVSYST~1\ugcw.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18]
"Bjidejp"="C:\Program Files\Common Files\??sembly\?ttrib.exe" []
"romo"="C:\PROGRA~1\COMMON~1\romo\romom.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 16:35]
"Cbqyfnhd"="C:\Documents and Settings\Jonathan\My Documents\W?nSxS\?hkdsk.exe" []
"Jbkd"="C:\Documents and Settings\Jonathan\Application Data\??sembly\n?tepad.exe" []
"Fgsgkchb"="C:\Program Files\??pPatch\?ttrib.exe" []
"Vrmlob"="C:\Program Files\Common Files\??mbols\n?tepad.exe" []
"Cezo"="C:\Documents and Settings\Jonathan\Application Data\F?nts\w?nspool.exe" []
"Irub"="C:\WINDOWS\system32\??crosoft\??anregw.exe" []
"Uniblue RegistryBooster 2"="C:\Documents and Settings\Jonathan\Desktop\draft demo\RegistryBooster 2\RegistryBooster.exe" []
"PCTAVApp"="C:\Documents and Settings\Jonathan\Desktop\draft demo\PC Tools AntiVirus\PCTAV.exe" []
"Qru"="C:\Documents and Settings\Jonathan\Application Data\A?pPatch\n?lookup.exe" []
"ISMPack6"="C:\Program Files\ISM2\ISMPack6.exe" [2007-09-28 09:27]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=

C:\Documents and Settings\Jonathan\Start Menu\Programs\Startup\
winupdate01690527[1].exe [2006-04-27 00:52:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 02:05:26]
D-Link AirPlus G Wireless Utility.lnk - C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe [2005-11-23 18:17:46]
D-Link REG Utility.lnk - C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\Reg.exe [2005-11-23 18:17:46]
Lexmark X125 Settings Utility.lnk - C:\Program Files\Lexmark X125\LEX125SU.exe [2005-08-20 17:37:38]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

R0 fmtr;fmtr;C:\WINDOWS\System32\Drivers\FMTR.sys
S2 DgiVecp;DgiVecp;\??\C:\WINDOWS\System32\Drivers\DgiVecp.sys
S3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\System32\DRIVERS\BCMSM.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 04:03:00 C:\WINDOWS\Tasks\At1.job"
"2007-10-12 13:03:00 C:\WINDOWS\Tasks\At10.job"
"2007-10-12 14:03:00 C:\WINDOWS\Tasks\At11.job"
"2007-10-12 15:03:00 C:\WINDOWS\Tasks\At12.job"
"2007-10-12 16:03:00 C:\WINDOWS\Tasks\At13.job"
"2007-10-12 17:03:00 C:\WINDOWS\Tasks\At14.job"
"2007-10-12 18:03:00 C:\WINDOWS\Tasks\At15.job"
"2007-10-12 19:03:00 C:\WINDOWS\Tasks\At16.job"
"2007-10-12 20:03:00 C:\WINDOWS\Tasks\At17.job"
"2007-10-12 21:03:00 C:\WINDOWS\Tasks\At18.job"
"2007-10-12 22:03:00 C:\WINDOWS\Tasks\At19.job"
"2007-10-12 05:03:00 C:\WINDOWS\Tasks\At2.job"
"2007-10-12 23:03:00 C:\WINDOWS\Tasks\At20.job"
"2007-10-13 00:03:00 C:\WINDOWS\Tasks\At21.job"
"2007-10-13 01:03:00 C:\WINDOWS\Tasks\At22.job"
"2007-10-13 02:02:04 C:\WINDOWS\Tasks\At23.job"
"2007-10-12 03:03:00 C:\WINDOWS\Tasks\At24.job"
"2007-10-12 06:03:00 C:\WINDOWS\Tasks\At3.job"
"2007-10-12 07:03:00 C:\WINDOWS\Tasks\At4.job"
"2007-10-12 08:03:00 C:\WINDOWS\Tasks\At5.job"
"2007-10-12 09:03:00 C:\WINDOWS\Tasks\At6.job"
"2007-10-12 10:03:00 C:\WINDOWS\Tasks\At7.job"
"2007-10-12 11:03:00 C:\WINDOWS\Tasks\At8.job"
"2007-10-12 12:03:00 C:\WINDOWS\Tasks\At9.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-12 22:26:01
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-12 22:27:26 - machine was rebooted 
C:\ComboFix2.txt ... 2007-10-10 16:30
.
--- E O F ---


----------



## jonpistone2 (Oct 5, 2007)

Thanks for the quick reply though. I wouldn't have thought of running it in safe mode without your help. This worked though (I think). Let me know if this log came out correctly and what step is next for me.

thanks!!


----------



## jonpistone2 (Oct 5, 2007)

The difference may have been that this last time I took my wireless card out of the comp, so it couldn't connect to the net, then restarted the comp, then ran the program (just a thought).


----------



## Cookiegal (Aug 27, 2003)

Go to *Start* - *Search* - *All Files and Folders* and, under *More advanced search options*, make sure there is a check by *Search System Folders*, *Search hidden files and folders* and *Search system subfolders*.

Next click on *My Computer*. Go to *Tools* - *Folder Options*. Click on the View tab and make sure that *Show hidden files and folders* is checked. Also uncheck *Hide protected operating system files* and *Hide extensions for known file types*. Now click *Apply to all folders*. Click *Apply* then *OK*.

Now, go to the following link and upload each of the following files for analysis and let me know what the results are please. This is normally a valid file but was installed at the same time as malware so I want to be sure about it:

http://virusscan.jotti.org/

*C:\WINDOWS\system32\msxml3a.dll*

This is a very big fix. Your computer has been severely compromised and, as a result, is very unstable, so I suggest that you back up any important data before doing this, as there is always a possibility, when removing so much malware, that the system will fail and not recover.

Open Notepad and copy and paste the text in the quote box below into it:

> File::
> C:\WINDOWS\system32\drivers\FMTR.sys
> C:\sysxenm.exe
> C:\syslkxe.exe
> ...

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## jonpistone2 (Oct 5, 2007)

When I typed C:\WINDOWS\system32\msxml3a.dll into the virusscan.jotti.org web page, the Bit9 Reports said: No threat detected, and below that there was "nothing found" on all of the items listed below.

This is the ComboFix log:

ComboFix 07-10-10.1 - Jonathan 2007-10-13 17:34:03.7 - NTFSx86 
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.273 [GMT -4:00]
Running from: C:\Documents and Settings\Jonathan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jonathan\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Documents and Settings\Jonathan\Start Menu\Programs\Startup\winupdate01690527[1].exe
C:\syscahw.exe
C:\sysgonp.exe
C:\syshrbr.exe
C:\sysinzn.exe
C:\syslkxe.exe
C:\syslpri.exe
C:\syssdcb.exe 
C:\sysxenm.exe
C:\sysxlbi.exe
C:\WINDOWS\Sm9uYXRoYW4\mA6RsrlCsqb.vbs
C:\WINDOWS\System32\cqg.dll
C:\WINDOWS\system32\delFSF.bat
C:\WINDOWS\system32\drivers\FMTR.sys
C:\WINDOWS\System32\hmadf.dll
C:\WINDOWS\system32\HOf3A5q6.dll 
C:\WINDOWS\System32\HOf3A5q6.dll
C:\WINDOWS\System32\hqt.dll
C:\WINDOWS\System32\lsth.dll
C:\WINDOWS\System32\nvldybze.dll
C:\WINDOWS\System32\rcv.dll
C:\WINDOWS\system32\systemd6.exe
C:\WINDOWS\Tasks\At1.job 
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job 
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job 
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\tsitra1000106.exe 
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\Jonathan\Start Menu\Programs\Startup\winupdate01690527[1].exe
C:\Documents and Settings\LocalService\Application Data\NetMon 
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\wsnpoem 
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\video.dll
C:\Program Files\Common Files\romo
C:\Program Files\Common Files\romo\romoa.lck
C:\Program Files\Common Files\romo\romod\class-barrel 
C:\Program Files\Common Files\romo\romod\romoc.dll
C:\Program Files\Common Files\romo\romod\vocabulary
C:\Program Files\Common Files\romo\romoh
C:\Program Files\Common Files\romo\romol.lck
C:\Program Files\Common Files\romo\romom.lck 
C:\Program Files\Common Files\romo\romop.cfg
C:\Program Files\Common Files\romo\romop.lck
C:\Program Files\ISM2
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\ISMPack6.exe
C:\Program Files\ISM2\targets.gz 
C:\syscahw.exe
C:\sysgonp.exe
C:\syshrbr.exe
C:\sysinzn.exe
C:\syslkxe.exe
C:\syslpri.exe
C:\syssdcb.exe
C:\sysxenm.exe
C:\sysxlbi.exe
C:\Temp\xOe
C:\Temp\xOe\tOasF.log
C:\UGA6P\
C:\UGA6P\ 
C:\WINDOWS\Sm9uYXRoYW4\mA6RsrlCsqb.vbs
C:\WINDOWS\system32\delFSF.bat
C:\WINDOWS\system32\dricom1
C:\WINDOWS\system32\dricom1\iscrven33.exe
C:\WINDOWS\system32\drivers\FMTR.sys
C:\WINDOWS\System32\HOf3A5q6.dll 
C:\WINDOWS\system32\HOf3A5q6.dll
C:\WINDOWS\system32\ipd2
C:\WINDOWS\system32\systemd6.exe
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\vMW02a\vMW02a1065.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job 
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job 
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job 
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\tsitra1000106.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FMTR
-------\fmtr

((((((((((((((((((((((((( Files Created from 2007-09-13 to 2007-10-13 )))))))))))))))))))))))))))))))
.

2007-10-13 09:31 264 --a------ C:\WINDOWS\system32\miglibgt.dat
2007-10-13 09:31 264 --a------ C:\WINDOWS\system32\kbddgkqf.dat
2007-10-13 09:31 264 --a------ C:\WINDOWS\system32\clusaviz.dat
2007-10-13 09:31 0 --a------ C:\WINDOWS\system32\shgitaeq.dat 
2007-10-13 09:29 9,308 --a------ C:\WINDOWS\system32\ersvmczq.dat
2007-10-13 09:29 4,129 --a------ C:\WINDOWS\system32\MSCTCAG.dat
2007-10-13 09:29 2,009 --a------ C:\WINDOWS\system32\fonteetc.dat
2007-10-13 09:29 432 --a------ C:\WINDOWS\system32\hnetmoa.dat 
2007-10-13 09:29 0 --a------ C:\WINDOWS\system32\mll_mtl.dat
2007-10-11 09:43 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-10-11 03:57 d--hs---- C:\UGA6P 
2007-10-11 03:56 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-11 03:27 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2007-10-11 03:27 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll 
2007-10-11 03:27 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2007-10-11 03:27 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2007-10-11 03:27 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll 
2007-10-11 03:27 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2007-10-09 20:24 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-05 20:09 d-------- C:\Program Files\Trend Micro
2007-10-05 17:51 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan 
2007-10-05 17:11 1,559,040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-10-05 17:11 163,840 --a------ C:\WINDOWS\system32\unrar.dll
2007-09-29 22:16 d-------- C:\Program Files\Temporary
2007-09-27 13:13 d-------- C:\Program Files\Microsoft Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-13 03:38 --------- d-----w C:\Program Files\mIRC
2007-10-13 01:57 --------- d-----w C:\Program Files\Jasc Software Inc 
2007-10-13 01:57 --------- d-----w C:\Program Files\AOD
2007-10-12 20:38 --------- d-----w C:\Program Files\SymNetDrv
2007-10-12 20:38 --------- d-----w C:\Program Files\QuickTime
2007-10-12 20:38 --------- d-----w C:\Program Files\Norton SystemWorks 
2007-10-12 20:38 --------- d-----w C:\Program Files\iTunes
2007-10-12 20:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-12 20:38 --------- d-----w C:\Program Files\AIM
2007-10-05 09:51 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\OpenOffice.org2 
2007-10-05 09:51 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\OpenOffice.org2
2007-10-03 03:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-28 02:15 2,028 ----a-w C:\Documents and Settings\Jonathan\Application Data\wklnhst.dat 
2007-09-28 02:15 2,028 ----a-w C:\Documents and Settings\Jonathan\Application Data\wklnhst.dat
2007-09-16 07:13 --------- d--h--r C:\Documents and Settings\Jonathan\Application Data\yahoo!
2007-09-16 07:13 --------- d--h--r C:\Documents and Settings\Jonathan\Application Data\yahoo! 
2007-09-16 07:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-09-16 06:58 --------- d-----w C:\Program Files\Absolute Poker Basic
2007-08-25 05:53 --------- d-----w C:\Program Files\PacificPoker 
2007-08-24 23:48 --------- d-----w C:\Program Files\Symantec
2007-08-24 23:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-08-24 23:41 --------- d-----w C:\Program Files\Ahead 
2007-08-24 23:27 --------- d-----w C:\Program Files\Canasis
2007-08-23 01:36 --------- d-----w C:\Program Files\OpenOffice.org 2.2
2007-08-22 22:13 --------- d-----w C:\Program Files\MSECache
2007-08-20 19:22 --------- d-----w C:\Program Files\Google 
2007-08-20 19:00 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\PC Tools
2007-08-20 19:00 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\PC Tools
2007-08-19 23:41 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\Uniblue 
2007-08-19 23:41 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\Uniblue
2007-08-19 23:02 --------- d-----w C:\Program Files\MSN Messenger
2007-08-18 19:55 --------- d-----w C:\Program Files\Microsoft Works 
2007-08-18 19:50 --------- d-----w C:\Program Files\iPod
2007-08-18 19:50 --------- d-----w C:\Program Files\GoldPocket
2007-08-18 19:47 --------- d-----w C:\Program Files\Broadcom Management Programs
2007-08-18 18:49 --------- d--h--w C:\Documents and Settings\Jonathan\Application Data\Move Networks 
2007-08-18 18:49 --------- d--h--w C:\Documents and Settings\Jonathan\Application Data\Move Networks
2007-01-06 08:48 64,864 ----a-w C:\Documents and Settings\Jonathan\Application Data\GDIPFONTCACHEV1.DAT
2007-01-06 08:48 64,864 ----a-w C:\Documents and Settings\Jonathan\Application Data\GDIPFONTCACHEV1.DAT 
2006-12-30 00:13 3,932 ----a-w C:\Documents and Settings\Jonathan\Application Data\LMLayout.dat
2006-12-30 00:13 3,932 ----a-w C:\Documents and Settings\Jonathan\Application Data\LMLayout.dat
2006-12-30 00:13 268 ----a-w C:\Documents and Settings\Jonathan\Application Data\LMCPaper.dat 
2006-12-30 00:13 268 ----a-w C:\Documents and Settings\Jonathan\Application Data\LMCPaper.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\Microsoft Help ----

---- Directory of C:\Program Files\Temporary ----

((((((((((((((((((((((((((((( snapshot@2007-10-10_16.30.06.63 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 233,472 2007-10-13 21:34:01 C:\WINDOWS\system32\config\systemprofile\ntuser.dat 
----a-w 16,384 2007-10-13 21:37:18 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-10-13 21:37:18 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat 
----a-w 32,768 2007-10-13 21:37:18 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 45,056 2002-09-05 14:05:46 C:\WINDOWS\system32\spool\drivers\w32x86\3\LMPDPSRV.EXE 
.
----a-w 233,472 2007-10-10 20:28:15 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
----a-w 16,384 2007-10-10 20:26:42 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-10-10 20:26:42 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat 
----a-w 49,152 2007-10-10 20:26:42 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 27,660 2007-10-06 01:54:07 C:\WINDOWS\system32\spool\drivers\w32x86\3\LMPDPSRV.EXE 
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 19:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 16:30] 
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 22:23]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 12:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-08-22 21:35] 
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-07-14 21:16]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-08-14 15:51]
"LMPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bak\LMPDPSRV.EXE" [] 
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 12:41]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 06:07] 
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-05-14 00:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 16:35]
"Uniblue RegistryBooster 2"="C:\Documents and Settings\Jonathan\Desktop\draft demo\RegistryBooster 2\RegistryBooster.exe" [] 
"PCTAVApp"="C:\Documents and Settings\Jonathan\Desktop\draft demo\PC Tools AntiVirus\PCTAV.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 02:05:26]
D-Link AirPlus G Wireless Utility.lnk - C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe [2005-11-23 18:17:46]
D-Link REG Utility.lnk - C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\Reg.exe [2005-11-23 18:17:46]
Lexmark X125 Settings Utility.lnk - C:\Program Files\Lexmark X125\LEX125SU.exe [2005-08-20 17:37:38]

S2 DgiVecp;DgiVecp;\??\C:\WINDOWS\System32\Drivers\DgiVecp.sys
S3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\System32\DRIVERS\BCMSM.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-13 17:37:41
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-13 17:39:03 - machine was rebooted 
C:\ComboFix2.txt ... 2007-10-12 22:27
C:\ComboFix3.txt ... 2007-10-10 16:30 
.
--- E O F ---


----------



## jonpistone2 (Oct 5, 2007)

And this is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:40:43 PM, on 10/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe 
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe 
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe 
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe 
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe 
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe 
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://216.76.114.124/exchweb/bin/auth/owalogon.asp?url=https://216.76.114.124/exchange&reason=0 
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll 
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file) 
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe 
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe" 
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bak\LMPDPSRV.EXE 
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start 
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" 
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Documents and Settings\Jonathan\Desktop\draft demo\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [PCTAVApp] "C:\Documents and Settings\Jonathan\Desktop\draft demo\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN 
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll 
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Documents and Settings\Jonathan\Desktop\hyplay\New Briefcase\Hello\PicasaCapture.dll (file missing) 
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Documents and Settings\Jonathan\Desktop\hyplay\New Briefcase\Hello\PicasaCapture.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing) 
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm 
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE 
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab 
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab 
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159136193374 
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab 
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.net/wr_5_8/controls/ybrequest.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159136039112
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab 
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://www.youbet.net/wr_5_8/controls/YBUICtrl.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe 
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe 
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe 
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe 
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9203 bytes


----------



## jonpistone2 (Oct 5, 2007)

thanks


----------



## Cookiegal (Aug 27, 2003)

Things are looking much better. 

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab*

Open Notepad and copy and paste the text in the quote box below into it:



> File::
> C:\WINDOWS\system32\miglibgt.dat
> C:\WINDOWS\system32\kbddgkqf.dat
> C:\WINDOWS\system32\clusaviz.dat
> ...


Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## jonpistone2 (Oct 5, 2007)

as you know (though I'm sure it doesn't hurt to remind you)....things are only looking A LOT better cause of you---ALL cause of you!!
thank you so much for spending this time with me and on this issue...it's a GREAT help!!!!


----------



## Cookiegal (Aug 27, 2003)

It's my pleasure.


----------



## jonpistone2 (Oct 5, 2007)

here is the combofix log:

ComboFix 07-10-10.1 - Jonathan 2007-10-13 20:20:08.8 - NTFSx86 
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.290 [GMT -4:00]
Running from: C:\Documents and Settings\Jonathan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jonathan\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\clusaviz.dat
C:\WINDOWS\system32\ersvmczq.dat
C:\WINDOWS\system32\fonteetc.dat
C:\WINDOWS\system32\hnetmoa.dat
C:\WINDOWS\system32\kbddgkqf.dat
C:\WINDOWS\system32\miglibgt.dat
C:\WINDOWS\system32\mll_mtl.dat
C:\WINDOWS\system32\MSCTCAG.dat
C:\WINDOWS\system32\shgitaeq.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\UGA6P
C:\WINDOWS\system32\clusaviz.dat
C:\WINDOWS\system32\ersvmczq.dat
C:\WINDOWS\system32\fonteetc.dat
C:\WINDOWS\system32\hnetmoa.dat
C:\WINDOWS\system32\kbddgkqf.dat
C:\WINDOWS\system32\miglibgt.dat
C:\WINDOWS\system32\mll_mtl.dat
C:\WINDOWS\system32\MSCTCAG.dat
C:\WINDOWS\system32\shgitaeq.dat

.
((((((((((((((((((((((((( Files Created from 2007-09-14 to 2007-10-14 )))))))))))))))))))))))))))))))
.

2007-10-13 20:20	0	--a------	C:\WINDOWS\system32\syncendj.dat
2007-10-13 20:20	0	--a------	C:\WINDOWS\system32\LMBGstT.dat
2007-10-13 20:20	0	--a------	C:\WINDOWS\system32\kbdew.dat
2007-10-13 20:20	0	--a------	C:\WINDOWS\system32\dx8vmdk.dat
2007-10-13 09:29	153	--a------	C:\WINDOWS\system32\hnetmoa.dat
2007-10-11 09:43 d--------	C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-10-11 03:56	24,064	--a------	C:\WINDOWS\system32\msxml3a.dll
2007-10-11 03:27	8,704	--a--c---	C:\WINDOWS\system32\dllcache\kbdjpn.dll
2007-10-11 03:27	8,192	--a--c---	C:\WINDOWS\system32\dllcache\kbdkor.dll
2007-10-11 03:27	6,144	--a--c---	C:\WINDOWS\system32\dllcache\kbd106.dll
2007-10-11 03:27	6,144	--a--c---	C:\WINDOWS\system32\dllcache\kbd101c.dll
2007-10-11 03:27	6,144	--a--c---	C:\WINDOWS\system32\dllcache\kbd101b.dll
2007-10-11 03:27	5,632	--a--c---	C:\WINDOWS\system32\dllcache\kbd103.dll
2007-10-09 20:24	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-10-05 20:09 d--------	C:\Program Files\Trend Micro
2007-10-05 17:51 d--------	C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-10-05 17:11	1,559,040	--a------	C:\WINDOWS\system32\xvidcore.dll
2007-10-05 17:11	163,840	--a------	C:\WINDOWS\system32\unrar.dll
2007-09-29 22:16 d--------	C:\Program Files\Temporary
2007-09-27 13:13 d--------	C:\Program Files\Microsoft Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-13 23:09	---------	d-----w	C:\Program Files\mIRC
2007-10-13 01:57	---------	d-----w	C:\Program Files\Jasc Software Inc
2007-10-13 01:57	---------	d-----w	C:\Program Files\AOD
2007-10-12 20:38	---------	d-----w	C:\Program Files\SymNetDrv
2007-10-12 20:38	---------	d-----w	C:\Program Files\QuickTime
2007-10-12 20:38	---------	d-----w	C:\Program Files\Norton SystemWorks
2007-10-12 20:38	---------	d-----w	C:\Program Files\iTunes
2007-10-12 20:38	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2007-10-12 20:38	---------	d-----w	C:\Program Files\AIM
2007-10-05 09:51	---------	d-----w	C:\Documents and Settings\Jonathan\Application Data\OpenOffice.org2
2007-10-05 09:51	---------	d-----w	C:\Documents and Settings\Jonathan\Application Data\OpenOffice.org2
2007-10-03 03:50	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-09-28 02:15	2,028	----a-w	C:\Documents and Settings\Jonathan\Application Data\wklnhst.dat
2007-09-28 02:15	2,028	----a-w	C:\Documents and Settings\Jonathan\Application Data\wklnhst.dat
2007-09-16 07:13	---------	d--h--r	C:\Documents and Settings\Jonathan\Application Data\yahoo!
2007-09-16 07:13	---------	d--h--r	C:\Documents and Settings\Jonathan\Application Data\yahoo!
2007-09-16 07:13	---------	d-----w	C:\Documents and Settings\All Users\Application Data\yahoo!
2007-09-16 06:58	---------	d-----w	C:\Program Files\Absolute Poker Basic
2007-09-07 21:25	184,320	----a-w	C:\WINDOWS\system32\uQP7Jy03.dll
2007-09-07 21:25	184,320	----a-w	C:\WINDOWS\system32\q633FLwP.dll
2007-09-07 02:42	184,320	----a-w	C:\WINDOWS\system32\qm2U0L0N.dll
2007-09-06 19:27	712,704	----a-w	C:\WINDOWS\system32\rlph.dll
2007-09-06 02:26	184,320	----a-w	C:\WINDOWS\system32\i10oUVF4.dll
2007-08-30 05:38	26,176	----a-w	C:\WINDOWS\system32\Tfy6e514.exe
2007-08-25 05:53	---------	d-----w	C:\Program Files\PacificPoker
2007-08-24 23:48	---------	d-----w	C:\Program Files\Symantec
2007-08-24 23:43	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2007-08-24 23:41	---------	d-----w	C:\Program Files\Ahead
2007-08-24 23:27	---------	d-----w	C:\Program Files\Canasis
2007-08-23 01:36	---------	d-----w	C:\Program Files\OpenOffice.org 2.2
2007-08-22 22:13	---------	d-----w	C:\Program Files\MSECache
2007-08-20 19:22	---------	d-----w	C:\Program Files\Google
2007-08-20 19:00	---------	d-----w	C:\Documents and Settings\Jonathan\Application Data\PC Tools
2007-08-20 19:00	---------	d-----w	C:\Documents and Settings\Jonathan\Application Data\PC Tools
2007-08-19 23:41	---------	d-----w	C:\Documents and Settings\Jonathan\Application Data\Uniblue
2007-08-19 23:41	---------	d-----w	C:\Documents and Settings\Jonathan\Application Data\Uniblue
2007-08-19 23:02	---------	d-----w	C:\Program Files\MSN Messenger
2007-08-18 19:55	---------	d-----w	C:\Program Files\Microsoft Works
2007-08-18 19:50	---------	d-----w	C:\Program Files\iPod
2007-08-18 19:50	---------	d-----w	C:\Program Files\GoldPocket
2007-08-18 19:47	---------	d-----w	C:\Program Files\Broadcom Management Programs
2007-08-18 18:49	---------	d--h--w	C:\Documents and Settings\Jonathan\Application Data\Move Networks
2007-08-18 18:49	---------	d--h--w	C:\Documents and Settings\Jonathan\Application Data\Move Networks
2007-01-06 08:48	64,864	----a-w	C:\Documents and Settings\Jonathan\Application Data\GDIPFONTCACHEV1.DAT
2007-01-06 08:48	64,864	----a-w	C:\Documents and Settings\Jonathan\Application Data\GDIPFONTCACHEV1.DAT
2006-12-30 00:13	3,932	----a-w	C:\Documents and Settings\Jonathan\Application Data\LMLayout.dat
2006-12-30 00:13	3,932	----a-w	C:\Documents and Settings\Jonathan\Application Data\LMLayout.dat
2006-12-30 00:13	268	----a-w	C:\Documents and Settings\Jonathan\Application Data\LMCPaper.dat
2006-12-30 00:13	268	----a-w	C:\Documents and Settings\Jonathan\Application Data\LMCPaper.dat
.

((((((((((((((((((((((((((((( [email protected]_16.30.06.63 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 233,472 2007-10-14 00:20:06 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
----a-w 16,384 2007-10-13 21:37:18 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-10-13 21:37:18 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-10-13 21:37:18 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 45,056 2002-09-05 14:05:46 C:\WINDOWS\system32\spool\drivers\w32x86\3\LMPDPSRV.EXE
.
----a-w 233,472 2007-10-10 20:28:15 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
----a-w 16,384 2007-10-10 20:26:42 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-10-10 20:26:42 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 49,152 2007-10-10 20:26:42 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 27,660 2007-10-06 01:54:07 C:\WINDOWS\system32\spool\drivers\w32x86\3\LMPDPSRV.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 19:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 16:30]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 22:23]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 12:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-08-22 21:35]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-07-14 21:16]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-08-14 15:51]
"LMPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bak\LMPDPSRV.EXE" []
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 12:41]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 06:07]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-05-14 00:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 16:35]
"Uniblue RegistryBooster 2"="C:\Documents and Settings\Jonathan\Desktop\draft demo\RegistryBooster 2\RegistryBooster.exe" []
"PCTAVApp"="C:\Documents and Settings\Jonathan\Desktop\draft demo\PC Tools AntiVirus\PCTAV.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 02:05:26]
D-Link AirPlus G Wireless Utility.lnk - C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe [2005-11-23 18:17:46]
D-Link REG Utility.lnk - C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\Reg.exe [2005-11-23 18:17:46]
Lexmark X125 Settings Utility.lnk - C:\Program Files\Lexmark X125\LEX125SU.exe [2005-08-20 17:37:38]

S2 DgiVecp;DgiVecp;\??\C:\WINDOWS\System32\Drivers\DgiVecp.sys
S3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\System32\DRIVERS\BCMSM.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-13 20:20:54
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-13 20:21:22
C:\ComboFix2.txt ... 2007-10-13 17:39
C:\ComboFix3.txt ... 2007-10-12 22:27
.
--- E O F ---


----------



## jonpistone2 (Oct 5, 2007)

and here is the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:12 PM, on 10/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Java\jre1.6.0\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://216.76.114.124/exchweb/bin/auth/owalogon.asp?url=https://216.76.114.124/exchange&reason=0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bak\LMPDPSRV.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Documents and Settings\Jonathan\Desktop\draft demo\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [PCTAVApp] "C:\Documents and Settings\Jonathan\Desktop\draft demo\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Documents and Settings\Jonathan\Desktop\hyplay\New Briefcase\Hello\PicasaCapture.dll (file missing)
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Documents and Settings\Jonathan\Desktop\hyplay\New Briefcase\Hello\PicasaCapture.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159136193374
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.net/wr_5_8/controls/ybrequest.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159136039112
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://www.youbet.net/wr_5_8/controls/YBUICtrl.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8593 bytes


----------



## Cookiegal (Aug 27, 2003)

Download GMER from: http://gmer.net/index.php

Save it somewhere on your hard drive and unzip it to your desktop.

Double click the gmer.exe to run it and select the rootkit tab and press scan. When the scan is done, click *Copy*. This will copy the report to the clipboard. Paste it into Notepad and save it and also paste the log report back here please.

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.

In the *Processes * group click *ALL* 
In the *Win32 Services * group click *ALL* 
In the *Driver Services * group click *ALL* 
In the *Registry * group click *ALL* 
In the *Files Created Within* group click *60 days*. Make sure Non-Microsoft only is *UNCHECKED*.
In the *Files Modified Within* group select *30 days*. Make sure Non-Microsoft only is *UNCHECKED*.
In the *File String Search* group select *ALL*.
In the *Additional Scans* section please select *ALL*.
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
Please post the resulting log here as an attachment.


----------



## jonpistone2 (Oct 5, 2007)

here is the first part from GMER 1.0.13 (it had to be broken into a few parts)

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-10-13 21:07:58
Windows 5.1.2600 Service Pack 1

---- System - GMER 1.0.13 ----

SSDT 8220F218 ZwConnectPort

---- Kernel code sections - GMER 1.0.13 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 188 80502604 4 Bytes [ 18, F2, 20, 82 ]
? ComboFix.sys The system cannot find the file specified.


----------



## jonpistone2 (Oct 5, 2007)



----------



## jonpistone2 (Oct 5, 2007)



----------



## jonpistone2 (Oct 5, 2007)



----------



## jonpistone2 (Oct 5, 2007)


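For triaging GMER output of the kind jonpistone2 posted, here is an added example (not part of this thread, and not a GMER or HijackThis component): it parses the `IAT <process>[pid] @ <module> [<dll>!<function>] <address>` and `.text <target> <address> <n> Bytes [..]` line formats, flags a handler address that hooks imports across many modules of unrelated processes, and flags inline patches that begin with E9 (an x86 JMP). The sample lines are constructed to mirror the posted log's format; the function names `parse_gmer`, `shared_hook_handlers`, `detour_patches` and `triage_report` are this example's own.

```python
"""Triage helper for GMER "User code sections" and "User IAT/EAT" output.

Added example, not part of the forum thread and not a GMER component. It
reads the two line formats that appear in the posted log and reports the
patterns a responder looks for: one handler address hooking the same
imports in many modules of unrelated processes, and inline patches that
begin with E9 (x86 JMP rel32), i.e. a detour placed at the function entry.
"""
import re
from collections import defaultdict

# IAT <process>[pid] @ <module> [<dll>!<function>] <handler address>
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>.+?)\s+"
    r"\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\]\s+(?P<addr>[0-9A-Fa-f]{8})\s*$"
)
# .text <target> <address> <n> Byte(s) [ xx, xx, ... ]
INLINE_RE = re.compile(
    r"^\.text\s+(?P<where>.+?)\s+(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<n>\d+)\s+Bytes?\s+\[\s*(?P<bytes>[^\]]*?)\s*\]\s*$"
)

# Constructed sample in the posted log's format (a handful of lines, not the
# full dump); process names, modules and addresses are illustrative only.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.13 ----

.text ntdll.dll!NtCreateSection 77F75A21 1 Byte [ E9 ]
.text ntdll.dll!NtCreateSection + 2 77F75A23 3 Bytes [ 12, 0C, FA ]

---- User IAT/EAT - GMER 1.0.13 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2760] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] 7FF82A20
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2760] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] 7FF82340
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2760] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] 7FF82A20
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2760] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] 7FF82A20
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2760] @ C:\WINDOWS\system32\SHLWAPI.dll [ADVAPI32.dll!RegSetValueExA] 7FF81FE0
IAT C:\WINDOWS\explorer.exe[2764] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] 7FF82A20
IAT C:\WINDOWS\explorer.exe[2764] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] 7FF82340
IAT C:\WINDOWS\explorer.exe[2764] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] 7FF82A20
IAT C:\WINDOWS\explorer.exe[2764] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!RegSetValueExA] 7FF81FE0
"""


def parse_gmer(text):
    """Return one dict per recognised hook line; section headers and blanks are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):
            continue
        m = IAT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["kind"] = "iat"
            records.append(rec)
            continue
        m = INLINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["kind"] = "inline"
            rec["bytes"] = [b.strip().upper() for b in rec["bytes"].split(",") if b.strip()]
            records.append(rec)
    return records


def shared_hook_handlers(records, min_modules=3, min_processes=2):
    """Handler addresses that hook imports in at least min_modules modules of at
    least min_processes processes. One address serving many modules of unrelated
    processes means the same hooking code sits at the same place in each of them,
    which is what a single injected hook library produces."""
    by_addr = defaultdict(lambda: {"functions": set(), "modules": set(), "processes": set()})
    for r in records:
        if r["kind"] != "iat":
            continue
        slot = by_addr[r["addr"].upper()]
        slot["functions"].add(f"{r['dll']}!{r['func']}")
        slot["modules"].add(r["module"])
        slot["processes"].add(f"{r['proc']}[{r['pid']}]")
    return {addr: s for addr, s in by_addr.items()
            if len(s["modules"]) >= min_modules and len(s["processes"]) >= min_processes}


def detour_patches(records):
    """Inline patches whose first byte is E9 (x86 JMP rel32): the function entry
    has been redirected to code somewhere else."""
    return [(r["where"], r["addr"].upper()) for r in records
            if r["kind"] == "inline" and r["bytes"] and r["bytes"][0] == "E9"]


def triage_report(text):
    """Human-readable summary of what the two checks found, one finding per line."""
    records = parse_gmer(text)
    lines = []
    for where, addr in detour_patches(records):
        lines.append(f"inline JMP detour at {addr}: {where}")
    for addr, s in sorted(shared_hook_handlers(records).items()):
        lines.append(
            f"handler {addr} hooks {len(s['functions'])} import(s) in "
            f"{len(s['modules'])} module(s) of {len(s['processes'])} process(es): "
            + ", ".join(sorted(s["functions"]))
        )
    return lines


if __name__ == "__main__":
    for finding in triage_report(SAMPLE_LOG):
        print(finding)
```

Legitimate security products also hook imports, so a flagged handler is a lead to verify against the owning module, not a verdict by itself.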

----------



## jonpistone2 (Oct 5, 2007)

I put them both into an attachment form, first is the GMER file---sorry for the long posts earlier...
Jon


----------



## Cookiegal (Aug 27, 2003)

No worries.  

That only contains the GMER log though so you'll also have to upload the WinpFind3u log.

I won't be able to look at it until sometime tomorrow as I'm signing off for the night now.


----------



## jonpistone2 (Oct 5, 2007)

This file was 688K and it said the max attachment was 500K...so I broke it into two parts for you....


----------



## jonpistone2 (Oct 5, 2007)

Okay...this should have the other log that you wanted (though as I said I had to break it off into two parts so it would fit)...thanks again!! Have a nice night.
When you get a chance tomorrow, let me know what it is you want me to do next.


----------



## Cookiegal (Aug 27, 2003)

Do you recognize this picture on your desktop? It seems to have arrived on the same date as part of the infection and it's suspect. If you don't, then delete it manually:

*Rajs Great Picture.bmp*

Disconnect from the Internet and disable your anti-virus and firewall programs. *Be sure to remember to re-start them before going on-line again.*

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program. Copy and paste the information in the code box below into the pane where it says "Paste fix here" and then click the Run Fix button. The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

Post the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log) back here along with a new HijackThis log please.


```
[Kill Explorer]
[Unregister Dlls]
[Registry - All]
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Data - Value does not exist [Reg Data - Value does not exist]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {11B97CF9-C40E-4127-801D-0FE00EB35705} [HKLM] -> %ProgramFiles%\ISM\BndDrive5.dll [Internet Speed Monitor]
[Registry - Additional Scans - All]
< Uninstall List > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
YN -> {3248F0A8-6813-11D6-A77B-00B0D0150120} -> J2SE Runtime Environment 5.0 Update 12
YN -> {7148F0A8-6813-11D6-A77B-00B0D0142070} -> Java 2 Runtime Environment, SE v1.4.2_07
YN -> ISM -> Internet Speed Monitor
[Files/Folders - Created Within 60 days]
NY -> 15B.tmp -> %SystemDrive%\15B.tmp
NY -> 15D.tmp -> %SystemDrive%\15D.tmp
NY -> 160.tmp -> %SystemDrive%\160.tmp
NY -> 162.tmp -> %SystemDrive%\162.tmp
NY -> 16A.tmp -> %SystemDrive%\16A.tmp
NY -> 16C.tmp -> %SystemDrive%\16C.tmp
NY -> 172.tmp -> %SystemDrive%\172.tmp
NY -> 50.tmp -> %SystemDrive%\50.tmp
NY -> 51.tmp -> %SystemDrive%\51.tmp
NY -> 66E.tmp -> %SystemDrive%\66E.tmp
NY -> 66F.tmp -> %SystemDrive%\66F.tmp
NY -> 671.tmp -> %SystemDrive%\671.tmp
NY -> 680.tmp -> %SystemDrive%\680.tmp
NY -> 682.tmp -> %SystemDrive%\682.tmp
NY -> 685.tmp -> %SystemDrive%\685.tmp
NY -> A83.tmp -> %SystemDrive%\A83.tmp
NY -> A84.tmp -> %SystemDrive%\A84.tmp
NY -> A9D.tmp -> %SystemDrive%\A9D.tmp
NY -> C5.tmp -> %SystemDrive%\C5.tmp
NY -> C6.tmp -> %SystemDrive%\C6.tmp
NY -> C7.tmp -> %SystemDrive%\C7.tmp
NY -> C8.tmp -> %SystemDrive%\C8.tmp
NY -> retadpu11.exe.tmp -> %SystemRoot%\retadpu11.exe.tmp
NY -> System32KBRunOnce2.tm_ -> %System32%KBRunOnce2.tm_
NY -> System32KBRunOnce2.t__ -> %System32%KBRunOnce2.t__
NY -> coedgagi.ini -> %System32%\coedgagi.ini
NY -> dpmodeex.dat -> %System32%\dpmodeex.dat
NY -> dx8vmdk.dat -> %System32%\dx8vmdk.dat
NY -> hnetmoa.dat -> %System32%\hnetmoa.dat
NY -> i10oUVF4.dll -> %System32%\i10oUVF4.dll
NY -> inetcamm.dat -> %System32%\inetcamm.dat
NY -> kbdew.dat -> %System32%\kbdew.dat
NY -> KBRunOnce2.t__ -> %System32%\KBRunOnce2.t__
NY -> LMBGstT.dat -> %System32%\LMBGstT.dat
NY -> mchgrpoi.dat -> %System32%\mchgrpoi.dat
NY -> q633FLwP.dll -> %System32%\q633FLwP.dll
NY -> qm2U0L0N.dll -> %System32%\qm2U0L0N.dll
NY -> sspdwwru.tmp -> %System32%\sspdwwru.tmp
NY -> syncendj.dat -> %System32%\syncendj.dat
NY -> Tfy6e514.exe -> %System32%\Tfy6e514.exe
NY -> uQP7Jy03.dll -> %System32%\uQP7Jy03.dll
NY -> usrlyva.dat -> %System32%\usrlyva.dat
NY -> KB_2874.tpk -> %UserDesktop%\KB_2874.tpk
NY -> klcodec345b.exe -> %UserDesktop%\klcodec345b.exe
NY -> klcp_codec_log.txt -> %UserDesktop%\klcp_codec_log.txt
[Files/Folders - Modified Within 30 days]
NY -> 15B.tmp -> %SystemDrive%\15B.tmp
NY -> 15D.tmp -> %SystemDrive%\15D.tmp
NY -> 160.tmp -> %SystemDrive%\160.tmp
NY -> 162.tmp -> %SystemDrive%\162.tmp
NY -> 16A.tmp -> %SystemDrive%\16A.tmp
NY -> 16C.tmp -> %SystemDrive%\16C.tmp
NY -> 172.tmp -> %SystemDrive%\172.tmp
NY -> 50.tmp -> %SystemDrive%\50.tmp
NY -> 51.tmp -> %SystemDrive%\51.tmp
NY -> C5.tmp -> %SystemDrive%\C5.tmp
NY -> C6.tmp -> %SystemDrive%\C6.tmp
NY -> C7.tmp -> %SystemDrive%\C7.tmp
NY -> C8.tmp -> %SystemDrive%\C8.tmp
NY -> Sm9uYXRoYW4 -> %SystemRoot%\Sm9uYXRoYW4
NY -> System32KBRunOnce2.tm_ -> %System32%KBRunOnce2.tm_
NY -> System32KBRunOnce2.t__ -> %System32%KBRunOnce2.t__
NY -> coedgagi.ini -> %System32%\coedgagi.ini
NY -> dpmodeex.dat -> %System32%\dpmodeex.dat
NY -> dx8vmdk.dat -> %System32%\dx8vmdk.dat
NY -> hnetmoa.dat -> %System32%\hnetmoa.dat
NY -> inetcamm.dat -> %System32%\inetcamm.dat
NY -> kbdew.dat -> %System32%\kbdew.dat
NY -> KBRunOnce2.t__ -> %System32%\KBRunOnce2.t__
NY -> LMBGstT.dat -> %System32%\LMBGstT.dat
NY -> mchgrpoi.dat -> %System32%\mchgrpoi.dat
NY -> sspdwwru.tmp -> %System32%\sspdwwru.tmp
NY -> syncendj.dat -> %System32%\syncendj.dat
NY -> systemdrv32.aso -> %System32%\systemdrv32.aso
NY -> usrlyva.dat -> %System32%\usrlyva.dat
[File String Scan - All]
NY -> UPX! , -> %SystemDrive%\160.tmp
NY -> SAHAgent , -> %SystemRoot%\0e3uch7b.exe
NY -> UPX! , -> %SystemRoot%\retadpu11.exe.tmp
NY -> PEC2 , PECompact2 , -> %System32%\efcuiv.dll
NY -> PEC2 , PECompact2 , -> %System32%\frudo.dll
NY -> UPX! , UPX0 , -> %System32%\hnetmoa.dIl
NY -> UPX! , UPX0 , -> %System32%\Tfy6e514.exe
NY -> PEC2 , PECompact2 , -> %System32%\trcok.dll
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```


----------
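The fix script above removes, among other things, files that the WinPFind3u file string scan flagged for packer markers (UPX!, UPX0, PEC2, PECompact2) and a file named hnetmoa.dIl, whose extension is spelled with a capital I rather than the lowercase l of .dll. The following Python is an added example, not part of this thread or of WinPFind3u, that runs those two checks over a directory from the defender's side: it reads the head of each file for the marker strings and flags extensions that only imitate a code extension. The marker list, the confusable-character mapping and the sample files (written to a temporary directory) are constructed for illustration.

```python
"""Triage pass over a directory: flag files carrying packer marker strings
(the UPX!/PEC2/PECompact2 markers the WinPFind3u file string scan reports)
and file names whose extension only looks like .dll/.exe.
Constructed sample files are written to a temporary directory so the script
runs offline; it never touches a real system directory."""
import os
import tempfile

# Marker strings a packed PE commonly carries in its stub or section table.
# Assumed list for illustration; it mirrors the markers named in the fix script.
PACKER_MARKERS = {
    b"UPX!": "UPX",
    b"UPX0": "UPX",
    b"PEC2": "PECompact2",
    b"PECompact2": "PECompact2",
}

# Extensions Windows loads as code. A name such as "hnetmoa.dIl" (capital I,
# not lowercase L) is not one of these, yet reads as one in a listing.
EXECUTABLE_EXTS = {".dll", ".exe", ".sys", ".ocx", ".scr"}

# Confusable mapping (assumed for illustration): I and 1 read as l, 0 as o.
_CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o"})


def lookalike_extension(name):
    """Return the executable extension a file name imitates, or None.
    The real extension is compared case-insensitively; only when it is not
    itself a code extension, but becomes one after folding confusable
    characters, is it reported."""
    ext = os.path.splitext(name)[1]
    if not ext or ext.lower() in EXECUTABLE_EXTS:
        return None
    folded = ext.lower().translate(_CONFUSABLES)
    return folded if folded in EXECUTABLE_EXTS else None


def scan_for_markers(data):
    """Return the sorted packer names whose marker strings occur in data."""
    return sorted({packer for marker, packer in PACKER_MARKERS.items() if marker in data})


def triage_directory(path):
    """Walk path and return a sorted list of (relative path, findings) for
    every file that hits at least one heuristic. Only the first 64 KiB of
    each file is read; the markers of interest sit near the PE headers."""
    findings = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            hits = []
            ext = lookalike_extension(name)
            if ext:
                hits.append("extension imitates " + ext)
            with open(full, "rb") as fh:
                head = fh.read(64 * 1024)
            for packer in scan_for_markers(head):
                hits.append("packed with " + packer)
            if hits:
                findings.append((os.path.relpath(full, path), hits))
    return sorted(findings)


def build_sample_tree():
    """Write a constructed sample tree (not the poster's files) and return its root."""
    base = tempfile.mkdtemp(prefix="triage_")
    sys32 = os.path.join(base, "System32")
    os.makedirs(sys32)
    samples = {
        # lookalike extension plus UPX section names
        "hnetmoa.dIl": b"MZ" + b"\0" * 62 + b"UPX0" + b"\0" * 8 + b"UPX!",
        # ordinary extension, PECompact2 markers
        "trcok.dll": b"MZ" + b"\0" * 62 + b"PEC2" + b"PECompact2",
        # clean-looking PE with normal section names
        "kernel32.dll": b"MZ" + b"\0" * 62 + b".text" + b"\0" * 8 + b".rdata",
        # plain text config, no findings expected
        "coedgagi.ini": b"[settings]\r\nkey=value\r\n",
    }
    for name, content in samples.items():
        with open(os.path.join(sys32, name), "wb") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    for rel, hits in triage_directory(build_sample_tree()):
        print(rel, "->", "; ".join(hits))
```

Run on the constructed tree it reports hnetmoa.dIl twice (lookalike extension and UPX markers) and trcok.dll once (PECompact2), and stays silent on the clean PE and the .ini file. A packed file in System32 is not proof of malware on its own; the point of the pass is to shortlist what to look at first.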



## jonpistone2 (Oct 5, 2007)

Yes, that's a picture a friend of mine took on his digital camera and then sent me in an email--it's of our friends at a recent wedding (I deleted it though just in case)...

I had Norton AntiVirus but (as you may be able to see) I was trying to remove it because I heard mixed reviews about it...and have been searching online for good anti-virus protection (at a low cost)...could you suggest any please?? (or even a trial version I could get online until I get to the store to buy one?)


----------



## jonpistone2 (Oct 5, 2007)

This is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:32 PM, on 10/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://216.76.114.124/exchweb/bin/auth/owalogon.asp?url=https://216.76.114.124/exchange&reason=0
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bak\LMPDPSRV.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Documents and Settings\Jonathan\Desktop\draft demo\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [PCTAVApp] "C:\Documents and Settings\Jonathan\Desktop\draft demo\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Documents and Settings\Jonathan\Desktop\hyplay\New Briefcase\Hello\PicasaCapture.dll (file missing)
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Documents and Settings\Jonathan\Desktop\hyplay\New Briefcase\Hello\PicasaCapture.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159136193374
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.net/wr_5_8/controls/ybrequest.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159136039112
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://www.youbet.net/wr_5_8/controls/YBUICtrl.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8589 bytes


----------
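The HijackThis log above is plain text with one entry per line, so the triage a helper does by eye can be scripted. This Python is an added example (editor's code, not HijackThis or its Analyse This feature): it parses O4, O9, O23 and R3 lines into fields and applies rules drawn from this thread, namely targets marked (file missing), autoruns launched from a bak folder (the pattern FindAWF searches for) or from a user profile path, services without a recorded publisher, and a missing default URLSearchHook. The sample lines are an excerpt from the log above; the rules and their wording are assumptions for illustration.

```python
"""Parse HijackThis log lines into structured entries and apply a few
defender-side triage rules. Added example; the rules are the editor's own."""
import re

# One regex per section handled. Paths contain ':' so the hive/kind group
# stops at the first colon, which is the one after the section label.
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O9_RE = re.compile(r"^O9 - (?P<kind>[^:]+): (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Excerpt from the log above (seven entries are enough to exercise every rule).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bak\LMPDPSRV.EXE
O4 - HKCU\..\Run: [PCTAVApp] "C:\Documents and Settings\Jonathan\Desktop\draft demo\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""


def parse_entry(line):
    """Turn one HijackThis line into a dict carrying the section and its
    fields, or None for lines (and sections) this example does not handle."""
    m = O4_RE.match(line)
    if m:
        return {"section": "O4", "hive": m["hive"], "name": m["name"], "path": m["cmd"]}
    m = O9_RE.match(line)
    if m:
        return {"section": "O9", "clsid": m["clsid"], "name": m["name"], "path": m["path"]}
    m = O23_RE.match(line)
    if m:
        return {"section": "O23", "owner": m["owner"], "name": m["name"], "path": m["path"]}
    if line.startswith("R3 - ") and "missing" in line:
        return {"section": "R3", "name": line[5:], "path": ""}
    return None


def triage_entry(entry):
    """Apply the triage rules to one parsed entry and return the findings."""
    findings = []
    low = entry["path"].lower()
    if "(file missing)" in low:
        findings.append("dead entry: target file missing")
    if "\\bak\\" in low:
        findings.append("runs from a bak folder (pattern FindAWF looks for)")
    if "\\documents and settings\\" in low:
        findings.append("autorun from a user-writable profile path")
    if entry["section"] == "O23" and entry.get("owner") == "Unknown owner":
        findings.append("service has no publisher recorded")
    if entry["section"] == "R3":
        findings.append("default URLSearchHook missing; reset with HijackThis")
    return findings


def triage_log(text):
    """Return [(section, name, findings)] for every entry that raised a finding,
    in log order."""
    results = []
    for line in text.strip().splitlines():
        entry = parse_entry(line.rstrip())
        if entry is None:
            continue
        findings = triage_entry(entry)
        if findings:
            results.append((entry["section"], entry["name"], findings))
    return results


if __name__ == "__main__":
    for section, name, findings in triage_log(SAMPLE_LOG):
        print(f"{section} {name}: {'; '.join(findings)}")
```

On the excerpt the script lists five entries: the missing URLSearchHook, LMPDPSRV in its bak folder, the PC Tools autorun under the user's Desktop (a user-writable location, so worth a look even though it is a legitimate product), the dead PartyPoker button, and the Atheros service with no publisher. The Synaptics autorun and the Symantec service raise nothing.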



## jonpistone2 (Oct 5, 2007)

And the log from WinPFind3u:

Explorer killed successfully
[Registry - All]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{11B97CF9-C40E-4127-801D-0FE00EB35705} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11B97CF9-C40E-4127-801D-0FE00EB35705} deleted successfully.
[Registry - Additional Scans - All]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150120} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7148F0A8-6813-11D6-A77B-00B0D0142070} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISM deleted successfully.
[Files/Folders - Created Within 60 days]
C:\15B.tmp moved successfully.
C:\15D.tmp moved successfully.
C:\160.tmp moved successfully.
C:\162.tmp moved successfully.
C:\16A.tmp moved successfully.
C:\16C.tmp moved successfully.
C:\172.tmp moved successfully.
C:\50.tmp moved successfully.
C:\51.tmp moved successfully.
C:\66E.tmp moved successfully.
C:\66F.tmp moved successfully.
C:\671.tmp moved successfully.
C:\680.tmp moved successfully.
C:\682.tmp moved successfully.
C:\685.tmp moved successfully.
C:\A83.tmp moved successfully.
C:\A84.tmp moved successfully.
C:\A9D.tmp moved successfully.
C:\C5.tmp moved successfully.
C:\C6.tmp moved successfully.
C:\C7.tmp moved successfully.
C:\C8.tmp moved successfully.
C:\WINDOWS\retadpu11.exe.tmp moved successfully.
C:\WINDOWS\SYSTEM32KBRunOnce2.tm_ moved successfully.
C:\WINDOWS\SYSTEM32KBRunOnce2.t__ moved successfully.
C:\WINDOWS\SYSTEM32\coedgagi.ini moved successfully.
C:\WINDOWS\SYSTEM32\dpmodeex.dat moved successfully.
File move failed. C:\WINDOWS\SYSTEM32\dx8vmdk.dat scheduled to be moved on reboot.
C:\WINDOWS\SYSTEM32\hnetmoa.dat moved successfully.
C:\WINDOWS\SYSTEM32\i10oUVF4.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\i10oUVF4.dll moved successfully.
C:\WINDOWS\SYSTEM32\inetcamm.dat moved successfully.
File move failed. C:\WINDOWS\SYSTEM32\kbdew.dat scheduled to be moved on reboot.
C:\WINDOWS\SYSTEM32\KBRunOnce2.t__ moved successfully.
File move failed. C:\WINDOWS\SYSTEM32\LMBGstT.dat scheduled to be moved on reboot.
C:\WINDOWS\SYSTEM32\mchgrpoi.dat moved successfully.
C:\WINDOWS\SYSTEM32\q633FLwP.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\q633FLwP.dll moved successfully.
C:\WINDOWS\SYSTEM32\qm2U0L0N.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\qm2U0L0N.dll moved successfully.
C:\WINDOWS\SYSTEM32\sspdwwru.tmp moved successfully.
File move failed. C:\WINDOWS\SYSTEM32\syncendj.dat scheduled to be moved on reboot.
C:\WINDOWS\SYSTEM32\Tfy6e514.exe moved successfully.
C:\WINDOWS\SYSTEM32\uQP7Jy03.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\uQP7Jy03.dll moved successfully.
C:\WINDOWS\SYSTEM32\usrlyva.dat moved successfully.
C:\Documents and Settings\Jonathan\Desktop\KB_2874.tpk moved successfully.
C:\Documents and Settings\Jonathan\Desktop\klcodec345b.exe moved successfully.
C:\Documents and Settings\Jonathan\Desktop\klcp_codec_log.txt moved successfully.
[Files/Folders - Modified Within 30 days]
File C:\15B.tmp not found!
File C:\15D.tmp not found!
File C:\160.tmp not found!
File C:\162.tmp not found!
File C:\16A.tmp not found!
File C:\16C.tmp not found!
File C:\172.tmp not found!
File C:\50.tmp not found!
File C:\51.tmp not found!
File C:\C5.tmp not found!
File C:\C6.tmp not found!
File C:\C7.tmp not found!
File C:\C8.tmp not found!
C:\WINDOWS\Sm9uYXRoYW4 moved successfully.
File C:\WINDOWS\SYSTEM32KBRunOnce2.tm_ not found!
File C:\WINDOWS\SYSTEM32KBRunOnce2.t__ not found!
File C:\WINDOWS\SYSTEM32\coedgagi.ini not found!
File C:\WINDOWS\SYSTEM32\dpmodeex.dat not found!
File move failed. C:\WINDOWS\SYSTEM32\dx8vmdk.dat scheduled to be moved on reboot.
File C:\WINDOWS\SYSTEM32\hnetmoa.dat not found!
File C:\WINDOWS\SYSTEM32\inetcamm.dat not found!
File move failed. C:\WINDOWS\SYSTEM32\kbdew.dat scheduled to be moved on reboot.
File C:\WINDOWS\SYSTEM32\KBRunOnce2.t__ not found!
File move failed. C:\WINDOWS\SYSTEM32\LMBGstT.dat scheduled to be moved on reboot.
File C:\WINDOWS\SYSTEM32\mchgrpoi.dat not found!
File C:\WINDOWS\SYSTEM32\sspdwwru.tmp not found!
File move failed. C:\WINDOWS\SYSTEM32\syncendj.dat scheduled to be moved on reboot.
C:\WINDOWS\SYSTEM32\systemdrv32.aso moved successfully.
File C:\WINDOWS\SYSTEM32\usrlyva.dat not found!
[File String Scan - All]
File C:\160.tmp not found!
C:\WINDOWS\0e3uch7b.exe moved successfully.
File C:\WINDOWS\retadpu11.exe.tmp not found!
C:\WINDOWS\SYSTEM32\efcuiv.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\efcuiv.dll moved successfully.
C:\WINDOWS\SYSTEM32\frudo.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\frudo.dll moved successfully.
C:\WINDOWS\SYSTEM32\hnetmoa.dIl moved successfully.
File C:\WINDOWS\SYSTEM32\Tfy6e514.exe not found!
C:\WINDOWS\SYSTEM32\trcok.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\trcok.dll moved successfully.
[Empty Temp Folders]
C:\DOCUME~1\Jonathan\LOCALS~1\Temp\ -> emptied.
C:\Documents and Settings\Jonathan\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
Explorer started successfully
< End of log >
Created on 10/14/2007 16:30:28


----------



## Cookiegal (Aug 27, 2003)

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bak\LMPDPSRV.EXE*

Delete these folders:
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\*bak*
C:\*Qoobox*

With regard to anti-virus programs, most cost around the same. I recommend Nod32 or Kaspersky as they are two of the best. Or if you want a free one, AVG is very good. If you choose Nod32 or AVG you will also need a firewall and can get ZoneAlarm which is free. If you choose Kaspersky, you can get the suite that has a firewall included.

I would like you to run Option 1 of FindAWF again please as there may be some leftovers to remove. I will repeat the instructions here so you don't have to go looking back in the thread.


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with the following Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
*Select option 1*, then press Enter
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in Notepad called AWF.txt.
Please copy and paste the contents of the AWF.txt file in your next reply.


----------



## jonpistone2 (Oct 5, 2007)

What do you think of McAfee???? How does that rank in relation to the free options you gave me above???

Also...when I tried to delete the folders above you told me to, I was able to delete C:\Qoobox but when I searched for C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bak --it didn't work...so I just searched for W32X86...found folder option 3...clicked on that...and inside there was nothing starting with the letter B, let alone named BAK.

As for the log, it was very short and I think that's a good thing, at least I hope it is---this is what it said:

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sun 10/14/2007 
The current time is: 20:01:52.40


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\DOCUME~1\JONATHAN\APPLIC~1\MICROS~1\WINDOWS\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report


----------



## Cookiegal (Aug 27, 2003)

There are two *BAK* folders left to remove.

Navigate to these and delete them:

C:\Program Files\MSN Messenger\*bak*

C:\Documents and Settings\Jonathan\Application Data\MICROS~1\*bak*
The above MICROS~1 folder will be called Microsoft and another word but it's been truncated so I can't tell what it is. There shouldn't be many folders in there with Microsoft in the names.


----------



## Cookiegal (Aug 27, 2003)

Oh yeah, regarding McAfee, I'd prefer the free AVG over it.


----------



## jonpistone2 (Oct 5, 2007)

I found this file
C:\Program Files\Messenger\bak not
C:\Program Files\MSN Messenger\bak


Also I found C:\Documents and Settings\Jonathan\Application Data\MICROSOFT\WINDOWS\bak


Were those the two you wanted me to delete???

When I did a general search for the folder titled BAK...I also found 4 folders (all empty) that were under: c:\RECYCLERS\S-1-5-21-1177238915-1708537768-1343024091-1004 (that was for 2 of them...the other two had the same info except 1004 at the end is replaced with 500)...should I be doing anything with those two??

I am going to download AVG now---did you say I needed a firewall or other software along with AVG or will all that be included???

Is everything good with the computer now--do you need me to run any more scans??
Thank you so much for all your time and help!! You have been most wonderful!!! Is there a place I can send a gift or something of that sort by chance to show you how thankful I've been!!!

Also, last question, I have a laptop and it's been banged around a bit--and the screen has trouble staying flipped open without being too loose--are there ways to take it to a store and get the "insides" replaced to a new "outside" and is it at a decent cost?? Thanks again so much!!! Let me know what I have to do next (if anything).


----------



## jonpistone2 (Oct 5, 2007)

Also--you said before about not having Service Pack 1 or 2 or something---do I need to get updates or download other things to make sure my computer stays more safe in the future?? --thanks!


----------



## ~Candy~ (Jan 27, 2001)

As for the laptop, depending on how old it is, and what kind of $ you want to invest in it, I'd just find a couple of toothpicks and prop the screen up like that. Problems solved, cheap.

As for the service packs, yes, you need to do all Windows updates, including Service Pack 2.

From the sounds of it, it looks like everything else is taken care of.


----------



## jonpistone2 (Oct 5, 2007)

One last question...I have I.E.....any thoughts on getting Mozilla or another browser?? Which is best/safest/etc???


----------



## jonpistone2 (Oct 5, 2007)

Thank you AcaCandy---how can I get these updates that I need???

And yes..lol...toothpicks are an interesting solution---they must make them stronger today than when I was growing up if they are able to hold up comp. screens now---lol


----------



## ~Candy~ (Jan 27, 2001)

I think all of the security folks use Mozilla, if that tells you anything. I use IE myself.....

Start, programs, windows updates should take you to Windows updates.

As for the toothpicks, get the round ones, not the cheapie thin ones....I guess popsicle sticks may work too.


----------



## Cookiegal (Aug 27, 2003)

Yes, you should now get SP2 and any available critical updates from Microsoft.

Please go ahead and delete these two folders:

C:\Program Files\Messenger\*bak*
C:\Documents and Settings\Jonathan\Application Data\MICROSOFT\WINDOWS\*bak*

As for the others, just empty your recycling bin.

You should get a third party firewall as they are more efficient than the XP one which only blocks incoming packets. You can get ZoneAlarm free here:

http://majorgeeks.com/ZoneAlarm_Free_d388.html

Thank you for your kind offer of a gift but I have more than enough reward in knowing that we're beating the bad guys and helping people. That is why I do this. 

If you're not having any more problems then you should be fine now.

You can delete the ComboFix utility and delete this folder, which is where ComboFix stores deleted files as backups:

C:\*Qoobox*

Here are some final instructions for you.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.


----------



## jonpistone2 (Oct 5, 2007)

THANK YOU SOOOOOO MUCH FOR EVERYTHING!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

One last question...sometimes my internet is slow (cable wireless connection)...and I think it's because my system gets pretty hot....which I thought was because I had lots of programs running when I start my computer and is also why my battery lasts only about 20 min before I start having problems....though there could be other issues---do you know of any programs I can run to either test the reasons for these slow internet connections (usually after my computer is left on for a few hours or days--though not always)...or a program to speed things up on the net? ...just wondering--ty for all the advice, I've downloaded all those programs and am putting them to GREAT use!!!!!
THANKS AGAIN SOOO MUCH!!!!!!!!
Jon


----------



## jonpistone2 (Oct 5, 2007)

Another question--this has happened to me in the past and I thought it was from all the virus problems I had...but now that my comp is clean and that I have installed all the updates (thanks to you) as well as my new anti-virus software, etc...I was shocked to see it happen today.
What happens is: Windows starts, the desktop shows...then the screen turns fully blue with white text and it is talking about deleting some sort of memory and it counts from 1 up to 100....I wrote it down this time so I could ask you--because it says the problem is due to a file named ar5211.sys ---any suggestions/tips/help you could offer...or do you even know what I'm talking about? Thanks!


----------



## Cookiegal (Aug 27, 2003)

You're welcome.

That sounds like hardware issues.

Please go to *Start *- *Run *- type in *eventvwr.msc* to open the event viewer. Look under both "application" and "system" for recent errors shown in red and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------
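The copy button described above produces one block per event in the Event Type / Event Source / Event ID / Date / Time / Description layout seen later in this thread, and a boot that fails the same services each time yields many near-identical blocks. This Python is an added example, not part of the thread, that parses such a pasted list and collapses it to one row per distinct failure with a count and first and last seen times, which is usually what a helper needs to read first. The sample text is a short constructed excerpt in that layout, using values that appear in the posted list.

```python
"""Aggregate a pasted Event Viewer error list into one row per distinct
failure. Added example; the field layout is the one the Windows XP event
viewer's copy button produces (Name: value lines, then a Description block
ended by a blank line)."""
import re
from collections import OrderedDict
from datetime import datetime

FIELD_RE = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$"
)

# Constructed excerpt in the pasted format (five events, three distinct failures).
SAMPLE_EVENTS = """Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 10/12/2007
Time: 10:06:44 PM
User: N/A
Computer: JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 10/6/2007
Time: 12:52:48 AM
User: N/A
Computer: JONATHAN-ZMY5MS
Description:
The IPSEC Services service terminated with the following error: 
The attempted operation is not supported for the type of object referenced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 10/6/2007
Time: 12:56:40 AM
User: N/A
Computer: JONATHAN-ZMY5MS
Description:
The COM+ Messages service failed to start due to the following error: 
The system cannot find the file specified.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 10/6/2007
Time: 12:56:40 AM
User: N/A
Computer: JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 10/6/2007
Time: 1:01:30 AM
User: N/A
Computer: JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.
"""


def parse_events(text):
    """Split the pasted text into one dict per event. A new event starts at
    'Event Type:'; the description is every line after 'Description:' up to
    the next blank line (or the end of the text), joined with spaces."""
    events, current, desc_lines = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if desc_lines is not None:
            if line == "":
                current["Description"] = " ".join(desc_lines)
                events.append(current)
                current, desc_lines = None, None
            else:
                desc_lines.append(line.strip())
            continue
        if line == "Description:" and current is not None:
            desc_lines = []
            continue
        m = FIELD_RE.match(line)
        if m:
            if m.group(1) == "Event Type":
                current = {}
            if current is not None:
                current[m.group(1)] = m.group(2).strip()
    if current is not None and desc_lines is not None:  # text ended inside a description
        current["Description"] = " ".join(desc_lines)
        events.append(current)
    return events


def summarize(events):
    """Group Error events by (source, id, description) and return rows
    (count, source, event_id, first_seen, last_seen, description) sorted by
    count descending, then source and id."""
    groups = OrderedDict()
    for ev in events:
        if ev.get("Event Type") != "Error":
            continue
        key = (ev.get("Event Source", ""), ev.get("Event ID", ""), ev.get("Description", ""))
        when = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
        g = groups.setdefault(key, {"count": 0, "first": when, "last": when})
        g["count"] += 1
        g["first"] = min(g["first"], when)
        g["last"] = max(g["last"], when)
    rows = [(g["count"], src, eid, g["first"], g["last"], desc)
            for (src, eid, desc), g in groups.items()]
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


if __name__ == "__main__":
    for count, src, eid, first, last, desc in summarize(parse_events(SAMPLE_EVENTS)):
        print(f"{count:3d}x  {src} {eid}  {first:%m/%d %H:%M} .. {last:%m/%d %H:%M}  {desc}")
```

The excerpt collapses to three rows, with the DgiVecp start failure on top (three occurrences between 10/6 and 10/12). Reading the grouped list, a helper sees at once which services fail at every boot and which error was a one-off, instead of scrolling through every repeat.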



## jonpistone2 (Oct 5, 2007)

I didn't expect there to be sooooooo many---I hope you aren't sorry you asked for this list---this is the Applications part...I'm working on the System now and will have that for you soon...wanted to send this first since I had it done....thanks!!


----------



## jonpistone2 (Oct 5, 2007)

These are the errors in System (again, there were Warnings also but not included):
(Also, when I tried to save it in Notepad it said that the "unicode" would be lost...or something like that---so I wanted to cut/paste it for you and hope everything gets sent the way it should.)

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 10/6/2007
Time: 12:52:48 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The IPSEC Services service terminated with the following error: 
The attempted operation is not supported for the type of object referenced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/12/2007
Time: 10:06:44 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/6/2007
Time: 12:56:40 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The COM+ Messages service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/6/2007
Time: 12:56:40 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/6/2007
Time: 12:56:40 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The Network Monitor service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 10/6/2007
Time: 12:56:40 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The IPSEC Services service terminated with the following error: 
The attempted operation is not supported for the type of object referenced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/6/2007
Time: 1:01:30 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The COM+ Messages service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/6/2007
Time: 1:01:30 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/6/2007
Time: 1:01:30 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The Network Monitor service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 10/6/2007
Time: 1:01:30 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The IPSEC Services service terminated with the following error: 
The attempted operation is not supported for the type of object referenced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/12/2007
Time: 10:01:05 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The combofix service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/6/2007
Time: 1:35:44 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The COM+ Messages service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/6/2007
Time: 1:35:44 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/6/2007
Time: 1:35:44 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The Network Monitor service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 10/6/2007
Time: 1:35:44 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The IPSEC Services service terminated with the following error: 
The attempted operation is not supported for the type of object referenced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7009
Date: 10/12/2007
Time: 10:01:05 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
Timeout (30000 milliseconds) waiting for the combofix service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/6/2007
Time: 2:17:56 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The COM+ Messages service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/6/2007
Time: 2:17:56 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/6/2007
Time: 2:17:56 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The Network Monitor service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 10/6/2007
Time: 2:17:56 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The IPSEC Services service terminated with the following error: 
The attempted operation is not supported for the type of object referenced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 10/6/2007
Time: 2:25:27 PM
User: NT AUTHORITY\SYSTEM
Computer:	JONATHAN-ZMY5MS
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7034
Date: 10/12/2007
Time: 9:56:29 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The Network Monitor service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 10/6/2007
Time: 2:25:57 PM
User: NT AUTHORITY\SYSTEM
Computer:	JONATHAN-ZMY5MS
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 10/6/2007
Time: 2:26:16 PM
User: JONATHAN-ZMY5MS\Administrator
Computer:	JONATHAN-ZMY5MS
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service netman with arguments "" in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 10/6/2007
Time: 2:26:51 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 10/6/2007
Time: 2:26:51 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 10/6/2007
Time: 2:26:51 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7026
Date: 10/6/2007
Time: 2:26:51 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The following boot-start or system-start driver(s) failed to load: 
Fips
IPSec
MRxSmb
NetBIOS
NetBT
OMCI
Processor
RasAcd
Rdbss
SYMTDI
Tcpip

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 10/6/2007
Time: 2:27:37 PM
User: NT AUTHORITY\SYSTEM
Computer:	JONATHAN-ZMY5MS
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/6/2007
Time: 2:30:24 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The COM+ Messages service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/6/2007
Time: 2:30:24 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/6/2007
Time: 2:30:24 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The Network Monitor service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 10/6/2007
Time: 2:30:26 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The IPSEC Services service terminated with the following error: 
The attempted operation is not supported for the type of object referenced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/6/2007
Time: 11:12:06 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The COM+ Messages service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/6/2007
Time: 11:12:06 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/6/2007
Time: 11:12:06 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The Network Monitor service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 10/6/2007
Time: 11:12:06 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The IPSEC Services service terminated with the following error: 
The attempted operation is not supported for the type of object referenced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7034
Date: 10/12/2007
Time: 9:56:11 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DomainService service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Dhcp
Event Category:	None
Event ID:	1002
Date: 10/7/2007
Time: 5:57:51 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The IP address lease 192.168.1.101 for the Network Card with network address 00134621A5AC has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/12/2007
Time: 9:16:28 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/7/2007
Time: 5:58:06 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The COM+ Messages service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/7/2007
Time: 5:58:06 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/7/2007
Time: 5:58:06 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The Network Monitor service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 10/7/2007
Time: 5:58:06 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The IPSEC Services service terminated with the following error: 
The attempted operation is not supported for the type of object referenced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/11/2007
Time: 3:57:11 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The fmtr service failed to start due to the following error: 
The specified driver is invalid.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/8/2007
Time: 10:13:07 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The COM+ Messages service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/8/2007
Time: 10:13:07 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/8/2007
Time: 10:13:07 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The Network Monitor service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 10/8/2007
Time: 10:13:07 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The IPSEC Services service terminated with the following error: 
The attempted operation is not supported for the type of object referenced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/10/2007
Time: 4:26:52 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/10/2007
Time: 4:15:22 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/8/2007
Time: 10:41:00 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The COM+ Messages service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7009
Date: 10/12/2007
Time: 10:16:01 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
Timeout (30000 milliseconds) waiting for the combofix service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/8/2007
Time: 10:41:00 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/8/2007
Time: 10:41:00 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The Network Monitor service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 10/8/2007
Time: 10:41:00 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The IPSEC Services service terminated with the following error: 
The attempted operation is not supported for the type of object referenced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7009
Date: 10/8/2007
Time: 10:47:01 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
Timeout (30000 milliseconds) waiting for the WMI Performance Adapter service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/8/2007
Time: 10:47:01 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The WMI Performance Adapter service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/8/2007
Time: 10:59:39 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The COM+ Messages service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/8/2007
Time: 10:59:39 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## jonpistone2 (Oct 5, 2007)

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/8/2007
Time: 10:59:39 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The Network Monitor service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 10/8/2007
Time: 10:59:39 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The IPSEC Services service terminated with the following error: 
The attempted operation is not supported for the type of object referenced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/12/2007
Time: 10:16:01 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The combofix service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	PlugPlayManager
Event Category:	None
Event ID:	11
Date: 10/10/2007
Time: 4:12:25 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The device Root\LEGACY_RUNTIME2\0000 disappeared from the system without first being prepared for removal.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/9/2007
Time: 2:30:44 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The COM+ Messages service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/9/2007
Time: 2:30:44 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/9/2007
Time: 2:30:44 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The Network Monitor service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 10/9/2007
Time: 2:30:44 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The IPSEC Services service terminated with the following error: 
The attempted operation is not supported for the type of object referenced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	PlugPlayManager
Event Category:	None
Event ID:	11
Date: 10/10/2007
Time: 4:12:25 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The device Root\LEGACY_RUNTIME\0000 disappeared from the system without first being prepared for removal.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/9/2007
Time: 8:19:02 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The COM+ Messages service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/9/2007
Time: 8:19:02 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/9/2007
Time: 8:19:02 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The Network Monitor service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 10/9/2007
Time: 8:19:02 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The IPSEC Services service terminated with the following error: 
The attempted operation is not supported for the type of object referenced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/10/2007
Time: 4:12:25 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The combofix service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7009
Date: 10/9/2007
Time: 10:28:46 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
Timeout (30000 milliseconds) waiting for the combofix service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/9/2007
Time: 10:28:46 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The combofix service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/9/2007
Time: 10:28:46 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The combofix service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/9/2007
Time: 10:28:58 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The Application Layer Gateway Service service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7009
Date: 10/10/2007
Time: 4:12:25 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
Timeout (30000 milliseconds) waiting for the combofix service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/12/2007
Time: 10:17:19 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Dhcp
Event Category:	None
Event ID:	1000
Date: 10/10/2007
Time: 1:22:17 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
Your computer has lost the lease to its IP address 192.168.0.102 on the Network Card with network address 00134621A5AC.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/12/2007
Time: 10:21:05 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7009
Date: 10/12/2007
Time: 10:24:35 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
Timeout (30000 milliseconds) waiting for the combofix service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/12/2007
Time: 10:24:35 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The combofix service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/12/2007
Time: 10:25:51 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Schedule
Event Category:	None
Event ID:	7901
Date: 10/13/2007
Time: 5:00:00 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The At18.job command failed to start due to the following error: 
General access denied error

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Srv
Event Category:	None
Event ID:	2000
Date: 10/13/2007
Time: 5:12:51 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The server's call to a system service failed unexpectedly.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 04 00 01 00 54 00 ......T.
0008: 00 00 00 00 d0 07 00 c0 ....Ð..À
0010: 00 00 00 00 9a 00 00 c0 ......À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 37 03 ad 04 7.*.

Event Type:	Error
Event Source:	Srv
Event Category:	None
Event ID:	2000
Date: 10/13/2007
Time: 5:12:54 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The server's call to a system service failed unexpectedly.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 04 00 01 00 54 00 ......T.
0008: 00 00 00 00 d0 07 00 c0 ....Ð..À
0010: 00 00 00 00 9a 00 00 c0 ......À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 37 03 ad 04 7.*.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/13/2007
Time: 5:21:36 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7009
Date: 10/13/2007
Time: 5:35:52 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
Timeout (30000 milliseconds) waiting for the combofix service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/13/2007
Time: 5:35:52 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The combofix service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/13/2007
Time: 5:37:25 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Dhcp
Event Category:	None
Event ID:	1001
Date: 10/14/2007
Time: 4:21:06 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00134621A5AC. The following error occurred: 
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: c7 04 00 00 Ç...

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/14/2007
Time: 4:32:26 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/14/2007
Time: 11:29:44 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/14/2007
Time: 11:57:06 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/15/2007
Time: 1:49:57 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/15/2007
Time: 3:07:13 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/15/2007
Time: 10:22:07 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/15/2007
Time: 10:34:46 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/15/2007
Time: 11:00:26 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	SideBySide
Event Category:	None
Event ID:	36
Date: 10/15/2007
Time: 11:39:05 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The assembly x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1740_x-ww_7cb8ab44 has missing or invalid files; recovery of this assembly failed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	SideBySide
Event Category:	None
Event ID:	36
Date: 10/15/2007
Time: 11:43:14 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The assembly x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1816_x-ww_7d33ba0e has missing or invalid files; recovery of this assembly failed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/12/2007
Time: 10:10:38 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/16/2007
Time: 12:14:54 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/16/2007
Time: 12:53:26 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/16/2007
Time: 4:48:28 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/16/2007
Time: 2:24:43 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/16/2007
Time: 4:39:16 PM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/16/2007
Time: 1:45:12 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/16/2007
Time: 7:33:30 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/16/2007
Time: 7:31:52 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/16/2007
Time: 5:01:24 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 10/16/2007
Time: 4:58:50 AM
User: N/A
Computer:	JONATHAN-ZMY5MS
Description:
The DgiVecp service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

---SOOOO sorry there are so many errors 
thank you for being so helpful!!!


----------



## Cookiegal (Aug 27, 2003)

I knew there were a lot, as they show in the WinpFind3u log, but it doesn't give enough information about them.

Go to Control Panel - Add/Remove programs and remove these if there:

Network Monitor
WinTouch

Locate and delete this folder:

C:\Program Files\*WinTouch*

Please open HijackThis.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*
Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.


----------



## jonpistone2 (Oct 5, 2007)

I didn't see Network Monitor but did remove WinTouch. I looked for the WinTouch folder after the Add/Remove step, but there was no longer a WinTouch folder.
here is the log:

StartupList report, 10/16/2007, 6:25:52 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16544)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Jonathan\Start Menu\Programs\Startup]
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D-Link AirPlus G Wireless Utility.lnk = ?
D-Link REG Utility.lnk = ?
Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIModeChange = Ati2mdxx.exe
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
ISUSPM Startup = C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
ISUSScheduler = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
DVDLauncher = "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
BCMSMMSG = BCMSMMSG.exe
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
ZoneAlarm Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
updateMgr = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
AIM = C:\Program Files\AIM\aim.exe -cnetwait.odl
Uniblue RegistryBooster 2 = C:\Documents and Settings\Jonathan\Desktop\draft demo\RegistryBooster 2\RegistryBooster.exe /S
PCTAVApp = "C:\Documents and Settings\Jonathan\Desktop\draft demo\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
SpywareGuard Download Protection - C:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
(no name) - C:\Program Files\Java\jre1.6.0\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[{01A88BB1-1174-41EC-ACCB-963509EAE56B}]
CODEBASE = http://support.dell.com/systemprofiler/SysPro.CAB

[iPIX ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ipixx.ocx
CODEBASE = http://www.ipix.com/viewers/ipixx.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\System32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[Yahoo! Audio Conferencing]
InProcServer32 = C:\Documents and Settings\Jonathan\Desktop\upro\Messenger\yacscom.dll
CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[{3334504D-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1192503125298

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[YouBet Secure Data Transfer Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ybreq.dll
CODEBASE = http://www.youbet.net/wr_5_8/controls/ybrequest.cab

[Install Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\pinstall.dll
CODEBASE = http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159136039112

[Yahoo! Audio UI1]
InProcServer32 = C:\Documents and Settings\Jonathan\Desktop\upro\Messenger\yacsui.dll
CODEBASE = http://chat.yahoo.com/cab/yacsui.cab

[Java Plug-in 1.6.0]
InProcServer32 = C:\Program Files\Java\jre1.6.0\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

[ZooInstaller Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZooInstaller.dll
CODEBASE = http://www.zoo-games.com/ClientSite/ZooInstaller.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

[YBUICtrl.FloatWnd.1]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ybuictrl.dll
CODEBASE = http://www.youbet.net/wr_5_8/controls/YBUICtrl.cab

[Java Plug-in 1.4.2_07]
InProcServer32 = C:\Program Files\Java\jre1.6.0\bin\ssv.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

[Java Plug-in 1.5.0_12]
InProcServer32 = C:\Program Files\Java\jre1.6.0\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab

[Java Plug-in 1.6.0]
InProcServer32 = C:\Program Files\Java\jre1.6.0\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

[Java Plug-in 1.6.0]
InProcServer32 = C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9d.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[TikGames Online Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gpcontrol.dll
CODEBASE = http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------


----------



## jonpistone2 (Oct 5, 2007)

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Atheros Configuration Service: C:\WINDOWS\System32\acs.exe (autostart)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Appdrv: \??\C:\Program Files\Dell\NICCONFIGSVC\Appdrv.sys (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
D-Link Adapter: System32\DRIVERS\ar5211.sys (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (autostart)
AVG7 Clean Driver: \SystemRoot\System32\Drivers\avgclean.sys (system)
AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (autostart)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
Broadcom 440x 10/100 Integrated Controller XP Driver: System32\DRIVERS\bcm4sbxp.sys (manual start)
BCM V.92 56K Modem: System32\DRIVERS\BCMSM.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
catchme: \??\C:\DOCUME~1\Jonathan\LOCALS~1\Temp\catchme.sys (manual start)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
Microsoft ACPI Control Method Battery Driver: System32\DRIVERS\CmBatt.sys (manual start)
Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Dual-Mode DSC(2770): System32\Drivers\SQcaptur.sys (manual start)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DgiVecp: \??\C:\WINDOWS\System32\Drivers\DgiVecp.sys (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
gmer: System32\DRIVERS\gmer.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: "C:\Program Files\iPod\bin\iPodService.exe" (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
AEGIS Protocol (IEEE 802.1x) v2.3.1.9: System32\DRIVERS\mdc8021x.sys (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
NICCONFIGSVC: C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe (autostart)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Texas Instruments OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
OMCI: \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS (system)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Pcmcia: System32\DRIVERS\pcmcia.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Schedule: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Symantec Network Drivers Service: C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
srescan: System32\ZoneLabs\srescan.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Audio Driver (WDM) - SigmaTel CODEC: system32\drivers\stac97.sys (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{640CB203-4584-44A1-A415-6EFA87E77655} (manual start)
Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart)
SYMDNS: \SystemRoot\System32\Drivers\SYMDNS.SYS (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMFW: \SystemRoot\System32\Drivers\SYMFW.SYS (manual start)
SYMIDS: \SystemRoot\System32\Drivers\SYMIDS.SYS (manual start)
SYMIDSCO: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20070821.001\symidsco.sys (manual start)
symlcbrd: \??\C:\WINDOWS\System32\drivers\symlcbrd.sys (autostart)
SYMNDIS: \SystemRoot\System32\Drivers\SYMNDIS.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
Synaptics TouchPad Driver: System32\DRIVERS\SynTP.sys (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
Messenger Sharing Folders USN Journal Reader service: C:\Program Files\MSN Messenger\usnsvc.exe (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
vsdatant: System32\vsdatant.sys (system)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
WpdUsb: System32\Drivers\wpdusb.sys (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 38,896 bytes
Report generated in 0.671 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Cookiegal (Aug 27, 2003)

Please do a search for this file and let me know if you find it:

*DgiVecp.sys*

Also, do you have this program?

DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1


----------



## jonpistone2 (Oct 5, 2007)

No, as far as I know, I do not have that program... and after doing the search... I don't have that file either.


----------



## jonpistone2 (Oct 5, 2007)

Do you want me to get that DeviceGuys, Inc. program?


----------



## ~Candy~ (Jan 27, 2001)

I'm sure that she doesn't want you to get it; she's trying to find out if you have it or know of it, so instances of it can be removed, if there are any. I think she stepped out for a bit, so I thought, since I saw you still online, I'd try to answer for her.


----------



## jonpistone2 (Oct 5, 2007)

Okay, thanks. I'll make sure not to get it, and wait to hear what she wants me to scan or do next when she gets back.


----------



## Cookiegal (Aug 27, 2003)

Thanks Candy. 

One of the errors you've been getting is because there's a service looking for that file but it can't find it. If you don't have that program or know of it, we can fix that error by deleting the service.

Go to *Start* - *Run*, type in *cmd*, then click OK. The MS-DOS window will be displayed. At the prompt type the following:

*SC Stop DgiVecp*

Then press Enter

Type:

*SC Delete DgiVecp*

Then press Enter.


----------



## Cookiegal (Aug 27, 2003)

Run the same commands for this service:

*SC Stop Network Monitor*
Then press Enter.

Type:

*SC Delete Network Monitor*

Then press Enter.

Then reboot and post a new HijackThis log please.
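The condition behind these two posts (a service entry whose binary is gone) can be checked for every service at once rather than one name at a time. The PowerShell below is an added example, not code from this thread or from any of the tools mentioned in it: it reads each service's ImagePath from the registry, normalises the path forms that appear in the StartupList output above (`\??\`, `\SystemRoot\`, `%SystemRoot%`, bare `System32\DRIVERS\...`), reports entries whose file is missing, and wraps the `sc stop` / `sc delete` step in a function that first confirms the service exists. Function and variable names are my own.

```powershell
# Added example, not part of this thread: list every service or driver whose
# ImagePath points at a file that no longer exists (the DgiVecp situation),
# and remove a named service only after confirming it is installed.
# Assumes Windows with PowerShell; the removal step needs an elevated prompt.

function Resolve-ImagePath {
    # Turn the raw ImagePath registry value into an absolute file path.
    param([Parameter(Mandatory)][string]$ImagePath)

    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) {
        # "C:\Program Files\...\foo.exe" /args  -> keep only the quoted part
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.Trim('"') }
    } elseif ($p -match '^(.*?\.(exe|sys|dll))(\s|$)') {
        # C:\WINDOWS\System32\dllhost.exe /Processid:{...} -> drop the arguments
        $p = $Matches[1]
    } else {
        # %SystemRoot%\system32\svchost -k rpcss -> first token, no extension
        $p = ($p -split '\s+')[0]
    }

    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\x -> C:\x
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\x
    $p = [Environment]::ExpandEnvironmentVariables($p)      # %SystemRoot%\x
    if ($p -notmatch '^[A-Za-z]:\\') {
        # System32\DRIVERS\x.sys is relative to the Windows directory
        $p = Join-Path $env:SystemRoot $p
    }
    if ([IO.Path]::GetExtension($p) -eq '') { $p += '.exe' }
    return $p
}

function Get-OrphanedService {
    # Walk HKLM\SYSTEM\CurrentControlSet\Services, the same data the
    # StartupList "Enumerating Windows NT/2000/XP services" section shows.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root) {
        $props = Get-ItemProperty -Path $key.PSPath
        if (-not $props.ImagePath) { continue }   # group/legacy keys have no binary
        $bin = Resolve-ImagePath -ImagePath $props.ImagePath
        if (-not (Test-Path -LiteralPath $bin -PathType Leaf)) {
            [pscustomobject]@{
                Name      = $key.PSChildName
                Start     = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                ImagePath = $props.ImagePath
                Resolved  = $bin
            }
        }
    }
}

function Remove-ServiceIfPresent {
    # Stop and delete a service with sc.exe, but confirm it exists first so a
    # typo or an already-removed service gives a clear message, not an error.
    param([Parameter(Mandatory)][string]$Name)

    # sc.exe takes the service name as one argument: a name containing spaces
    # must be quoted, otherwise the rest of it is read as extra parameters.
    & sc.exe query "$Name" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Exit code 1060 means "the specified service does not exist"
        Write-Warning "Service '$Name' not found (sc query exit code $LASTEXITCODE); nothing to do."
        return $false
    }
    & sc.exe stop "$Name" | Out-Null     # 1062 = already stopped, harmless here
    & sc.exe delete "$Name" | Out-Null   # a service still in use is removed at next reboot
    return ($LASTEXITCODE -eq 0)
}

# Review the report before removing anything; the removal call is commented out on purpose.
Get-OrphanedService | Format-Table -AutoSize
# Remove-ServiceIfPresent -Name 'DgiVecp'
```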


----------



## jonpistone2 (Oct 5, 2007)

There was an error message when I tried to STOP and DELETE Network Monitor... saying it wasn't there or already gone (was it in the same folder... in Doc and Settings/Jonathan/etc.... did I need to move to C:?)... everything worked well with the other one and DgiVecp was removed... not sure if it matters... but when I'm running IE windows and other programs... the comp battery gets used up within a matter of min. and when I hit control alt delete the CPU usage is at 100% most all the time... that surely shouldn't happen with AOL IM and two IE windows up (plus the anti-virus software I just downloaded)... correct?? and this surely isn't the first time I noticed it anyway--just thought I'd share in case it helps... anyway here is the log you asked for:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:57 PM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\Reg.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://216.76.114.124/exchweb/bin/auth/owalogon.asp?url=https://216.76.114.124/exchange&reason=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Documents and Settings\Jonathan\Desktop\draft demo\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [PCTAVApp] "C:\Documents and Settings\Jonathan\Desktop\draft demo\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Documents and Settings\Jonathan\Desktop\hyplay\New Briefcase\Hello\PicasaCapture.dll (file missing)
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Documents and Settings\Jonathan\Desktop\hyplay\New Briefcase\Hello\PicasaCapture.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1192503125298
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.net/wr_5_8/controls/ybrequest.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159136039112
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://www.youbet.net/wr_5_8/controls/YBUICtrl.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10824 bytes


----------



## Cookiegal (Aug 27, 2003)

The Network Monitor service error was probably from before it was removed then.

May I see another WinpFind3u log please?

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.

In the *Processes* group click *ALL*
In the *Win32 Services* group click *ALL*
In the *Driver Services* group click *ALL*
In the *Registry* group click *ALL*
In the *Files Created Within* group click *60 days*. Make sure Non-Microsoft only is *UNCHECKED*.
In the *Files Modified Within* group select *30 days*. Make sure Non-Microsoft only is *UNCHECKED*.
In the *File String Search* group select *ALL*
In the *Additional Scans* section please select *ALL*
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
Please post the resulting log here as an attachment.


----------



## jonpistone2 (Oct 5, 2007)

I had to break it up into two files... here it is, thanks.


----------



## Cookiegal (Aug 27, 2003)

Disconnect from the Internet and disable your anti-virus and firewall programs. *Be sure to remember to re-start them before going on-line again.*

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program. Copy and paste the information in the quote box below into the pane where it says "Paste fix here" and then click the Run Fix button. The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

Post the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log) back here along with a new HijackThis log please.


```
[Kill Explorer]
[Unregister Dlls]
[Driver Services - All]
YY -> (DgiVecp) DgiVecp [Kernel | Auto | Stopped] -> %System32%\Drivers\DgiVecp.sys
[Registry - All]
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> PCTAVApp -> %UserDesktop%\draft demo\PC Tools AntiVirus\PCTAV.exe
YN -> Uniblue RegistryBooster 2 -> %UserDesktop%\draft demo\RegistryBooster 2\RegistryBooster.exe
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
[Files/Folders - Created Within 60 days]
NY -> 002085_.tmp -> %SystemRoot%\002085_.tmp
NY -> jautoexp.dat -> %SystemRoot%\jautoexp.dat
NY -> rlph.dll -> %System32%\rlph.dll
[Files/Folders - Modified Within 30 days]
NY -> 0.log -> %SystemRoot%\0.log
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
Also, please export this registry key for me.

HKEY_LOCAL_MACHINE\SOFTWARE\policies

To do that, expand these keys by clicking on the + you see to the left.

HKEY_LOCAL_MACHINE
SOFTWARE

Then, under SOFTWARE, right click on *policies* and select "export", then save it to your desktop with the name policies.reg.

Now, right click the policies.reg file on your desktop and click "open with" and select Notepad. Then copy and paste the contents here please.


----------



## jonpistone2 (Oct 5, 2007)

the first log:

Explorer killed successfully
[Driver Services - All]
Service DgiVecp stopped successfully.
Service DgiVecp deleted successfully.
File C:\WINDOWS\SYSTEM32\Drivers\DgiVecp.sys not found.
[Registry - All]
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\PCTAVApp deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Uniblue RegistryBooster 2 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD} deleted successfully.
[Files/Folders - Created Within 60 days]
C:\WINDOWS\002085_.tmp moved successfully.
C:\WINDOWS\jautoexp.dat moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\rlph.dll
C:\WINDOWS\SYSTEM32\rlph.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\rlph.dll moved successfully.
[Files/Folders - Modified Within 30 days]
C:\WINDOWS\0.log moved successfully.
[Empty Temp Folders]
C:\DOCUME~1\Jonathan\LOCALS~1\Temp\ -> emptied.
C:\Documents and Settings\Jonathan\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
Explorer started successfully
< End of log >
Created on 10/18/2007 22:30:02


----------



## jonpistone2 (Oct 5, 2007)

and hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:01 PM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://216.76.114.124/exchweb/bin/auth/owalogon.asp?url=https://216.76.114.124/exchange&reason=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Documents and Settings\Jonathan\Desktop\hyplay\New Briefcase\Hello\PicasaCapture.dll (file missing)
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Documents and Settings\Jonathan\Desktop\hyplay\New Briefcase\Hello\PicasaCapture.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1192503125298
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.net/wr_5_8/controls/ybrequest.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159136039112
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://www.youbet.net/wr_5_8/controls/YBUICtrl.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10601 bytes


----------



## jonpistone2 (Oct 5, 2007)

Cookiegal said:


> Also, please export this registry key for me.
> 
> HKEY_LOCAL_MACHINE\SOFTWARE\policies
> 
> ...


..i dont understand what you mean by this...i dont see a + on the left....can u explain again--i did the rest of what u wanted though....


----------



## jonpistone2 (Oct 5, 2007)

also...i will be leaving for a wedding out of town tomorrow afternoon at some point and will be gone until monday morning...

i just wanted to let u know cause i wont have my computer with me and am still interested in your help---so please dont think that i forgot to sign on for a few days--ill just be out of town. 
i will try to check thru the morning tomorrow so i can do any last checks and logs before i go away...and surely will be checking again on monday to find out what i must do next..

thanks so much AGAIN for allll your help!


----------



## Cookiegal (Aug 27, 2003)

I'm sorry my instructions for the export were vague. You need to go to *Start* - *Run* - type in *regedit* to open the registry editor.

Then you should be able to follow the rest of the instructions:

To do that, expand these keys by clicking on the + you see to the left. If all you see is "My Computer" then expand that one first by clicking on the + sign to the left. Otherwise, you can go directly to these.

HKEY_LOCAL_MACHINE
SOFTWARE

Then, under SOFTWARE, right click on policies and select "export", then save it to your desktop with the name policies.reg.

Now, right click the policies.reg file on your desktop and click "open with" and select Notepad. Then copy and paste the contents here please.
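The export requested above produces a regedit "Version 5.00" .reg file, and a pasted copy is hard to read by eye: long `hex(7)` values are wrapped across lines with trailing backslashes, and REG_MULTI_SZ data is UTF-16LE bytes. The parser below is an added example for this thread, not a tool used by either poster; it rejoins the wrapped lines and decodes `dword:`, quoted strings and `hex(...)` values into Python objects so a reviewer can see, for instance, which policy paths a REG_MULTI_SZ value actually names. The sample .reg text is constructed for the example and only mirrors the shape of the posted export.

```python
"""Parse a regedit 5.00 .reg export and decode its value types.

Added example for reviewing a pasted HKLM\SOFTWARE\Policies export.
Note: when regedit saves the file to disk it is UTF-16LE with a BOM, so read
it with open(path, encoding="utf-16"); a copy pasted into a forum post is
already plain text, which is what this example works on.
"""
import re

# Constructed sample (not the thread's real export): one string value with
# regedit's backslash escaping, one DWORD, and one REG_MULTI_SZ wrapped over
# three lines the way regedit wraps long hex values.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies]
"ExampleString"="C:\\Program Files\\Example"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"EnableAdminTSRemote"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Example]
"ipsecOwnersReference"=hex(7):53,00,4f,00,46,00,54,00,57,00,41,00,52,00,45,00,\
  5c,00,41,00,00,00,53,00,4f,00,46,00,54,00,57,00,41,00,52,00,45,00,5c,00,42,\
  00,00,00,00,00
"""

# "name"=value  or  @=value (the key's default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    """regedit escapes backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def _join_continuations(text):
    """Rejoin hex values that regedit wrapped with a trailing backslash."""
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def _decode_value(raw):
    """Return (registry type name, decoded Python value)."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\w+)\))?:(.*)", raw)
    if m is None:
        raise ValueError(f"unrecognised value syntax: {raw!r}")
    kind, payload = m.group(1), m.group(2)
    data = bytes(int(b, 16) for b in payload.split(",") if b)
    if kind == "7":
        # REG_MULTI_SZ: NUL-terminated UTF-16LE strings, list ends with an empty one
        return "REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\x00") if s]
    if kind == "2":
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00")
    if kind is None or kind == "3":
        return "REG_BINARY", data
    return f"hex({kind})", data  # other types are left as raw bytes


def parse_reg(text):
    """Return {key_path: {value_name: (type, decoded_value)}} for a .reg export."""
    lines = _join_continuations(text)
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a regedit 5.00 export")
    keys, current = {}, None
    for line in lines[1:]:
        if not line.strip():
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # a leading '-' would mean "delete key"; not used by exports
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparseable line: {line!r}")
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        keys[current][name] = _decode_value(m.group(2))
    return keys


if __name__ == "__main__":
    for key, values in parse_reg(SAMPLE_REG).items():
        print(key)
        for name, (kind, value) in values.items():
            print(f"    {name} ({kind}) = {value!r}")
```

Run on a real export, the REG_MULTI_SZ decoding turns the `ipsecOwnersReference` hex blobs into readable `SOFTWARE\Policies\...` paths, which is what a reviewer needs to confirm that the IPSec policy entries only reference each other and nothing unexpected.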


----------



## jonpistone2 (Oct 5, 2007)

okay--got it this time! 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="MTE3MTk6ODoxNg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Conferencing]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\RTC]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\RTC\{A5B45060-354F-4097-A928-5125436C46F1}]
"DisableServerCheck"=dword:00000001
"LegacyPresence"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\RTC\{A5B45060-354F-4097-A928-5125436C46F1}\CertificatePolicy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\RTC\{A5B45060-354F-4097-A928-5125436C46F1}\PortRange]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca\Certificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca\CRLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca\CTLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root\Certificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root\CRLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root\CTLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"EnableAdminTSRemote"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{72385235-70fa-11d1-864c-14a300000000}]
"ClassName"="ipsecFilter"
"description"="Matches all ICMP packets between this computer and any other computer."
"name"="ipsecFilter{72385235-70fa-11d1-864c-14a300000000}"
"ipsecName"="All ICMP Traffic"
"ipsecID"="{72385235-70fa-11d1-864c-14a300000000}"
"ipsecDataType"=dword:00000100
"ipsecData"=hex:b5,20,dc,80,c8,2e,d1,11,a8,9e,00,a0,24,8d,30,21,52,00,00,00,01,\
00,00,00,02,00,00,00,00,00,02,00,00,00,00,00,0a,00,00,00,49,00,43,00,4d,00,\
50,00,00,00,3e,ad,17,da,06,07,54,4e,a5,b4,1b,52,be,dc,08,ee,01,00,00,00,00,\
00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00
"whenChanged"=dword:42a25125
"ipsecOwnersReference"=hex(7):53,00,4f,00,46,00,54,00,57,00,41,00,52,00,45,00,\
5c,00,50,00,6f,00,6c,00,69,00,63,00,69,00,65,00,73,00,5c,00,4d,00,69,00,63,\
00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,5c,00,49,00,50,00,53,00,65,00,63,00,5c,00,50,00,6f,00,6c,00,69,\
00,63,00,79,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,5c,00,69,00,70,00,73,00,\
65,00,63,00,4e,00,46,00,41,00,7b,00,38,00,35,00,35,00,61,00,35,00,35,00,34,\
00,64,00,2d,00,34,00,33,00,63,00,30,00,2d,00,34,00,38,00,61,00,38,00,2d,00,\
39,00,39,00,62,00,61,00,2d,00,66,00,32,00,39,00,34,00,37,00,30,00,62,00,65,\
00,32,00,36,00,62,00,36,00,7d,00,00,00,53,00,4f,00,46,00,54,00,57,00,41,00,\
52,00,45,00,5c,00,50,00,6f,00,6c,00,69,00,63,00,69,00,65,00,73,00,5c,00,4d,\
00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,\
64,00,6f,00,77,00,73,00,5c,00,49,00,50,00,53,00,65,00,63,00,5c,00,50,00,6f,\
00,6c,00,69,00,63,00,79,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,5c,00,69,00,\
70,00,73,00,65,00,63,00,4e,00,46,00,41,00,7b,00,35,00,65,00,36,00,30,00,34,\
00,63,00,62,00,35,00,2d,00,38,00,36,00,62,00,39,00,2d,00,34,00,34,00,38,00,\
37,00,2d,00,39,00,39,00,33,00,61,00,2d,00,36,00,61,00,33,00,66,00,64,00,63,\
00,39,00,38,00,65,00,62,00,61,00,32,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}]
"ClassName"="ipsecFilter"
"description"="Matches all IP packets from this computer to any other computer, except broadcast, multicast, Kerberos, RSVP and ISAKMP (IKE)."
"name"="ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}"
"ipsecName"="All IP Traffic"
"ipsecID"="{7238523a-70fa-11d1-864c-14a300000000}"
"ipsecDataType"=dword:00000100
"ipsecData"=hex:b5,20,dc,80,c8,2e,d1,11,a8,9e,00,a0,24,8d,30,21,4a,00,00,00,01,\
00,00,00,02,00,00,00,00,00,02,00,00,00,00,00,02,00,00,00,00,00,81,a1,ec,ce,\
d8,3f,dc,49,ab,81,1f,a4,ed,8c,7e,b8,01,00,00,00,00,00,00,00,ff,ff,ff,ff,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"whenChanged"=dword:42a25125
"ipsecOwnersReference"=hex(7):53,00,4f,00,46,00,54,00,57,00,41,00,52,00,45,00,\
5c,00,50,00,6f,00,6c,00,69,00,63,00,69,00,65,00,73,00,5c,00,4d,00,69,00,63,\
00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,5c,00,49,00,50,00,53,00,65,00,63,00,5c,00,50,00,6f,00,6c,00,69,\
00,63,00,79,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,5c,00,69,00,70,00,73,00,\
65,00,63,00,4e,00,46,00,41,00,7b,00,31,00,66,00,33,00,64,00,30,00,35,00,65,\
00,65,00,2d,00,36,00,65,00,33,00,64,00,2d,00,34,00,33,00,32,00,30,00,2d,00,\
38,00,31,00,32,00,32,00,2d,00,34,00,30,00,35,00,31,00,62,00,63,00,39,00,35,\
00,38,00,39,00,64,00,36,00,7d,00,00,00,53,00,4f,00,46,00,54,00,57,00,41,00,\
52,00,45,00,5c,00,50,00,6f,00,6c,00,69,00,63,00,69,00,65,00,73,00,5c,00,4d,\
00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,\
64,00,6f,00,77,00,73,00,5c,00,49,00,50,00,53,00,65,00,63,00,5c,00,50,00,6f,\
00,6c,00,69,00,63,00,79,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,5c,00,69,00,\
70,00,73,00,65,00,63,00,4e,00,46,00,41,00,7b,00,62,00,66,00,61,00,66,00,30,\
00,62,00,30,00,39,00,2d,00,39,00,37,00,31,00,36,00,2d,00,34,00,31,00,62,00,\
35,00,2d,00,38,00,32,00,64,00,62,00,2d,00,39,00,33,00,37,00,39,00,66,00,36,\
00,61,00,31,00,36,00,38,00,35,00,61,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385231-70fa-11d1-864c-14a300000000}]
"ClassName"="ipsecISAKMPPolicy"
"name"="ipsecISAKMPPolicy{72385231-70fa-11d1-864c-14a300000000}"
"ipsecID"="{72385231-70fa-11d1-864c-14a300000000}"
"ipsecDataType"=dword:00000100
"ipsecData"=hex:b8,20,dc,80,c8,2e,d1,11,a8,9e,00,a0,24,8d,30,21,40,01,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,03,00,00,00,00,00,00,00,\
00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,80,70,00,00,00,00,\
00,00,00,00,00,00,03,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00,\
00,00,00,00,00,00,00,00,80,70,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,\
00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,80,70,00,\
00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,\
00,00,00,00,00,00,00,00,00,00,00,80,70,00,00,00,00,00,00,00
"whenChanged"=dword:42a25125
"ipsecOwnersReference"=hex(7):53,00,4f,00,46,00,54,00,57,00,41,00,52,00,45,00,\
5c,00,50,00,6f,00,6c,00,69,00,63,00,69,00,65,00,73,00,5c,00,4d,00,69,00,63,\
00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,5c,00,49,00,50,00,53,00,65,00,63,00,5c,00,50,00,6f,00,6c,00,69,\
00,63,00,79,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,5c,00,69,00,70,00,73,00,\
65,00,63,00,50,00,6f,00,6c,00,69,00,63,00,79,00,7b,00,37,00,32,00,33,00,38,\
00,35,00,32,00,33,00,30,00,2d,00,37,00,30,00,66,00,61,00,2d,00,31,00,31,00,\
64,00,31,00,2d,00,38,00,36,00,34,00,63,00,2d,00,31,00,34,00,61,00,33,00,30,\
00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}]
"ClassName"="ipsecISAKMPPolicy"
"name"="ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}"
"ipsecID"="{72385234-70fa-11d1-864c-14a300000000}"
"ipsecDataType"=dword:00000100
"ipsecData"=hex:b8,20,dc,80,c8,2e,d1,11,a8,9e,00,a0,24,8d,30,21,40,01,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,03,00,00,00,00,00,00,00,\
00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,80,70,00,00,00,00,\
00,00,00,00,00,00,03,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00,\
00,00,00,00,00,00,00,00,80,70,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,\
00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,80,70,00,\
00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,\
00,00,00,00,00,00,00,00,00,00,00,80,70,00,00,00,00,00,00,00
"whenChanged"=dword:42a25125

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385237-70fa-11d1-864c-14a300000000}]
"ClassName"="ipsecISAKMPPolicy"
"name"="ipsecISAKMPPolicy{72385237-70fa-11d1-864c-14a300000000}"
"ipsecID"="{72385237-70fa-11d1-864c-14a300000000}"
"ipsecDataType"=dword:00000100
"ipsecData"=hex:b8,20,dc,80,c8,2e,d1,11,a8,9e,00,a0,24,8d,30,21,40,01,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,03,00,00,00,00,00,00,00,\
00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,80,70,00,00,00,00,\
00,00,00,00,00,00,03,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00,\
00,00,00,00,00,00,00,00,80,70,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,\
00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,80,70,00,\
00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,\
00,00,00,00,00,00,00,00,00,00,00,80,70,00,00,00,00,00,00,00
"whenChanged"=dword:42a25125
"ipsecOwnersReference"=hex(7):53,00,4f,00,46,00,54,00,57,00,41,00,52,00,45,00,\
5c,00,50,00,6f,00,6c,00,69,00,63,00,69,00,65,00,73,00,5c,00,4d,00,69,00,63,\
00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,5c,00,49,00,50,00,53,00,65,00,63,00,5c,00,50,00,6f,00,6c,00,69,\
00,63,00,79,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,5c,00,69,00,70,00,73,00,\
65,00,63,00,50,00,6f,00,6c,00,69,00,63,00,79,00,7b,00,37,00,32,00,33,00,38,\
00,35,00,32,00,33,00,36,00,2d,00,37,00,30,00,66,00,61,00,2d,00,31,00,31,00,\
64,00,31,00,2d,00,38,00,36,00,34,00,63,00,2d,00,31,00,34,00,61,00,33,00,30,\
00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{7238523d-70fa-11d1-864c-14a300000000}]
"ClassName"="ipsecISAKMPPolicy"
"name"="ipsecISAKMPPolicy{7238523d-70fa-11d1-864c-14a300000000}"
"ipsecID"="{7238523d-70fa-11d1-864c-14a300000000}"
"ipsecDataType"=dword:00000100
"ipsecData"=hex:b8,20,dc,80,c8,2e,d1,11,a8,9e,00,a0,24,8d,30,21,40,01,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,03,00,00,00,00,00,00,00,\
00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,80,70,00,00,00,00,\
00,00,00,00,00,00,03,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00,\
00,00,00,00,00,00,00,00,80,70,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,\
00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,80,70,00,\
00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,\
00,00,00,00,00,00,00,00,00,00,00,80,70,00,00,00,00,00,00,00
"whenChanged"=dword:42a25125
"ipsecOwnersReference"=hex(7):53,00,4f,00,46,00,54,00,57,00,41,00,52,00,45,00,\
5c,00,50,00,6f,00,6c,00,69,00,63,00,69,00,65,00,73,00,5c,00,4d,00,69,00,63,\
00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,5c,00,49,00,50,00,53,00,65,00,63,00,5c,00,50,00,6f,00,6c,00,69,\
00,63,00,79,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,5c,00,69,00,70,00,73,00,\
65,00,63,00,50,00,6f,00,6c,00,69,00,63,00,79,00,7b,00,37,00,32,00,33,00,38,\
00,35,00,32,00,33,00,63,00,2d,00,37,00,30,00,66,00,61,00,2d,00,31,00,31,00,\
64,00,31,00,2d,00,38,00,36,00,34,00,63,00,2d,00,31,00,34,00,61,00,33,00,30,\
00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{04060d70-cd5d-4f08-a9db-d7c603c38fd7}]
"ClassName"="ipsecNegotiationPolicy"
"name"="ipsecNegotiationPolicy{04060d70-cd5d-4f08-a9db-d7c603c38fd7}"
"ipsecID"="{04060d70-cd5d-4f08-a9db-d7c603c38fd7}"
"ipsecNegotiationPolicyAction"="{8a171dd3-77e3-11d1-8659-a04f00000000}"
"ipsecNegotiationPolicyType"="{62f49e13-6c37-11d1-864c-14a300000000}"
"ipsecDataType"=dword:00000100
"whenChanged"=dword:42a25125

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{5461e479-8195-48af-88a9-3401e5e74122}]
"ClassName"="ipsecNegotiationPolicy"
"name"="ipsecNegotiationPolicy{5461e479-8195-48af-88a9-3401e5e74122}"
"ipsecID"="{5461e479-8195-48af-88a9-3401e5e74122}"
"ipsecNegotiationPolicyAction"="{8a171dd3-77e3-11d1-8659-a04f00000000}"
"ipsecNegotiationPolicyType"="{62f49e13-6c37-11d1-864c-14a300000000}"
"ipsecDataType"=dword:00000100
"whenChanged"=dword:42a25125

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}]
"ClassName"="ipsecNegotiationPolicy"
"description"="Accepts unsecured communication, but requests clients to establish trust and security methods. Will communicate insecurely to untrusted clients if they do not respond to request."
"name"="ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}"
"ipsecName"="Request Security (Optional)"
"ipsecID"="{72385233-70fa-11d1-864c-14a300000000}"
"ipsecNegotiationPolicyAction"="{3f91a81a-7647-11d1-864d-d46a00000000}"
"ipsecNegotiationPolicyType"="{62f49e10-6c37-11d1-864c-14a300000000}"
"ipsecDataType"=dword:00000100
"whenChanged"=dword:42a25125

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}]
"ClassName"="ipsecNegotiationPolicy"
"description"="Permit unsecured IP packets to pass through."
"name"="ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}"
"ipsecName"="Permit"
"ipsecID"="{7238523b-70fa-11d1-864c-14a300000000}"
"ipsecNegotiationPolicyAction"="{8a171dd2-77e3-11d1-8659-a04f00000000}"
"ipsecNegotiationPolicyType"="{62f49e10-6c37-11d1-864c-14a300000000}"
"ipsecDataType"=dword:00000100
"ipsecData"=hex:b9,20,dc,80,c8,2e,d1,11,a8,9e,00,a0,24,8d,30,21,04,00,00,00,00,\
00,00,00,00
"whenChanged"=dword:42a25125

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}]
"ClassName"="ipsecNegotiationPolicy"
"description"="Accepts unsecured communication, but always requires clients to establish trust and security methods. Will NOT communicate with untrusted clients."
"name"="ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}"
"ipsecName"="Require Security"
"ipsecID"="{7238523f-70fa-11d1-864c-14a300000000}"
"ipsecNegotiationPolicyAction"="{3f91a81a-7647-11d1-864d-d46a00000000}"
"ipsecNegotiationPolicyType"="{62f49e10-6c37-11d1-864c-14a300000000}"
"ipsecDataType"=dword:00000100
"whenChanged"=dword:42a25125


----------



## jonpistone2 (Oct 5, 2007)

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{c63dec45-c44f-4a78-bcc5-150b36f05629}]
"ClassName"="ipsecNegotiationPolicy"
"name"="ipsecNegotiationPolicy{c63dec45-c44f-4a78-bcc5-150b36f05629}"
"ipsecID"="{c63dec45-c44f-4a78-bcc5-150b36f05629}"
"ipsecNegotiationPolicyAction"="{8a171dd3-77e3-11d1-8659-a04f00000000}"
"ipsecNegotiationPolicyType"="{62f49e13-6c37-11d1-864c-14a300000000}"
"ipsecDataType"=dword:00000100
"whenChanged"=dword:42a25125

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{1f3d05ee-6e3d-4320-8122-4051bc9589d6}]
"ClassName"="ipsecNFA"
"name"="ipsecNFA{1f3d05ee-6e3d-4320-8122-4051bc9589d6}"
"ipsecName"="Require Security"
"description"="Accepts unsecured communication, but always requires clients to establish trust and security methods. Will NOT communicate with untrusted clients."
"ipsecID"="{1f3d05ee-6e3d-4320-8122-4051bc9589d6}"
"ipsecDataType"=dword:00000100
"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}"
"whenChanged"=dword:42a25125

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{5c8cfa76-5d59-4d85-bf61-4c03462e9669}]
"ClassName"="ipsecNFA"
"name"="ipsecNFA{5c8cfa76-5d59-4d85-bf61-4c03462e9669}"
"ipsecID"="{5c8cfa76-5d59-4d85-bf61-4c03462e9669}"
"ipsecDataType"=dword:00000100
"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{04060d70-cd5d-4f08-a9db-d7c603c38fd7}"
"whenChanged"=dword:42a25125

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{5e604cb5-86b9-4487-993a-6a3fdc98eba2}]
"ClassName"="ipsecNFA"
"name"="ipsecNFA{5e604cb5-86b9-4487-993a-6a3fdc98eba2}"
"ipsecName"="Permit unsecure ICMP packets to pass through."
"description"="Permit unsecure ICMP packets to pass through."
"ipsecID"="{5e604cb5-86b9-4487-993a-6a3fdc98eba2}"
"ipsecDataType"=dword:00000100
"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}"
"whenChanged"=dword:42a25125

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{6cb121c9-d6e3-4dca-8d7d-7137ac2e75aa}]
"ClassName"="ipsecNFA"
"name"="ipsecNFA{6cb121c9-d6e3-4dca-8d7d-7137ac2e75aa}"
"ipsecID"="{6cb121c9-d6e3-4dca-8d7d-7137ac2e75aa}"
"ipsecDataType"=dword:00000100
"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{5461e479-8195-48af-88a9-3401e5e74122}"
"whenChanged"=dword:42a25125

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{855a554d-43c0-48a8-99ba-f29470be26b6}]
"ClassName"="ipsecNFA"
"name"="ipsecNFA{855a554d-43c0-48a8-99ba-f29470be26b6}"
"ipsecName"="Permit unsecure ICMP packets to pass through."
"description"="Permit unsecure ICMP packets to pass through."
"ipsecID"="{855a554d-43c0-48a8-99ba-f29470be26b6}"
"ipsecDataType"=dword:00000100
"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}"
"whenChanged"=dword:42a25125

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{bfaf0b09-9716-41b5-82db-9379f6a1685a}]
"ClassName"="ipsecNFA"
"name"="ipsecNFA{bfaf0b09-9716-41b5-82db-9379f6a1685a}"
"ipsecName"="Request Security (Optional) Rule"
"description"="For all IP traffic, always request security using Kerberos trust. Allow unsecured communication with clients that do not respond to request."
"ipsecID"="{bfaf0b09-9716-41b5-82db-9379f6a1685a}"
"ipsecDataType"=dword:00000100
"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}"
"whenChanged"=dword:42a25125

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e27740ab-3337-44a5-9834-e3f63e6df409}]
"ClassName"="ipsecNFA"
"name"="ipsecNFA{e27740ab-3337-44a5-9834-e3f63e6df409}"
"ipsecID"="{e27740ab-3337-44a5-9834-e3f63e6df409}"
"ipsecDataType"=dword:00000100
"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{c63dec45-c44f-4a78-bcc5-150b36f05629}"
"whenChanged"=dword:42a25125

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{72385230-70fa-11d1-864c-14a300000000}]
"ClassName"="ipsecPolicy"
"description"="For all IP traffic, always request security using Kerberos trust. Allow unsecured communication with clients that do not respond to request."
"name"="ipsecPolicy{72385230-70fa-11d1-864c-14a300000000}"
"ipsecName"="Server (Request Security)"
"ipsecID"="{72385230-70fa-11d1-864c-14a300000000}"
"ipsecDataType"=dword:00000100
"ipsecData"=hex:63,21,20,22,4c,4f,d1,11,86,3b,00,a0,24,8d,30,21,04,00,00,00,30,\
2a,00,00,00
"ipsecISAKMPReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecISAKMPPolicy{72385231-70fa-11d1-864c-14a300000000}"
"whenChanged"=dword:42a25125

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{72385236-70fa-11d1-864c-14a300000000}]
"ClassName"="ipsecPolicy"
"description"="Communicate normally (unsecured). Use the default response rule to negotiate with servers that request security. Only the requested protocol and port traffic with that server is secured."
"name"="ipsecPolicy{72385236-70fa-11d1-864c-14a300000000}"
"ipsecName"="Client (Respond Only)"
"ipsecID"="{72385236-70fa-11d1-864c-14a300000000}"
"ipsecDataType"=dword:00000100
"ipsecData"=hex:63,21,20,22,4c,4f,d1,11,86,3b,00,a0,24,8d,30,21,04,00,00,00,30,\
2a,00,00,00
"ipsecISAKMPReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecISAKMPPolicy{72385237-70fa-11d1-864c-14a300000000}"
"whenChanged"=dword:42a25125

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{7238523c-70fa-11d1-864c-14a300000000}]
"ClassName"="ipsecPolicy"
"description"="For all IP traffic, always require security using Kerberos trust. Do NOT allow unsecured communication with untrusted clients."
"name"="ipsecPolicy{7238523c-70fa-11d1-864c-14a300000000}"
"ipsecName"="Secure Server (Require Security)"
"ipsecID"="{7238523c-70fa-11d1-864c-14a300000000}"
"ipsecDataType"=dword:00000100
"ipsecData"=hex:63,21,20,22,4c,4f,d1,11,86,3b,00,a0,24,8d,30,21,04,00,00,00,30,\
2a,00,00,00
"ipsecISAKMPReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecISAKMPPolicy{7238523d-70fa-11d1-864c-14a300000000}"
"whenChanged"=dword:42a25125

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Persistent]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RTC]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RTC\CertificatePolicy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RTC\PortRange]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"ExecutableTypes"=hex(7):41,00,44,00,45,00,00,00,41,00,44,00,50,00,00,00,42,00,\
41,00,53,00,00,00,42,00,41,00,54,00,00,00,43,00,48,00,4d,00,00,00,43,00,4d,\
00,44,00,00,00,43,00,4f,00,4d,00,00,00,43,00,50,00,4c,00,00,00,43,00,52,00,\
54,00,00,00,45,00,58,00,45,00,00,00,48,00,4c,00,50,00,00,00,48,00,54,00,41,\
00,00,00,49,00,4e,00,46,00,00,00,49,00,4e,00,53,00,00,00,49,00,53,00,50,00,\
00,00,4c,00,4e,00,4b,00,00,00,4d,00,44,00,42,00,00,00,4d,00,44,00,45,00,00,\
00,4d,00,53,00,43,00,00,00,4d,00,53,00,49,00,00,00,4d,00,53,00,50,00,00,00,\
4d,00,53,00,54,00,00,00,4f,00,43,00,58,00,00,00,50,00,43,00,44,00,00,00,50,\
00,49,00,46,00,00,00,52,00,45,00,47,00,00,00,53,00,43,00,52,00,00,00,53,00,\
48,00,53,00,00,00,55,00,52,00,4c,00,00,00,56,00,42,00,00,00,57,00,53,00,43,\
00,00,00,00,00
"TransparentEnabled"=dword:00000001
"DefaultLevel"=dword:00040000
"AuthenticodeEnabled"=dword:00000000
"PolicyScope"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}]
"Description"="Stop the download of this file"
"FriendlyName"="Mdac11.cab"
"SaferFlags"=dword:00000000
"HashAlg"=dword:00008003
"ItemData"=hex:5e,ab,30,4f,95,7a,49,89,6a,00,6c,1c,31,15,40,15
"LastModified"=hex(b):85,c4,34,dc,19,a2,c2,01
"ItemSize"=hex(b):0b,03,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}]
"Description"="Stop the download of this file"
"FriendlyName"="mdac20.cab"
"SaferFlags"=dword:00000000
"HashAlg"=dword:00008003
"ItemData"=hex:67,b0,d4,8b,34,3a,3f,d3,bc,e9,dc,64,67,04,f3,94
"LastModified"=hex(b):03,8a,39,dc,19,a2,c2,01
"ItemSize"=hex(b):05,02,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}]
"Description"="Stop the download of this file"
"FriendlyName"="mdac20_a.cab"
"SaferFlags"=dword:00000000
"HashAlg"=dword:00008003
"ItemData"=hex:32,78,02,dc,fe,f8,c8,93,dc,8a,b0,06,dd,84,7d,1d
"LastModified"=hex(b):be,77,45,dc,19,a2,c2,01
"ItemSize"=hex(b):96,03,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}]
"Description"="Stop the download of this file"
"FriendlyName"="_msadc10.cab"
"SaferFlags"=dword:00000000
"HashAlg"=dword:00008003
"ItemData"=hex:bd,9a,2a,db,42,eb,d8,56,0e,25,0e,4d,f8,16,2f,67
"LastModified"=hex(b):81,4f,3e,dc,19,a2,c2,01
"ItemSize"=hex(b):e5,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}]
"Description"="Stop the download of this file"
"FriendlyName"="msadc11.cab"
"SaferFlags"=dword:00000000
"HashAlg"=dword:00008003
"ItemData"=hex:38,6b,08,5f,84,ec,f6,69,d3,6b,95,6a,22,c0,1e,80
"LastModified"=hex(b):40,b2,40,dc,19,a2,c2,01
"ItemSize"=hex(b):72,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}]
"Description"=""
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,48,00,4b,00,45,00,59,00,5f,00,43,00,55,00,52,00,52,00,\
45,00,4e,00,54,00,5f,00,55,00,53,00,45,00,52,00,5c,00,53,00,6f,00,66,00,74,\
00,77,00,61,00,72,00,65,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,\
66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,43,00,75,\
00,72,00,72,00,65,00,6e,00,74,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,\
5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,5c,00,53,00,68,00,65,\
00,6c,00,6c,00,20,00,46,00,6f,00,6c,00,64,00,65,00,72,00,73,00,5c,00,43,00,\
61,00,63,00,68,00,65,00,25,00,4f,00,4c,00,4b,00,2a,00,00,00
"LastModified"=hex(b):f0,cc,df,89,b0,0f,c8,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]


----------



## Cookiegal (Aug 27, 2003)

Disconnect from the Internet and disable your anti-virus and firewall programs. *Be sure to remember to re-start them before going on-line again.*

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program. Copy and paste the information in the quote box below into the pane where it says "Paste fix here" and then click the Run Fix button. The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

Post the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log) back here along with a new HijackThis log please.


```
[Kill Explorer]
[Registry - Additional Scans - All]
< Software Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\policies\
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\policies\\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> MTE3MTk6ODoxNg
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
Then do this please:

Please download *SmitfraudFix* (by *S!Ri*)

Extract (unzip) the content (a folder named *SmitfraudFix*) to your Desktop.

Open the *SmitfraudFix* folder and double-click *smitfraudfix.cmd*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Warning: Do not run Option #2 until you are instructed to do so. Running option #2 on a non infected computer will remove your Desktop background.


----------



## jonpistone2 (Oct 5, 2007)

Explorer killed successfully
[Registry - Additional Scans - All]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\policies\\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} deleted successfully.
[Empty Temp Folders]
C:\DOCUME~1\Jonathan\LOCALS~1\Temp\ -> emptied.
C:\Documents and Settings\Jonathan\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
Explorer started successfully
< End of log >
Created on 10/22/2007 16:21:08


----------



## jonpistone2 (Oct 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:26:50 PM, on 10/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://216.76.114.124/exchweb/bin/auth/owalogon.asp?url=https://216.76.114.124/exchange&reason=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Documents and Settings\Jonathan\Desktop\hyplay\New Briefcase\Hello\PicasaCapture.dll (file missing)
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Documents and Settings\Jonathan\Desktop\hyplay\New Briefcase\Hello\PicasaCapture.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1192503125298
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.net/wr_5_8/controls/ybrequest.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159136039112
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://www.youbet.net/wr_5_8/controls/YBUICtrl.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10478 bytes


----------



## jonpistone2 (Oct 5, 2007)

SmitFraudFix v2.240

Scan done at 16:32:30.52, Mon 10/22/2007
Run from C:\Documents and Settings\Jonathan\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jonathan

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jonathan\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Jonathan\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: D-Link AirPlus G DWL-G630 Wireless Cardbus Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{EA64A798-DA3D-4CA0-A1EB-05D4D8FD2B24}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EA64A798-DA3D-4CA0-A1EB-05D4D8FD2B24}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## Cookiegal (Aug 27, 2003)

How are things now?


----------



## jonpistone2 (Oct 5, 2007)

I was on my computer earlier (about 6 hours ago)...my computer has been on since then as I have left 3 web pages up for an online Java game---and my CPU usage is 100% now...4 windows up and running...still slow (due to the high usage % I guess)...highest is Firefox at 90...with a few others down the list...usually it's explorer.exe or iexplorer.exe that are the high percentages....
Any ideas???


----------



## jonpistone2 (Oct 5, 2007)

And this surely does NOT always happen...but sometimes (I feel it's random but most likely it isn't, I just haven't noticed a connection)...I used the Task Manager to "shut down" the firefox.exe file...and the CPU usage did drop to around 15-20%...then I went to Start and Shut Down--so I could restart my computer....and again it went to that blue screen and talked about Dumping Physical Memory on the restart...due to file ar5211.sys again....

Just wanted you to know--thanks!    --hope you had a nice weekend!!


----------



## Cookiegal (Aug 27, 2003)

Go to *Start * *Run *- type *msconfig*  click OK and click on the *startup tab*. Uncheck everything there except for your anti-virus program. Then reboot and let me know if the problem persists please.


----------



## jonpistone2 (Oct 5, 2007)

It's hard to say--'cause usually the 100% usage happens after a little while...but so far so good--I have 3 tabs open and it's back and forth between 6-15% usage...also on the restart there was no error.....
Though when Windows started some System Config message came up telling me I made changes and should fix them (I'm sure that's just for the people who didn't mean to do it...not for an expert like yourself)...
Would all this mean that there is a program (or programs) in my startup menu that may be causing this overload?!?!?


----------



## ~Candy~ (Jan 27, 2001)

Just tell it not to tell you that any longer.

The slimmer you can keep the startup items, the better your system will run. There is no need to load a lot of that stuff on startup. 

If you REALLY miss something, go back to msconfig and recheck the box of the item that you can't live without starting.


----------



## jonpistone2 (Oct 5, 2007)

So there is no problem just LEAVING things like that??? I'm not messing up the START UP of anything I need to use the comp??

There are things like AOL IM that come on startup--but it's not NEEDED 'cause I can double-click to run that program--is that how everything else works?? ...if I need to use it after Start Up...it will still function, correct???


----------



## Cookiegal (Aug 27, 2003)

Most things you can start up when needed but there are some that should run at startup.

You can research them at the following links to find out whether they need to run at startup or not. Some are user's choice, depending on your preference.

http://castlecops.com/StartupList.html
http://www.bleepingcomputer.com/startups/
http://www.windowsstartup.com/wso/index.php

These for sure are not needed at startup:

DVDLauncher
iTunesHelper
SunJavaUpdateSched 
MSMSGS
updateMgr
AIM
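
The triage Cookiegal is doing by eye above (an orphaned O2 BHO with "(no file)", O9 buttons whose target is missing, and O4 Run-key entries that are mere convenience launchers) can be done over the HijackThis log that jonpistone2 posted earlier in this thread. The following is an added example, not part of the thread or of HijackThis itself: it parses the O2/O4/O9/O23-style lines, then flags entries whose target is missing or unresolved and O4 entries whose names appear in Cookiegal's "not needed at startup" list. The sample lines are copied from the log above; the flag names and the `Entry` record are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Startup names Cookiegal listed in the thread as not needed at startup.
NOT_NEEDED_AT_STARTUP = {"DVDLauncher", "iTunesHelper", "SunJavaUpdateSched",
                         "MSMSGS", "updateMgr", "AIM"}

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: D-Link REG Utility.lnk = ?
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
"""

# O4 entries from the HKLM/HKCU/HKUS ...\Run keys: "O4 - HKLM\..\Run: [name] command"
RUN_KEY = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$")
# O4 entries from the Startup folders: "O4 - Global Startup: name.lnk = target"
STARTUP_DIR = re.compile(
    r"^O4 - (?P<hive>Startup|Global Startup): (?P<name>.+?) = (?P<target>.*)$")
# Other O-sections (O2 BHO, O9 buttons, O16 DPF, O23 services): "Oxx - Kind: name - target"
OTHER = re.compile(r"^(?P<code>O\d+) - (?P<kind>[^:]+): (?P<name>.+?) - (?P<target>.*)$")


@dataclass
class Entry:
    code: str                 # HijackThis section, e.g. "O4"
    kind: str                 # where it lives, e.g. "HKLM Run", "Global Startup", "BHO"
    name: str
    target: str
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Turn HijackThis O-lines into Entry records; R-lines and unknown shapes are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RUN_KEY.match(line)
        if m:
            entries.append(Entry("O4", m["hive"] + " Run", m["name"], m["target"]))
            continue
        m = STARTUP_DIR.match(line)
        if m:
            entries.append(Entry("O4", m["hive"], m["name"], m["target"]))
            continue
        m = OTHER.match(line)
        if m:
            entries.append(Entry(m["code"], m["kind"], m["name"], m["target"]))
    return entries


def flag_entry(e: Entry) -> Entry:
    """Attach review flags to one entry; returns the same entry for chaining."""
    if "(no file)" in e.target or "(file missing)" in e.target:
        e.flags.append("target missing")         # orphaned entry: nothing on disk behind it
    if e.target.strip() == "?":
        e.flags.append("target unresolved")      # HijackThis could not resolve the shortcut
    if e.code == "O4" and e.name in NOT_NEEDED_AT_STARTUP:
        e.flags.append("not needed at startup")  # convenience launcher; start it by hand
    return e


def flagged(text: str) -> List[Entry]:
    """Entries that deserve a look, in log order."""
    return [e for e in (flag_entry(e) for e in parse_hjt(text)) if e.flags]


def report(text: str) -> str:
    """One line per flagged entry, for pasting back into a reply."""
    return "\n".join(f"{e.code:<4}{e.kind:<16}{e.name:<24}{', '.join(e.flags)}"
                     for e in flagged(text))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))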


----------



## jonpistone2 (Oct 5, 2007)

Thanks SOOOO MUCH!!!!    .....am I all cured now??


----------



## Cookiegal (Aug 27, 2003)

Everything looks fine now.

You can delete the ComboFix utility and delete this folder, which is where ComboFix stores deleted files as backups:

C:\*Qoobox*

Here are some final instructions for you.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.


----------



## ~Candy~ (Jan 27, 2001)

Also, the acrobat reader and the updater for that are not needed at startup either....


----------

