# HELP PLEASE - Contra Virus



## CourtneyLeigh (Jun 15, 2007)

How do I get rid of CONTRA VIRUS?
It is in my Add/Remove Programs and if I remove it, upon restart it is back in there.
It also gives me a fake Microsoft icon that says:
your computer is infected!
Dangerous infection was detected on you PC the system will now download and install most Efficient antimalware program to prevent data loss and you private information theft. Click here to protect your computer from the biggest malware threats.

Also, adware comes up to sell the product, conveniently called 'contra virus!'

Can someone please give me step by step instructions on how to remove it. Thank you!


----------



## Byteman (Jan 24, 2002)

Hi, You can get the trial version of Kaspersky antivirus here, it's good for 30 days....should get rid of it.

The link to it is down the page at the last post....

http://forum.kaspersky.com/lofiversion/index.php/t39861.html


----------



## Byteman (Jan 24, 2002)

Hi, also, it would be easier to first use this tool:

Please download *SmitfraudFix* (by *S!Ri*)
Double-click *SmitfraudFix.exe*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.


----------



## CourtneyLeigh (Jun 15, 2007)

I did the scan; the results are below. I tried to get Kaspersky but it didn't work.
I really appreciate you trying to help me.

SmitFraudFix v2.195

Scan done at 10:16:17.29, 15/06/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\USB Storage RW\udsi.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\xpuupdate.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\~nsu.tmp\Au_.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\wincom27.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\xpuupdate.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

C:\Documents and Settings\Owner\Application Data\AdProtect NoSpam FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\ContraVirus\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6DCAF589-F9AF-4B0C-BA35-6D763BFCC9AA}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6DCAF589-F9AF-4B0C-BA35-6D763BFCC9AA}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6DCAF589-F9AF-4B0C-BA35-6D763BFCC9AA}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## Byteman (Jan 24, 2002)

Hi, I am not sure what you mean by "it did not work"?

Anyway that infection will be removed, so I don't think you need to bother with the Kaspersky program at all....instead, let's do this:

Do the second part of the SmitFraudFix:

*Copy these steps to a Notepad text file and save it as steps.txt to your desktop, or print them, as you will not be able to get online while working in Safe Mode (and, please do not use Safe Mode with Networking for this fix!)*
Next, please reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in *Safe Mode, then press "Enter".*
Choose your usual account.
Once in Safe Mode, open the *SmitfraudFix* folder again and double-click *smitfraudfix.cmd*
Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "*Yes*" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at *C:\rapport.txt*

Warning: running option #2 on a non infected computer will remove your Desktop background.

Post the log from that either now after you finish this or after you do the below scan:

*This is an online scanner, not an installed program;* however there is a good sized download of the control and detection files you have to do before you can scan, so be prepared to spend some time with this part. Then the scan will take from half an hour to one hour, depending on how many files are present.

Follow the steps, do the Extended scan, and scan ALL hard (data) drives....you can also scan any external devices like MP3 players and USB flash drives, as they often can be infected without you realizing. Since there are some other users of this computer, it would be a good idea to have their drives attached to scan now...

*Kaspersky online full scan*

Please go *HERE* and click Kaspersky Online Scanner
Read and Accept the Agreement
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
If you see a Windows dialog asking if you want to install this software, click the Install button. 
The program will launch and then begin downloading the latest definition files,
When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it. 
Click on the Scan Settings button, and in the next window select the *Extended database*, and click Ok. 
Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
Copy and paste the contents of the online scanner results into a reply here in your thread, along with a new HJT log and logs from any other scans you run.

Be sure to save and post the log it makes, along with a new HJT log please.


----------



## CourtneyLeigh (Jun 15, 2007)

Rapport

SmitFraudFix v2.195

Scan done at 17:26:01.70, 15/06/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\wincom27.dll Deleted
C:\WINDOWS\system32\xpuupdate.exe Deleted
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\ContraVirus 2.0.lnk Deleted
C:\Documents and Settings\Owner\Application Data\AdProtect NoSpam\ Deleted
C:\DOCUME~1\Owner\STARTM~1\ContraVirus 2.0.lnk Deleted
C:\DOCUME~1\Owner\STARTM~1\Programs\ContraVirus Deleted
C:\DOCUME~1\Owner\Desktop\ContraVirus 2.0.lnk Deleted
C:\Program Files\ContraVirus\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6DCAF589-F9AF-4B0C-BA35-6D763BFCC9AA}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6DCAF589-F9AF-4B0C-BA35-6D763BFCC9AA}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6DCAF589-F9AF-4B0C-BA35-6D763BFCC9AA}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## Byteman (Jan 24, 2002)

Hi, good. When I see the results of the online scan I will check that and see what is left to do.

Post a new Hijackthis also, made after you finish the online scan please.


----------



## CourtneyLeigh (Jun 15, 2007)

Online scan is currently at 91%


----------



## CourtneyLeigh (Jun 15, 2007)

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, June 15, 2007 7:47:06 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 16/06/2007
Kaspersky Anti-Virus database records: 347362
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 51758
Number of viruses found: 6
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 01:09:57

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Owner\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/data.rar	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe	RarSFX: infected - 2	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_9830_5F24_305F_8A0\dfsr.db	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_9830_5F24_305F_8A0\fsr.log	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_9830_5F24_305F_8A0\fsrtmp.log	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_9830_5F24_305F_8A0\tmp.edb	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF3195.tmp	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF31DC.tmp	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFED8A.tmp	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFED9B.tmp	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Owner\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG	Object is locked	skipped
C:\hp\bin\KillWind.exe	Infected: not-a-virus:RiskTool.Win32.PsKill.p	skipped
C:\Program Files\Norton AntiVirus\AVApp.log	Object is locked	skipped
C:\Program Files\Norton AntiVirus\AVError.log	Object is locked	skipped
C:\Program Files\Norton AntiVirus\AVVirus.log	Object is locked	skipped
C:\Program Files\Norton AntiVirus\Quarantine\3E107C69	Infected: Trojan.WinREG.StartPage	skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP21\A0006415.dll	Infected: not-a-virus:FraudTool.Win32.ContaVir.a	skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP21\A0006417.exe	Infected: not-a-virus:FraudTool.Win32.ContaVir.b	skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP21\A0006424.exe	Infected: not-a-virus:FraudTool.Win32.ContaVir.b	skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP21\A0006672.dll	Infected: not-a-virus:FraudTool.Win32.ContaVir.a	skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP21\A0006673.exe	Infected: not-a-virus:FraudTool.Win32.ContaVir.b	skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP21\A0006683.exe	Infected: Trojan-Downloader.Win32.Agent.btf	skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP21\A0006692.exe	Infected: not-a-virus:FraudTool.Win32.ContaVir.b	skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP21\A0006693.dll	Infected: not-a-virus:FraudTool.Win32.ContaVir.a	skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP21\A0006709.exe	Infected: not-a-virus:FraudTool.Win32.ContaVir.b	skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP21\change.log	Object is locked	skipped
C:\WINDOWS\Debug\oakley.log	Object is locked	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9DA162B3-98F7-4B9B-B315-BDE13F6CFDD2}.bin	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\Sti_Trace.log	Object is locked	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\default	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\software	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\system	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\wiadebug.log	Object is locked	skipped
C:\WINDOWS\wiaservc.log	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped

Scan process completed.


----------



## CourtneyLeigh (Jun 15, 2007)

Logfile of HijackThis v1.99.1
Scan saved at 7:49:13 PM, on 15/06/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\USB Storage RW\udsi.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_UDSI] "C:\Program Files\USB Storage RW\udsi.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe


----------



## Byteman (Jan 24, 2002)

Hi, That Kaspersky log may look bad, but everything that is a real threat has been quarantined, by Norton AV or removed by our fixes...or is backed up in System Restore.

Wait a few days then delete the items in Norton Quarantine.

You can simply right click the SmitFraudFix folder and delete that.

You should run a temp file cleanup tool, either of the ones below will work fine for you, and you should use only one. I prefer CleanUp!.

*CLEAN UP!*

I use *CleanUP!*, and find it an excellent way to clean up temp files.

About every 2 or 3 days, as the last thing before shutting down, I run CleanUp.

There is always a message to log off, after using it, but I sometimes do and then sometimes don't and have not noticed anything different.

And, the first time you run it, you will see a popup about using it in Demo mode; that is a good idea just to see how much junk you have, but then you will have to run CleanUp again and this time tell it No, so it does its thing. You won't get the "run in Demo mode" bit after the first time.

Note: Removing all Cookies will mean that all users of the computer who use sites like TSG that require logging in to an account, will have to manually log in with usernames and passwords at ALL places they have an account....so, be sure everyone knows all their logins and passwords...

CleanUp also has a Cookie filter, where you can enter the ones you would like to keep; you will see the Cookies tab at the top of its window.

Download Cleanup from *here*
 

Open *Cleanup!* by double-clicking the icon on your desktop (or from the Start > All Programs menu). 
Click the *Options...* button on the right. 
Move the arrow down to "*Custom CleanUp!*" 
Put a check next to the following (Make sure nothing else is checked!):
Empty Recycle Bins 
Delete Cookies 
Cleanup! All Users 
Click *OK* 
 *DO NOT RUN IT YET*

Now boot to safe mode.

Restart your computer to *safe mode*: 
Restart your computer 
Start tapping the F8 key when the computer restarts. 
When the start menu opens, choose Safe mode 
Press Enter. The computer then begins to start in Safe mode.
Log onto your usual account- *not* the Administrator account.

Run Cleanup: 
 Click on the "*Cleanup*" button and let it run.
 Once its done, *close the program*.

After the first run, you do not have to run CleanUP! in Safe Mode, I use it about twice a week in Normal Mode.

The last step is to clean out your *System Restore Points* since if you actually had to do a Restore back to a previous time, doing so would put back the malware you just worked to remove.

*Turn off System Restore:*

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab. ( If there is a check in "Turn Off System Restore...."= it is Off.)
Check Turn off System Restore.
Click Apply, and then click OK. Wait for the hourglass to stop and for the status to say "Turned Off".

Restart your computer, turn System Restore back on and create a restore point.
To turn System Restore back on, take the checkmark out of the box where you did.
Wait till you see "Monitoring" for the status.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.
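Byteman's reading of the Kaspersky report above (locked files are not detections, RiskTools are legitimate utilities, the rest is already in Norton quarantine or in System Restore copies) can be automated. This is an added example, not part of the thread or of any tool mentioned in it; the regex, bucket names and the constructed sample rows (adapted from the thread's own logs) are mine.

```python
import re
from collections import defaultdict

# One report row is "path <sep> verdict <sep> last action". The raw report uses
# tabs, but forum pastes often collapse them to spaces (see the second log in
# the thread), so rows are matched on the known verdict shapes instead of on
# the separator.
ROW = re.compile(
    r"^(?P<path>\S.*?)\s+"
    r"(?P<verdict>Object is locked|Infected: \S+|[\w ]+: infected - \d+)\s+"
    r"(?P<action>skipped|deleted|disinfected|quarantined)\s*$"
)

# Constructed sample: rows adapted from the two Kaspersky reports in the thread,
# one set tab-separated, one space-separated, with the long mail tokens cut.
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\WINDOWS\\system32\\config\\SAM\tObject is locked\tskipped
C:\\Documents and Settings\\Owner\\Desktop\\SmitfraudFix\\Reboot.exe\tInfected: not-a-virus:RiskTool.Win32.Reboot.f\tskipped
C:\\Documents and Settings\\Owner\\Desktop\\SmitfraudFix.exe\tRarSFX: infected - 2\tskipped
C:\\Program Files\\Norton AntiVirus\\Quarantine\\3E107C69\tInfected: Trojan.WinREG.StartPage\tskipped
C:\\System Volume Information\\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\\RP21\\A0006683.exe\tInfected: Trojan-Downloader.Win32.Agent.btf\tskipped
C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Identities\\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\\Microsoft\\Outlook Express\\Hotmail - Deleted Items.dbx/[From "WEIGHTLOSS"]/CLICK_Buy_DIETSENSATION.HTM Infected: Trojan.JS.Redirector.b skipped
C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Identities\\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\\Microsoft\\Outlook Express\\Hotmail - Deleted Items.dbx Mail MS Outlook 5: infected - 5 skipped
C:\\hp\\bin\\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
"""


def parse_report(text):
    """Return a list of (path, verdict, action) tuples, one per result row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m["path"], m["verdict"], m["action"]))
    return rows


def classify(path, verdict, action):
    """Bucket one row by what a defender actually has to do about it."""
    p = path.lower()
    if verdict == "Object is locked":
        return "locked"          # in-use registry hives, logs, index.dat: not detections
    if action != "skipped":
        return "handled"         # the scanner already acted on it
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # old copies; purged by turning System Restore off and on
    if "\\quarantine\\" in p:
        return "quarantined"     # already contained by the resident AV
    if verdict.startswith("Infected: not-a-virus:RiskTool"):
        return "risk_tool"       # legitimate admin utilities (Reboot.exe, PsKill)
    if re.search(r": infected - \d+$", verdict):
        return "container"       # archive or mail-store summary of inner hits
    if ".dbx/" in p:
        return "mail_item"       # a message inside an Outlook Express store
    return "needs_action"        # a live file nothing else has dealt with


def triage(text):
    """Map bucket name -> list of paths for every parsed row."""
    buckets = defaultdict(list)
    for row in parse_report(text):
        buckets[classify(*row)].append(row[0])
    return dict(buckets)


def actionable(text):
    """Paths the user still has to deal with by hand: live files and mail items."""
    b = triage(text)
    return b.get("needs_action", []) + b.get("mail_item", [])


if __name__ == "__main__":
    for bucket, paths in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{bucket:14s} {len(paths)}")
    for path in actionable(SAMPLE_REPORT):
        print("still to handle:", path)
```

For the thread's first report this leaves nothing to handle by hand; for the second it isolates the five redirector messages in the Deleted Items store, which emptying and compacting that folder removes.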


----------



## CourtneyLeigh (Jun 15, 2007)

I am on my dad's computer, and just ran a scan that says he has viruses.

I ran Kaspersky : Results: 
KASPERSKY ONLINE SCANNER REPORT 
Sunday, June 17, 2007 5:11:52 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 18/06/2007
Kaspersky Anti-Virus database records: 347814

Scan Settings 
Scan using the following antivirus database extended 
Scan Archives true 
Scan Mail Bases true

Scan Target My Computer 
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics 
Total number of scanned objects 47342 
Number of viruses found 3 
Number of infected objects 8 
Number of suspicious objects 0 
Duration of the scan process 00:48:42

Infected Object Name Virus Name Last Action 
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\VCMain.exe.e1a297a.ini.inuse Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From "WEIGHTLOSS" "lMZAwn2FUhqtUjzLM7X8mJ7X0dWVI7Au4WiIXlCRJDn3fRHDHEZHIcmGGZyJwchghZVLl"][Date Sun, 19 Feb 2006 06:43:50 +0900]/CLICK_Buy_DIETSENSATION.HTM Infected: Trojan.JS.Redirector.b skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From "MALENHANCER" "j5vdijXj79RLtPg6iRvOSHq3Ww15uJmvO7UfWKaodmYbBObO0htShWWcYrZEn+0rgNf0V6"][Date Sat, 18 Feb 2006 16:12:15 -0800]/UNNAMED/BUY_PERMANENTENLARG.HTM Infected: Trojan.JS.Redirector.b skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From "MALENHANCER" "j5vdijXj79RLtPg6iRvOSHq3Ww15uJmvO7UfWKaodmYbBObO0htShWWcYrZEn+0rgNf0V6"][Date Sat, 18 Feb 2006 16:12:15 -0800]/UNNAMED Infected: Trojan.JS.Redirector.b skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From "MENSENLARG" "2tlEydTKsf94+eBWUT9KTThUJsh0wntTvoNAxkBdimrjxyNUihFeIsVCJfLbTkGeR9NH"][Date Sat, 18 Feb 2006 22:30:28 -0800]/UNNAMED/BUY_PERMANENTENLARG.HTM Infected: Trojan.JS.Redirector.b skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From "MENSENLARG" "2tlEydTKsf94+eBWUT9KTThUJsh0wntTvoNAxkBdimrjxyNUihFeIsVCJfLbTkGeR9NH"][Date Sat, 18 Feb 2006 22:30:28 -0800]/UNNAMED Infected: Trojan.JS.Redirector.b skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx Mail MS Outlook 5: infected - 5 skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_EECC_E48C_CCE4_507F\dfsr.db Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_EECC_E48C_CCE4_507F\fsr.log Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_EECC_E48C_CCE4_507F\fsrtmp.log Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_EECC_E48C_CCE4_507F\tmp.edb Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_d40.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DF6425.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DFC5A9.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DFC5B8.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DFD06C.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DFD07E.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Network Monitor\netmon.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped

C:\Program Files\SB\Smart-Browser\BHO.0.1.0.155.dll Infected: not-a-virus:AdWare.Win32.Thingies skipped

C:\Program Files\Yahoo!\Messenger\logs\billing_Owner.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\client_Owner.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\GIPS.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\network_Owner.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\voice.log Object is locked skipped

C:\sti.log Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP151\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\yacs.log Object is locked skipped

Scan process completed.

SmitfraudFix REPORT BELOW:
SmitFraudFix v2.195

Scan done at 17:13:17.28, Sun 06/17/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Common Files\VCClient\VCMain.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DCEA5DFF-C5CE-4A59-87D6-F72482F7DD61}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DCEA5DFF-C5CE-4A59-87D6-F72482F7DD61}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{DCEA5DFF-C5CE-4A59-87D6-F72482F7DD61}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

I also ran SmitfraudFix in safe mode and did option 2. RESULTS BELOW:
SmitFraudFix v2.195

Scan done at 17:24:30.51, Sun 06/17/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Program Files\Common Files\VCClient Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DCEA5DFF-C5CE-4A59-87D6-F72482F7DD61}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DCEA5DFF-C5CE-4A59-87D6-F72482F7DD61}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{DCEA5DFF-C5CE-4A59-87D6-F72482F7DD61}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

I'm running another Kaspersky report right now and it is showing more viruses than the first report... what should I do? (Please give me lots of steps to do at once, lol.)


----------



## CourtneyLeigh (Jun 15, 2007)

This is a report with the new information from Kaspersky
(with the new virus).



----------



## Byteman (Jan 24, 2002)

Hi, for this new (Dad's) computer:

ATF CLEANER
Download ATFCleaner by Atribune & save it to your desktop. DO NOT use it yet. We will use it in *Safe Mode*, later.
As you probably know, deleting cookies can result in you having to type in your username and password at ALL sites that use logins, like this site does, so if you willy-nilly delete cookies (which is safe enough to do), you will have to re-establish those cookies and log in the first time you visit any site like that.
ATF Cleaner has a way to save those cookies you would like to keep, but it will require some time. If you DO KNOW or have saved all your passwords and login usernames, you can delete all cookies.

* Restart your computer into safe mode now. To get into the Windows 2000 / XP Safe Mode, as the computer is booting press and hold your "F8 Key", which should bring up the "Windows Advanced Options Menu".
Use your arrow keys to move to "Safe Mode" and press your Enter key.

Next, start up ATFCleaner:

Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
If you use Firefox browser
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
If you use Opera browser
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
Click *Exit* on the Main menu to close the program.
Restart the computer.

Next:

Download and run ComboFix on Dad's computer. Post the log.

COMBO FIX:
Download ComboFix from *Here* or *Here* to your Desktop. 

Double-click *combofix.exe* and follow the prompts.
When finished, it shall produce a log for you. Post that log and a *HijackThis* log in your next reply.
*IMPORTANT!*
*Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.*
_ _ _ _ _ _ _

*Also, do this>*

Open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad. Copy and paste that list here.


----------



## CourtneyLeigh (Jun 15, 2007)

Here are the logs you've asked for. I am leaving my dad's for a bit, but my dad (kind of not great with computers) and brother (knowledgeable about computers) will come on here and continue from here. I have done everything up to this point and have explained to Dad what I have been doing. Thanks again for helping us out!

ComboFix 07-06-13.3 - C:\Documents and Settings\Owner\Desktop\ComboFix.exe
"Owner" - 2007-06-17 21:22:38 - Service Pack 2 NTFS

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt
C:\Program Files\Common Files\download
C:\Program Files\internet optimizer
C:\Program Files\msmovies
C:\Program Files\msmovies\p.zip
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\WINDOWS\dh.ini
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\Uninst2.htm
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\Unist1.htm

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\Network Monitor
-------\Windows Overlay Components

((((((((((((((((((((((((( Files Created from 2007-05-18 to 2007-06-18 )))))))))))))))))))))))))))))))

2007-06-17 21:14	49,152	--a------	C:\WINDOWS\nircmd.exe
2007-06-17 20:19 d--------	C:\WINDOWS\pss
2007-06-17 19:57 d--------	C:\Program Files\DivX
2007-06-17 17:23	786,432	--ah-----	C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-17 17:23 d--------	C:\DOCUME~1\ADMINI~1\WINDOWS
2007-06-17 17:23 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\You've Got Pictures Screensaver
2007-06-17 17:23 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-06-17 17:23 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\McAfee
2007-06-17 17:23 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\AOL
2007-06-17 17:12	2,620	--a------	C:\WINDOWS\system32\tmp.reg
2007-06-17 16:35	53,248	--a------	C:\WINDOWS\system32\Process.exe
2007-06-17 16:35	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2007-06-17 16:35	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2007-06-17 16:14 d--------	C:\WINDOWS\system32\Kaspersky Lab
2007-06-17 16:14 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-05 14:44 d--------	C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-06-03 12:36 d--h-----	C:\WINDOWS\PIF

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-17 22:07:49	--------	d-----w	C:\DOCUME~1\Owner\APPLIC~1\LimeWire
2007-06-12 08:07:39	12,289,487	----a-w	C:\AVG7QT.DAT
2007-05-16 15:12:02	683,520	----a-w	C:\WINDOWS\system32\inetcomm.dll
2007-05-16 04:04:13	--------	d-----w	C:\Program Files\Lexmark X1100 Series
2007-05-10 17:58:40	--------	d-----w	C:\Program Files\Share_Accelerator_MM
2007-05-09 23:27:29	--------	d-----w	C:\Program Files\LimeWire
2007-05-03 13:29:02	--------	d-----w	C:\Program Files\BitTorrent
2007-05-03 13:25:25	--------	d-----w	C:\DOCUME~1\Owner\APPLIC~1\BitTorrent
2007-04-30 02:52:44	--------	d-----w	C:\Program Files\BigFix
2007-04-25 14:21:15	144,896	----a-w	C:\WINDOWS\system32\schannel.dll
2007-04-24 21:56:58	--------	d-----w	C:\Program Files\Yahoo!
2007-04-24 21:56:29	--------	d-----w	C:\Program Files\Common Files\Real
2007-04-21 19:40:01	--------	d-----w	C:\Program Files\SB
2007-04-18 16:12:23	2,854,400	----a-w	C:\WINDOWS\system32\msi.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{00000185-C745-43D2-44F1-01A1C789C738}=C:\PROGRA~1\SB\SMART-~1\BHO010~1.DLL [2004-06-28 04:12]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 13:02]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 21:33]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 08:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezrlwchA]
C:\WINDOWS\ezrlwchA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
"C:\Program Files\Internet Optimizer\optimize.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
"C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsMovies]
C:\Program Files\MsMovies\MsMovies.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NewFrn]
C:\WINDOWS\newfrn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qzmi]
C:\PROGRA~1\COMMON~1\qzmi\qzmim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]
C:\WINDOWS\SYSC00.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\virtual-ie]
winlogi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
VTtrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

Contents of the 'Scheduled Tasks' folder
2006-02-15 19:03:21 C:\WINDOWS\tasks\ISP signup reminder 3.job
2007-06-18 03:29:18 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-17 21:27:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-17 21:31:13 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-17 21:30

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 9:46:48 PM, on 6/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: BHO - {00000185-C745-43D2-44F1-01A1C789C738} - C:\PROGRA~1\SB\SMART-~1\BHO010~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by120fd.bay120.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.blogtv.ca//chatobject/launcher.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

ABBYY FineReader 5.0 Sprint
Adobe Acrobat 5.0
Adobe Flash Player 9
Adobe Reader 7.0
AVG Free Edition
CleanUp!
Creative PC-CAM Center
Creative WebCam Monitor
Creative WebCam NX Pro Driver (1.00.06.0512)
Digital Media Reader
DivX Web Player
FaxTools
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB926239)
J2SE Runtime Environment 5.0 Update 2
Kaspersky Online Scanner
Lexmark X1100 Series
LimeWire 4.12.11
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
MSN
MSXML 4.0 SP2 (KB927978)
PowerDVD
QuickTime
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Soft Data Fax Modem with SmartCP
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Windows Backup Utility
Windows Genuine Advantage v1.3.0254.0
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Overlay Components
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Yahoo! Internet Mail
Yahoo! Messenger


----------



## Byteman (Jan 24, 2002)

Hi "Dad" (or "Brother"), I will post some things to do later today. Could you post a reply and tell me what would be your best time to be able to work on this? Thank you!


----------



## CourtneyLeigh (Jun 15, 2007)

Hi, I'll be on tonight and tomorrow afternoon. All the help I can get would be appreciated.


----------



## Byteman (Jan 24, 2002)

Hi, We had a bad T-storm, seems to be over now...

SUPERAntiSpyware Pro free trial version:
Download the trial version of *SUPERAntiSpyware Pro (SAS)*:
http://www.superantispyware.com/superantispyware.html?rid=3132

Install it and double-click the icon on your desktop to run it.
- It will ask if you want to update the program definitions; click Yes.
- Under Configuration and Preferences, click the Preferences button.
- Click the Scanning Control tab.
- Under Scanner Options make sure the following are checked:
  - Close browsers before scanning
  - Scan for tracking cookies
  - Terminate memory threats before quarantining.
  - Please leave the others unchecked.
  - Click the Close button to leave the control center screen.
- On the main screen, under Scan for Harmful Software, click Scan your computer.
- On the left, check C:\Fixed Drive.
- On the right, under Complete Scan, choose Perform Complete Scan.
- Click Next to start the scan. Please be patient while it scans your computer.
- After the scan is complete a summary box will appear. Click OK.
- Make sure everything in the white box has a check next to it, then click Next.
- It will quarantine what it found and, if it asks if you want to reboot, click Yes.
- To retrieve the removal information for me, please do the following:
  - After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  - Click Preferences. Click the Statistics/Logs tab.
  - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  - It will open in your default text editor (such as Notepad/Wordpad).
  - Please highlight everything in the notepad, then right-click and choose copy.
- Click Close and Close again to exit the program.
- Please paste that information here for me with a new HijackThis log.

Dad's computer also is way behind on the Java plugin updates. The older versions of this are very vulnerable to the Vundo trojan.

Go to *HERE* and download the latest version of Java; it's the Java Runtime Environment 6.0, the fourth download down.
Once you have, uninstall all the older versions of Java JRE you see in Control Panel > Add/Remove Programs and install the new one.

Also, since Dad or someone is a filesharing program user, they need good protection running.
After we get it cleaned up I will post some other programs for that computer.


----------



## CourtneyLeigh (Jun 15, 2007)

(Courtney) - My dad got lost looking for this thread lol - I did the steps you just asked; here are the logs. Thanks again for helping us out! - Oh yeah, I wrote down the instructions for him to get to the thread lol

Was not able to get the Java due to high demand for the download at the time.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/20/2007 at 08:33 PM

Application Version : 3.8.1002

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 01:08:11

Memory items scanned : 412
Memory threats detected : 0
Registry items scanned : 4626
Registry threats detected : 17
File items scanned : 50195
File threats detected : 41

Adware.Smart-Browser
HKLM\Software\Classes\CLSID\{00000185-C745-43D2-44F1-01A1C789C738}
HKCR\CLSID\{00000185-C745-43D2-44F1-01A1C789C738}
HKCR\CLSID\{00000185-C745-43D2-44F1-01A1C789C738}
HKCR\CLSID\{00000185-C745-43D2-44F1-01A1C789C738}\InprocServer32
HKCR\CLSID\{00000185-C745-43D2-44F1-01A1C789C738}\InprocServer32#ThreadingModel
HKCR\CLSID\{00000185-C745-43D2-44F1-01A1C789C738}\ProgID
HKCR\CLSID\{00000185-C745-43D2-44F1-01A1C789C738}\TypeLib
HKCR\CLSID\{00000185-C745-43D2-44F1-01A1C789C738}\Version
C:\PROGRA~1\SB\SMART-~1\BHO010~1.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000185-C745-43D2-44F1-01A1C789C738}
C:\PROGRAM FILES\SB\SMART-BROWSER\BHO.0.1.0.155.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Trojan.Windows Overlay Components/SysMon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon#UninstallString

Trojan.WinBo32/Enhance
HKU\S-1-5-21-3624949454-3777370436-994384242-1003\Software\System\sysuid

Browser Hijacker.Internet Explorer Settings Hijack
HKU\S-1-5-21-3624949454-3777370436-994384242-1003\Software\Microsoft\Internet Explorer\Search\SearchAssistant Explorer\Main#Default_Search_URL [ http://searchbar.findthewebsiteyouneed.com ]

Adware.IST/ISTBar (Slotch Bar)
HKU\S-1-5-21-3624949454-3777370436-994384242-1003\Software\Microsoft\Internet Explorer\Main#BandRest [ Never ]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main#BandRest [ Never ]

Trojan.YourEnhancement
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#TheMonitor [ C:\WINDOWS\SYSC00.exe ]

Adware.Unknown Origin
C:\PROGRAM FILES\COMMON FILES\QZMI\QZMID\CLASS-BARREL
C:\PROGRAM FILES\COMMON FILES\QZMI\QZMID\VOCABULARY

Unclassified.Unknown Origin/System
C:\PROGRAM FILES\COMMON FILES\QZMI\QZMID\QZMIC.DLL

Trojan.NetMon/DNSChange
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\NETWORK MONITOR\NETMON.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP151\A0039959.EXE

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\DH.INI.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\UNINST2.HTM.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\UNINSTALL_NMON.VBS.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\UNIST1.HTM.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP151\A0039958.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP151\A0039968.INI

Adware.SurfSideKick
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP151\A0039848.EXE

Logfile of HijackThis v1.99.1
Scan saved at 8:54:48 PM, on 6/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Owner\Desktop\Cleaning up computer\hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [ezrlwchA] C:\WINDOWS\ezrlwchA.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by120fd.bay120.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.blogtv.ca//chatobject/launcher.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


----------



## Byteman (Jan 24, 2002)

Hi, good work! I need a new ComboFix log please. Same drill, we need to download it fresh!

Download ComboFix from *Here* or *Here* to your Desktop.

Double-click *combofix.exe* and follow the prompts.
When finished, it shall produce a log for you. Post that log and a *HijackThis* log in your next reply.
*IMPORTANT!*
*Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.*

EDIT> You might not see this right at first, but that's OK as long as you post this at some point:

Open HijackThis and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it; then the list should open in Notepad. Copy and paste that list here.


----------



## CourtneyLeigh (Jun 15, 2007)

ComboFix 07-06-18.2 
"Owner" - 2007-06-21 18:08:07 - Service Pack 2 NTFS

((((((((((((((((((((((((( Files Created from 2007-05-21 to 2007-06-21 )))))))))))))))))))))))))))))))

2007-06-21 16:12 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-20 19:18 d--------	C:\Program Files\SUPERAntiSpyware
2007-06-20 19:18 d--------	C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-06-20 19:18 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-20 19:17 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-06-17 21:14	49,152	--a------	C:\WINDOWS\nircmd.exe
2007-06-17 20:19 d--------	C:\WINDOWS\pss
2007-06-17 19:57 d--------	C:\Program Files\DivX
2007-06-17 17:23	786,432	--ah-----	C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-17 17:23 d--------	C:\DOCUME~1\ADMINI~1\WINDOWS
2007-06-17 17:23 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\You've Got Pictures Screensaver
2007-06-17 17:23 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-06-17 17:23 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\McAfee
2007-06-17 17:23 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\AOL
2007-06-17 17:12	2,620	--a------	C:\WINDOWS\system32\tmp.reg
2007-06-17 16:35	53,248	--a------	C:\WINDOWS\system32\Process.exe
2007-06-17 16:35	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2007-06-17 16:35	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2007-06-17 16:14 d--------	C:\WINDOWS\system32\Kaspersky Lab
2007-06-17 16:14 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-05 14:44 d--------	C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-06-03 12:36 d--h-----	C:\WINDOWS\PIF

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-21 22:02:56	--------	d-----w	C:\Program Files\Yahoo!
2007-06-21 02:45:31	--------	d-----w	C:\DOCUME~1\Owner\APPLIC~1\LimeWire
2007-06-12 08:07:39	12,289,487	----a-w	C:\AVG7QT.DAT
2007-05-16 15:12:02	683,520	----a-w	C:\WINDOWS\system32\inetcomm.dll
2007-05-16 04:04:13	--------	d-----w	C:\Program Files\Lexmark X1100 Series
2007-05-10 17:58:40	--------	d-----w	C:\Program Files\Share_Accelerator_MM
2007-05-09 23:27:29	--------	d-----w	C:\Program Files\LimeWire
2007-05-03 13:29:02	--------	d-----w	C:\Program Files\BitTorrent
2007-05-03 13:25:25	--------	d-----w	C:\DOCUME~1\Owner\APPLIC~1\BitTorrent
2007-04-30 02:52:44	--------	d-----w	C:\Program Files\BigFix
2007-04-25 14:21:15	144,896	----a-w	C:\WINDOWS\system32\schannel.dll
2007-04-24 21:56:29	--------	d-----w	C:\Program Files\Common Files\Real
2007-04-21 19:40:01	--------	d-----w	C:\Program Files\SB
2007-04-18 16:12:23	2,854,400	----a-w	C:\WINDOWS\system32\msi.dll
2007-04-17 04:47:36	33,624	----a-w	C:\WINDOWS\system32\wups.dll
2007-04-17 04:45:54	1,710,936	----a-w	C:\WINDOWS\system32\wuaueng.dll
2007-04-17 04:45:48	549,720	----a-w	C:\WINDOWS\system32\wuapi.dll
2007-04-17 04:45:42	325,976	----a-w	C:\WINDOWS\system32\wucltui.dll
2007-04-17 04:45:36	203,096	----a-w	C:\WINDOWS\system32\wuweb.dll
2007-04-17 04:45:28	92,504	----a-w	C:\WINDOWS\system32\cdm.dll
2007-04-17 04:45:20	53,080	----a-w	C:\WINDOWS\system32\wuauclt.exe
2007-04-17 04:45:20	43,352	----a-w	C:\WINDOWS\system32\wups2.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 13:02]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 21:33]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 08:04]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 17:04]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 22:24]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"Internet Optimizer"="C:\Program Files\Internet Optimizer\optimize.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 18:16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
"C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qzmi]
C:\PROGRA~1\COMMON~1\qzmi\qzmim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\virtual-ie]
winlogi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
VTtrayp.exe

Contents of the 'Scheduled Tasks' folder
2006-02-15 19:03:21 C:\WINDOWS\tasks\ISP signup reminder 3.job
2007-06-22 00:09:00 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-21 18:10:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-21 18:12:07
C:\ComboFix-quarantined-files.txt ... 2007-06-21 18:11
C:\ComboFix2.txt ... 2007-06-17 21:31

--- E O F ---


----------



## Byteman (Jan 24, 2002)

Hi, OK, just some things to remove; let's use WinPFind3U. I apologize for being "late" this evening, but it's been one T-storm after another most of the entire day, and I had a meeting from 7-9 PM.

You'll probably want to do this yourself at Dad's.

WinPFind3U
Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.
In the *Processes* group click *ALL*.
In the *Win32 Services* group click *ALL*.
In the *Driver Services* group click *ALL*.
In the *Registry* group click *ALL*.
In the *Files Created Within* group click *60 days*. Make sure Non-Microsoft only is *UNCHECKED*.
In the *Files Modified Within* group select *30 days*. Make sure Non-Microsoft only is *UNCHECKED*.
In the *File String Search* group select *ALL*.
In the *Additional Scans* section, please select *ALL*.
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data, so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete, Notepad will open with the report file loaded in it.
Save that Notepad file, but first click on the "Format" menu and make sure that "Word Wrap" is not checked. If it is, then click on it to uncheck it.
Upload the report as an *attachment* please.


----------



## CourtneyLeigh (Jun 15, 2007)

It's alright if you take a while to respond; I don't live at Dad's, so I'm not always on there.
Almost every day we've had a T-storm, then it becomes sunny for the rest of the day lol
I won't be able to work on Dad's comp until Sunday afternoon.

Thanks again.


----------



## Byteman (Jan 24, 2002)

Hi, OK, sounds good!


----------



## CourtneyLeigh (Jun 15, 2007)

WinPFind3 logfile created on: 6/27/2007 6:31:29 PM
WinPFind3U by OldTimer - Version 1.0.39	Folder = C:\Documents and Settings\Owner\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

190.48 Mb Total Physical Memory | 57.86 Mb Available Physical Memory | 30.37% Memory free
462.79 Mb Paging File | 175.05 Mb Available in Paging File | 37.82% Paging File free
Paging file location(s): C:\pagefile.sys 288 576;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 89.16 Gb Total Space | 81.91 Gb Free Space | 91.87% Space Free
Drive D: | 3.98 Gb Total Space | 2.24 Gb Free Space | 56.31% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: YOUR-245474C37A
Current User Name: Owner
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - All]
smss.exe -> %System32%\smss.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 50688 bytes | Modified Date = 8/4/2004 1:00:00 PM | Attr = ]
csrss.exe -> %System32%\csrss.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 6144 bytes | Modified Date = 8/4/2004 1:00:00 PM | Attr = ]
winlogon.exe -> %System32%\winlogon.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 502272 bytes | Modified Date = 8/4/2004 1:00:00 PM | Attr = ]
services.exe -> %System32%\services.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 108032 bytes | Modified Date = 8/4/2004 1:00:00 PM | Attr = ]
lsass.exe -> %System32%\lsass.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 13312 bytes | Modified Date = 8/4/2004 1:00:00 PM | Attr = ]
svchost.exe -> %System32%\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST -K DCOMLAUNCH] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 1:00:00 PM | Attr = ]
-> %System32%\rpcss.dll [DcomLaunch] -> Microsoft Corporation [Ver = 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) | Size = 397824 bytes | Modified Date = 7/25/2005 10:39:50 PM | Attr = ]
-> %System32%\termsrv.dll [TermService] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 295424 bytes | Modified Date = 8/4/2004 1:00:00 PM | Attr = ]
-> %System32%\termsrv.dll [TermService] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 295424 bytes | Modified Date = 8/4/2004 1:00:00 PM | Attr = ]
svchost.exe -> %System32%\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST -K RPCSS] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 1:00:00 PM | Attr = ]
-> %System32%\rpcss.dll [RpcSs] -> Microsoft Corporation [Ver = 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) | Size = 397824 bytes | Modified Date = 7/25/2005 10:39:50 PM | Attr = ]
svchost.exe -> %System32%\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 1:00:00 PM | Attr = ]
-> %System32%\appmgmts.dll [AppMgmt] -> File not found
-> %System32%\audiosrv.dll [AudioSrv] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 42496 bytes | Modified Date = 8/4/2004 1:00:00 PM | Attr = ]
-> %System32%\qmgr.dll [BITS] -> Microsoft Corporation [Ver = 6.6.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 382464 bytes | Modified Date = 8/4/2004 1:00:00 PM | Attr = ]
-> %System32%\browser.dll [Browser] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 77312 bytes | Modified Date = 8/4/2004 1:00:00 PM | Attr = ]
-> %System32%\cryptsvc.dll [CryptSvc] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 60416 bytes | Modified Date = 8/4/2004 1:00:00 PM | Attr = ]
-> %System32%\dhcpcsvc.dll [Dhcp] -> Microsoft Corporation [Ver = 5.1.2600.2912 (xpsp_sp2_gdr.060519-0003) | Size = 111616 bytes | Modified Date = 5/19/2006 6:59:42 AM | Attr = ]
-> %System32%\dmserver.dll [dmserver] -> Microsoft Corp. [Ver = 2600.2180.503.0 | Size = 23552 bytes | Modified Date = 8/4/2004 1:00:00 PM | Attr = ]
-> %System32%\ersvc.dll [ERSvc] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 23040 bytes | Modified Date = 8/4/2004 1:00:00 PM | Attr = ]
-> %System32%\es.dll [EventSystem] -> Microsoft Corporation [Ver = 2001.12.4414.308 | Size = 243200 bytes | Modified Date = 7/25/2005 10:39:46 PM | Attr = ]
-> %System32%\shsvcs.dll [FastUserSwitchingCompatibility] -> Microsoft Corporation [Ver = 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) | Size = 134656 bytes | Modified Date = 12/19/2006 3:52:18 PM | Attr = ]
-> %WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll [helpsvc] -> File not found
-> %System32%\hidserv.dll [HidServ] -> File not found
-> %System32%\srvsvc.dll [lanmanserver] -> Microsoft Corporation [Ver = 5.1.2600.2577 (xpsp_sp2_gdr.041130-1729) | Size = 96768 bytes | Modified Date = 12/7/2004 1:32:34 PM | Attr = ]


----------



## CourtneyLeigh (Jun 15, 2007)

[Win32 Services - All]


----------



## Byteman (Jan 24, 2002)

Hi, Courtney, very sorry, but you have posted the WinPFind3u log *into your reply* >> you were asked not to, and to *attach* the log to a reply instead....it does not work correctly sometimes when it is posted and we simply copy and paste from the forum page>>>> so we ask you NOT to post it, >>>> please try again!

When you have run the program, and the log pops up, and you have followed the other steps in the directions, come to your thread and open a Reply, put something in it like "I have attached the x log....etc" or whatever, and then use the *"Manage Attachments"* button beneath the reply space...if you don't see that, and see "Go Advanced", hit that button, and then scroll down, and you will see the Manage Attachments button....hit that, and Browse to the location of the saved log, highlight the log file (it does not have to be open) and then hit *Upload* and wait until you see the log filename as an attachment, then hit the "Submit" button, just like you would send in any ordinary Reply here.



Byteman said:


> Hi, OK, just some things to remove, let's use WINPFind3u> I apologize for being "late" this evening, but it's been one T-storm after another, most of the entire day, and had a meeting from 7-9PM.
> 
> You'll probably want to do this yourself at Dad's~
> 
> ...


----------

