# Solved: Hidden Files not showing?



## d2thesong (Jan 23, 2008)

Hello,

My hidden files are not showing even after I go into Tools > Folder Options and click "Show hidden files".

I have the same exact problem as posted here
http://forums.techguy.org/windows-nt-2000-xp/638788-hidden-files-not-showing.html

After reading that post, I downloaded the "fix.rar" file in the hope that it would fix my problem, but unfortunately I still cannot see my hidden files, and whenever I try to select the option to show my hidden files in Folder Options, it reverts back to "Do not show hidden files".

All help is much appreciated! Thank you.


----------



## Tufenuf (Jul 29, 2007)

d2thesong, Welcome to the forum. You could download the free tool called Remove Restrictions Tool (RRT) at the link below.

Make sure you boot into Safe Mode to use Remove Restrictions Tool (RRT).

http://www.raymond.cc/blog/archives...regedit-and-folder-options-disabled-by-virus/

Tufenuf


----------



## devil_himself (Apr 7, 2007)

Follow Post #6 And Show Us The Results
http://forums.techguy.org/windows-nt-2000-xp/638788-hidden-files-not-showing.html


----------



## d2thesong (Jan 23, 2008)

look.bat

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
"Text"="@shell32.dll,-30499"
"Type"="group"
"Bitmap"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,\
5c,53,48,45,4c,4c,33,32,2e,64,6c,6c,2c,34,00
"HelpID"="shell.hlp#51131"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30501"
"Type"="radio"
"CheckedValue"=dword:00000002
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51104"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"
"CheckedValue"="0"

query.bat

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced
ServerAdminUI REG_DWORD 0 (0x0)
Hidden REG_SZ 0
ShowCompColor REG_DWORD 1 (0x1)
HideFileExt REG_DWORD 0 (0x0)
DontPrettyPath REG_DWORD 0 (0x0)
ShowInfoTip REG_DWORD 1 (0x1)
HideIcons REG_DWORD 0 (0x0)
MapNetDrvBtn REG_DWORD 0 (0x0)
WebView REG_DWORD 1 (0x1)
Filter REG_DWORD 0 (0x0)
SuperHidden REG_DWORD 0 (0x0)
SeparateProcess REG_DWORD 0 (0x0)
ListviewAlphaSelect REG_DWORD 1 (0x1)
ListviewShadow REG_DWORD 1 (0x1)
ListviewWatermark REG_DWORD 1 (0x1)
TaskbarAnimations REG_DWORD 1 (0x1)
StartMenuInit REG_DWORD 2 (0x2)
StartButtonBalloonTip REG_DWORD 2 (0x2)
NoNetCrawling REG_DWORD 0 (0x0)
FolderContentsInfoTip REG_DWORD 1 (0x1)
FriendlyTree REG_DWORD 1 (0x1)
WebViewBarricade REG_DWORD 0 (0x0)
DisableThumbnailCache REG_DWORD 0 (0x0)
ShowSuperHidden REG_DWORD 0 (0x0)
ClassicViewState REG_DWORD 0 (0x0)
PersistBrowsers REG_DWORD 0 (0x0)


----------



## devil_himself (Apr 7, 2007)

Click Start/Run, type regedit, then press OK.
Navigate to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

Now right-click on, and delete, the value "CheckedValue" in the right-hand window.

Now create a new "DWORD Value" called exactly CheckedValue in the right-hand window.
Double-click on CheckedValue.
In the 'Edit DWORD Value' box that opens, set the 'Value data:' to 1.

Press OK, exit regedit, and restart your PC.
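The export posted above already shows why the Folder Options radio button keeps snapping back: under SHOWALL the entry is `"CheckedValue"="0"` (a REG_SZ string) instead of the REG_DWORD 1 that the fix in this post restores, and the query listing shows the per-user `Hidden` value as `REG_SZ 0` where Explorer expects a REG_DWORD of 1 (show) or 2 (hide). The following Python script is an added example, not code from this thread or from the SteelWerX tool: it parses a REGEDIT4 export, compares the SHOWALL and NOHIDDEN subkeys against the Windows XP defaults, and checks the per-user value. The samples are constructed from the values posted in the thread; the expected values are assumed from a default XP install.

```python
"""Audit the Explorer 'Show hidden files' registry plumbing from a REGEDIT4
export (like the look.bat output above) and from a 'name TYPE data' listing
(like the query.bat output above).

Added example, not code from this thread or from either tool. The expected
values are the Windows XP defaults for these keys: CheckedValue under SHOWALL
is REG_DWORD 1, CheckedValue under NOHIDDEN is REG_DWORD 2, both DefaultValue
entries are REG_DWORD 2, and the per-user Advanced\\Hidden value is REG_DWORD 1
(show) or 2 (hide). The samples are constructed from the values posted above.
"""
import re

HIDDEN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden"

# Constructed sample: the Hidden, NOHIDDEN and SHOWALL keys as exported in the thread (trimmed).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
"Text"="@shell32.dll,-30499"
"Type"="group"
"Bitmap"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,\
5c,53,48,45,4c,4c,33,32,2e,64,6c,6c,2c,34,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Type"="radio"
"CheckedValue"=dword:00000002
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Type"="radio"
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"CheckedValue"="0"
'''

# Constructed sample: three lines of the query.bat listing posted above.
SAMPLE_QUERY = """HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\advanced
Hidden REG_SZ 0
ShowSuperHidden REG_DWORD 0 (0x0)
"""

# Assumed Windows XP defaults for the two radio-button subkeys.
EXPECTED = {
    "SHOWALL":  {"CheckedValue": ("REG_DWORD", 1), "DefaultValue": ("REG_DWORD", 2)},
    "NOHIDDEN": {"CheckedValue": ("REG_DWORD", 2), "DefaultValue": ("REG_DWORD", 2)},
}


def parse_reg(text):
    """Parse a REGEDIT4 export into {key: {name: (type, data)}}.
    Handles "string", dword:hex and hex(n): data with backslash continuation."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"(.*?)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.groups()
        while data.endswith("\\"):          # hex(...) data wraps with a trailing backslash
            data = data[:-1] + lines[i].strip()
            i += 1
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("REG_SZ", data[1:-1].replace("\\\\", "\\"))
        elif data.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        elif data.startswith("hex(2):"):    # REG_EXPAND_SZ stored as comma-separated bytes
            raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
            keys[current][name] = ("REG_EXPAND_SZ", raw.decode("latin-1").rstrip("\x00"))
        elif data.startswith("hex"):
            keys[current][name] = ("REG_BINARY", data)
    return keys


def audit_showall(keys):
    """Return [(subkey, value_name, got, expected)] for every deviation; [] is healthy."""
    findings = []
    for subkey, expected in EXPECTED.items():
        values = keys.get(HIDDEN + "\\" + subkey, {})
        for name, want in expected.items():
            got = values.get(name)
            if got != want:
                findings.append((subkey, name, got, want))
    return findings


def audit_user_hidden(listing):
    """Check the per-user Advanced\\Hidden value; return None if sane, else a reason."""
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "Hidden":
            rtype, data = parts[1], parts[2]
            if rtype != "REG_DWORD":
                return f"Hidden is {rtype} {data!r}; Explorer expects REG_DWORD 1 (show) or 2 (hide)"
            return None if data in ("1", "2") else f"Hidden has unexpected data {data}"
    return "Hidden value not present"


if __name__ == "__main__":
    for finding in audit_showall(parse_reg(SAMPLE_REG)):
        print("SHOWALL/NOHIDDEN deviation:", finding)
    print("per-user Hidden:", audit_user_hidden(SAMPLE_QUERY))
```

Run against the posted export it reports exactly one deviation, the string-typed CheckedValue under SHOWALL, and flags the per-user Hidden value as REG_SZ. A type mismatch like this is a stronger signal than the data alone: Explorer will not read a string where it expects a DWORD, so the setting silently fails, and the value being re-created after deletion (as reported later in the thread) points at a running process reasserting it rather than at a permissions problem.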


----------



## d2thesong (Jan 23, 2008)

I've already tried that.

I get the same exact problem that is stated in the previous post.



chajai said:


> it tells me "Registry Editor cannot rename New Value #1. The specified value name already exists. Type another name and try again"
> but I clearly deleted the "CheckedValue" and I even tried renaming it and then making a new CheckedValue but it doesn't work
> whenever I click something else and go back to the SHOWALL folder the CheckedValue is back again even after I deleted it a couple of times


----------



## devil_himself (Apr 7, 2007)

Try This 
http://winonline.blogspot.com/2005/11/reset-entire-registry-permissions-to.html

And Then Follow Post #5 Again


----------



## devil_himself (Apr 7, 2007)

Until Your Problem Is Solved .. You Can Use This Command to Unhide Files

Start, Run, CMD

attrib -r -s -h X:\*.* /s /d


----------



## d2thesong (Jan 23, 2008)

I apologize for the inconvenience, but I am not as advanced as you would probably want me to be.

In the link you posted http://winonline.blogspot.com/2005/1...ssions-to.html

on step 2 the directions mention to "create a new file" called "reset.cmd".

I wasn't sure how I was to go about creating a new file in cmd format, so I assumed I should create a new text file, then rename it to "reset.cmd".

I then entered step 3 into the new file I had created, and then opened it.

The cmd prompt came up and a whole log of commands rapidly scrolled down the prompt screen.

I stopped after that point because I didn't know what to do.

Am I doing something wrong?


----------



## devil_himself (Apr 7, 2007)

You Are Doing Everything Right.

I Will Automate The Procedure For You.

Download the Attached File > Unzip It > Double Click on "Reset.cmd" .. Let it Run ... Might Take about 1/2 Hour


----------



## d2thesong (Jan 23, 2008)

OK, I downloaded ResetACL.zip and ran the program reset.cmd.

I waited for it to complete its process and then I tried post 5 like you told me. After deleting "CheckedValue" and attempting to create a new DWORD file called "CheckedValue", once I hit enter an error message pops up and says "The Registry Editor cannot rename New Value #1. The specified value name already exists. Try another name and try again."

The thing is, there is no such name as "New Value #1" or "CheckedValue" inside the folder.


----------



## devil_himself (Apr 7, 2007)

Download HJTInstall.exe to your Desktop.

http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

* Doubleclick HJTInstall.exe to install it.
* By default it will install to C:\Program Files\Trend Micro\HijackThis .
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch Hijackthis.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Copy/Paste the log to your next reply please.

Don't use the Analyse This button, its findings are dangerous if misinterpreted. 
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


----------



## d2thesong (Jan 23, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:55 AM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\algsrvs.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WhenUSearch\Search.exe
C:\Program Files\Steam\Steam.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: WhenUSearch Helper - {BA2325ED-F9EB-4830-8FCE-0BC35B16969B} - C:\Program Files\WhenUSearch\search.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IMJPMIG8.2] msime82.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsServer] msfun80.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5365 bytes


----------



## devil_himself (Apr 7, 2007)

Infected .

On The Right Side Of Your Post There Is A "Red Triangle With Exclamation Mark" .Use It To Politely Ask A Moderator To Move This Thread To The Malware Forum.


----------



## d2thesong (Jan 23, 2008)

Well, devil_himself, thank you for your helpful efforts in trying to get this fixed. Hopefully I'll get this fixed in the malware section.


----------



## dvk01 (Dec 14, 2002)

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.

 Open the extracted SDFix folder and double click *RunThis.cmd* to start the script. 
 Type *Y* to begin the cleanup process.
 It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. 
 Press any Key and it will restart the PC. 
 When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
 Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* 
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
 Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


----------



## dvk01 (Dec 14, 2002)

And why haven't you got an antivirus?

Running online with no antivirus is as dangerous as waving an American flag in downtown Baghdad.


----------



## d2thesong (Jan 23, 2008)

Please excuse me for not posting immediately, and also allow me to inform you that my knowledge and skills dealing with computers are not too advanced.

I just attempted to reboot in Safe Mode, but after pushing F8, the Advanced Options window does not appear as described. Instead, a "boot menu" appears and it asks me to choose out of 3 options to boot from: floppy disk (which I don't have), hard drive, and hard disk.

First, I chose hard drive, and Windows booted up normally; then I tried floppy disk (hey, I gave it a shot) and it also booted Windows normally. I haven't tried hard disk because it seemed redundant.

At this point, I'm not sure where to go from here.

Also, I haven't installed an antivirus yet because this is a freshly built computer, and I haven't gotten around to finding the best antivirus program yet.

Would reformatting the hard drive just be easier instead of going through all of this, or should I just continue my efforts at fixing this error?


----------



## dvk01 (Dec 14, 2002)

run this instead

Please visit *Combofix Guide & Instructions * for instructions for downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.


----------



## d2thesong (Jan 23, 2008)

Combo Fix Log:

ComboFix 08-02.01.1 - Dave Song 2008-01-31 18:04:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.709 [GMT -5:00]
Running from: C:\Documents and Settings\Dave Song\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ufdata2000.log

.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02.01 )))))))))))))))))))))))))))))))
.

2008-01-31 18:04 . 2008-01-31 18:04	6,736	--a------	C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-01-31 18:01 . 2004-08-03 23:00	260,272	--a------	C:\cmldr
2008-01-31 18:01 . 2008-01-16 03:40	211	--a------	C:\Boot.bak
2008-01-29 21:52 . 2008-01-30 00:16 d--------	C:\Documents and Settings\Dave Song\Application Data\skypePM
2008-01-29 21:52 . 2008-01-29 21:52	32	--a------	C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-29 21:51 . 2008-01-29 21:51 d--------	C:\Program Files\Skype
2008-01-29 21:51 . 2008-01-29 21:51 d--------	C:\Program Files\Common Files\Skype
2008-01-29 21:51 . 2008-01-30 13:44 d--------	C:\Documents and Settings\Dave Song\Application Data\Skype
2008-01-29 21:51 . 2008-01-29 21:51 d--------	C:\Documents and Settings\All Users\Application Data\Skype
2008-01-29 20:48 . 2008-01-29 20:48 d--------	C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-29 20:45 . 2008-01-29 20:45 d--------	C:\Program Files\Bonjour
2008-01-29 20:41 . 2008-01-29 20:41 d--------	C:\Program Files\Common Files\Macrovision Shared
2008-01-26 03:07 . 2008-01-26 03:07 d--------	C:\Program Files\Trend Micro
2008-01-25 01:41 . 2008-01-25 02:25 d--------	C:\Documents and Settings\Dave Song\Application Data\Ventrilo
2008-01-25 00:40 . 2008-01-25 03:53 d--------	C:\Program Files\BitLord
2008-01-24 23:01 . 2008-01-24 23:01 d--------	C:\Program Files\Viewpoint
2008-01-24 23:01 . 2008-01-24 23:01 d--------	C:\Program Files\Common Files\AOL
2008-01-24 23:01 . 2008-01-24 23:01 d--------	C:\Documents and Settings\Dave Song\Application Data\acccore
2008-01-24 23:01 . 2008-01-24 23:01 d--------	C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-24 23:01 . 2008-01-24 23:01 d--------	C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-24 23:01 . 2008-01-24 23:01 d--------	C:\Documents and Settings\All Users\Application Data\AOL
2008-01-24 23:00 . 2008-01-24 23:01 d--------	C:\Program Files\AIM6
2008-01-24 23:00 . 2008-01-24 23:01	532	--ah-----	C:\IPH.PH
2008-01-24 22:46 . 2008-01-24 22:46 d--------	C:\Program Files\Windows Resource Kits
2008-01-23 01:21 . 2008-01-23 01:21 d--------	C:\WINDOWS\Sun
2008-01-23 01:21 . 2008-01-23 01:21 d--------	C:\Program Files\Java
2008-01-23 01:21 . 2008-01-23 01:21 d--------	C:\Program Files\Common Files\Java
2008-01-23 01:21 . 2007-09-24 23:31	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
2008-01-22 05:13 . 2008-01-22 05:13 d--------	C:\Documents and Settings\Dave Song\Application Data\vlc
2008-01-22 05:11 . 2008-01-22 05:11 d--------	C:\Program Files\VideoLAN
2008-01-22 00:42 . 2008-01-22 02:15 d--------	C:\Documents and Settings\Dave Song\temp
2008-01-22 00:37 . 2008-01-22 02:15 d--h-----	C:\Documents and Settings\Dave Song\QMCache00
2008-01-22 00:37 . 2008-01-26 04:32 d--------	C:\Documents and Settings\Dave Song\Application Data\Move Networks
2008-01-19 00:36 . 2008-01-19 00:36 d--------	C:\Program Files\Ventrilo
2008-01-19 00:36 . 2008-01-19 00:36 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-17 01:04 . 2008-01-17 01:04 d--------	C:\Program Files\DivX
2008-01-17 01:04 . 2008-01-23 01:21	793	--a------	C:\WINDOWS\mozver.dat
2008-01-17 00:47 . 2008-01-17 00:47 d--------	C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-01-17 00:25 . 2008-01-31 17:50 d--------	C:\Program Files\Steam
2008-01-17 00:11 . 2008-01-17 00:11 d--------	C:\Program Files\Razer
2008-01-17 00:11 . 2008-01-17 00:11 d--------	C:\Documents and Settings\Dave Song\Application Data\InstallShield
2008-01-17 00:11 . 2007-03-20 19:05	73,728	--a------	C:\WINDOWS\system32\Diamondback.cpl
2008-01-17 00:11 . 2005-04-24 22:43	13,225	--a------	C:\WINDOWS\system32\drivers\Razerlow.sys
2008-01-16 23:53 . 2008-01-16 23:53 d--------	C:\Program Files\Analog Devices
2008-01-16 23:34 . 2008-01-16 23:34	0	--a------	C:\WINDOWS\nsreg.dat
2008-01-16 03:22 . 2008-01-31 17:40	309,930	--a------	C:\WINDOWS\system32\msime82.exe
2008-01-16 03:22 . 2008-01-31 17:50	309,930	--a------	C:\WINDOWS\system32\msfun80.exe
2008-01-16 03:22 . 2008-01-31 17:50	309,930	--a------	C:\WINDOWS\system32\algsrvs.exe
2008-01-16 03:22 . 2008-02-01 18:05	309,930	---hs----	C:\fun.xls.exe
2008-01-16 03:22 . 2008-01-16 03:22	129	---hs----	C:\AUTORUN.INF
2008-01-16 03:11 . 2008-01-16 03:11 d--------	C:\Program Files\Lavasoft
2008-01-16 03:11 . 2008-01-16 03:11 d--------	C:\Documents and Settings\Dave Song\Application Data\Lavasoft
2008-01-16 03:07 . 2008-01-16 03:07 d--------	C:\Program Files\MSBuild
2008-01-16 03:07 . 2008-01-16 03:07 d--------	C:\Program Files\Microsoft Works
2008-01-16 03:07 . 2006-10-26 19:56	32,592	--a------	C:\WINDOWS\system32\msonpmon.dll
2008-01-16 03:05 . 2008-01-16 03:06 d--------	C:\WINDOWS\SHELLNEW
2008-01-16 03:05 . 2008-01-16 03:07 d--------	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-16 03:04 . 2008-01-16 03:04 dr-h-----	C:\MSOCache
2008-01-16 03:02 . 2008-01-16 03:02 d--------	C:\Program Files\Common Files\WhenU
2008-01-16 03:02 . 2008-01-16 03:02 d--------	C:\Documents and Settings\Dave Song\Application Data\WhenU
2008-01-16 02:46 . 2008-01-16 02:46 d--------	C:\Program Files\DAEMON Tools
2008-01-16 02:42 . 2008-01-16 02:42	611,064	--a------	C:\WINDOWS\system32\drivers\sptd.sys
2008-01-16 02:13 . 2004-08-03 23:08	31,616	--a------	C:\WINDOWS\system32\drivers\usbccgp.sys
2008-01-16 02:13 . 2004-08-03 23:08	31,616	--a--c---	C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-01-16 02:13 . 2004-08-03 23:08	26,496	--a--c---	C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-16 02:04 . 2008-01-16 02:06 d--------	C:\WINDOWS\nview
2008-01-16 02:04 . 2006-08-11 23:42	208,896	--a------	C:\WINDOWS\system32\nvudisp.exe
2008-01-16 02:04 . 2008-01-31 17:50	81,191	--a------	C:\WINDOWS\system32\nvapps.xml
2008-01-16 02:04 . 2006-08-11 23:42	16,960	--a------	C:\WINDOWS\system32\nvdisp.nvu
2008-01-16 01:32 . 2006-05-05 04:41	453,120	-----c---	C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-01-16 01:19 . 2006-09-06 17:43	22,752	--a------	C:\WINDOWS\system32\spupdsvc.exe
2008-01-16 01:19 . 2008-01-16 01:19	13,688	--a------	C:\WINDOWS\system32\wpa.bak
2008-01-16 01:11 . 2008-01-16 01:11 d--------	C:\Program Files\InterVideo Information Service
2008-01-16 01:11 . 2008-01-16 01:11 d--------	C:\Program Files\Common Files\Ulead Systems
2008-01-16 01:11 . 2005-09-20 02:27	10,368	--a------	C:\WINDOWS\system32\iviaspi.sys
2008-01-16 01:11 . 2005-07-26 03:07	10,368	---------	C:\WINDOWS\system32\drivers\iviaspi.sys
2008-01-16 01:11 . 2005-12-14 19:56	519	---------	C:\WINDOWS\remove.iss
2008-01-16 01:10 . 2008-01-16 01:11 d--------	C:\Program Files\InterVideo
2008-01-16 01:10 . 2008-01-16 01:10 d--------	C:\Program Files\Common Files\InterVideo
2008-01-16 01:10 . 2008-01-16 01:10 d--------	C:\Documents and Settings\Dave Song\Application Data\InterVideo
2008-01-16 01:10 . 2005-06-21 02:33	81,920	--a------	C:\WINDOWS\mws.exe
2008-01-16 01:02 . 2008-01-22 04:52 d--------	C:\Program Files\Symantec
2008-01-16 01:02 . 2008-01-22 04:52 d--------	C:\Program Files\Common Files\Symantec Shared
2008-01-16 01:02 . 2008-01-22 04:52 d--------	C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-16 01:02 . 2006-04-10 19:32	51	--a------	C:\delnis.bat
2008-01-16 01:00 . 2008-01-29 20:45 d--------	C:\Program Files\Common Files\Adobe
2008-01-16 00:59 . 2008-01-17 18:59 d--h-----	C:\WINDOWS\$hf_mig$
2008-01-16 00:59 . 2008-01-16 01:00 d--------	C:\Program Files\ASUS
2008-01-16 00:59 . 2006-01-10 03:50	24,576	-ra------	C:\WINDOWS\system32\AsIO.dll
2008-01-16 00:59 . 2006-10-18 14:12	12,664	-ra------	C:\WINDOWS\system32\drivers\AsIO.sys
2008-01-16 00:59 . 2006-10-19 03:11	12,096	--a------	C:\WINDOWS\system32\drivers\AsInsHelp64.sys
2008-01-16 00:59 . 2006-10-19 03:11	10,304	--a------	C:\WINDOWS\system32\drivers\AsInsHelp32.sys
2008-01-16 00:59 . 2008-01-16 01:00	551	--a------	C:\WINDOWS\setup.iss
2008-01-16 00:54 . 2008-01-16 00:54 d--------	C:\WINDOWS\NV27962800.TMP
2008-01-16 00:52 . 2008-01-31 17:50	26,652	--a------	C:\WINDOWS\system32\nvdb02.adghz
2008-01-16 00:49 . 2008-01-16 00:49 d--------	C:\WINDOWS\ASUSInstAll
2008-01-16 00:46 . 2008-01-16 00:46 d--------	C:\Program Files\NVIDIA Corporation
2008-01-16 00:46 . 2008-01-17 00:11 d--h-----	C:\Program Files\InstallShield Installation Information
2008-01-16 00:45 . 2008-01-16 00:59 d--------	C:\Program Files\Common Files\InstallShield
2008-01-16 00:45 . 2006-08-07 03:39	1,104,896	-ra------	C:\WINDOWS\system32\drivers\nvnrm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 04:17	---------	d--h--w	C:\Program Files\Uninstall Information
2008-01-16 04:13	---------	d-----w	C:\Program Files\microsoft frontpage
2007-11-29 22:30	200,704	----a-w	C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30	1,044,480	----a-w	C:\WINDOWS\system32\libdivx.dll
2007-11-07 09:26	721,920	----a-w	C:\WINDOWS\system32\lsasrv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"MsServer"="msfun80.exe" [2008-01-31 17:50 309930 C:\WINDOWS\system32\msfun80.exe]
"Steam"="c:\program files\steam\steam.exe" [2008-01-17 00:26 1266936]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 23:43 7630848]
"NvMediaCenter"="NvMCTray.dll" [2006-08-11 23:43 86016 C:\WINDOWS\system32\nvmctray.dll]
"IMJPMIG8.2"="msime82.exe" [2008-01-31 17:40 309930 C:\WINDOWS\system32\msime82.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 08:34 868352]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 07:12 729088]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-02-14 11:15 147456]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
-ra------ 2006-12-28 20:54 363008 C:\Program Files\ASUS\AASP\1.00.24\AsRunHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
c:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
c:\Program Files\Norton Internet Security\cfgwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
--a------ 2006-12-08 15:24 3714048 C:\Program Files\ASUS\AI Booster\OverClk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsServer]
--a------ 2008-01-31 17:50 309930 C:\WINDOWS\system32\msfun80.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-08-11 23:43 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\Program Files\Save\Save.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSearch]
C:\Program Files\WhenUSearch\Search.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSearchWHSE]
C:\Program Files\WhenUSearch\whse.exe

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-04-24 22:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fad4bf0-c402-11dc-9bfc-001d60638097}]
\Shell\Auto\command - E:\fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fad4bf1-c402-11dc-9bfc-001d60638097}]
\Shell\Auto\command - E:\fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 18:05:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IMJPMIG8.2 = msime82.exe???. 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsServer = msfun80.exe???.

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-01 18:05:37
ComboFix-quarantined-files.txt 2008-02-01 23:05:30
.
2008-01-18 01:11:15	--- E O F ---

Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:12:58 PM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\algsrvs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IMJPMIG8.2] msime82.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsServer] msfun80.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5669 bytes


----------



## dvk01 (Dec 14, 2002)

Make sure your USB drive is plugged in to E: as we need to disinfect that as well

download the attached CFScript.txt to your desktop

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further.

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Remember to reconnect to the net and enable any disabled antivirus etc. BEFORE reconnecting.

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*

At the end it will pop up an alert and ask you to send the zip file it will create.

Please follow those instructions.

Edited on 20 January 2009 to remove the cfscript
because I am fed up with totally incompetent blathering idiots who can't or won't read and see a year-old topic and run a cf script not designed to fix their problem despite these clear instructions.

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*


----------



## d2thesong (Jan 23, 2008)

dvk01 said:


> Make sure your USB drive is plugged in to E: as we need to disinfect that as well


The thing is, I don't have a USB drive plugged in, but at the bottom right of the taskbar it claims that I have a hardware device that is "safely remove hardware".


----------



## dvk01 (Dec 14, 2002)

Just ignore that for now and run ComboFix.


----------



## d2thesong (Jan 23, 2008)

ComboFix:

ComboFix 08-02.01.1 - Dave Song 2008-02-01 13:27:58.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.683 [GMT -5:00]
Running from: C:\Documents and Settings\Dave Song\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dave Song\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\fun.xls.exe
C:\Documents and Settings\Dave Song\Application Data\WhenU
C:\Documents and Settings\Dave Song\Application Data\WhenU\dtStore.dat
C:\fun.xls.exe
C:\Program Files\Common Files\WhenU
C:\Program Files\Common Files\WhenU\DTAdapter.exe
C:\Program Files\Common Files\WhenU\DTPlugin.dll
C:\WINDOWS\system32\algsrvs.exe
C:\WINDOWS\system32\msfun80.exe
C:\WINDOWS\system32\msime82.exe
C:\WINDOWS\ufdata2000.log

.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-01-31 18:01 . 2004-08-03 23:00	260,272	--a------	C:\cmldr
2008-01-31 18:01 . 2008-01-16 03:40	211	--a------	C:\Boot.bak
2008-01-29 21:52 . 2008-02-01 08:04 d--------	C:\Documents and Settings\Dave Song\Application Data\skypePM
2008-01-29 21:52 . 2008-01-29 21:52	32	--a------	C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-29 21:51 . 2008-01-29 21:51 d--------	C:\Program Files\Skype
2008-01-29 21:51 . 2008-01-29 21:51 d--------	C:\Program Files\Common Files\Skype
2008-01-29 21:51 . 2008-02-01 13:23 d--------	C:\Documents and Settings\Dave Song\Application Data\Skype
2008-01-29 21:51 . 2008-01-29 21:51 d--------	C:\Documents and Settings\All Users\Application Data\Skype
2008-01-29 20:48 . 2008-01-29 20:48 d--------	C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-29 20:45 . 2008-01-29 20:45 d--------	C:\Program Files\Bonjour
2008-01-29 20:41 . 2008-01-29 20:41 d--------	C:\Program Files\Common Files\Macrovision Shared
2008-01-26 03:07 . 2008-01-26 03:07 d--------	C:\Program Files\Trend Micro
2008-01-25 01:41 . 2008-01-25 02:25 d--------	C:\Documents and Settings\Dave Song\Application Data\Ventrilo
2008-01-25 00:40 . 2008-01-25 03:53 d--------	C:\Program Files\BitLord
2008-01-24 23:01 . 2008-01-24 23:01 d--------	C:\Program Files\Viewpoint
2008-01-24 23:01 . 2008-01-24 23:01 d--------	C:\Program Files\Common Files\AOL
2008-01-24 23:01 . 2008-01-24 23:01 d--------	C:\Documents and Settings\Dave Song\Application Data\acccore
2008-01-24 23:01 . 2008-01-24 23:01 d--------	C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-24 23:01 . 2008-01-24 23:01 d--------	C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-24 23:01 . 2008-01-24 23:01 d--------	C:\Documents and Settings\All Users\Application Data\AOL
2008-01-24 23:00 . 2008-01-24 23:01 d--------	C:\Program Files\AIM6
2008-01-24 23:00 . 2008-01-24 23:01	532	--ah-----	C:\IPH.PH
2008-01-24 22:46 . 2008-01-24 22:46 d--------	C:\Program Files\Windows Resource Kits
2008-01-23 01:21 . 2008-01-23 01:21 d--------	C:\WINDOWS\Sun
2008-01-23 01:21 . 2008-01-23 01:21 d--------	C:\Program Files\Java
2008-01-23 01:21 . 2008-01-23 01:21 d--------	C:\Program Files\Common Files\Java
2008-01-23 01:21 . 2007-09-24 23:31	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
2008-01-22 05:13 . 2008-01-22 05:13 d--------	C:\Documents and Settings\Dave Song\Application Data\vlc
2008-01-22 05:11 . 2008-01-22 05:11 d--------	C:\Program Files\VideoLAN
2008-01-22 00:42 . 2008-01-22 02:15 d--------	C:\Documents and Settings\Dave Song\temp
2008-01-22 00:37 . 2008-01-22 02:15 d--h-----	C:\Documents and Settings\Dave Song\QMCache00
2008-01-22 00:37 . 2008-01-26 04:32 d--------	C:\Documents and Settings\Dave Song\Application Data\Move Networks
2008-01-19 00:36 . 2008-01-19 00:36 d--------	C:\Program Files\Ventrilo
2008-01-19 00:36 . 2008-01-19 00:36 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-17 01:04 . 2008-01-17 01:04 d--------	C:\Program Files\DivX
2008-01-17 01:04 . 2008-01-23 01:21	793	--a------	C:\WINDOWS\mozver.dat
2008-01-17 00:47 . 2008-01-17 00:47 d--------	C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-01-17 00:25 . 2008-02-01 13:30 d--------	C:\Program Files\Steam
2008-01-17 00:11 . 2008-01-17 00:11 d--------	C:\Program Files\Razer
2008-01-17 00:11 . 2008-01-17 00:11 d--------	C:\Documents and Settings\Dave Song\Application Data\InstallShield
2008-01-17 00:11 . 2007-03-20 19:05	73,728	--a------	C:\WINDOWS\system32\Diamondback.cpl
2008-01-17 00:11 . 2005-04-24 22:43	13,225	--a------	C:\WINDOWS\system32\drivers\Razerlow.sys
2008-01-16 23:53 . 2008-01-16 23:53 d--------	C:\Program Files\Analog Devices
2008-01-16 23:34 . 2008-01-16 23:34	0	--a------	C:\WINDOWS\nsreg.dat
2008-01-16 03:22 . 2008-01-16 03:22	129	---hs----	C:\AUTORUN.INF
2008-01-16 03:11 . 2008-01-16 03:11 d--------	C:\Program Files\Lavasoft
2008-01-16 03:11 . 2008-01-16 03:11 d--------	C:\Documents and Settings\Dave Song\Application Data\Lavasoft
2008-01-16 03:07 . 2008-01-16 03:07 d--------	C:\Program Files\MSBuild
2008-01-16 03:07 . 2008-01-16 03:07 d--------	C:\Program Files\Microsoft Works
2008-01-16 03:07 . 2006-10-26 19:56	32,592	--a------	C:\WINDOWS\system32\msonpmon.dll
2008-01-16 03:05 . 2008-01-16 03:06 d--------	C:\WINDOWS\SHELLNEW
2008-01-16 03:05 . 2008-01-16 03:07 d--------	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-16 03:04 . 2008-01-16 03:04 dr-h-----	C:\MSOCache
2008-01-16 02:46 . 2008-01-16 02:46 d--------	C:\Program Files\DAEMON Tools
2008-01-16 02:42 . 2008-01-16 02:42	611,064	--a------	C:\WINDOWS\system32\drivers\sptd.sys
2008-01-16 02:13 . 2004-08-03 23:08	31,616	--a------	C:\WINDOWS\system32\drivers\usbccgp.sys
2008-01-16 02:13 . 2004-08-03 23:08	31,616	--a--c---	C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-01-16 02:13 . 2004-08-03 23:08	26,496	--a--c---	C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-16 02:04 . 2008-01-16 02:06 d--------	C:\WINDOWS\nview
2008-01-16 02:04 . 2006-08-11 23:42	208,896	--a------	C:\WINDOWS\system32\nvudisp.exe
2008-01-16 02:04 . 2008-02-01 13:30	81,191	--a------	C:\WINDOWS\system32\nvapps.xml
2008-01-16 02:04 . 2006-08-11 23:42	16,960	--a------	C:\WINDOWS\system32\nvdisp.nvu
2008-01-16 01:32 . 2006-05-05 04:41	453,120	-----c---	C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-01-16 01:19 . 2006-09-06 17:43	22,752	--a------	C:\WINDOWS\system32\spupdsvc.exe
2008-01-16 01:19 . 2008-01-16 01:19	13,688	--a------	C:\WINDOWS\system32\wpa.bak
2008-01-16 01:11 . 2008-01-16 01:11 d--------	C:\Program Files\InterVideo Information Service
2008-01-16 01:11 . 2008-01-16 01:11 d--------	C:\Program Files\Common Files\Ulead Systems
2008-01-16 01:11 . 2005-09-20 02:27	10,368	--a------	C:\WINDOWS\system32\iviaspi.sys
2008-01-16 01:11 . 2005-07-26 03:07	10,368	---------	C:\WINDOWS\system32\drivers\iviaspi.sys
2008-01-16 01:11 . 2005-12-14 19:56	519	---------	C:\WINDOWS\remove.iss
2008-01-16 01:10 . 2008-01-16 01:11 d--------	C:\Program Files\InterVideo
2008-01-16 01:10 . 2008-01-16 01:10 d--------	C:\Program Files\Common Files\InterVideo
2008-01-16 01:10 . 2008-01-16 01:10 d--------	C:\Documents and Settings\Dave Song\Application Data\InterVideo
2008-01-16 01:10 . 2005-06-21 02:33	81,920	--a------	C:\WINDOWS\mws.exe
2008-01-16 01:02 . 2008-01-22 04:52 d--------	C:\Program Files\Symantec
2008-01-16 01:02 . 2008-01-22 04:52 d--------	C:\Program Files\Common Files\Symantec Shared
2008-01-16 01:02 . 2008-01-22 04:52 d--------	C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-16 01:02 . 2006-04-10 19:32	51	--a------	C:\delnis.bat
2008-01-16 01:00 . 2008-01-29 20:45 d--------	C:\Program Files\Common Files\Adobe
2008-01-16 00:59 . 2008-01-17 18:59 d--h-----	C:\WINDOWS\$hf_mig$
2008-01-16 00:59 . 2008-01-16 01:00 d--------	C:\Program Files\ASUS
2008-01-16 00:59 . 2006-01-10 03:50	24,576	-ra------	C:\WINDOWS\system32\AsIO.dll
2008-01-16 00:59 . 2006-10-18 14:12	12,664	-ra------	C:\WINDOWS\system32\drivers\AsIO.sys
2008-01-16 00:59 . 2006-10-19 03:11	12,096	--a------	C:\WINDOWS\system32\drivers\AsInsHelp64.sys
2008-01-16 00:59 . 2006-10-19 03:11	10,304	--a------	C:\WINDOWS\system32\drivers\AsInsHelp32.sys
2008-01-16 00:59 . 2008-01-16 01:00	551	--a------	C:\WINDOWS\setup.iss
2008-01-16 00:54 . 2008-01-16 00:54 d--------	C:\WINDOWS\NV27962800.TMP
2008-01-16 00:52 . 2008-02-01 13:30	28,132	--a------	C:\WINDOWS\system32\nvdb02.adghz
2008-01-16 00:49 . 2008-01-16 00:49 d--------	C:\WINDOWS\ASUSInstAll
2008-01-16 00:46 . 2008-01-16 00:46 d--------	C:\Program Files\NVIDIA Corporation
2008-01-16 00:46 . 2008-01-17 00:11 d--h-----	C:\Program Files\InstallShield Installation Information
2008-01-16 00:45 . 2008-01-16 00:59 d--------	C:\Program Files\Common Files\InstallShield
2008-01-16 00:45 . 2006-08-07 03:39	1,104,896	-ra------	C:\WINDOWS\system32\drivers\nvnrm.sys
2008-01-16 00:44 . 2008-01-16 23:51	25,816	--a------	C:\WINDOWS\Ascd_tmp.ini
2008-01-16 00:44 . 2006-10-10 22:33	10,288	--a------	C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-01-16 00:44 . 2004-08-12 21:56	5,810	-ra------	C:\WINDOWS\system32\drivers\ASACPI.sys
2008-01-15 18:06 . 2001-08-17 08:59	3,072	--a------	C:\WINDOWS\system32\drivers\audstub.sys
2008-01-15 18:05 . 2004-08-03 19:56	74,240	--a------	C:\WINDOWS\system32\usbui.dll
2008-01-15 18:05 . 2004-08-03 17:59	57,472	--a------	C:\WINDOWS\system32\drivers\redbook.sys
2008-01-15 18:05 . 2001-08-17 08:46	6,400	--a------	C:\WINDOWS\system32\drivers\enum1394.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 04:17	---------	d--h--w	C:\Program Files\Uninstall Information
2008-01-16 04:13	---------	d-----w	C:\Program Files\microsoft frontpage
2007-11-29 22:30	200,704	----a-w	C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30	1,044,480	----a-w	C:\WINDOWS\system32\libdivx.dll
2007-11-07 09:26	721,920	----a-w	C:\WINDOWS\system32\lsasrv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Steam"="c:\program files\steam\steam.exe" [2008-01-17 00:26 1266936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 23:43 7630848]
"NvMediaCenter"="NvMCTray.dll" [2006-08-11 23:43 86016 C:\WINDOWS\system32\nvmctray.dll]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 08:34 868352]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 07:12 729088]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-02-14 11:15 147456]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
-ra------ 2006-12-28 20:54 363008 C:\Program Files\ASUS\AASP\1.00.24\AsRunHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
c:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
c:\Program Files\Norton Internet Security\cfgwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
--a------ 2006-12-08 15:24 3714048 C:\Program Files\ASUS\AI Booster\OverClk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-08-11 23:43 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-04-24 22:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fad4bf0-c402-11dc-9bfc-001d60638097}]
\Shell\Auto\command - E:\fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fad4bf1-c402-11dc-9bfc-001d60638097}]
\Shell\Auto\command - E:\fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 13:30:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\program files\steam\steam.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
.
**************************************************************************
.
Completion time: 2008-02-01 13:32:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 18:32:07
ComboFix2.txt 2008-02-01 23:05:38
.
2008-01-18 01:11:15	--- E O F ---

Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:55 PM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5493 bytes
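
As an added defender-side example, not part of this thread and not code from HijackThis or ComboFix: a small Python scanner that reads log lines in the two formats posted above (HijackThis `O4` autostart lines and ComboFix `mountpoints2` blocks) and flags the patterns that marked the infection here. The sample lines are constructed after the entries in the logs above; the heuristics (an autostart image given with no path, a double extension such as `.xls.exe`, and a cached `Auto`/`AutoRun` handler on a mounted volume) and the `KNOWN_LAUNCHERS` set are my own assumptions for this example, not rules from either tool.

```python
"""Flag suspicious autostart entries in HijackThis O4 lines and ComboFix
mountpoints2 blocks. Added example for this thread; not code from the
thread, HijackThis or ComboFix. Heuristics are the author's assumptions."""
import re
from typing import Dict, List

# Constructed sample, modelled on the HijackThis and ComboFix entries posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IMJPMIG8.2] msime82.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsServer] msfun80.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fad4bf0-c402-11dc-9bfc-001d60638097}]
\Shell\Auto\command - E:\fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe
"""

# HijackThis line: O4 - HKCU\..\Run: [MsServer] msfun80.exe
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# ComboFix "Reg Loading Points": a mountpoints2 key header, then its \Shell\<verb>\command lines
MP_KEY_RE = re.compile(
    r'^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer'
    r'\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})\]$', re.IGNORECASE)
MP_CMD_RE = re.compile(r'^\\Shell\\(?P<verb>\w+)\\command - (?P<cmd>.+)$')
# Executable disguised as a document: fun.xls.exe
DISGUISE_RE = re.compile(r'\.(xls|doc|ppt|pdf|jpg|txt)\.exe$', re.IGNORECASE)
# Assumed list of system launchers that legitimately appear without a path in Run entries.
KNOWN_LAUNCHERS = {'rundll32.exe'}
AUTORUN_VERBS = {'auto', 'autorun'}


def command_image(cmd: str) -> str:
    """Return the program token of a command line, stripping surrounding quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0]


def image_reasons(image: str) -> List[str]:
    """Heuristic checks on a single executable reference."""
    reasons = []
    base = image.rsplit('\\', 1)[-1]
    if '\\' not in image and base.lower() not in KNOWN_LAUNCHERS:
        reasons.append('unqualified image name: resolved by path search at logon')
    if DISGUISE_RE.search(base):
        reasons.append('double extension disguising an executable as a document')
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious O4 entry or mountpoints2 autorun handler."""
    findings: List[Dict[str, object]] = []
    current_guid = None
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            image = command_image(m.group('cmd'))
            reasons = image_reasons(image)
            if reasons:
                findings.append({'source': 'O4 ' + m.group('hive'), 'name': m.group('name'),
                                 'image': image, 'reasons': reasons})
            continue
        m = MP_KEY_RE.match(line)
        if m:
            current_guid = m.group('guid')
            continue
        m = MP_CMD_RE.match(line)
        if m and current_guid and m.group('verb').lower() in AUTORUN_VERBS:
            cmd = m.group('cmd')
            image = command_image(cmd)
            # ShellExec_RunDLL launches its last argument; report that target instead of rundll32
            if 'shellexec_rundll' in cmd.lower():
                image = cmd.split()[-1]
            reasons = image_reasons(image)
            reasons.append('cached autorun.inf handler on mounted volume ' + current_guid)
            findings.append({'source': 'mountpoints2', 'name': m.group('verb'),
                             'image': image, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['source']:<12} {f['name']:<18} {f['image']}")
        for r in f['reasons']:
            print('    -', r)
```

Run it against a saved HijackThis or ComboFix log by passing the file contents to `scan_log`; entries with a full path to a known product (the Java updater, Steam) and the `rundll32` launcher pass silently, while the bare `msime82.exe`/`msfun80.exe` names and both `fun.xls.exe` autorun handlers are reported with the reason for each.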


----------



## d2thesong (Jan 23, 2008)

Everything works great! I want to thank devilhimself and dvk01 for ALL of the extensive help that has been put into this error. I can't thank you guys enough, I am truly and humbly obliged!

Excellent site, and awesome members!

I'm definitely adding this site to my favorites.


----------



## dvk01 (Dec 14, 2002)

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

*If you use Firefox browser as well as Internet Explorer or instead of it then also do this step*

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

*If you use Opera browser as well as Internet Explorer or instead of it then also do this step*

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

Notes for Windows Vista users:

On Windows Vista, "Windows Temp" is disabled; to empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".
Prefetch has been disabled on Windows Vista. As the author is not sure of the effects that emptying prefetch on Windows Vista will have, for the time being that function won't be enabled.

Please *download* the *OTMoveIt by OldTimer*.

 *Save* it to your *desktop*.
 Please double-click *OTMoveIt.exe* to run it.
Press Cleanup and it will search for and delete/uninstall all the tools we have used to fix your problems and all their backup folders, and then delete itself when you next reboot.

Then turn off system restore by following the instructions here:
http://www.thespykiller.co.uk/index.php?page=8
That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable system restore and create a new restore point. Now empty the Recycle Bin on the desktop.

Go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

And scan here http://secunia.com/software_inspector/ for out-of-date and vulnerable common applications on your computer.

Then pay an urgent visit to Windows Update and make sure you are fully updated; that will help to plug the security holes that let these pests on in the first place.


----------

