# love.exe help



## bigdaddysjm09 (Jan 9, 2008)

I have something on my computer; it's in my C:/WINDOWS/system32/ folder and it's known as love.exe.

It doesn't put any damper on my system performance; all it does is use a lot of page file and RAM, but I can open up Task Manager and end the love.exe process and functions return to normal. I've used Lavasoft Ad-Aware Pro, Norton Internet Security, SpyHunter 3 Security Suite and Uniblue SpyEraser and run FULL scans. They picked up some cookies and a few other things but won't remove love.exe. It's stuck there. I can go into the system32 folder and delete it, and the next time I start up my computer it's right there again and just starts up with my computer again. Someone please help me remove this pain in the neck.


----------



## bigdaddysjm09 (Jan 9, 2008)

Could someone please help me with this? It's starting to affect my system performance and I don't know what it is. The process, as listed above, is love.exe.

It's located in
C:/WINDOWS/system32/love.exe
I uninstalled Norton 2008 and installed Norton 2007, and it picked up stuff in the full system scan that Norton 2008 didn't. I updated my Uniblue SpyEraser and ran a deep scan; it picked up the file love.exe and an S.bat file. Both were located in my system32 folder. They were removed and I restarted my computer afterwards, and they're right there again. Norton Internet Security doesn't pick this up, by the way. Can someone please help me?


----------



## Cookiegal (Aug 27, 2003)

*Click here* to download *HJTsetup.exe*.

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

*Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean-up process is finished, as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.*

*Also, please do not run any security programs or fixes on your own, as doing so may compromise what we will be doing. It is important that you wait for instructions.*


----------



## bigdaddysjm09 (Jan 9, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:04 PM, on 5/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SQ931STI.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\rserver30\RServer3.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\love.exe
C:\WINDOWS\system32\rserver30\FamItrfc.Exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\MsiExec.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SQ931STI] C:\WINDOWS\SQ931STI.EXE
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKCU\..\Policies\Explorer\Run: [] C:\WINDOWS\system32\config\sysrestore.exe -s
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - 
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 
O17 - HKLM\Software\..\Telephony: DomainName = 
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 
O23 - Service: Ad-Aware 2007 Service (aawservice) - - (no file)
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avp - GRISOFT, s.r.o. - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 10110 bytes
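
A small triage script for a HijackThis v2 log, added here as an example (it is not part of HijackThis or of this thread). It cross-references the Running processes list against the O4 run keys and O23 services in the same log, so that a process running from the Windows directory with no visible load point, which is exactly the situation with love.exe in the log above, stands out before anything is "fixed". The sample log is a constructed excerpt of the one posted, and the allowlist of core XP processes is this example's own assumption.

```python
"""Triage a HijackThis (HJT) v2 log: cross-reference 'Running processes'
with the O4 run keys and O23 services in the same log.
Added example for this thread, not part of HijackThis."""
import re

# Constructed excerpt of the first HJT log posted in the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rserver30\RServer3.exe
C:\WINDOWS\system32\love.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [] C:\WINDOWS\system32\config\sysrestore.exe -s
O23 - Service: Ad-Aware 2007 Service (aawservice) - - (no file)
O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# XP processes started by the boot/SCM chain rather than by a Run key or a
# service entry, so a missing load point is expected (assumed allowlist).
CORE_XP = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
           "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}

def exe_from_command(cmd):
    """Pull the executable out of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd.strip('"')
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split() or [""])[0]

def parse_service(line):
    """O23 lines read 'name - company - path'; with an empty company HJT
    prints 'name - - path', which a naive split on ' - ' gets wrong."""
    name, _, rest = line[len("O23 - Service: "):].partition(" - ")
    company, sep, path = rest.rpartition(" - ")
    if not sep:
        company, path = "", rest.lstrip("- ")
    return name, company, path.strip()

def parse_hjt(text):
    """Return dict with 'processes', 'run' (hive, name, exe), 'services'."""
    log = {"processes": [], "run": [], "services": []}
    in_procs = False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            if line:
                log["processes"].append(line)
            else:
                in_procs = False          # a blank line ends the list
        elif line.startswith("O23 - Service: "):
            log["services"].append(parse_service(line))
        else:
            m = O4_RE.match(line)
            if m:
                log["run"].append((m["hive"], m["name"], exe_from_command(m["cmd"])))
    return log

def _norm(p):
    return p.strip().strip('"').lower()

def _base(p):
    return _norm(p).rsplit("\\", 1)[-1]

def triage(log):
    """Return (finding, detail) pairs a helper would want explained first."""
    findings = []
    known = {_norm(e[2]) for e in log["run"]} | {_norm(s[2]) for s in log["services"]}
    known_names = {_base(p) for p in known}
    for proc in log["processes"]:
        p = _norm(proc)
        if _base(p) in CORE_XP or p in known or _base(p) in known_names:
            continue
        # Running from the Windows directory with no load point HJT shows:
        # something the log does not list (a batch file, a scheduled task,
        # another service) is launching it.  Interactive tools such as
        # taskmgr.exe land here too and are easy to dismiss by hand.
        if p.startswith("c:\\windows\\"):
            findings.append(("process-without-loadpoint", proc))
    for hive, name, exe in log["run"]:
        if not name.strip():              # Run values normally carry a name
            findings.append(("unnamed-run-entry", f"{hive} -> {exe}"))
    for name, _company, path in log["services"]:
        if path.lower() == "(no file)":   # service entry whose binary is gone
            findings.append(("orphaned-service", name))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{kind:27} {detail}")
```

Run against the full log above, the same check also lists interactive tools (taskmgr.exe, HijackThis.exe) under the first finding; those are explained by the user having launched them, which is the point of the cross-reference: every running process should have an explanation.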


----------



## Cookiegal (Aug 27, 2003)

Please visit *ComboFix Guide & Instructions* for instructions on downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.


----------



## bigdaddysjm09 (Jan 9, 2008)

ComboFix log

ComboFix 08-05-11.1 - Stephen Matthews 2008-05-11 12:41:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.137 [GMT -7:00]
Running from: C:\Documents and Settings\Stephen Matthews.STEPHEN\Desktop\ComboFix.exe
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\msvrc20.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000017_.tmp.dll
C:\WINDOWS\system32\_000024_.tmp.dll
C:\WINDOWS\system32\_000028_.tmp.dll
C:\WINDOWS\system32\_000029_.tmp.dll
C:\WINDOWS\system32\_000030_.tmp.dll
C:\WINDOWS\system32\_000031_.tmp.dll
C:\WINDOWS\system32\_000032_.tmp.dll
C:\WINDOWS\system32\_000034_.tmp.dll
C:\WINDOWS\system32\_000058_.tmp.dll
C:\WINDOWS\system32\i.txt
C:\WINDOWS\system32\Ultra.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))
.

2008-05-10 20:42 . 2008-05-10 20:42 d----c---	C:\Program Files\Trend Micro
2008-05-10 20:32 . 2008-05-10 20:32	66	--a--c---	C:\WINDOWS\system32\S.BAT
2008-05-07 20:52 . 2008-05-07 20:52 d----c---	C:\Program Files\Radmin Viewer 3
2008-05-07 18:32 . 2008-05-07 18:32 d----c---	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Radmin
2008-05-07 16:57 . 2008-05-10 19:27 d----c---	C:\WINDOWS\system32\rserver30
2008-05-06 17:58 . 2008-05-06 17:58 d----c---	C:\WINDOWS\Migo Recover Lost Data
2008-05-06 14:20 . 2008-05-06 14:20 d----c---	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Aurora Web Editor
2008-05-06 10:49 . 2008-05-06 16:05 d----c---	C:\Program Files\Multimedia Australia
2008-05-03 21:44 . 2008-05-05 17:55 d----c---	C:\Program Files\SUPERAntiSpyware
2008-05-03 21:44 . 2008-05-05 17:55 d----c---	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\SUPERAntiSpyware.com
2008-05-03 12:56 . 2008-05-03 12:56 d----c---	C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-05-01 21:44 . 2008-05-01 21:44 d----c---	C:\Setup
2008-05-01 20:56 . 2008-05-01 20:56 d--hsc---	C:\INCINERATE
2008-04-29 14:42 . 2008-04-29 14:42 d----c---	C:\Program Files\Speed Gear 5
2008-04-27 20:07 . 2008-04-27 20:40 d----c---	C:\Program Files\Norton Internet Security
2008-04-27 20:06 . 2008-04-27 20:35	123,952	--a--c---	C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-27 20:06 . 2008-04-27 20:35	60,800	--a--c---	C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-27 20:05 . 2008-04-27 20:35 d----c---	C:\Program Files\Symantec
2008-04-27 19:15 . 2008-04-27 19:17 d----c---	C:\WINDOWS\system32\Adobe
2008-04-26 11:51 . 2008-04-26 11:51	24	--a--c---	C:\WINDOWS\ES_2_D1.prf
2008-04-26 11:51 . 2008-04-26 11:51	24	--a--c---	C:\WINDOWS\ES_1_D1.prf
2008-04-26 11:51 . 2008-04-26 11:51	24	--a--c---	C:\WINDOWS\AM_D0.PRF
2008-04-26 07:45 . 2008-04-26 07:45 d----c---	C:\Documents and Settings\All Users\Application Data\SRS Labs
2008-04-26 07:45 . 2007-05-03 10:27	47,360	-ra--c---	C:\WINDOWS\system32\drivers\Surroundhp_kern_i386.sys
2008-04-26 07:45 . 2007-05-03 10:27	46,592	-ra--c---	C:\WINDOWS\system32\drivers\tshd4_kern_i386.sys
2008-04-26 07:45 . 2007-05-03 10:28	39,552	-ra--c---	C:\WINDOWS\system32\drivers\SRS_SSCFilter_i386.sys
2008-04-26 07:45 . 2007-05-03 10:27	37,248	-ra--c---	C:\WINDOWS\system32\drivers\csiidecoder_kern_i386.sys
2008-04-26 07:45 . 2007-05-03 10:27	32,000	-ra--c---	C:\WINDOWS\system32\drivers\wowhd_kern_i386.sys
2008-04-25 21:06 . 2008-04-25 21:06 d----c---	C:\Program Files\Google Hacks
2008-04-25 15:12 . 2007-12-24 17:37	138,384	--a--c---	C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-24 21:00 . 2008-04-24 21:00 d----c---	C:\Documents and Settings\Administrator.STEPHEN\Application Data\Lavasoft
2008-04-23 18:56 . 2008-04-23 18:56 d----c---	C:\Program Files\LimeWire
2008-04-23 17:06 . 2008-04-23 17:06	71	--a--c---	C:\WINDOWS\SpotAuditor.INI
2008-04-22 15:01 . 2008-04-22 15:01 d----c---	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\DAEMON Tools Pro
2008-04-22 14:56 . 2007-02-22 09:05	90,112	--a--c---	C:\Progr_.dll
2008-04-22 14:38 . 2008-04-22 14:38 d----c---	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\DAEMON Tools
2008-04-22 14:38 . 2008-04-22 14:38	717,296	--a--c---	C:\WINDOWS\system32\drivers\sptd.sys
2008-04-22 04:59 . 2008-04-22 04:59	1,409	--a--c---	C:\WINDOWS\system32\tmp621EE.FOT
2008-04-22 04:59 . 2008-04-22 04:59	24	--a--c---	C:\WINDOWS\AM_D8.PRF
2008-04-22 04:55 . 2008-04-26 11:26 d----c---	C:\Program Files\Graffiti Studio 2.0
2008-04-21 22:11 . 2008-04-21 22:11 d----c---	C:\WINDOWS\uninstall\F4U KeyGen Maker
2008-04-21 22:11 . 2008-04-21 22:11 d----c---	C:\WINDOWS\uninstall
2008-04-21 20:17 . 2008-04-21 20:17	16	--a--c---	C:\WINDOWS\system32\coh.cache
2008-04-20 20:25 . 2008-04-20 20:25 d----c---	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-04-20 20:13 . 2008-04-21 21:25 d----c---	C:\Program Files\Wireless WEP Key Password Spy
2008-04-18 19:01 . 2008-04-23 10:58 d----c---	C:\Program Files\Speeditup Free
2008-04-17 04:49 . 2007-12-19 11:06	172,032	--a--c---	C:\WINDOWS\system32\igfxres.dll
2008-04-17 04:45 . 2008-04-17 04:45 d----c---	C:\WINDOWS\OPTIONS
2008-04-17 04:45 . 2008-04-17 04:45 d----c---	C:\Program Files\Realtek
2008-04-17 04:43 . 2008-01-31 21:45	53,248	--a--c---	C:\WINDOWS\system32\CSVer.dll
2008-04-17 04:40 . 2008-04-17 04:40 d----c---	C:\WINDOWS\system32\ENU
2008-04-17 04:40 . 2007-10-18 15:51	126,976	--a--c---	C:\WINDOWS\system32\Imsmudlg.exe
2008-04-16 22:59 . 2004-06-14 14:56	427,864	--a--c---	C:\WINDOWS\system32\XceedZip.dll
2008-04-16 22:38 . 2008-04-16 22:46 d--h-c---	C:\Documents and Settings\All Users\Application Data\{36D03E21-363A-4CBC-9E13-A90BDCFAFB04}
2008-04-14 14:52 . 2008-04-14 14:52 d----c---	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-14 14:34 . 2008-04-19 09:21 d----c---	C:\Program Files\XoftSpySE
2008-04-13 22:26 . 2008-05-10 20:37 d-a--c---	C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-13 12:40 . 2008-04-30 09:24 d----c---	C:\WINDOWS\system32\NtmsData
2008-04-11 21:28 . 2007-10-01 16:40	1,526,072	--a--c---	C:\WINDOWS\WRSetup.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 19:43	---------	dc----w	C:\Program Files\Common Files\Symantec Shared
2008-05-11 03:32	495,616	-cs---w	C:\WINDOWS\system32\love.exe
2008-05-11 02:30	---------	dc----w	C:\Program Files\Thinstall.VS
2008-05-09 00:26	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\U3
2008-05-08 02:35	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Thinstall
2008-05-07 22:51	---------	dc----w	C:\Program Files\FriendBlasterPro
2008-05-06 00:58	---------	dc-h--w	C:\Program Files\InstallShield Installation Information
2008-05-06 00:55	---------	dc----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-05-03 21:01	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Registry Help Pro
2008-05-03 20:47	---------	dc----w	C:\Program Files\TuneUp Utilities 2008
2008-05-03 20:46	307,968	-c--a-w	C:\WINDOWS\system32\TuneUpDefragService.exe
2008-05-02 16:18	---------	dc----w	C:\Documents and Settings\All Users\Application Data\iolo
2008-04-30 16:27	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\iolo
2008-04-30 16:24	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\LimeWire
2008-04-30 16:24	---------	dc----w	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-30 15:02	---------	dc----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-30 00:14	---------	dc----w	C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-28 03:39	6,596	-csha-w	C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-28 03:39	58,912	-csha-w	C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-28 03:35	805	-c--a-w	C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-04-28 03:35	10,740	-c--a-w	C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-04-26 13:54	---------	dc----w	C:\Program Files\RegCure
2008-04-24 01:52	---------	dc----w	C:\Program Files\Microsoft Money 2006
2008-04-20 20:10	---------	dc----w	C:\Program Files\KGB Archiver 2
2008-04-17 22:24	---------	dc----w	C:\Program Files\Hewlett-Packard
2008-04-17 11:40	---------	dc----w	C:\Program Files\Intel
2008-04-14 04:15	---------	dc----w	C:\Documents and Settings\All Users\Application Data\Trymedia
2008-04-12 04:47	---------	dc----w	C:\Program Files\Hitman Pro
2008-04-11 06:55	---------	dc----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-11 03:57	164	-c--a-w	C:\install.dat
2008-04-08 03:42	32,300	-csha-w	C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-08 03:42	2,331,424	-csha-w	C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-08 01:46	---------	dc----w	C:\Program Files\Enigma Software Group
2008-04-07 23:46	---------	dc----w	C:\Program Files\Spybot - Search & Destroy
2008-04-07 21:00	---------	dc----w	C:\Program Files\Kaspersky Lab
2008-04-07 05:50	---------	dc----w	C:\Program Files\Yahoo!
2008-04-07 02:07	---------	dc----w	C:\Program Files\Avant Browser
2008-04-04 03:30	31,938	-c--a-w	C:\WINDOWS\system32\tcpipbak.reg
2008-04-03 21:11	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\URSoft
2008-04-03 05:32	---------	dc----w	C:\Program Files\Lavasoft
2008-04-03 01:49	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Auslogics
2008-04-03 01:20	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\IconTweaker
2008-04-02 00:22	---------	dc----w	C:\Program Files\Dachshund Software
2008-04-01 23:51	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Lavasoft
2008-04-01 23:31	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\AdobeUM
2008-04-01 23:27	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Sonic
2008-04-01 23:27	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Leadertech
2008-04-01 02:53	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\JP Software
2008-03-30 23:11	---------	dc----w	C:\Program Files\CBS Software
2008-03-30 05:51	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\acccore
2008-03-30 02:59	---------	dc----w	C:\Program Files\AIM6
2008-03-30 02:59	---------	dc----w	C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-30 02:57	---------	dc----w	C:\Program Files\Common Files\AOL
2008-03-29 21:50	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\InstallShield
2008-03-25 11:51	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\PC Tools
2008-03-21 11:48	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\BinarySense
2008-03-21 11:36	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\tor
2008-03-21 11:19	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Mask Surf Standard
2008-03-20 18:36	---------	dc----w	C:\Documents and Settings\Administrator.STEPHEN\Application Data\Uniblue
2008-03-20 18:06	---------	dc----w	C:\Program Files\Uniblue
2008-03-20 17:47	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Uniblue
2008-03-20 09:13	---------	dc----w	C:\Program Files\Java
2008-03-19 16:53	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\DMCache
2008-03-19 09:47	1,845,248	-c--a-w	C:\WINDOWS\system32\win32k.sys
2008-03-15 00:52	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint
2008-03-14 19:54	---------	dc----w	C:\Program Files\Microsoft Silverlight
2008-03-14 08:59	---------	dc----w	C:\Program Files\Remove on Reboot
2008-03-14 04:47	---------	dc----w	C:\Program Files\MySpace
2008-03-13 08:51	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\gtk-2.0
2008-03-13 08:47	---------	dc----w	C:\Program Files\PidginPortable
2008-03-13 05:35	---------	dc----w	C:\Program Files\Microsoft Works
2008-03-13 04:21	---------	dc-h--w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\yahoo!
2008-03-11 07:48	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\DelinvFile
2008-03-11 02:33	---------	dc----w	C:\Program Files\Acesoft
2008-03-11 01:40	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\TeamViewer
2008-03-01 13:06	826,368	-c--a-w	C:\WINDOWS\system32\wininet.dll
2008-02-27 20:15	28,416	-c--a-w	C:\WINDOWS\system32\uxtuneup.dll
2008-02-23 06:01	675,328	-c--a-w	C:\WINDOWS\is-L7F12.exe
2008-02-20 06:51	282,624	-c--a-w	C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32	45,568	-c--a-w	C:\WINDOWS\system32\dnsrslvr.dll
2007-12-04 02:07	2	-cshatr	C:\WINDOWS\winstart.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 15:44 178712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 08:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 22:58 458752]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 15:21 135168]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 10:23 1187840]
"SQ931STI"="C:\WINDOWS\SQ931STI.EXE" [2007-01-24 14:24 151552]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 22:22 794713]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-19 11:08 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-19 11:08 159744]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-19 11:07 131072]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 02:04 84640]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 20:22 26248]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 13:32 8699904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= love.exe

[HKLM\~\startupfolder\C:^Documents and Settings^Stephen Matthews.STEPHEN^Start Menu^Programs^StartUp^HDDlife.lnk]
backup=C:\WINDOWS\pss\HDDlife.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedConnectStartUp]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 raddrvv3;raddrvv3;C:\WINDOWS\system32\rserver30\raddrvv3.sys [2008-04-24 08:49]
R2 RServer3;Radmin Server V3;"C:\WINDOWS\system32\rserver30\RServer3.exe" /service []
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14:00]
R3 mirrorv3;mirrorv3;C:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-11-01 06:01]
S3 SQ931;USB 2.0 Video Camera;C:\WINDOWS\system32\Drivers\Capt931a.sys [2007-03-27 17:44]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-05-03 13:46]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61825c52-ed79-11dc-b43f-0014a5f0bae9}]
\Shell\AutoRun\command - F:\setupSNK.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - RADDRVV3
.
Contents of the 'Scheduled Tasks' folder
"2008-05-03 15:49:47 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Stephen Matthews.job"
- C:\PROGRA~1\Norton Internet Security\Norton AntiVirus\Navw32.exe
"2008-04-24 20:17:03 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 12:43:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-11 12:46:32
ComboFix-quarantined-files.txt 2008-05-11 19:46:27

Pre-Run: 32,881,324,032 bytes free
Post-Run: 32,939,630,592 bytes free

255	--- E O F ---	2008-04-28 02:20:07


----------



## bigdaddysjm09 (Jan 9, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:59 PM, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\rserver30\RServer3.exe
C:\WINDOWS\system32\love.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SQ931STI.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\rserver30\FamItrfc.Exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SQ931STI] C:\WINDOWS\SQ931STI.EXE
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKCU\..\Policies\Explorer\Run: [] C:\WINDOWS\system32\config\sysrestore.exe -s
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - 
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 
O17 - HKLM\Software\..\Telephony: DomainName = 
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 
O23 - Service: Ad-Aware 2007 Service (aawservice) - - (no file)
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avp - GRISOFT, s.r.o. - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9826 bytes


----------



## Cookiegal (Aug 27, 2003)

I just wanted to let you know that I haven't forgotten you but I won't be able to get to that log until tomorrow morning.


----------



## bigdaddysjm09 (Jan 9, 2008)

oh don't worry I can wait, it's all cool... someone looked at it and I've tried everything. I've run scans with Norton Internet Security... NOD32... Kaspersky Internet Security... SpyEraser (Uniblue)... Spybot Search and Destroy... XoftSpy SE... and quite a few online scanners... and they've picked up nothing but cookies, and when I delete this file known as love.exe I get an error saying it's missing out of my system32 folder... but I can wait no problem... thanks for the help so far, I really appreciate it


----------



## Cookiegal (Aug 27, 2003)

Go to the following link and upload the following file(s) for analysis and let me know what the results are please:

http://virusscan.jotti.org/

*C:\WINDOWS\is-L7F12.exe*

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\WINDOWS\system32\S.BAT
C:\WINDOWS\system32\love.exe
C:\WINDOWS\winstart.bat

Folder::
C:\WINDOWS\uninstall\F4U KeyGen Maker
C:\Documents and Settings\All Users\Application Data\Trymedia
C:\Program Files\Enigma Software Group
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint

DirLook::
C:\Setup
C:\INCINERATE
C:\WINDOWS\uninstall
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## bigdaddysjm09 (Jan 9, 2008)

| Scanner | Result |
|---|---|
| A-Squared | Found nothing |
| AntiVir | Found nothing |
| ArcaVir | Found nothing |
| Avast | Found nothing |
| AVG Antivirus | Found nothing |
| BitDefender | Found nothing |
| ClamAV | Found nothing |
| CPsecure | Found nothing |
| Dr.Web | Found nothing |
| F-Prot Antivirus | Found nothing |
| F-Secure Anti-Virus | Found nothing |
| Fortinet | Found nothing |
| Ikarus | Found nothing |
| Kaspersky Anti-Virus | Found nothing |
| NOD32 | Found nothing |
| Norman Virus Control | Found nothing |
| Panda Antivirus | Found nothing |
| Sophos Antivirus | Found nothing |
| VirusBuster | Found nothing |
| VBA32 | Found nothing |


but idk where it came from. If you want me to delete it I can.


----------



## bigdaddysjm09 (Jan 9, 2008)

ComboFix 08-05-11.1 - Stephen Matthews 2008-05-13 20:48:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.188 [GMT -7:00]
Running from: C:\Documents and Settings\Stephen Matthews.STEPHEN\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Stephen Matthews.STEPHEN\Desktop\CFScript.txt
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*

FILE ::
C:\WINDOWS\system32\love.exe
C:\WINDOWS\system32\S.BAT
C:\WINDOWS\winstart.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Trymedia
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-1271263650.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-392803713.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\1469554372.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\155915928.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\656290609.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-1013624820.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-2015586220.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-51377543.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-825612810.swf
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-905540712.mtz
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1806120299.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1879617777.mtz
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-1250051772.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-135678801.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-729682611.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\1759399190.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\1901163955.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\407034558.ini
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-135813659.swf
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\1446580733.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\1469502972.swf
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\1997079084.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\570236374.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\663702647.mts
C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\853263198.mts
C:\Program Files\Enigma Software Group
C:\WINDOWS\system32\i.txt
C:\WINDOWS\system32\love.exe
C:\WINDOWS\system32\S.BAT
C:\WINDOWS\uninstall\F4U KeyGen Maker
C:\WINDOWS\uninstall\F4U KeyGen Maker\setup.exe
C:\WINDOWS\winstart.bat

.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-13 20:40 . 2008-05-13 20:40 d----c---	C:\WINDOWS\LastGood
2008-05-12 20:46 . 2004-03-09 00:00	224,016	--a--c---	C:\WINDOWS\system32\TabCtl32.ocx
2008-05-12 20:46 . 2004-03-09 00:00	132,880	--a--c---	C:\WINDOWS\system32\msinet.ocx
2008-05-12 16:45 . 2007-09-18 15:24	676,224	--a--c---	C:\WINDOWS\system32\OGACheckControl.dll
2008-05-10 20:42 . 2008-05-10 20:42 d----c---	C:\Program Files\Trend Micro
2008-05-07 20:52 . 2008-05-07 20:52 d----c---	C:\Program Files\Radmin Viewer 3
2008-05-07 18:32 . 2008-05-07 18:32 d----c---	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Radmin
2008-05-07 16:57 . 2008-05-10 19:27 d----c---	C:\WINDOWS\system32\rserver30
2008-05-06 17:58 . 2008-05-06 17:58 d----c---	C:\WINDOWS\Migo Recover Lost Data
2008-05-06 14:20 . 2008-05-06 14:20 d----c---	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Aurora Web Editor
2008-05-06 10:49 . 2008-05-06 16:05 d----c---	C:\Program Files\Multimedia Australia
2008-05-03 21:44 . 2008-05-05 17:55 d----c---	C:\Program Files\SUPERAntiSpyware
2008-05-03 21:44 . 2008-05-05 17:55 d----c---	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\SUPERAntiSpyware.com
2008-05-03 12:56 . 2008-05-03 12:56 d----c---	C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-05-01 21:44 . 2008-05-01 21:44 d----c---	C:\Setup
2008-05-01 20:56 . 2008-05-01 20:56 d--hsc---	C:\INCINERATE
2008-04-29 14:42 . 2008-04-29 14:42 d----c---	C:\Program Files\Speed Gear 5
2008-04-27 20:07 . 2008-04-27 20:40 d----c---	C:\Program Files\Norton Internet Security
2008-04-27 20:06 . 2008-04-27 20:35	123,952	--a--c---	C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-27 20:06 . 2008-04-27 20:35	60,800	--a--c---	C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-27 20:05 . 2008-04-27 20:35 d----c---	C:\Program Files\Symantec
2008-04-27 19:15 . 2008-04-27 19:17 d----c---	C:\WINDOWS\system32\Adobe
2008-04-26 11:51 . 2008-04-26 11:51	24	--a--c---	C:\WINDOWS\ES_2_D1.prf
2008-04-26 11:51 . 2008-04-26 11:51	24	--a--c---	C:\WINDOWS\ES_1_D1.prf
2008-04-26 11:51 . 2008-04-26 11:51	24	--a--c---	C:\WINDOWS\AM_D0.PRF
2008-04-26 07:45 . 2008-04-26 07:45 d----c---	C:\Documents and Settings\All Users\Application Data\SRS Labs
2008-04-26 07:45 . 2007-05-03 10:27	47,360	-ra--c---	C:\WINDOWS\system32\drivers\Surroundhp_kern_i386.sys
2008-04-26 07:45 . 2007-05-03 10:27	46,592	-ra--c---	C:\WINDOWS\system32\drivers\tshd4_kern_i386.sys
2008-04-26 07:45 . 2007-05-03 10:28	39,552	-ra--c---	C:\WINDOWS\system32\drivers\SRS_SSCFilter_i386.sys
2008-04-26 07:45 . 2007-05-03 10:27	37,248	-ra--c---	C:\WINDOWS\system32\drivers\csiidecoder_kern_i386.sys
2008-04-26 07:45 . 2007-05-03 10:27	32,000	-ra--c---	C:\WINDOWS\system32\drivers\wowhd_kern_i386.sys
2008-04-25 21:06 . 2008-04-25 21:06 d----c---	C:\Program Files\Google Hacks
2008-04-25 15:12 . 2007-12-24 17:37	138,384	--a--c---	C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-24 21:00 . 2008-04-24 21:00 d----c---	C:\Documents and Settings\Administrator.STEPHEN\Application Data\Lavasoft
2008-04-23 18:56 . 2008-04-23 18:56 d----c---	C:\Program Files\LimeWire
2008-04-23 17:06 . 2008-04-23 17:06	71	--a--c---	C:\WINDOWS\SpotAuditor.INI
2008-04-22 15:01 . 2008-04-22 15:01 d----c---	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\DAEMON Tools Pro
2008-04-22 14:56 . 2007-02-22 09:05	90,112	--a--c---	C:\Progr_.dll
2008-04-22 14:38 . 2008-04-22 14:38 d----c---	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\DAEMON Tools
2008-04-22 14:38 . 2008-04-22 14:38	717,296	--a--c---	C:\WINDOWS\system32\drivers\sptd.sys
2008-04-22 04:59 . 2008-04-22 04:59	1,409	--a--c---	C:\WINDOWS\system32\tmp621EE.FOT
2008-04-22 04:59 . 2008-04-22 04:59	24	--a--c---	C:\WINDOWS\AM_D8.PRF
2008-04-22 04:55 . 2008-04-26 11:26 d----c---	C:\Program Files\Graffiti Studio 2.0
2008-04-21 22:11 . 2008-05-13 20:49 d----c---	C:\WINDOWS\uninstall
2008-04-21 20:17 . 2008-04-21 20:17	16	--a--c---	C:\WINDOWS\system32\coh.cache
2008-04-20 20:25 . 2008-04-20 20:25 d----c---	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-04-20 20:13 . 2008-04-21 21:25 d----c---	C:\Program Files\Wireless WEP Key Password Spy
2008-04-18 19:01 . 2008-05-11 22:35 d----c---	C:\Program Files\Speeditup Free
2008-04-17 04:49 . 2007-12-19 11:06	172,032	--a--c---	C:\WINDOWS\system32\igfxres.dll
2008-04-17 04:45 . 2008-04-17 04:45 d----c---	C:\WINDOWS\OPTIONS
2008-04-17 04:45 . 2008-04-17 04:45 d----c---	C:\Program Files\Realtek
2008-04-17 04:43 . 2008-01-31 21:45	53,248	--a--c---	C:\WINDOWS\system32\CSVer.dll
2008-04-17 04:40 . 2008-04-17 04:40 d----c---	C:\WINDOWS\system32\ENU
2008-04-17 04:40 . 2007-10-18 15:51	126,976	--a--c---	C:\WINDOWS\system32\Imsmudlg.exe
2008-04-16 22:59 . 2004-06-14 14:56	427,864	--a--c---	C:\WINDOWS\system32\XceedZip.dll
2008-04-16 22:38 . 2008-04-16 22:46 d--h-c---	C:\Documents and Settings\All Users\Application Data\{36D03E21-363A-4CBC-9E13-A90BDCFAFB04}
2008-04-14 14:52 . 2008-04-14 14:52 d----c---	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-14 14:34 . 2008-04-19 09:21 d----c---	C:\Program Files\XoftSpySE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 02:53	675,328	-c--a-w	C:\WINDOWS\is-L7F12.exe
2008-05-14 02:22	---------	dc----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-14 02:15	---------	dc----w	C:\Program Files\Common Files\Symantec Shared
2008-05-13 03:43	---------	dc--a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-13 03:30	73,216	-c--a-w	C:\WINDOWS\ST6UNST.EXE
2008-05-13 03:30	249,856	-c----w	C:\WINDOWS\Setup1.exe
2008-05-12 04:02	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\LimeWire
2008-05-11 02:30	---------	dc----w	C:\Program Files\Thinstall.VS
2008-05-09 00:26	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\U3
2008-05-08 02:35	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Thinstall
2008-05-07 22:51	---------	dc----w	C:\Program Files\FriendBlasterPro
2008-05-06 00:58	---------	dc-h--w	C:\Program Files\InstallShield Installation Information
2008-05-06 00:55	---------	dc----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-05-03 21:01	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Registry Help Pro
2008-05-03 20:47	---------	dc----w	C:\Program Files\TuneUp Utilities 2008
2008-05-03 20:46	307,968	-c--a-w	C:\WINDOWS\system32\TuneUpDefragService.exe
2008-05-02 16:18	---------	dc----w	C:\Documents and Settings\All Users\Application Data\iolo
2008-04-30 16:27	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\iolo
2008-04-30 16:24	---------	dc----w	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-30 00:14	---------	dc----w	C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-28 03:39	6,596	-csha-w	C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-28 03:39	58,912	-csha-w	C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-28 03:35	805	-c--a-w	C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-04-28 03:35	10,740	-c--a-w	C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-04-26 13:54	---------	dc----w	C:\Program Files\RegCure
2008-04-24 01:52	---------	dc----w	C:\Program Files\Microsoft Money 2006
2008-04-20 20:10	---------	dc----w	C:\Program Files\KGB Archiver 2
2008-04-17 22:24	---------	dc----w	C:\Program Files\Hewlett-Packard
2008-04-17 11:40	---------	dc----w	C:\Program Files\Intel
2008-04-12 04:47	---------	dc----w	C:\Program Files\Hitman Pro
2008-04-11 06:55	---------	dc----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-11 03:57	164	-c--a-w	C:\install.dat
2008-04-08 03:42	32,300	-csha-w	C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-08 03:42	2,331,424	-csha-w	C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-07 23:46	---------	dc----w	C:\Program Files\Spybot - Search & Destroy
2008-04-07 21:00	---------	dc----w	C:\Program Files\Kaspersky Lab
2008-04-07 05:50	---------	dc----w	C:\Program Files\Yahoo!
2008-04-07 02:07	---------	dc----w	C:\Program Files\Avant Browser
2008-04-04 03:30	31,938	-c--a-w	C:\WINDOWS\system32\tcpipbak.reg
2008-04-03 21:11	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\URSoft
2008-04-03 05:32	---------	dc----w	C:\Program Files\Lavasoft
2008-04-03 01:49	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Auslogics
2008-04-03 01:20	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\IconTweaker
2008-04-02 00:22	---------	dc----w	C:\Program Files\Dachshund Software
2008-04-01 23:51	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Lavasoft
2008-04-01 23:31	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\AdobeUM
2008-04-01 23:27	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Sonic
2008-04-01 23:27	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Leadertech
2008-04-01 02:53	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\JP Software
2008-03-30 23:11	---------	dc----w	C:\Program Files\CBS Software
2008-03-30 05:51	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\acccore
2008-03-30 02:59	---------	dc----w	C:\Program Files\AIM6
2008-03-30 02:57	---------	dc----w	C:\Program Files\Common Files\AOL
2008-03-29 21:50	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\InstallShield
2008-03-25 11:51	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\PC Tools
2008-03-21 11:48	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\BinarySense
2008-03-21 11:36	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\tor
2008-03-21 11:19	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Mask Surf Standard
2008-03-20 18:36	---------	dc----w	C:\Documents and Settings\Administrator.STEPHEN\Application Data\Uniblue
2008-03-20 18:06	---------	dc----w	C:\Program Files\Uniblue
2008-03-20 17:47	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Uniblue
2008-03-20 09:13	---------	dc----w	C:\Program Files\Java
2008-03-19 16:53	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\DMCache
2008-03-19 09:47	1,845,248	-c--a-w	C:\WINDOWS\system32\win32k.sys
2008-03-14 19:54	---------	dc----w	C:\Program Files\Microsoft Silverlight
2008-03-14 08:59	---------	dc----w	C:\Program Files\Remove on Reboot
2008-03-14 04:47	---------	dc----w	C:\Program Files\MySpace
2008-03-01 13:06	826,368	-c--a-w	C:\WINDOWS\system32\wininet.dll
2008-02-27 20:15	28,416	-c--a-w	C:\WINDOWS\system32\uxtuneup.dll
2008-02-20 06:51	282,624	-c--a-w	C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32	45,568	-c--a-w	C:\WINDOWS\system32\dnsrslvr.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\INCINERATE ----

2008-05-01 21:38	65	---hsc---	C:\INCINERATE\desktop.ini 
2008-05-01 20:58	0	--a--c---	C:\INCINERATE\info.shr

---- Directory of C:\Setup ----

2008-05-01 21:44	4090214	--a--c---	C:\Setup\Setup.exe

---- Directory of C:\WINDOWS\uninstall ----

2008-04-21 22:11	417802	--a--c---	C:\WINDOWS\uninstall\F4U KeyGen Maker\setup.exe

((((((((((((((((((((((((((((( snapshot@2008-05-11_12.46.12.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-11 03:32:16	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2008-05-13 11:52:38	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
- 2008-04-30 15:00:41	217,864	-c--a-r	C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2008-05-14 02:16:17	217,864	-c--a-r	C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
- 2008-04-30 15:01:50	20,240	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-05-14 02:22:42	20,240	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-04-30 15:01:50	184,080	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-05-14 02:22:42	184,080	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
- 2008-04-30 15:01:50	217,864	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
+ 2008-05-14 02:22:42	217,864	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
- 2008-04-30 15:01:50	18,704	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-05-14 02:22:42	18,704	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-04-30 15:01:51	35,088	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-05-14 02:22:42	35,088	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-04-30 15:01:50	922,384	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-05-14 02:22:42	922,384	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
- 2008-04-30 15:01:51	888,080	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-05-14 02:22:42	888,080	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-04-30 15:01:50	1,172,240	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-05-14 02:22:42	1,172,240	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 15:44 178712]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 08:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 22:58 458752]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 15:21 135168]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 10:23 1187840]
"SQ931STI"="C:\WINDOWS\SQ931STI.EXE" [2007-01-24 14:24 151552]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 22:22 794713]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-19 11:08 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-19 11:08 159744]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-19 11:07 131072]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 02:04 84640]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 20:22 26248]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 13:32 8699904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= love.exe

[HKLM\~\startupfolder\C:^Documents and Settings^Stephen Matthews.STEPHEN^Start Menu^Programs^StartUp^HDDlife.lnk]
backup=C:\WINDOWS\pss\HDDlife.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedConnectStartUp]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 raddrvv3;raddrvv3;C:\WINDOWS\system32\rserver30\raddrvv3.sys [2008-04-24 08:49]
R2 RServer3;Radmin Server V3;"C:\WINDOWS\system32\rserver30\RServer3.exe" /service []
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14:00]
R3 mirrorv3;mirrorv3;C:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-11-01 06:01]
S3 SQ931;USB 2.0 Video Camera;C:\WINDOWS\system32\Drivers\Capt931a.sys [2007-03-27 17:44]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-05-03 13:46]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-03 15:49:47 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Stephen Matthews.job"
- C:\PROGRA~1\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-04-24 20:17:03 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 20:51:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-13 20:53:49
ComboFix-quarantined-files.txt 2008-05-14 03:53:10
ComboFix2.txt 2008-05-11 19:46:33

Pre-Run: 32,640,311,296 bytes free
Post-Run: 32,675,254,272 bytes free

301	--- E O F ---	2008-04-28 02:20:07


----------



## bigdaddysjm09 (Jan 9, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:44 AM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\rserver30\RServer3.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SQ931STI.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\rserver30\FamItrfc.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SQ931STI] C:\WINDOWS\SQ931STI.EXE
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - 
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 
O17 - HKLM\Software\..\Telephony: DomainName = 
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 
O23 - Service: Ad-Aware 2007 Service (aawservice) - - (no file)
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avp - GRISOFT, s.r.o. - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9718 bytes


----------



## Cookiegal (Aug 27, 2003)

I'd like someone to check that file out so please do this:

Go to the forum *here* and upload this (these) file(s):

*C:\WINDOWS\is-L7F12.exe*

Here are the directions for uploading the file:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window click "Post" to upload the file.


----------



## Cookiegal (Aug 27, 2003)

Did you set this policy to stop the infection from running?

*[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= love.exe*

Please delete this folder:

C:\WINDOWS\*uninstall*

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation. 
An icon will be created on your desktop. Double-click that icon to launch the program. 
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._) 
Under "*Configuration and Preferences*", click the *Preferences* button. 
Click the *Scanning Control* tab. 
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._ 
_Scan for tracking cookies._ 
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen. 
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*. 
On the left, make sure you check *C:\Fixed Drive*. 
On the right, under "*Complete Scan*", choose *Perform Complete Scan*. 
Click "*Next*" to start the scan. Please be patient while it scans your computer. 
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*". 
Make sure everything has a checkmark next to it and click "*Next*". 
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu. 
If asked if you want to reboot, click "*Yes*". 
To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._ 
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._ 
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._ 
*Please copy and paste the Scan Log results in your next reply.*

Click *Close* to exit the program.

Please run Kaspersky online virus scan *Kaspersky Online Scanner*.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the *"Extended database"* for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, save the results from the scan!

*Note:* You have to use Internet Explorer to do the online scan.

*Post a new HiJackThis log along with the results from the SuperAntiSpyware and Kaspersky scans.*


----------
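The "Reg Loading Points" excerpt in the ComboFix log earlier in the thread shows Security Center monitoring and notifications switched off, the standard-profile firewall disabled, and the DisallowRun policy Cookiegal asks about. As an added example that is not part of any post here, the following Python script parses that REGEDIT4-style output and flags those defense-weakening settings; the sample text is constructed to mirror the entries in the log, and the rule set is an assumption, not a ComboFix feature.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the REGEDIT4-style layout ComboFix uses for its
# "Reg Loading Points" section; the entries mirror the ones in the log above.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"Aim6"="" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= love.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*)$')


def parse_data(raw: str):
    """Turn ComboFix's rendering of a value into an int or a str."""
    raw = raw.strip()
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)
    if m:
        return int(m.group(1))
    if raw.startswith('"'):
        # Quoted path; ComboFix appends "[date time size]", which is dropped.
        end = raw.find('"', 1)
        return raw[1:end] if end > 0 else raw
    return raw


def parse_reg_points(text: str) -> Dict[str, Dict[str, object]]:
    """Map each [KEY] section to its name -> value pairs."""
    entries: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            entries.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            entries[current][val.group("name")] = parse_data(val.group("data"))
    return entries


def audit(entries: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Flag settings that weaken the machine's own defenses (assumed rule set)."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in entries.items():
        k = key.lower()
        for name, data in values.items():
            n = name.lower()
            if "\\security center" in k and n in ("disablemonitoring", "antivirusdisablenotify") and data == 1:
                findings.append((key, name, "Security Center monitoring or alerts switched off"))
            elif k.endswith("firewallpolicy\\standardprofile") and n == "enablefirewall" and data == 0:
                findings.append((key, name, "Windows Firewall disabled for the standard profile"))
            elif k.endswith("policies\\system") and n == "disableregedit" and data == 1:
                findings.append((key, name, "Registry Editor disabled by policy"))
            elif k.endswith("policies\\explorer\\disallowrun"):
                findings.append((key, name, f"DisallowRun policy entry for {data!r}; confirm who set it"))
            elif k.endswith("\\run") and data == "":
                findings.append((key, name, "Run entry with an empty command (orphaned autostart)"))
    return findings


def audit_text(text: str) -> List[Tuple[str, str, str]]:
    """Convenience wrapper: parse a log excerpt and audit it in one call."""
    return audit(parse_reg_points(text))


if __name__ == "__main__":
    for key, name, why in audit_text(SAMPLE_LOG):
        print(f"{why}\n    {key} -> {name}")
```

Paste a real "Reg Loading Points" section in place of the sample to get the same flags for a log under review; the policy entry is reported so the helper can confirm, as Cookiegal does here, whether the user set it deliberately.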



## bigdaddysjm09 (Jan 9, 2008)

OK, I've used the recovery console and it made other users in the process, I guess you could say... so there are A LOT of locked items that were skipped, so I'm just going to post the ones that it said were infected.


----------



## bigdaddysjm09 (Jan 9, 2008)

C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Uniblue\SpyEraser\Quarantine\Malware (General Components)_10_05_2008_16_54_33.asq29358	Infected: Trojan-PSW.Win32.VB.or	skipped
C:\Documents and Settings\Stephen Matthews.STEPHEN\Desktop\Folders etc\NEW STUFF\Radmin_31.rar/Radmin31/rserv31.exe	Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.n	skipped
C:\Documents and Settings\Stephen Matthews.STEPHEN\Desktop\Folders etc\NEW STUFF\Radmin_31.rar/Radmin31/rview31.exe	Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.n	skipped
C:\Documents and Settings\Stephen Matthews.STEPHEN\Desktop\Folders etc\NEW STUFF\Radmin_31.rar	RAR: infected - 2	skipped
C:\Documents and Settings\Stephen Matthews.STEPHEN\Desktop\ophcrack livecd 1.0.iso/ophcrack-win32-installer-2.2.exe/file36	Infected: not-a-virus:PSWTool.Win32.PWDump.2	skipped
C:\Documents and Settings\Stephen Matthews.STEPHEN\Desktop\ophcrack livecd 1.0.iso/ophcrack-win32-installer-2.2.exe/file37	Infected: not-a-virus:PSWTool.Win32.PWDump.2	skipped
C:\Documents and Settings\Stephen Matthews.STEPHEN\Desktop\ophcrack livecd 1.0.iso/ophcrack-win32-installer-2.2.exe/file55	Infected: not-a-virus:PSWTool.Win32.PWDump.4	skipped
C:\Documents and Settings\Stephen Matthews.STEPHEN\Desktop\ophcrack livecd 1.0.iso/ophcrack-win32-installer-2.2.exe/file56	Infected: not-a-virus:PSWTool.Win32.PWDump.4	skipped
C:\Documents and Settings\Stephen Matthews.STEPHEN\Desktop\ophcrack livecd 1.0.iso/ophcrack-win32-installer-2.2.exe	Infected: not-a-virus:PSWTool.Win32.PWDump.4	skipped
C:\Documents and Settings\Stephen Matthews.STEPHEN\Desktop\ophcrack livecd 1.0.iso	ISOimage: infected - 5	skipped
C:\Documents and Settings\Stephen Matthews.STEPHEN\Local Settings\Application Data\Downloaded Installations\{DA0CEEE4-E986-4AA0-BDB4-1AD53E77A054}\rserv31.msi/Data1.cab/rserver3.exe	Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.n	skipped
C:\Documents and Settings\Stephen Matthews.STEPHEN\Local Settings\Application Data\Downloaded Installations\{DA0CEEE4-E986-4AA0-BDB4-1AD53E77A054}\rserv31.msi/Data1.cab	Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.n	skipped
C:\Documents and Settings\Stephen Matthews.STEPHEN\Local Settings\Application Data\Downloaded Installations\{DA0CEEE4-E986-4AA0-BDB4-1AD53E77A054}\rserv31.msi	Embedded: infected - 2	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\love.exe.vir	Infected: Trojan-PSW.Win32.VB.or	skipped
C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP2\A0000087.exe	Infected: Trojan-PSW.Win32.VB.or	skipped
C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP2\A0000090.exe	Infected: Trojan-PSW.Win32.VB.or	skipped
C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP2\A0000159.exe	Infected: Trojan-PSW.Win32.VB.or	skipped
C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP3\A0000175.exe	Infected: Trojan-PSW.Win32.VB.or	skipped
C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP4\A0000334.exe	Infected: Trojan-PSW.Win32.VB.or	skipped
C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP4\A0000335.exe	Infected: Trojan-PSW.Win32.VB.or	skipped
C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP6\A0000381.exe	Infected: Trojan-PSW.Win32.VB.or	skipped
C:\WINDOWS\system32\config\sysrestore.exe	Infected: Trojan-PSW.Win32.VB.or	skipped
C:\WINDOWS\system32\dllcache\wiknpc.exe	Infected: Trojan-PSW.Win32.VB.or	skipped


----------



## bigdaddysjm09 (Jan 9, 2008)

Everything that has rserv31 in it is my Radmin server that I distribute to fix computers... and everything that has ophcrack in it is a password-cracking ISO file that I use to gain access to computers with, of course, lost passwords. As for everything else... idk what it is.


----------



## bigdaddysjm09 (Jan 9, 2008)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/14/2008 at 05:05 PM

Application Version : 4.0.1154

Core Rules Database Version : 3460
Trace Rules Database Version: 1451

Scan type : Complete Scan
Total Scan Time : 01:00:37

Memory items scanned : 420
Memory threats detected : 0
Registry items scanned : 5445
Registry threats detected : 1
File items scanned : 22933
File threats detected : 5

Adware.Tracking Cookie
C:\Documents and Settings\Stephen Matthews.STEPHEN\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Matthews.STEPHEN\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Matthews.STEPHEN\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen Matthews.STEPHEN\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen Matthews.STEPHEN\Cookies\[email protected][2].txt

Registry Cleaner Trial
HKU\S-1-5-21-1691938981-1926685983-1786476240-1006\Software\SoftwareOnline.com


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\WINDOWS\system32\config\sysrestore.exe
C:\WINDOWS\system32\dllcache\wiknpc.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## bigdaddysjm09 (Jan 9, 2008)

ComboFix 08-05-11.1 - Stephen Matthews 2008-05-16 14:58:11.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.139 [GMT -7:00]
Running from: C:\Documents and Settings\Stephen Matthews.STEPHEN\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Stephen Matthews.STEPHEN\Desktop\CFScript.txt
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*

FILE ::
C:\WINDOWS\system32\config\sysrestore.exe
C:\WINDOWS\system32\dllcache\wiknpc.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\config\sysrestore.exe
C:\WINDOWS\system32\dllcache\wiknpc.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))
.

2008-05-15 14:28 . 2008-05-15 14:28 d----c---	C:\WINDOWS\system32\Kaspersky Lab
2008-05-12 20:46 . 2004-03-09 00:00	224,016	--a--c---	C:\WINDOWS\system32\TabCtl32.ocx
2008-05-12 20:46 . 2004-03-09 00:00	132,880	--a--c---	C:\WINDOWS\system32\msinet.ocx
2008-05-12 16:45 . 2007-09-18 15:24	676,224	--a--c---	C:\WINDOWS\system32\OGACheckControl.dll
2008-05-10 20:42 . 2008-05-10 20:42 d----c---	C:\Program Files\Trend Micro
2008-05-07 20:52 . 2008-05-07 20:52 d----c---	C:\Program Files\Radmin Viewer 3
2008-05-07 18:32 . 2008-05-07 18:32 d----c---	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Radmin
2008-05-07 16:57 . 2008-05-10 19:27 d----c---	C:\WINDOWS\system32\rserver30
2008-05-06 17:58 . 2008-05-06 17:58 d----c---	C:\WINDOWS\Migo Recover Lost Data
2008-05-06 14:20 . 2008-05-06 14:20 d----c---	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Aurora Web Editor
2008-05-06 10:49 . 2008-05-06 16:05 d----c---	C:\Program Files\Multimedia Australia
2008-05-03 21:44 . 2008-05-15 14:27 d----c---	C:\Program Files\SUPERAntiSpyware
2008-05-03 21:44 . 2008-05-14 16:03 d----c---	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\SUPERAntiSpyware.com
2008-05-03 12:56 . 2008-05-03 12:56 d----c---	C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-05-01 21:44 . 2008-05-01 21:44 d----c---	C:\Setup
2008-05-01 20:56 . 2008-05-01 20:56 d--hsc---	C:\INCINERATE
2008-04-29 14:42 . 2008-04-29 14:42 d----c---	C:\Program Files\Speed Gear 5
2008-04-27 20:07 . 2008-04-27 20:40 d----c---	C:\Program Files\Norton Internet Security
2008-04-27 20:06 . 2008-04-27 20:35	123,952	--a--c---	C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-27 20:06 . 2008-04-27 20:35	60,800	--a--c---	C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-27 20:05 . 2008-04-27 20:35 d----c---	C:\Program Files\Symantec
2008-04-27 19:15 . 2008-04-27 19:17 d----c---	C:\WINDOWS\system32\Adobe
2008-04-26 11:51 . 2008-04-26 11:51	24	--a--c---	C:\WINDOWS\ES_2_D1.prf
2008-04-26 11:51 . 2008-04-26 11:51	24	--a--c---	C:\WINDOWS\ES_1_D1.prf
2008-04-26 11:51 . 2008-04-26 11:51	24	--a--c---	C:\WINDOWS\AM_D0.PRF
2008-04-26 07:45 . 2008-04-26 07:45 d----c---	C:\Documents and Settings\All Users\Application Data\SRS Labs
2008-04-26 07:45 . 2007-05-03 10:27	47,360	-ra--c---	C:\WINDOWS\system32\drivers\Surroundhp_kern_i386.sys
2008-04-26 07:45 . 2007-05-03 10:27	46,592	-ra--c---	C:\WINDOWS\system32\drivers\tshd4_kern_i386.sys
2008-04-26 07:45 . 2007-05-03 10:28	39,552	-ra--c---	C:\WINDOWS\system32\drivers\SRS_SSCFilter_i386.sys
2008-04-26 07:45 . 2007-05-03 10:27	37,248	-ra--c---	C:\WINDOWS\system32\drivers\csiidecoder_kern_i386.sys
2008-04-26 07:45 . 2007-05-03 10:27	32,000	-ra--c---	C:\WINDOWS\system32\drivers\wowhd_kern_i386.sys
2008-04-25 21:06 . 2008-04-25 21:06 d----c---	C:\Program Files\Google Hacks
2008-04-25 15:12 . 2007-12-24 17:37	138,384	--a--c---	C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-24 21:00 . 2008-04-24 21:00 d----c---	C:\Documents and Settings\Administrator.STEPHEN\Application Data\Lavasoft
2008-04-23 18:56 . 2008-04-23 18:56 d----c---	C:\Program Files\LimeWire
2008-04-23 17:06 . 2008-05-15 15:08	71	--a--c---	C:\WINDOWS\SpotAuditor.INI
2008-04-22 15:01 . 2008-04-22 15:01 d----c---	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\DAEMON Tools Pro
2008-04-22 14:56 . 2007-02-22 09:05	90,112	--a--c---	C:\Progr_.dll
2008-04-22 14:38 . 2008-04-22 14:38 d----c---	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\DAEMON Tools
2008-04-22 14:38 . 2008-04-22 14:38	717,296	--a--c---	C:\WINDOWS\system32\drivers\sptd.sys
2008-04-22 04:59 . 2008-04-22 04:59	1,409	--a--c---	C:\WINDOWS\system32\tmp621EE.FOT
2008-04-22 04:59 . 2008-04-22 04:59	24	--a--c---	C:\WINDOWS\AM_D8.PRF
2008-04-22 04:55 . 2008-04-26 11:26 d----c---	C:\Program Files\Graffiti Studio 2.0
2008-04-21 20:17 . 2008-04-21 20:17	16	--a--c---	C:\WINDOWS\system32\coh.cache
2008-04-20 20:25 . 2008-04-20 20:25 d----c---	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-04-20 20:13 . 2008-04-21 21:25 d----c---	C:\Program Files\Wireless WEP Key Password Spy
2008-04-18 19:01 . 2008-05-11 22:35 d----c---	C:\Program Files\Speeditup Free
2008-04-17 04:49 . 2007-12-19 11:06	172,032	--a--c---	C:\WINDOWS\system32\igfxres.dll
2008-04-17 04:45 . 2008-04-17 04:45 d----c---	C:\WINDOWS\OPTIONS
2008-04-17 04:45 . 2008-04-17 04:45 d----c---	C:\Program Files\Realtek
2008-04-17 04:43 . 2008-01-31 21:45	53,248	--a--c---	C:\WINDOWS\system32\CSVer.dll
2008-04-17 04:40 . 2008-04-17 04:40 d----c---	C:\WINDOWS\system32\ENU
2008-04-17 04:40 . 2007-10-18 15:51	126,976	--a--c---	C:\WINDOWS\system32\Imsmudlg.exe
2008-04-16 22:59 . 2004-06-14 14:56	427,864	--a--c---	C:\WINDOWS\system32\XceedZip.dll
2008-04-16 22:38 . 2008-04-16 22:46 d--h-c---	C:\Documents and Settings\All Users\Application Data\{36D03E21-363A-4CBC-9E13-A90BDCFAFB04}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 21:04	---------	dc----w	C:\Program Files\Common Files\Symantec Shared
2008-05-16 05:00	675,328	-c--a-w	C:\WINDOWS\is-L7F12.exe
2008-05-16 04:45	---------	dc----w	C:\Program Files\Microsoft Silverlight
2008-05-14 23:02	---------	dc----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 10:01	---------	dc----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-13 03:43	---------	dc--a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-13 03:30	73,216	-c--a-w	C:\WINDOWS\ST6UNST.EXE
2008-05-13 03:30	249,856	-c----w	C:\WINDOWS\Setup1.exe
2008-05-12 04:02	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\LimeWire
2008-05-11 02:30	---------	dc----w	C:\Program Files\Thinstall.VS
2008-05-09 00:26	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\U3
2008-05-08 02:35	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Thinstall
2008-05-07 22:51	---------	dc----w	C:\Program Files\FriendBlasterPro
2008-05-06 00:58	---------	dc-h--w	C:\Program Files\InstallShield Installation Information
2008-05-03 21:01	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Registry Help Pro
2008-05-03 20:47	---------	dc----w	C:\Program Files\TuneUp Utilities 2008
2008-05-03 20:46	307,968	-c--a-w	C:\WINDOWS\system32\TuneUpDefragService.exe
2008-05-02 16:18	---------	dc----w	C:\Documents and Settings\All Users\Application Data\iolo
2008-04-30 16:27	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\iolo
2008-04-30 16:24	---------	dc----w	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-30 00:14	---------	dc----w	C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-28 03:39	6,596	-csha-w	C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-28 03:39	58,912	-csha-w	C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-28 03:35	805	-c--a-w	C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-04-28 03:35	10,740	-c--a-w	C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-04-26 13:54	---------	dc----w	C:\Program Files\RegCure
2008-04-24 01:52	---------	dc----w	C:\Program Files\Microsoft Money 2006
2008-04-20 20:10	---------	dc----w	C:\Program Files\KGB Archiver 2
2008-04-19 16:21	---------	dc----w	C:\Program Files\XoftSpySE
2008-04-17 22:24	---------	dc----w	C:\Program Files\Hewlett-Packard
2008-04-17 11:40	---------	dc----w	C:\Program Files\Intel
2008-04-14 21:52	---------	dc----w	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-12 04:47	---------	dc----w	C:\Program Files\Hitman Pro
2008-04-11 06:55	---------	dc----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-11 03:57	164	-c--a-w	C:\install.dat
2008-04-08 03:42	32,300	-csha-w	C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-08 03:42	2,331,424	-csha-w	C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-07 23:46	---------	dc----w	C:\Program Files\Spybot - Search & Destroy
2008-04-07 21:00	---------	dc----w	C:\Program Files\Kaspersky Lab
2008-04-07 05:50	---------	dc----w	C:\Program Files\Yahoo!
2008-04-07 02:07	---------	dc----w	C:\Program Files\Avant Browser
2008-04-04 03:30	31,938	-c--a-w	C:\WINDOWS\system32\tcpipbak.reg
2008-04-03 21:11	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\URSoft
2008-04-03 05:32	---------	dc----w	C:\Program Files\Lavasoft
2008-04-03 01:49	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Auslogics
2008-04-03 01:20	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\IconTweaker
2008-04-02 00:22	---------	dc----w	C:\Program Files\Dachshund Software
2008-04-01 23:51	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Lavasoft
2008-04-01 23:31	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\AdobeUM
2008-04-01 23:27	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Sonic
2008-04-01 23:27	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Leadertech
2008-04-01 02:53	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\JP Software
2008-03-30 23:11	---------	dc----w	C:\Program Files\CBS Software
2008-03-30 05:51	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\acccore
2008-03-30 02:59	---------	dc----w	C:\Program Files\AIM6
2008-03-30 02:57	---------	dc----w	C:\Program Files\Common Files\AOL
2008-03-29 21:50	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\InstallShield
2008-03-27 08:12	151,583	-c--a-w	C:\WINDOWS\system32\msjint40.dll
2008-03-25 11:51	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\PC Tools
2008-03-21 11:48	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\BinarySense
2008-03-21 11:36	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\tor
2008-03-21 11:19	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Mask Surf Standard
2008-03-20 18:36	---------	dc----w	C:\Documents and Settings\Administrator.STEPHEN\Application Data\Uniblue
2008-03-20 18:06	---------	dc----w	C:\Program Files\Uniblue
2008-03-20 17:47	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\Uniblue
2008-03-20 09:13	---------	dc----w	C:\Program Files\Java
2008-03-19 16:53	---------	dc----w	C:\Documents and Settings\Stephen Matthews.STEPHEN\Application Data\DMCache
2008-03-19 09:47	1,845,248	-c--a-w	C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06	826,368	-c--a-w	C:\WINDOWS\system32\wininet.dll
2008-02-27 20:15	28,416	-c--a-w	C:\WINDOWS\system32\uxtuneup.dll
2008-02-20 06:51	282,624	-c--a-w	C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32	45,568	-c--a-w	C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( [email protected]_12.46.12.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-23 04:56:21	554,008	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\dao360.dll
+ 2007-12-10 12:41:11	518,944	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexch40.dll
+ 2007-12-10 12:41:11	326,432	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexcl40.dll
+ 2007-12-10 12:41:11	1,516,568	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjet40.dll
+ 2007-12-10 12:41:11	355,112	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjetol1.dll
+ 2008-03-27 07:39:13	151,583	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjint40.dll
+ 2007-12-10 12:41:12	60,192	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjter40.dll
+ 2007-12-10 12:41:12	248,608	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjtes40.dll
+ 2007-12-10 12:41:12	219,936	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msltus40.dll
+ 2007-12-10 12:41:12	355,104	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mspbde40.dll
+ 2007-12-10 12:41:13	432,928	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd2x40.dll
+ 2007-12-10 12:41:13	322,336	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd3x40.dll
+ 2007-12-10 12:41:13	559,904	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrepl40.dll
+ 2007-12-10 12:41:13	264,992	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mstext40.dll
+ 2007-12-10 12:41:13	838,432	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswdat10.dll
+ 2007-12-10 12:41:14	621,344	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswstr10.dll
+ 2007-12-10 12:41:14	355,104	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msxbde40.dll
+ 2007-03-06 01:22:36	14,048	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\spmsg.dll
+ 2007-03-06 01:22:41	213,216	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\spuninst.exe
+ 2007-03-06 01:22:34	22,752	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\update\spcustom.dll
+ 2007-03-06 01:22:59	716,000	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\update\update.exe
+ 2007-03-06 01:23:51	371,424	-c--a-w	C:\WINDOWS\$hf_mig$\KB950749\update\updspapi.dll
- 2008-05-11 03:32:16	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2008-05-16 05:17:08	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
- 2008-04-30 15:00:41	217,864	-c--a-r	C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2008-05-14 02:16:17	217,864	-c--a-r	C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
- 2008-04-30 15:01:50	20,240	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-05-14 10:01:31	20,240	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-04-30 15:01:50	184,080	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-05-14 10:01:31	184,080	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
- 2008-04-30 15:01:50	217,864	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
+ 2008-05-14 10:01:31	217,864	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
- 2008-04-30 15:01:50	18,704	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-05-14 10:01:31	18,704	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-04-30 15:01:51	35,088	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-05-14 10:01:31	35,088	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-04-30 15:01:50	922,384	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-05-14 10:01:31	922,384	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
- 2008-04-30 15:01:51	888,080	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-05-14 10:01:31	888,080	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-04-30 15:01:50	1,172,240	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-05-14 10:01:31	1,172,240	-c--a-r	C:\WINDOWS\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-05-14 23:03:23	18,944	-c--a-r	C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
- 2008-01-14 01:44:02	65,024	-c--a-r	C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-05-14 23:03:23	65,024	-c--a-r	C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-03-25 04:50:25	554,008	-c----w	C:\WINDOWS\system32\dllcache\dao360.dll
+ 2008-03-25 04:50:28	518,944	-c----w	C:\WINDOWS\system32\dllcache\msexch40.dll
+ 2008-03-25 04:50:30	326,432	-c----w	C:\WINDOWS\system32\dllcache\msexcl40.dll
+ 2008-03-25 04:50:34	1,516,568	-c----w	C:\WINDOWS\system32\dllcache\msjet40.dll
+ 2008-03-25 04:50:40	355,112	-c----w	C:\WINDOWS\system32\dllcache\msjetol1.dll
+ 2008-03-27 08:12:54	151,583	-c----w	C:\WINDOWS\system32\dllcache\msjint40.dll
+ 2008-03-25 04:50:42	60,192	-c----w	C:\WINDOWS\system32\dllcache\msjter40.dll
+ 2008-03-25 04:50:42	248,608	-c----w	C:\WINDOWS\system32\dllcache\msjtes40.dll
+ 2008-03-25 04:50:44	219,936	-c----w	C:\WINDOWS\system32\dllcache\msltus40.dll
+ 2008-03-25 04:50:45	355,104	-c----w	C:\WINDOWS\system32\dllcache\mspbde40.dll
+ 2008-03-25 04:50:47	432,928	-c----w	C:\WINDOWS\system32\dllcache\msrd2x40.dll
+ 2008-03-25 04:50:49	322,336	-c----w	C:\WINDOWS\system32\dllcache\msrd3x40.dll
+ 2008-03-25 04:50:52	559,904	-c----w	C:\WINDOWS\system32\dllcache\msrepl40.dll
+ 2008-03-25 04:50:55	264,992	-c----w	C:\WINDOWS\system32\dllcache\mstext40.dll
+ 2008-03-25 04:50:57	838,432	-c----w	C:\WINDOWS\system32\dllcache\mswdat10.dll
+ 2008-03-25 04:50:58	621,344	-c----w	C:\WINDOWS\system32\dllcache\mswstr10.dll
+ 2008-03-25 04:50:58	355,104	-c----w	C:\WINDOWS\system32\dllcache\msxbde40.dll
- 2008-04-30 16:44:49	282,928	-c--a-w	C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-05-14 11:43:34	282,928	-c--a-w	C:\WINDOWS\system32\FNTCACHE.DAT
- 2008-05-02 23:11:12	70,936	-c--a-w	C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
+ 2008-05-16 02:12:24	70,936	-c--a-w	C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
+ 2005-05-24 19:27:16	213,048	-c--a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 22:47:20	94,208	-c--a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 22:49:54	950,272	-c--a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-04-06 05:56:22	19,836,024	-c--a-w	C:\WINDOWS\system32\MRT.exe
+ 2008-05-09 21:35:04	16,863,864	-c--a-w	C:\WINDOWS\system32\MRT.exe
- 2004-08-04 21:00:00	512,029	-c--a-w	C:\WINDOWS\system32\msexch40.dll
+ 2008-03-25 04:50:28	518,944	-c--a-w	C:\WINDOWS\system32\msexch40.dll
- 2004-08-04 21:00:00	319,517	-c--a-w	C:\WINDOWS\system32\msexcl40.dll
+ 2008-03-25 04:50:30	326,432	-c--a-w	C:\WINDOWS\system32\msexcl40.dll
- 2004-08-04 21:00:00	1,507,356	-c--a-w	C:\WINDOWS\system32\msjet40.dll
+ 2008-03-25 04:50:34	1,516,568	-c--a-w	C:\WINDOWS\system32\msjet40.dll
- 2004-08-04 21:00:00	358,976	-c--a-w	C:\WINDOWS\system32\msjetoledb40.dll
+ 2008-03-25 04:50:40	355,112	-c--a-w	C:\WINDOWS\system32\msjetoledb40.dll
- 2004-08-04 21:00:00	53,279	-c--a-w	C:\WINDOWS\system32\msjter40.dll
+ 2008-03-25 04:50:42	60,192	-c--a-w	C:\WINDOWS\system32\msjter40.dll
- 2004-08-04 21:00:00	241,693	-c--a-w	C:\WINDOWS\system32\msjtes40.dll
+ 2008-03-25 04:50:42	248,608	-c--a-w	C:\WINDOWS\system32\msjtes40.dll
- 2004-08-04 21:00:00	213,023	-c--a-w	C:\WINDOWS\system32\msltus40.dll
+ 2008-03-25 04:50:44	219,936	-c--a-w	C:\WINDOWS\system32\msltus40.dll
- 2004-08-04 21:00:00	348,189	-c--a-w	C:\WINDOWS\system32\mspbde40.dll
+ 2008-03-25 04:50:45	355,104	-c--a-w	C:\WINDOWS\system32\mspbde40.dll
- 2004-08-04 21:00:00	421,919	-c--a-w	C:\WINDOWS\system32\msrd2x40.dll
+ 2008-03-25 04:50:47	432,928	-c--a-w	C:\WINDOWS\system32\msrd2x40.dll
- 2004-08-04 21:00:00	315,423	-c--a-w	C:\WINDOWS\system32\msrd3x40.dll
+ 2008-03-25 04:50:49	322,336	-c--a-w	C:\WINDOWS\system32\msrd3x40.dll
- 2004-08-04 21:00:00	552,989	-c--a-w	C:\WINDOWS\system32\msrepl40.dll
+ 2008-03-25 04:50:52	559,904	-c--a-w	C:\WINDOWS\system32\msrepl40.dll
- 2004-08-04 21:00:00	258,077	-c--a-w	C:\WINDOWS\system32\mstext40.dll
+ 2008-03-25 04:50:55	264,992	-c--a-w	C:\WINDOWS\system32\mstext40.dll
- 2004-08-04 21:00:00	831,519	-c--a-w	C:\WINDOWS\system32\mswdat10.dll
+ 2008-03-25 04:50:57	838,432	-c--a-w	C:\WINDOWS\system32\mswdat10.dll
- 2004-08-04 21:00:00	614,429	-c--a-w	C:\WINDOWS\system32\mswstr10.dll
+ 2008-03-25 04:50:58	621,344	-c--a-w	C:\WINDOWS\system32\mswstr10.dll
- 2004-08-04 21:00:00	348,189	-c--a-w	C:\WINDOWS\system32\msxbde40.dll
+ 2008-03-25 04:50:58	355,104	-c--a-w	C:\WINDOWS\system32\msxbde40.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 15:44 178712]
"Aim6"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 08:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 22:58 458752]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 15:21 135168]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 10:23 1187840]
"SQ931STI"="C:\WINDOWS\SQ931STI.EXE" [2007-01-24 14:24 151552]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 22:22 794713]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-19 11:08 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-19 11:08 159744]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-19 11:07 131072]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 02:04 84640]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 20:22 26248]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 13:32 8699904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Stephen Matthews.STEPHEN^Start Menu^Programs^StartUp^HDDlife.lnk]
backup=C:\WINDOWS\pss\HDDlife.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedConnectStartUp]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 raddrvv3;raddrvv3;C:\WINDOWS\system32\rserver30\raddrvv3.sys [2008-04-24 08:49]
R2 RServer3;Radmin Server V3;"C:\WINDOWS\system32\rserver30\RServer3.exe" /service []
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14:00]
R3 mirrorv3;mirrorv3;C:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-11-01 06:01]
S3 SQ931;USB 2.0 Video Camera;C:\WINDOWS\system32\Drivers\Capt931a.sys [2007-03-27 17:44]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-05-03 13:46]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-03 15:49:47 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Stephen Matthews.job"
- C:\PROGRA~1\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-04-24 20:17:03 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 15:01:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-16 15:03:41
ComboFix-quarantined-files.txt 2008-05-16 22:03:27
ComboFix2.txt 2008-05-14 03:53:50
ComboFix3.txt 2008-05-11 19:46:33

Pre-Run: 32,205,676,544 bytes free
Post-Run: 32,393,801,728 bytes free

343	--- E O F ---	2008-05-16 02:27:42


----------



## bigdaddysjm09 (Jan 9, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:20 PM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\rserver30\RServer3.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SQ931STI.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\rserver30\FamItrfc.Exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SQ931STI] C:\WINDOWS\SQ931STI.EXE
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - 
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 
O17 - HKLM\Software\..\Telephony: DomainName = 
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - - (no file)
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avp - GRISOFT, s.r.o. - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9911 bytes


----------



## Cookiegal (Aug 27, 2003)

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 
O17 - HKLM\Software\..\Telephony: DomainName = 
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O23 - Service: avp - GRISOFT, s.r.o. - (no file)*

Since you have Norton, you should uninstall Authentium, as it's not good to have more than one anti-virus program installed; they will conflict and cause problems.

Reboot and post a new HijackThis log please.


----------



## bigdaddysjm09 (Jan 9, 2008)

actually to tell you the truth...i don't have any other anti-virus installed that i know of ...if you tell me what the name of that Authentium antivirus is i'll uninstall it promptly....


----------



## bigdaddysjm09 (Jan 9, 2008)

i have a problem with this too after the removal of love.exe, which i thank you very much for assisting me with....this keeps showing up; how do i remove it???


----------



## bigdaddysjm09 (Jan 9, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:21:08 PM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\rserver30\RServer3.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SQ931STI.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\rserver30\FamItrfc.Exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SQ931STI] C:\WINDOWS\SQ931STI.EXE
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - 
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - - (no file)
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9690 bytes


----------



## Cookiegal (Aug 27, 2003)

That indicates something is still trying to load it although the file itself is now gone.

Download *OTScanIt.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanIt* on your desktop.

Leave the default settings and only change those that are specifically mentioned below.


Close any open browsers.
Disconnect from the Internet.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of OTScanIt.
Open the *OTScanIt* folder and double-click on *OTScanIt.exe* to start the program.
In the *Drivers* group click *Non-Microsoft*.
In the *Registry* group click *ALL*.
In the *File String Search* group select *ALL*.
In the *Rootkit Search* group select *YES*.
In the *Files Created Within* group click *30 days*. 
In the *Files Modified Within* group select *30 days*.
In the *Additional Scans* section please press *Select ALL*.
On the toolbar at the top select "Scan All User Accounts" then click the *Run Scan* button.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file and then upload it here as an attachment (do not copy and paste the report).


----------



## bigdaddysjm09 (Jan 9, 2008)

kind of extensive but here it is

well nvm....the file is 8776 kb and you only allow 500kb txt type document to be posted what do you want me to do with the file since i can't post it would you like me to go ahead and post it on the thread or do you have another recommendation???


----------



## Cookiegal (Aug 27, 2003)

Please zip it and then attach it. It should work that way. I may not get to this until tomorrow as these logs take a long time to analyze.


----------



## bigdaddysjm09 (Jan 9, 2008)

when i zip it it's 663 kb and when i put it in rar it's 566 kb still ...so neither will work for the max upload amount i can upload it on rapidshare if you want...unless you have another suggestion


----------



## Cookiegal (Aug 27, 2003)

Split it up into two zipped attachments please.


----------



## bigdaddysjm09 (Jan 9, 2008)

here they are sorry it took so long i had to manually can up to highlight about half the file took a long time lol


----------



## Cookiegal (Aug 27, 2003)

I'm having trouble getting those scan results to show up properly.

Let's try a smaller scan and see if you can attach this as a .txt file please.

Download *OTScanIt.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanIt* on your desktop.

Close any open browsers.
Disconnect from the Internet.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of OTScanIt.
Open the *OTScanIt* folder and double-click on OTScanIt.exe to start the program.
Check the box that says *Scan All User Accounts*
Under Drivers select the radio button for *All*
Check the Radio buttons for Files/Folders Created Within *90 Days* and Files/Folders Modified Within *90 Days* 
Under Additional Scans check the following:
Reg - BotCheck
Reg - ControlSets
Reg - Desktop Components
Reg - Disabled MS Config Items
Reg - Print Monitors
Reg - Safeboot Options
Reg - Security Settings
Reg - Session Manager Settings
Reg - Shell Spawning
Reg - Software Policy Settings
File - Additional Folder Scans
File - Lop Check
File - Purity Scan
Evnt - EventViewer Errors/Warnings (last 7 days)

Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it automatically.
Save that Notepad file. Click the *Format* menu and make sure that *Word wrap* is not checked. If it is then click on it to uncheck it.
Use the *Reply* button and upload the Notepad file here as an attachment please.


----------



## bigdaddysjm09 (Jan 9, 2008)

scan results

idk if this would have anything to do with it but i have winrar on my computer....3.71 to be exact and it's managing my zip files....idk if that would have anything with you not being able to view them properly....just a piece of info that i thought may have been the problem


----------



## Cookiegal (Aug 27, 2003)

No, it really has nothing to do with Winrar.

*Note: You must be logged on to the system with an account that has Administrator privileges to run this program.*

Close *ALL OTHER PROGRAMS*.
Open the *OTScanIt folder* and double-click on *OTScanIt.exe* to start the program.
Click the *None* button on the toolbar.
Copy/paste the text in the code box below into the *Custom Scans* edit box:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\ /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\ /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\ /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\ /s
```

*Do not change any other settings.*
Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete *Notepad* will open with the report file loaded in it.
Click the *Format* menu and make sure that *Word wrap* is not checked. If it is then click on it to uncheck it.
Use the *Add Reply* button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is *code* with brackets around it *[]* and that the last line is */code* with brackets around it *[]*.


----------



## bigdaddysjm09 (Jan 9, 2008)

file was too large in characters to just post it...sorry


----------



## Cookiegal (Aug 27, 2003)

There is something preventing OTScanIt from seeing certain files and I've been conferring with the developer, OldTimer. He's made some modifications to the tool and suggests that we remove the current version and download another so please follow these instructions:


Start *OTScanIt*
Click the *CleanUp* button
OTScanIt will download a small file from the Internet. If a security program or firewall warns you of this allow it to download.
OTScanIt will delete any tools downloaded and files/folders created and then ask you to reboot so it can remove itself. Click *Yes*.

Now download *OTScanIt.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanIt* on your desktop.

*Note: You must be logged on to the system with an account that has Administrator privileges to run this program.*


Close *ALL OTHER PROGRAMS*.

Open the *OTScanIt folder* and double-click on *OTScanIt.exe* to start the program (if you are running on Vista then right-click the program and choose *Run as Administrator*).

In the *Drivers* section click on *Non-Microsoft*.

Under *Additional Scans* click the checkboxes in front of the following items to select them:

Reg - BotCheck
File - Additional Folder Scans



*Do not change any other settings.*

Now click the *Run Scan* button on the toolbar.

Let it run unhindered until it finishes.

When the scan is complete *Notepad* will open with the report file loaded in it.

Click the *Format* menu and make sure that *Word wrap* is not checked. If it is then click on it to uncheck it.


Use the *Add Reply* button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is *code* with brackets around it *[]* and that the last line is */code* with brackets around it *[]*.

*If, after posting, the last line is not <End of Report> then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.*


----------



## bigdaddysjm09 (Jan 9, 2008)

scan results


----------



## Cookiegal (Aug 27, 2003)

We need to look at some specific registry keys so please do the following:


Be sure to close *ALL OTHER PROGRAMS*.
Open the *OTScanIt folder* and double-click on *OTScanIt.exe* to start the program.
Click the *None* button on the toolbar.
Copy/paste the text in the code box below into the *Custom Scans* edit box:

```
hkcu\software\classes|NeverShowExt /rs
hklm\software\classes|NeverShowExt /rs
```

*Do not change any other settings.*
Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete *Notepad* will open with the report file loaded in it.
Click the *Format* menu and make sure that *Word wrap* is not checked. If it is then click on it to uncheck it.
Use the *Add Reply* button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is *code* with brackets around it *[]* and that the last line is */code* with brackets around it *[]*.


----------



## bigdaddysjm09 (Jan 9, 2008)

here's the scan


----------



## Cookiegal (Aug 27, 2003)

I would like you to export these registry keys please.

Go to *Start* - *Run* and copy and paste the following line and click OK.



> *regedit /a C:\look.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"*


Do the same for this line:



> *regedit /a C:\look2.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"*


Two reports will have been created under C:\look.txt and C:\look2.txt. Please open those reports and copy and paste their contents here.


----------



## bigdaddysjm09 (Jan 9, 2008)

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"TaskbarSizeMove"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder]
"Type"="group"
"Text"="@shell32.dll,-30498"
"Bitmap"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,\
5c,53,48,45,4c,4c,33,32,2e,64,6c,6c,2c,34,00
"HelpID"="shell.hlp#51140"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ClassicViewState]
"Type"="checkbox"
"Text"="@shell32.dll,-30506"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="ClassicViewState"
"CheckedValue"=dword:00000000
"UncheckedValue"=dword:00000001
"DefaultValue"=dword:00000000
"HelpID"="shell.hlp#51076"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ControlPanelInMyComputer]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HideMyComputerIcons"
"Text"="@shell32.dll,-30497"
"Type"="checkbox"
"ValueName"="{21EC2020-3AEA-1069-A2DD-08002B30309D}"
"CheckedValue"=dword:00000000
"UncheckedValue"=dword:00000001
"DefaultValue"=dword:00000001
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51150"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DesktopProcess]
"Type"="checkbox"
"Text"="@shell32.dll,-30507"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="SeparateProcess"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000000
"HelpID"="shell.hlp#51079"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DesktopProcess\Policy]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DesktopProcess\Policy\SeparateProcess]
@=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DisableThumbCache]
"Type"="checkbox"
"Text"="@shell32.dll,-30517"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="DisableThumbnailCache"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000000
"HelpID"="shell.hlp#51155"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\FolderSizeTip]
"Type"="checkbox"
"Text"="@shell32.dll,-30514"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="FolderContentsInfoTip"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\FriendlyTree]
"Type"="checkbox"
"Text"="@shell32.dll,-30511"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="FriendlyTree"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"HelpID"="shell.hlp#51149"
"DefaultValue"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
"Text"="@shell32.dll,-30499"
"Type"="group"
"Bitmap"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,\
5c,53,48,45,4c,4c,33,32,2e,64,6c,6c,2c,34,00
"HelpID"="shell.hlp#51131"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30501"
"Type"="radio"
"CheckedValue"=dword:00000002
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51104"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
"Type"="checkbox"
"Text"="@shell32.dll,-30503"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="HideFileExt"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000001
"HelpID"="shell.hlp#51101"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\NetCrawler]
"Type"="checkbox"
"Text"="@shell32.dll,-30509"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="NoNetCrawling"
"CheckedValue"=dword:00000000
"UncheckedValue"=dword:00000001
"DefaultValue"=dword:00000000
"HelpID"="shell.hlp#51147"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\NetCrawler\Policy]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\NetCrawler\Policy\NoNetCrawling]
@=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\PersistBrowsers]
"Type"="checkbox"
"Text"="@shell32.dll,-30513"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="PersistBrowsers"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"HelpID"="shell.hlp#51152"
"DefaultValue"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowCompColor]
"Type"="checkbox"
"Text"="@shell32.dll,-30512"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="ShowCompColor"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000001
"HelpID"="shell.hlp#51130"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPath]
"Type"="checkbox"
"Text"="@shell32.dll,-30504"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CabinetState"
"ValueName"="FullPath"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000000
"HelpID"="shell.hlp#51100"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPathAddress]
"Type"="checkbox"
"Text"="@shell32.dll,-30505"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CabinetState"
"ValueName"="FullPathAddress"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000001
"HelpID"="shell.hlp#51107"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowInfoTip]
"Type"="checkbox"
"Text"="@shell32.dll,-30502"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="ShowInfoTip"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000001
"HelpID"="shell.hlp#51102"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"Type"="checkbox"
"Text"="@shell32.dll,-30508"
"WarningIfNotDefault"="@shell32.dll,-28964"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="ShowSuperHidden"
"CheckedValue"=dword:00000000
"UncheckedValue"=dword:00000001
"DefaultValue"=dword:00000000
"HelpID"="shell.hlp#51103"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
@=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets]
"Text"="Managing pairs of Web pages and folders"
"HelpID"="TBD"
"Type"="group"
"Bitmap"="C:\\WINDOWS\\system32\\\\SHELL32.DLL,4"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets\AUTO]
"CheckedValue"=dword:00000000
"Type"="radio"
"ValueName"="NoFileFolderConnection"
"HelpID"="TBD"
"Text"="Show and manage the pair as a single file"
"DefaultValue"=dword:00000000
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
"HKeyRoot"=dword:80000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets\NOHIDE]
"ValueName"="NoFileFolderConnection"
"DefaultValue"=dword:00000000
"Text"="Show both parts but manage as a single file"
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
"HelpID"="TBD"
"Type"="radio"
"CheckedValue"=dword:00000002
"HKeyRoot"=dword:80000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets\NONE]
"CheckedValue"=dword:00000001
"Type"="radio"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
"HelpID"="TBD"
"ValueName"="NoFileFolderConnection"
"DefaultValue"=dword:00000000
"Text"="Show both parts and manage them individually"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\WebViewBarricade]
"Type"="checkbox"
"Text"="@shell32.dll,-30510"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="WebViewBarricade"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"HelpID"="shell.hlp#51148"
"DefaultValue"=dword:00000000


----------



## bigdaddysjm09 (Jan 9, 2008)

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ServerAdminUI"=dword:00000000
"Hidden"=dword:00000001
"ShowCompColor"=dword:00000001
"HideFileExt"=dword:00000000
"DontPrettyPath"=dword:00000000
"ShowInfoTip"=dword:00000001
"HideIcons"=dword:00000000
"MapNetDrvBtn"=dword:00000000
"WebView"=dword:00000001
"Filter"=dword:00000000
"SuperHidden"=dword:00000000
"SeparateProcess"=dword:00000000
"ListviewAlphaSelect"=dword:00000000
"ListviewShadow"=dword:00000001
"ListviewWatermark"=dword:00000000
"TaskbarAnimations"=dword:00000000
"TaskbarSizeMove"=dword:00000001
"StartMenuFavorites"=dword:00000001
"StartMenuAdminTools"=dword:00000000
"StartMenuLogoff"=dword:00000001
"Start_ShowPrinters"=dword:00000001
"IntelliMenus"="NO"
"StartMenuInit"=dword:00000002
"StartButtonBalloonTip"=dword:00000002
"FolderContentsInfoTip"=dword:00000001
"FriendlyTree"=dword:00000001
"WebViewBarricade"=dword:00000000
"DisableThumbnailCache"=dword:00000000
"ShowSuperHidden"=dword:00000001
"ClassicViewState"=dword:00000000
"PersistBrowsers"=dword:00000000
"NoNetCrawling"=dword:00000001
"EnableBalloonTips"=dword:00000000
"Start_ShowNetConn_ShouldShow"=dword:00000042


----------
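The two exports above are plain REGEDIT4 text, so the comparison being done by eye here can be scripted. As an added example (not code from the thread, from OTScanIt or from the poster), this Python parses a `regedit /a` export and reports every Advanced\Folder control that is off its Windows XP default; the defaults are assumed from a stock XP install, and the sample export inside it is constructed with tampered values.

```python
"""Audit Explorer's "hidden files" controls from a `regedit /a` export.

Added example, not code from the thread or from OTScanIt: it parses the
REGEDIT4 text pasted above and compares the Advanced\Folder control keys
with their Windows XP defaults. The sample export at the bottom is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple, Union

RegValue = Union[int, str, bytes]

FOLDER_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
              r"\Explorer\Advanced\Folder")
# XP defaults (assumed from a stock install); every entry is a REG_DWORD.
# CheckedValue is what Explorer writes to the user's Advanced key when chosen.
HKLM_DEFAULTS: Dict[str, Dict[str, int]] = {
    FOLDER_KEY + r"\Hidden\SHOWALL": {"CheckedValue": 1, "DefaultValue": 2},
    FOLDER_KEY + r"\Hidden\NOHIDDEN": {"CheckedValue": 2, "DefaultValue": 2},
    FOLDER_KEY + r"\SuperHidden": {"CheckedValue": 0, "UncheckedValue": 1, "DefaultValue": 0},
    FOLDER_KEY + r"\HideFileExt": {"CheckedValue": 1, "UncheckedValue": 0, "DefaultValue": 1},
}


def _parse_data(data: str) -> RegValue:
    """dword:xxxxxxxx -> int, hex/hex(n):.. -> bytes, "quoted" -> str."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex"):
        return bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b.strip())
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse REGEDIT4 text into {key_path: {value_name: data}}.
    A trailing backslash continues a line (hex data is wrapped that way)."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current: Optional[str] = None
    for line in re.sub(r"\\\r?\n[ \t]*", "", text).splitlines():
        line = line.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')  # '@' is the default value
            keys[current][name] = _parse_data(data)
    return keys


def check_hidden_file_controls(
        keys: Dict[str, Dict[str, RegValue]]) -> List[Tuple[str, Optional[str], str]]:
    """(key, value_name, problem) for each control that is off its XP default.
    A changed number and a changed type (dword turned into a string) both
    break the Folder Options radio buttons, so both are reported."""
    findings: List[Tuple[str, Optional[str], str]] = []
    by_lower = {k.lower(): v for k, v in keys.items()}  # key paths are case-insensitive
    for key, expected in HKLM_DEFAULTS.items():
        values = by_lower.get(key.lower())
        if values is None:
            findings.append((key, None, "key missing"))
            continue
        for name, want in expected.items():
            got = values.get(name)
            if got is None:
                findings.append((key, name, "value missing"))
            elif not isinstance(got, int):
                findings.append((key, name, "not a dword: %r" % (got,)))
            elif got != want:
                findings.append((key, name, "is %d, default %d" % (got, want)))
    return findings


# Constructed export in the pasted layout: SHOWALL's CheckedValue was flipped
# 1 -> 0, SuperHidden's CheckedValue became a string, NOHIDDEN is gone and
# HideFileExt is untouched.
SAMPLE_HKLM = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
"Bitmap"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,\
5c,53,48,45,4c,4c,33,32,2e,64,6c,6c,2c,34,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"DefaultValue"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"CheckedValue"="0"
"UncheckedValue"=dword:00000001
"DefaultValue"=dword:00000000
'''
```

Run it against `C:\look.txt` by passing the file's contents to `parse_reg_export`; an empty list from `check_hidden_file_controls` means the HKLM side of the Folder Options dialog is untouched.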



## Cookiegal (Aug 27, 2003)

I'm attaching a Hidden.zip file to this post. Save it to your desktop. Unzip it and double-click the Hidden.reg file and allow it to enter into the registry.

Then remove the version of OTScanIt you currently have and download the latest one from the following link and perform another scan as follows:

Download *OTScanIt.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanIt* on your desktop.

Close any open browsers.
Disconnect from the Internet.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of OTScanIt.
Open the *OTScanIt* folder and double-click on OTScanIt.exe to start the program.
Check the box that says *Scan All User Accounts*
Under Drivers select the radio button for *All*
Check the Radio buttons for Files/Folders Created Within *90 Days* and Files/Folders Modified Within *90 Days* 
Under Additional Scans check the following:
Reg - BotCheck
Reg - Disabled MS Config Items
Reg - NeverShowExt Settings
Reg - Software Policy Settings
Reg - Uninstall List
File - Additional Folder Scans

Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it automatically.
Save that Notepad file. Click the *Format* menu and make sure that *Word wrap* is not checked. If it is then click on it to uncheck it.
Use the *Reply* button and upload the Notepad file here as an attachment please.


----------



## bigdaddysjm09 (Jan 9, 2008)

scan results


----------



## Cookiegal (Aug 27, 2003)

Start *OTScanIt*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. *Post that information back here along with a new HijackThis log please.*

```
[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> 36 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> 37 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> 35 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> 35 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-1691938981-1926685983-1786476240-1006\] > -> HKEY_USERS\S-1-5-21-1691938981-1926685983-1786476240-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> 37 domain(s) and sub-domain(s) not assigned to a zone. -> 
[Registry - Additional Scans - Non-Microsoft Only]
< Uninstall List [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
YN -> {3248F0A8-6813-11D6-A77B-00B0D0150060} -> J2SE Runtime Environment 5.0 Update 6
[Files/Folders - Created Within 90 days]
NY -> Progr_.dll -> %SystemDrive%\Progr_.dll
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersProfile%\Application Data\TEMP:5C321E34
NY -> @Alternate Data Stream - 150 bytes -> %AllUsersProfile%\Application Data\TEMP:5F7539FF
NY -> @Alternate Data Stream - 169 bytes -> %AllUsersProfile%\Application Data\TEMP:B3D74A13
[Files/Folders - Modified Within 90 days]
NY -> hosts.20080407-164945.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080407-164945.backup
NY -> hosts.20080410-214109.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080410-214109.backup
NY -> hosts.20080410-214145.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080410-214145.backup
NY -> hosts.20080414-044440.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080414-044440.backup
NY -> hosts.20080422-220140.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080422-220140.backup
NY -> hosts.20080423-170129.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080423-170129.backup
NY -> hosts.20080424-210335.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080424-210335.backup
NY -> hosts.20080425-022305.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080425-022305.backup
NY -> hosts.20080503-142709.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080503-142709.backup
NY -> hosts.20080527-194442.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080527-194442.backup
NY -> hosts.bak -> %SystemRoot%\System32\drivers\etc\hosts.bak
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersProfile%\Application Data\TEMP:5C321E34
NY -> @Alternate Data Stream - 150 bytes -> %AllUsersProfile%\Application Data\TEMP:5F7539FF
NY -> @Alternate Data Stream - 169 bytes -> %AllUsersProfile%\Application Data\TEMP:B3D74A13
NY -> WildTangent -> %AllUsersProfile%\Application Data\WildTangent
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```


----------



## bigdaddysjm09 (Jan 9, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:06 AM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\rserver30\RServer3.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\rserver30\FamItrfc.Exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SQ931STI.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Progra~1\CrossLoop\CrossLoopConnect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SQ931STI] C:\WINDOWS\SQ931STI.EXE
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [CrossLoop] C:\Progra~1\CrossLoop\CrossLoopConnect.exe -ap=crossloop -port=5910 -udp=www.CrossLoop.com -webserver=server.crossloop.com -webservice=www.crossloop.com -startup=server -minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - 
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 
O17 - HKLM\Software\..\Telephony: DomainName = 
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 
O20 - AppInit_DLLs: C:\WINDOWS\system32\rserver30\newtstop.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - - (no file)
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9816 bytes


----------



## Cookiegal (Aug 27, 2003)

I'm not sure if I mentioned this before but you have Authentium and Norton anti-virus programs. It's not good to have more than one installed as they will conflict and cause problems so you need to decide which one you want to keep and remove the other.


How are things with the system now?
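The HijackThis log above is plain text with a fixed shape: a "Running processes:" block, then one entry per line keyed by a section code (R0, O4, O20, O23 and so on). The two points a helper checks by eye in a log like this, orphaned "(no file)" service entries and more than one anti-virus vendor installed at once, are easy to check mechanically. The following Python script is an added example written for this page; it is not part of HijackThis, OTScanIt or anything posted in the thread. It assumes the entry layout seen in the log ("Oxx - detail"), the O23 service layout "Service: name - vendor - path" where an empty vendor collapses the separators to " - - ", and a short illustrative vendor keyword list (Symantec and Authentium from the log, Kaspersky because the thread mentions it). The sample lines embedded in it are copied from the posted log.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines taken from the HijackThis log posted
# in this thread, enough to exercise every code path below.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:06 AM, on 5/30/2008

Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [SQ931STI] C:\WINDOWS\SQ931STI.EXE
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\rserver30\newtstop.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - - (no file)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe
"""

# HijackThis entries: a section code (R0-R3, F0-F3, N1-N4, O1-O24), " - ", detail.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# O23 detail: "Service: <name> - <vendor> - <path>". When the vendor is empty the
# two separators collapse to " - - ", which the optional space before "-" absorbs.
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<vendor>.*?) ?- (?P<path>(?:[A-Za-z]:\\|\(no file\)).*)$"
)

# Illustrative list (assumption, not from the thread): vendor keywords matched
# against the O23 vendor field to count distinct anti-virus products.
AV_VENDORS = ("Symantec", "Authentium", "Kaspersky")


def parse_hjt(text):
    """Split a HijackThis log into its process list and per-section entries."""
    sections = defaultdict(list)
    processes = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections[m.group(1)].append(m.group(2))
    return {"processes": processes, "sections": dict(sections)}


def parse_service(detail):
    """Return (name, vendor, path) for an O23 detail string, or None."""
    m = SERVICE_RE.match(detail)
    if not m:
        return None
    return m.group("name"), m.group("vendor"), m.group("path")


def audit(text):
    """Flag orphaned services, AppInit_DLLs entries and multiple AV vendors."""
    sections = parse_hjt(text)["sections"]
    orphaned = []
    vendors = set()
    for detail in sections.get("O23", []):
        svc = parse_service(detail)
        if svc is None:
            continue
        name, vendor, path = svc
        if path == "(no file)":
            orphaned.append(name)  # leftover of an uninstalled product
        for keyword in AV_VENDORS:
            if keyword.lower() in vendor.lower():
                vendors.add(keyword)
    # AppInit_DLLs are loaded into every process that loads user32.dll, so each
    # entry deserves a look regardless of who installed it.
    appinit = [d[len("AppInit_DLLs: "):] for d in sections.get("O20", [])
               if d.startswith("AppInit_DLLs: ")]
    return {
        "orphaned_services": orphaned,
        "appinit_dlls": appinit,
        "av_vendors": sorted(vendors),
        "multiple_av": len(vendors) > 1,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run as-is it reports the Ad-Aware service as orphaned, the rserver30 AppInit DLL for review, and two AV vendors present (Authentium and Symantec), which is the conflict Cookiegal points out above. Feed it a full saved log instead of SAMPLE_LOG to get the same summary for a real scan.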


----------



## bigdaddysjm09 (Jan 9, 2008)

i do remember you mentioning something about this...i'm going to keep the norton internet security which i have installed but well...if you give me a specific name of what exactly the Authentium antivirus is then i'll remove all traces of it because i truly don't know what it is...i figured it may have something to do with kaspersky because i can't install kaspersky internet security on my computer without it giving me an error but if you let me know what name my authentium AV goes by or what they go by i'll search and remove them all but i want to keep norton


----------



## bigdaddysjm09 (Jan 9, 2008)

things are good now...love.exe is completely gone for good every now and then i do still get the kissing noise i hardly ever turn off my computer and i've only got it a few times after the actual removal of love.exe so i'm good and it doesn't do it anymore i'm greatly appreciative of your help that you've given me and i'm working on getting certified at geekstogo.com to be able to help on the site...thanks


----------



## Cookiegal (Aug 27, 2003)

You're quite welcome. 

The following list will show us what's in your add/remove program list:

Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## bigdaddysjm09 (Jan 9, 2008)

here's the list and i see that i can uninstall the authentium AV through hijack this but i use an uninstaller that scans and deletes the registry keys also....it's known as your uninstaller 2008...but why is this (authentium) not on that list and since it isn't after i uninstall it i want to get rid of the left over registry keys will regcure and reghelp take care of this for me???




Ad-Aware SE Professional
Adobe Flash Player ActiveX
Adobe Reader 7.0.5
AIM 6
AppCore
Aspi Installer
Authentium AntiVirus SDK - 2
AV
Avant Browser (remove only)
Battery Doubler 1.2.1
ccCommon
Conexant HD Audio
CrossLoop 2.20
Customer Experience Enhancement
DivX
Easy Internet Sign-up
FileAlyzer
Graffiti Studio 2.0
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB910728)
Hotfix for Windows XP (KB912436)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB914906)
Hotfix for Windows XP (KB915326)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB918005)
Hotfix for Windows XP (KB926239)
HP DVD Play 2.3
HP Help and Support
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP Quick Launch Buttons 6.10 A1
HP Update
HP User Guides 0037
HP Wireless Assistant 2.00 G2
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Java(TM) 6 Update 5
Kaspersky Online Scanner
LimeWire PRO 4.12.3
LiveUpdate 3.1 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.14)
MSRedist
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
muvee autoProducer 5.0
MySpaceIM
NetWaiting
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Office 2003 Trial Assistant
PFConfig 1.0.163
Quicken 2006
Radmin Server 3.2
Radmin Viewer 3.2
REALTEK GbE & FE Ethernet PCI NIC Driver
Remove on Reboot Shell Extension
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Excel 2007 (KB946974)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Office 2007 (KB947801)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
SmartAudio
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
SPBBC 32bit
Speed Gear 5.00
SpeedConnect Internet Accelerator v.7.0
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
SymNet
Synaptics Pointing Device Driver
TourSetup
Tracks Eraser Pro v7.01
TuneUp Utilities 2008
Uniblue PowerSuite
Uniblue ProcessQuickLink 2
Uniblue SpyEraser
Update for Office 2007 (KB946691)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
USB 2.0 Video Camera
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888402
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892559
Windows XP Hotfix - KB893086
WinRAR archiver
Wireless Home Network Setup
Wireless WEP Key Password Spy
Yahoo! Messenger


----------



## Cookiegal (Aug 27, 2003)

*Authentium AntiVirus SDK - 2* is listed there so you should uninstall that. I would use the Add/Remove programs to uninstall it.

Do you know what this is that's listed there as well?

*AV*

I don't recommend using any registry cleaners as they usually cause more harm than good by removing needed registry keys and/or values.


----------



## bigdaddysjm09 (Jan 9, 2008)

my add remove programs section in my control panel doesn't list either one of them so i don't know what they are..but neither is listed in the add/remove programs control panel


----------



## Cookiegal (Aug 27, 2003)

Using HijackThis, open up the uninstall list again and highlight this item in the list then click Delete this Entry.

*Authentium AntiVirus SDK - 2*

As for the AV one, look to see if you have a folder anywhere (specifically in Program Files) by that name so we can get an idea of what it is before deleting it. AV may be short for anti-virus but I don't know for sure.


----------



## bigdaddysjm09 (Jan 9, 2008)

ok...i deleted that uninstall entry and looked in my program files folder for a folder labeled AV and i even used the search feature and still no results


----------



## Cookiegal (Aug 27, 2003)

Can you post a new uninstall list please?


----------



## bigdaddysjm09 (Jan 9, 2008)

after i deleted the add remove entry of that authentium AV ...kind of weird but it showed up in my uninstall list for my uninstaller and my control panel after i deleted that entry so i uninstalled it....



Ad-Aware SE Professional
Adobe Flash Player ActiveX
Adobe Reader 7.0.5
AIM 6
AppCore
Aspi Installer
AV
Avant Browser (remove only)
Battery Doubler 1.2.1
ccCommon
Conexant HD Audio
CrossLoop 2.20
Customer Experience Enhancement
DivX
Easy Internet Sign-up
FriendBlasterPro
Graffiti Studio 2.0
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB910728)
Hotfix for Windows XP (KB912436)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB914906)
Hotfix for Windows XP (KB915326)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB918005)
Hotfix for Windows XP (KB926239)
HP DVD Play 2.3
HP Help and Support
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP Quick Launch Buttons 6.10 A1
HP Update
HP User Guides 0037
HP Wireless Assistant 2.00 G2
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Java(TM) 6 Update 5
Kaspersky Online Scanner
LimeWire PRO 4.12.3
LiveUpdate 3.1 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.14)
MSRedist
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
muvee autoProducer 5.0
MYB Money Maker 1.30
MySpaceIM
NetWaiting
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Office 2003 Trial Assistant
PFConfig 1.0.163
Quicken 2006
Radmin Server 3.2
Radmin Viewer 3.2
REALTEK GbE & FE Ethernet PCI NIC Driver
Remove on Reboot Shell Extension
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Excel 2007 (KB946974)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Office 2007 (KB947801)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
SmartAudio
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
SPBBC 32bit
Speed Gear 5.00
SpeedConnect Internet Accelerator v.7.0
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
SymNet
Synaptics Pointing Device Driver
TourSetup
Tracks Eraser Pro v7.01
TuneUp Utilities 2008
Uniblue PowerSuite
Uniblue ProcessQuickLink 2
Uniblue SpyEraser
Update for Office 2007 (KB946691)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
USB 2.0 Video Camera
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888402
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892559
Windows XP Hotfix - KB893086
WinRAR archiver
Wireless Home Network Setup
Wireless WEP Key Password Spy
Yahoo! Messenger


----------



## Cookiegal (Aug 27, 2003)

AV may have something to do with the Avant Browser as well.

Are there any problems remaining?


----------



## bigdaddysjm09 (Jan 9, 2008)

no sir...i think i'm good to go....no performance issues..no freezing up...and no kissing sounds anymore so i think i'm good...is there anything else i need to do


----------



## Cookiegal (Aug 27, 2003)

*Edit: Before doing the following, please check my next post as there is something else I wanted to check with you.*

Here are some final instructions for you.

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems.

*Upgrading Java*:


Download the latest version of *Java Runtime Environment (JRE) 6 Update 6*.
Scroll down to where it says *Java Runtime Environment (JRE) 6 Update 6. The Java SE Runtime Environment (JRE) allows end-users to run Java applications* (the fifth one in the list).
Click the "*Download*" button to the right. A new page will open.
Select your platform and check the box that says: *I agree to the Java SE Runtime Environment 6 License Agreement*.
Click *Continue*.
Click on the link under *Windows Offline Installation* (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
Go to *Start* - *Control Panel*, double-click on *Add/Remove Programs* and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Close any programs you may have running - especially your web browser.
Then from your desktop double-click on the download to install the newest version.

The following program will remove the tools we've used and their associated files and backups and then it will delete itself.

Please download *OTMoveIt2 by OldTimer*.

*Save* it to your *desktop*.
Make sure you have an Internet Connection.
Double-click *OTMoveIt.exe* to run it. (Vista users, please right-click on *OTMoveIt2.exe* and select "Run as an *Administrator*")
Click on the *CleanUp!* button
A list of tool components used in the cleanup of malware will be downloaded.
If your firewall or real-time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application which will delete itself.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose *Yes.*

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* - *All Programs* - *Accessories* - *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

Delete Temporary Files:

Go to *Start* - *Run* and type in *cleanmgr* and click OK. 
Let it scan your system for files to remove. 
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. 
Press OK to remove them.

***

You should trim down your start-ups (these show as the O4 entries in your HijackThis log) as there are too many running. You can research them at these sites and, if they aren't required at start-up, you can uncheck them in msconfig: go to *Start* - *Run*, type *msconfig*, click OK and then click on the *Startup* tab.

http://castlecops.com/StartupList.html
http://www.bleepingcomputer.com/startups/
http://www.windowsstartup.com/wso/index.php
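As an added illustration of the start-up review above (this is not Cookiegal's script or part of the original thread), the following PowerShell lists the same auto-start locations that HijackThis reports as O4 lines: the Run/RunOnce registry keys and the two Startup folders. For each entry it resolves the executable, checks whether the file still exists and whether it carries a valid Authenticode signature, so that unsigned or missing binaries can be looked up on the startup databases linked above before they are unchecked in msconfig. It assumes PowerShell 2.0 or later on Windows; the registry paths and the `Shell Folders` value are the standard ones, and the CSV path on the desktop is an assumed output location.

```powershell
# Added example (not from the thread): enumerate HijackThis "O4" style
# auto-start entries so they can be researched before being disabled.
# Assumes PowerShell 2.0+ on Windows; run from an elevated prompt to read HKLM.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable out of a Run value such as
#   "C:\Program Files\Foo\foo.exe" /silent   or   C:\WINDOWS\system32\bar.exe -x
function Get-ExePath([string]$command) {
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $command.Trim()
}

# Build one review record: where the entry lives, what it launches,
# whether the target exists and whether it is signed by a trusted publisher.
function Get-AutoStartEntry([string]$source, [string]$name, [string]$command) {
    $exe    = Get-ExePath $command
    $exists = Test-Path -LiteralPath $exe
    $sig    = 'n/a'
    if ($exists) {
        $sig = (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
    }
    New-Object PSObject -Property @{
        Source    = $source
        Name      = $name
        Command   = $command
        Path      = $exe
        Exists    = $exists
        Signature = $sig
    }
}

$entries = @()

# Registry Run / RunOnce keys (HKLM applies to all users, HKCU to this account)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
        if ($prop.Name -like 'PS*') { continue }
        $entries += Get-AutoStartEntry $key $prop.Name ([string]$prop.Value)
    }
}

# Startup folders: per-user from .NET, all-users from the Explorer Shell Folders key
$shellFolders = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$startupDirs  = @([Environment]::GetFolderPath('Startup'))
if (Test-Path $shellFolders) {
    $common = (Get-ItemProperty -Path $shellFolders).'Common Startup'
    if ($common) { $startupDirs += $common }
}
foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $entries += Get-AutoStartEntry $dir $_.Name $_.FullName
    }
}

# Show everything, then save the entries that deserve a closer look:
# targets that no longer exist, or binaries without a valid publisher signature.
$entries | Sort-Object Source, Name | Format-Table Name, Path, Exists, Signature -AutoSize

$entries | Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } |
    Export-Csv -Path "$env:USERPROFILE\Desktop\startup-review.csv" -NoTypeInformation
```

A signature status of `NotSigned` is not proof of malware (many legitimate older programs are unsigned), but combined with an odd location such as a bare `.exe` in `system32` that no installed product accounts for, it marks the entry as one to research on the startup lists rather than simply leave enabled. The script only reads and reports; disabling an entry is still done through msconfig as described above.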


----------



## Cookiegal (Aug 27, 2003)

Before doing all of the above, there was something else I had in my notes that I wanted to check with you.

Do you recognize this folder? I suspect it may have been created by the malware and could even be empty now but needs to be checked. If it's not empty and you don't recognize it, can you tell me what files are in it? It was created on April 7, 2008.

C:\*ckis*


----------

