# explorer.exe 0xc0000005 error



## jeff1111 (Apr 18, 2008)

Hopefully I am posting this in the right section.

Running Windows XP.

Last week I was getting an error upon login to Windows where it said a file
called browseui.dll was corrupt.
No icons would show up on the desktop and I could not get to my files (Explorer) or folders.

I could access the Task Manager, so I copied a new browseui.dll file to the folder
c:\windows\system32 and it fixed the problem, though every day it would reappear.

Avast virus scan and MS Defender found no viruses.

Today I got the same problem but also an error message:
*explorer.exe 0xc0000005 error*

Again no desktop icons and unable to get to files or folders, even when I replaced the browseui.dll file.

Have searched around but not finding a solution....

*I already tried a system restore to a couple of weeks ago
and no change. I also already tried to download a patch but that
did nothing.*

Suggestions appreciated....

Though remember I do not have a way to find or get to a file I may download, unless someone can tell me how to do that as well.

This is a business computer with many files I need to access and/or copy off, so any help would be greatly
appreciated.

Thanks.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jeff1111*.

Welcome to TSG.








*Click here* to download *HJTInstall.exe*

- Save *HJTInstall.exe* to your desktop.
- Double-click on the *HJTInstall.exe* icon on your desktop.
- By default it will install to *C:\Program Files\Trend Micro\HijackThis*.
- Click on *Install*.
- It will create a HijackThis icon on the desktop.
- Once installed, it will launch *HijackThis*.
- Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in Notepad.
- Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
- Come back here to this thread and paste the log in your next reply.
- *DO NOT* have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


----------



## jeff1111 (Apr 18, 2008)

Thanks, I did as you posted, here is the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:12 PM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.createthechange.com/news.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vitagenesis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm265MFUS
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_6_1/controls/ybrequest.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_6_1/controls/YBUICtrl.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9109 bytes


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jeff1111* 

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i

Now *close all windows and browsers, other than HijackThis*, then click Fix Checked.

Close HijackThis.

Please then reboot your computer in *Safe Mode* by doing the following:

- Restart your computer.
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
- Instead of Windows loading as normal, the Advanced Options Menu should appear.
- Select the first option, to run Windows in Safe Mode, then press *Enter*.
- Choose your usual account.

Please go to Start > Control Panel > *Add/Remove Programs* and remove the following (if present):

*MyWebSearch*

Please note any other programs that you don't recognize in that list in your next response.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these *folders* (if present):

*C:\Program Files\MyWebSearch*

Restart the computer.








Download *Deckard's System Scanner (DSS)* from *here* or *here* to your Desktop. Note: You must be logged onto an account with administrator privileges.

- Close all applications and windows.
- Double-click on *dss.exe* to run it, and follow the prompts.
- When the scan is complete, two text files will open: *main.txt* <- this one will be maximized, and *extra.txt* <- this one will be minimized.
- Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of both *main.txt* and *extra.txt* in your next reply.
- If the files are too long, attach them to a reply:
  - Scroll down and click the [*Manage Attachments*] button.
  - Browse to the following folder: *C:\Deckard\System Scanner*
  - Click *Upload* to upload these files one by one.
  - *Submit* your reply.
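The log format the helper is reading above, and the entries he singled out for Fix Checked, can be checked mechanically. The following Python is an added example, not part of the thread and not code from HijackThis or Trend Micro: it parses the R/O entry types seen in the log and flags any entry whose module lives under a folder the helper told the poster to remove, or under a temporary folder (the point made later in the thread). The sample lines are copied from the log above plus one constructed O4 entry (`updater`) that does not appear in the thread; the `UNWANTED_DIRS` list is an assumption drawn from the helper's instructions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: lines copied from the HijackThis log posted in this thread, plus one
# CONSTRUCTED O4 entry ("updater", loading from the user's Temp folder) that does not
# appear in the thread, added to exercise the temporary-folder rule.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.createthechange.com/news.htm
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Jeff\Local Settings\Temp\update.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 autostart lines look like:  HKLM\..\Run: [name] <command line>
O4_RE = re.compile(r"^(HK(?:LM|CU)\\\.\.\\\w+): \[([^\]]*)\] (.*)$")
# Leading token of a command line that ends in a module extension (quoted or not)
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|ocx|scr|bat|cmd|com))(?=["\s]|$)', re.IGNORECASE)

# Assumed list: folders the helper told the poster to remove (MyWebSearch) or listed
# as unwanted in the OTScanit fix (FunWebProducts). Extend for your own environment.
UNWANTED_DIRS = ("\\mywebsearch\\", "\\funwebproducts\\")
# The helper's later point: nothing should be run from temporary folders.
TEMP_DIRS = ("\\local settings\\temp\\", "\\windows\\temp\\", "\\temporary internet files\\")


@dataclass
class Entry:
    section: str            # HijackThis section code: R0, R3, O2, O4, O23, ...
    name: str               # item or value name as HijackThis prints it
    clsid: Optional[str]    # COM class id for BHO / toolbar / search-hook entries
    path: str               # module path, command line, or registry data
    raw: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis log line; returns None for header and process-list lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section in ("R0", "R1"):
        # Registry value form: "<key>,<value name> = <data>"
        key, _, data = rest.partition(" = ")
        return Entry(section, key, None, data.strip(), line)
    if section == "O4":
        m4 = O4_RE.match(rest)
        if m4:
            return Entry(section, m4.group(2), None, m4.group(3).strip(), line)
        # Startup-folder form: "Global Startup: <name>.lnk = <target>"
        name, _, target = rest.partition(" = ")
        return Entry(section, name.split(": ", 1)[-1], None, target.strip(), line)
    cm = CLSID_RE.search(rest)
    if cm:
        # COM-object form: "<label>: <name> - {CLSID} - <module path>"
        name = rest[:cm.start()].split(": ", 1)[-1].rstrip(" -")
        return Entry(section, name, cm.group(0), rest[cm.end():].strip(" -"), line)
    # Service-style form: "<label>: <name> - <company> - <path>"
    head, _, path = rest.rpartition(" - ")
    name = head.split(": ", 1)[-1].split(" - ")[0]
    return Entry(section, name, None, path.strip(), line)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def module_path(command: str) -> str:
    """Reduce a command line or data value to the executable/module it refers to."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else command.strip().split(" ")[0]


def review(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Apply the two rules the thread supports; returns (section, name, reason) triples."""
    findings = []
    for e in entries:
        p = module_path(e.path).lower()
        if any(d in p for d in UNWANTED_DIRS):
            findings.append((e.section, e.name, "module under a folder the helper said to remove"))
        elif any(d in p for d in TEMP_DIRS):
            findings.append((e.section, e.name, "runs from a temporary folder"))
    return findings


def entries_sharing_module(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Group entries by module so every line loading the same DLL is ticked together
    (in the log above the MyWebSearch DLL appears as both an R3 hook and an O2 BHO)."""
    groups: Dict[str, List[Entry]] = {}
    for e in entries:
        groups.setdefault(module_path(e.path).lower(), []).append(e)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for section, name, reason in review(found):
        print(f"{section:<4}{name:<40}{reason}")
```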


----------



## jeff1111 (Apr 18, 2008)

I followed the instructions and all went well until I tried to run
the *dss.exe* file I downloaded. Tried it three times and it started
and got to the point where it said: Backing Up Registry Hives
and then my computer would reboot.

The icons have reappeared though, which is good. Yet there still may be
a virus or problem? If you can, please let me know why you think the dss.exe
execution would cause my computer to reboot and if there is anything
I can do to get it to run as you requested.

thanks,
Jeff


----------



## jeff1111 (Apr 18, 2008)

Update,

I tried the dss.exe again and this time it got
past the Hives backup, but then when it got to
the Temporary Files I got this message:

dss.exe has encountered a problem and needs to 
close.

Error signature
AppName: dss.exe AppVer 3.2.8.1 ModName dss.dll
ModVer 0.0.0.0 Offset 00002120

Exception information
Code: 0xc000000d
Flags: 0x00000000


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jeff1111* 

Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a batch file. Once extracted, double-click on *RunMe.bat* and post the contents of the resulting report.

Download *OTScanit.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanit* on your desktop. *OTScanit* can be detected as malware by your firewall and antivirus. Choose *Ignore* on any warning alert.

- Close any open browsers.
- Open the *OTScanit* folder and double-click on *OTScanit.exe* to start the program.
- Now click the *Run Scan* button on the toolbar.
- The program will be scanning huge amounts of data, so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
- When the scan is complete, Notepad will open with the report file loaded in it.
- Save that Notepad file.
- Use the *Reply* button and attach the Notepad file here *(do not copy and paste it into a reply; attach it instead).*


----------



## jeff1111 (Apr 18, 2008)

Thanks, 

I did these steps and have attached both results files.

- Jeff


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jeff1111* 

You have been running programs from the temporary folders. Nothing should be run from these. If you need to download and run a program, make sure you run that program from a *permanent* folder, such as your desktop.

Start *OTScanit*. Copy/Paste the information in the Quotebox below into the pane where it says *"Paste fix here"* and then click the Run Fix button.


```
[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Capture Text -> []
< User Agent Post Platform [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
YN -> FunWebProducts -> 
YN -> SU 3.011 -> StumbleUpon Version String
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
YY -> ic32pp:{BBCA9F81-8F4F-11D2-90FF-0080C83D3571} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\wc98pp.dll[Reg Error: Value  does not exist or could not be read.]
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DownloadManagerV2.ocx\\.Owner -> {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1}
[Files/Folders - Created Within 30 days]
YY -> 6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 days]
NY -> 2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
NY -> opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat
NY -> 16 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZD8DN9NW\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZD8DN9NW\*.tmp
NY -> CF06674C-EDA6-48df-B12C-F810984ACF54.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\CF06674C-EDA6-48df-B12C-F810984ACF54.exe
NY -> dotnetfx3setup.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\dotnetfx3setup.exe
NY -> install.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\install.exe
NY -> JingSetup1.2.5.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\JingSetup1.2.5.exe
NY -> msgup810_249_us.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\msgup810_249_us.exe
NY -> msgup810_401_us.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\msgup810_401_us.exe
NY -> msgup810_421_us.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\msgup810_421_us.exe
NY -> msgup_us.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\msgup_us.exe
NY -> WiseUpdX.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\WiseUpdX.exe
NY -> ymsgr.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\ymsgr.exe
NY -> 4023 C:\Documents and Settings\Jeff\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\*.tmp
NY -> uninstall.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\{257079CA-2FFD-4C92-A1B5-3AE466ECEF22}\uninstall.exe
NY -> update.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\{257079CA-2FFD-4C92-A1B5-3AE466ECEF22}\update.exe
NY -> 3 C:\Documents and Settings\Jeff\Local Settings\Temp\{257079CA-2FFD-4C92-A1B5-3AE466ECEF22}\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\{257079CA-2FFD-4C92-A1B5-3AE466ECEF22}\*.tmp
NY -> QuickTimeInstaller.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\{336C06E7-0219-44AF-8593-E2009E24FCCD}\QuickTimeInstaller.exe
NY -> Drvldr.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\{D0B62912-F69C-4F35-BAC6-8460F7DF6C3C}\{BBBCAE4B-B416-4182-A6F2-438180894A81}\Roxio\Drvldr.exe
NY -> setup.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\{D0B62912-F69C-4F35-BAC6-8460F7DF6C3C}\{BBBCAE4B-B416-4182-A6F2-438180894A81}\Roxio\setup.exe
NY -> md5deep.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~aidlpks.tmp\md5deep.exe
NY -> sed.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~aidlpks.tmp\sed.exe
NY -> swreg.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~aidlpks.tmp\swreg.exe
NY -> md5deep.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~dykoriw.tmp\md5deep.exe
NY -> sed.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~dykoriw.tmp\sed.exe
NY -> md5deep.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~eijtxmu.tmp\md5deep.exe
NY -> sed.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~eijtxmu.tmp\sed.exe
NY -> swreg.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~eijtxmu.tmp\swreg.exe
NY -> md5deep.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~fyivshr.tmp\md5deep.exe
NY -> sed.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~fyivshr.tmp\sed.exe
NY -> swreg.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~fyivshr.tmp\swreg.exe
NY -> md5deep.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~mjgjgtc.tmp\md5deep.exe
NY -> sed.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~mjgjgtc.tmp\sed.exe
NY -> swreg.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~mjgjgtc.tmp\swreg.exe
NY -> md5deep.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~smqgbhg.tmp\md5deep.exe
NY -> sed.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~smqgbhg.tmp\sed.exe
NY -> swreg.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~smqgbhg.tmp\swreg.exe
NY -> INVISUSSpywareScan.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\is-MCQER.tmp\INVISUSSpywareScan.exe
NY -> SetupX.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\SetupX.exe
NY -> 50comupd.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\50comupd.exe
NY -> instmsia.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\instmsia.exe
NY -> instmsiw.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\instmsiw.exe
NY -> ShFolder.Exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\ShFolder.Exe
NY -> NeroDelTmp.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Setup\NeroDelTmp.exe
NY -> UninstallNero.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Setup\UninstallNero.exe
NY -> Secret Crystals and Gemstones Vol I eBook.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Directory 1 for Secret_Crystals_and_Gemstones_Vol_I_eBook.zip\Secret Crystals and Gemstones Vol I eBook.exe
NY -> @Alternate Data Stream - 0 bytes -> %UserProfile%\Local Settings\Temp\Temporary Directory 1 for Secret_Crystals_and_Gemstones_Vol_I_eBook.zip\Secret Crystals and Gemstones Vol I eBook.exe:Zone.Identifier
NY -> Setup.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Directory 1 for sothink-free-menu-builder.zip\Disk1\Setup.exe
NY -> @Alternate Data Stream - 0 bytes -> %UserProfile%\Local Settings\Temp\Temporary Directory 1 for sothink-free-menu-builder.zip\Disk1\Setup.exe:Zone.Identifier
NY -> Secret Crystals and Gemstones Vol I eBook.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Directory 2 for Secret_Crystals_and_Gemstones_Vol_I_eBook.zip\Secret Crystals and Gemstones Vol I eBook.exe
NY -> @Alternate Data Stream - 0 bytes -> %UserProfile%\Local Settings\Temp\Temporary Directory 2 for Secret_Crystals_and_Gemstones_Vol_I_eBook.zip\Secret Crystals and Gemstones Vol I eBook.exe:Zone.Identifier
NY -> AcsInstall.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\AcsInstall.dll
NY -> AOLFirewallMgr.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\AOLFirewallMgr.dll
NY -> AOLInstallerfw.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\AOLInstallerfw.dll
NY -> insmac2k.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\insmac2k.dll
NY -> instph.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\instph.dll
NY -> QTInstallerHelper.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\QTInstallerHelper.dll
NY -> SHFOLDER.DLL -> C:\Documents and Settings\Jeff\Local Settings\Temp\SHFOLDER.DLL
NY -> uninst.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\uninst.dll
NY -> ywiseext.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\ywiseext.dll
NY -> 4023 C:\Documents and Settings\Jeff\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\*.tmp
NY -> 5596adc.DLL -> C:\Documents and Settings\Jeff\Local Settings\Temp\_ISTMP1.DIR\_ISTMP1.DIR\5596adc.DLL
NY -> Adobeisf.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\_ISTMP1.DIR\_ISTMP1.DIR\Adobeisf.dll
NY -> Adobeupd.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\_ISTMP1.DIR\_ISTMP1.DIR\Adobeupd.dll
NY -> patchw32.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\_ISTMP1.DIR\_ISTMP1.DIR\patchw32.dll
NY -> CondMgr.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\{45BA7145-64B0-4B5D-BDC2-40E20FCDC6DC}\CondMgr.dll
NY -> HSAPI.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\{45BA7145-64B0-4B5D-BDC2-40E20FCDC6DC}\HSAPI.dll
NY -> dss.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\~aidlpks.tmp\dss.dll
NY -> dss.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\~dykoriw.tmp\dss.dll
NY -> dss.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\~eijtxmu.tmp\dss.dll
NY -> dss.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\~fyivshr.tmp\dss.dll
NY -> dss.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\~mjgjgtc.tmp\dss.dll
NY -> pncrt.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\~rnsetup\pncrt.dll
NY -> pnrs3260.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\~rnsetup\pnrs3260.dll
NY -> dss.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\~smqgbhg.tmp\dss.dll
NY -> asycfilt.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\MS\System\asycfilt.dll
NY -> mfc42.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\MS\System\mfc42.dll
NY -> msvcirt.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\MS\System\msvcirt.dll
NY -> msvcp60.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\MS\System\msvcp60.dll
NY -> msvcrt.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\MS\System\msvcrt.dll
NY -> oleaut32.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\MS\System\oleaut32.dll
NY -> olepro32.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\MS\System\olepro32.dll
NY -> APATCH.DLL -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Setup\APATCH.DLL
NY -> nps.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Setup\nps.dll
NY -> unrar.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Setup\unrar.dll
NY -> AdvrCntr2.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nro.tmp\AdvrCntr2.dll
NY -> ShellManager.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nro.tmp\ShellManager.dll
NY -> ShellManager10E2D762.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nro.tmp\ShellManager10E2D762.dll
NY -> 1 C:\Documents and Settings\Jeff\Local Settings\Temp\nro.tmp\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\nro.tmp\*.tmp
NY -> System.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsi414.tmp\System.dll
NY -> InetLoad.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsvD74.tmp\InetLoad.dll
NY -> InstallOptions.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsvD74.tmp\InstallOptions.dll
NY -> System.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsvD74.tmp\System.dll
NY -> UserInfo.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsvD74.tmp\UserInfo.dll
NY -> InetLoad.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsxD70.tmp\InetLoad.dll
NY -> InstallOptions.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsxD70.tmp\InstallOptions.dll
NY -> System.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsxD70.tmp\System.dll
NY -> UserInfo.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsxD70.tmp\UserInfo.dll
NY -> rhaplog.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\Rhapsody\rhaplog.dll
NY -> rspov2701.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\RSPSoftware\rspov2701.dll
NY -> js3250.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\tb_temp\xpcom.ns\bin\js3250.dll
NY -> nspr4.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\tb_temp\xpcom.ns\bin\nspr4.dll
NY -> plc4.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\tb_temp\xpcom.ns\bin\plc4.dll
NY -> plds4.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\tb_temp\xpcom.ns\bin\plds4.dll
NY -> xpcom_compat.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\tb_temp\xpcom.ns\bin\xpcom_compat.dll
NY -> xpcom_core.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\tb_temp\xpcom.ns\bin\xpcom_core.dll
NY -> jar50.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\tb_temp\xpcom.ns\bin\components\jar50.dll
NY -> jsd3250.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\tb_temp\xpcom.ns\bin\components\jsd3250.dll
NY -> xpinstal.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\tb_temp\xpcom.ns\bin\components\xpinstal.dll
NY -> pcp.dat -> C:\Documents and Settings\Jeff\Local Settings\Temp\pcp.dat
NY -> Perflib_Perfdata_1e4.dat -> C:\Documents and Settings\Jeff\Local Settings\Temp\Perflib_Perfdata_1e4.dat
NY -> Perflib_Perfdata_d08.dat -> C:\Documents and Settings\Jeff\Local Settings\Temp\Perflib_Perfdata_d08.dat
NY -> Perflib_Perfdata_e9c.dat -> C:\Documents and Settings\Jeff\Local Settings\Temp\Perflib_Perfdata_e9c.dat
NY -> 4023 C:\Documents and Settings\Jeff\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\*.tmp
NY -> 1a162918f4e459e3f12678cf55c8c460.dat -> C:\Documents and Settings\Jeff\Local Settings\Temp\{257079CA-2FFD-4C92-A1B5-3AE466ECEF22}\cache\1a162918f4e459e3f12678cf55c8c460.dat
NY -> 4194-1~3.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\4194-1~3.ini
NY -> addonsb.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\addonsb.ini
NY -> AOLFirewallMgr.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\AOLFirewallMgr.ini
NY -> aolsetup.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\aolsetup.ini
NY -> Dll_.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\Dll_.ini
NY -> setup.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\setup.ini
NY -> {AC76BA86-1033-F400-7760-000000000003}.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\{AC76BA86-1033-F400-7760-000000000003}.ini
NY -> 4023 C:\Documents and Settings\Jeff\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\*.tmp
NY -> AdobeIns.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\_ISTMP1.DIR\_ISTMP1.DIR\AdobeIns.ini
NY -> 0x0409.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\{D0B62912-F69C-4F35-BAC6-8460F7DF6C3C}\{BBBCAE4B-B416-4182-A6F2-438180894A81}\Roxio\0x0409.ini
NY -> Setup.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\{D0B62912-F69C-4F35-BAC6-8460F7DF6C3C}\{BBBCAE4B-B416-4182-A6F2-438180894A81}\Roxio\Setup.ini
NY -> vtipres.INI -> C:\Documents and Settings\Jeff\Local Settings\Temp\FrontPageTempDir\vtipres.INI
NY -> 106 C:\Documents and Settings\Jeff\Local Settings\Temp\FrontPageTempDir\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\FrontPageTempDir\*.tmp
NY -> ioSpecial.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsvD74.tmp\ioSpecial.ini
NY -> ioSpecial.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsxD70.tmp\ioSpecial.ini
NY -> z-BornRich.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Directory 1 for bornrich.zip\z-BornRich.ini
NY -> z-BornRich.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Directory 2 for bornrich.zip\z-BornRich.ini
NY -> 1 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HMRGLQJ\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HMRGLQJ\*.tmp
NY -> 57 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\1V7FH1KU\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\1V7FH1KU\*.tmp
NY -> 54 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\8PIV8D2N\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\8PIV8D2N\*.tmp
NY -> 6 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\AJEBIHUB\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\AJEBIHUB\*.tmp
NY -> 80 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\AXO769M9\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\AXO769M9\*.tmp
NY -> 23 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\DZIPVR1T\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\DZIPVR1T\*.tmp
NY -> 13 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\GDE3STU3\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\GDE3STU3\*.tmp
NY -> 3 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\HBNZ2FLN\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\HBNZ2FLN\*.tmp
NY -> 15 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\N0YFAG1Y\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\N0YFAG1Y\*.tmp
NY -> 18 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\OHYRO9YN\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\OHYRO9YN\*.tmp
NY -> 7 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\S54JW3SJ\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\S54JW3SJ\*.tmp
NY -> 15 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\SNH3A2FP\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\SNH3A2FP\*.tmp
NY -> 3 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\UOD5RRZN\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\UOD5RRZN\*.tmp
NY -> 66 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5U3CP6B\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5U3CP6B\*.tmp
NY -> 15 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\YX523QLS\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\YX523QLS\*.tmp
NY -> 16 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZD8DN9NW\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZD8DN9NW\*.tmp
NY -> capture.exe -> C:\WINDOWS\Temp\capture.exe
NY -> ~GL_1476.EXE -> C:\WINDOWS\Temp\~GL_1476.EXE
NY -> 97 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY -> saver.dll -> C:\WINDOWS\Temp\saver.dll
NY -> 97 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
[Extra Files]
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HMRGLQJ\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\1V7FH1KU\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\8PIV8D2N\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\AJEBIHUB\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\DZIPVR1T\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\EDELOXGZ\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\GDE3STU3\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\HBNZ2FLN\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\N0YFAG1Y\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\N8H5F08C\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\OHYRO9YN\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\OLW56NK1\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q7GTADSR\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\S54JW3SJ\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\S54JW3SJ\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\SNH3A2FP\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\SNH3A2FP\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\UOD5RRZN\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\UOD5RRZN\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5U3CP6B\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\YX523QLS\*.*
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZD8DN9NW\*.*
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. *Post that information back here along with a new OTScanit scan*.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.


----------



## jeff1111 (Apr 18, 2008)

It looks to me like the Otscanit program is in my desktop folder, so I am not sure how I am running them from a temporary folder. 

C:\Documents and Settings\Jeff\Desktop\OTScanIt

But I ran this as you suggested and:

1. Did not see a box pop up saying it was finished, a box popped up saying it
needed to reboot the computer to finish moving files. 

2. I clicked Ok and it rebooted fine. 

Not sure what files to include, but I have attached one of the two log files I see in a folder called Moved Files. The second one will not attach as it is probably too big; it is
2.45 MB (2,574,956 bytes) and is called 04192008_211146.log


I also included the Otscanit.txt file even though that seems to be time stamped this afternoon.

I hope I did this correctly, please let me know if I need to rerun it or something?

I appreciate all the help you have given so far, - Jeff


----------



## JSntgRvr (Jul 1, 2003)

The *OTScanIt* report is the same report submitted earlier. Please re-scan with *OTScanIt* and post a fresh report.


----------



## jeff1111 (Apr 18, 2008)

I re-scanned with OTScanIt and have attached
the fresh report.

Thank you.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jeff1111* 

It looks much better.

Please do an online scan with Kaspersky WebScanner (use Internet Explorer).

Click on *Accept*

You will be prompted to install an ActiveX component from Kaspersky; click *Yes*.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded, click on *NEXT*
Now click on *Scan Settings*
In the scan settings, make sure that the following are selected:
*Scan using the following Anti-Virus database:*

*Extended (if available otherwise Standard)*

*Scan Options:*

*Scan Archives*
*Scan Mail Bases*

Click *OK*
Now under select a target to scan:
Select *My Computer*

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the *Save as Text* button:

Save the file to your desktop.
Copy and paste that information in your next post.


----------



## jeff1111 (Apr 18, 2008)

The scan ran for about 20 minutes and the screen/computer froze up.
I had to reboot to do anything.

*Will try it again and post if it runs through.*

Update, I did have the browseui.dll file corrupted again this morning (no icons on desktop) and they returned after I corrected that file.

Computer has rebooted itself twice (this has happened in the past as well) for no apparent reason.

Again, many thanks for your continued help with this. - Jeff


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jeff1111* 

Try *DSS.exe* once again; if the issue persists, please download ComboFix from *Here* or *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._
-----------------------------------------------------------

Close any open browsers. 
*WARNING: Combofix will disconnect your machine from the Internet as soon as it starts*
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on *combofix.exe* & follow the prompts.
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt"* along with a *new HijackThis log* for further review.
***Note: Do not mouseclick combofix's window while it's running. That may cause it to stall***
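When the ComboFix.txt comes back, one part a reviewer reads closely is its Sigcheck section: one line per core system file (date, size, MD5, path) covering the live copy in system32, the Windows File Protection copy in dllcache, the SP2 install copy in ServicePackFiles, and the older versions kept in the $NtUninstall*$ and $hf_mig$ backup folders. Windows File Protection keeps the live file and its dllcache copy identical, so a live file whose hash matches neither its dllcache copy nor, where no dllcache copy exists, the ServicePackFiles copy is the thing to look at; the older backup folders legitimately differ after a hotfix and are ignored. As an added example, not code from this thread, from ComboFix or from its authors, here is a Python parser that reads those lines and reports such mismatches. The sample lines are copied from the ComboFix report posted later in this thread, plus one constructed system32\ws2_32.dll line with an all-zero placeholder hash to show what a mismatch looks like.

```python
import re
from collections import defaultdict

# One Sigcheck line: "<date> <time> <size> <md5> <path>". ComboFix separates the
# hash from the path with a tab; \s+ accepts either a tab or spaces.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+) ([0-9a-f]{32})\s+(.+?)\s*$"
)

# Constructed sample. The six hash lines for svchost.exe, user32.dll and the
# ServicePackFiles copy of ws2_32.dll are copied from the ComboFix report in this
# thread; the system32\ws2_32.dll line is constructed, with an all-zero placeholder
# hash, so that the check has a mismatch to report.
SAMPLE = "\n".join([
    "------- Sigcheck -------",
    "",
    r"2004-08-04 03:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe",
    r"2004-08-04 03:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe",
    r"2004-08-04 03:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\ServicePackFiles\i386\user32.dll",
    r"2007-03-08 11:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\user32.dll",
    r"2007-03-08 11:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\dllcache\user32.dll",
    r"2004-08-04 03:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll",
    r"2008-04-01 00:00 82944 00000000000000000000000000000000 C:\WINDOWS\system32\ws2_32.dll",
])


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            date, time, size, md5, path = m.groups()
            entries.append({"date": date, "time": time, "size": int(size),
                            "md5": md5, "path": path})
    return entries


def classify(path):
    """Which copy of a system file a path refers to."""
    p = path.lower()
    if "\\dllcache\\" in p:
        return "dllcache"      # Windows File Protection cache, kept equal to the live file
    if "\\servicepackfiles\\" in p:
        return "servicepack"   # SP2 install copy; stale once a hotfix replaced the file
    if "\\system32\\" in p:
        return "live"          # the copy the running system actually loads
    return "backup"            # $NtUninstall*$, $hf_mig$, Driver Cache: older versions


def check_live_copies(entries):
    """Compare each live system32 file with its dllcache copy (or, failing that,
    the ServicePackFiles copy). Returns (name, status, live_md5, reference_md5)."""
    by_name = defaultdict(lambda: defaultdict(list))
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1].lower()
        by_name[name][classify(e["path"])].append(e)
    findings = []
    for name in sorted(by_name):
        groups = by_name[name]
        reference = groups["dllcache"] or groups["servicepack"]
        for e in groups["live"]:
            if not reference:
                findings.append((name, "no-reference", e["md5"], None))
            elif e["md5"] != reference[0]["md5"]:
                findings.append((name, "hash-mismatch", e["md5"], reference[0]["md5"]))
    return findings


def scan_report(text):
    """Parse a ComboFix report (or just its Sigcheck section) and return findings."""
    return check_live_copies(parse_sigcheck(text))


if __name__ == "__main__":
    for name, status, live_md5, ref_md5 in scan_report(SAMPLE):
        print(f"{status}: {name} live={live_md5} reference={ref_md5}")
```

The ServicePackFiles copy is only a fallback reference: it is the SP2 install version, so a live file that has since been updated by a hotfix (as user32.dll has in this report) will differ from it legitimately. A hit against that fallback is therefore a lead to check against the vendor's published hash, not a verdict; a mismatch against the dllcache copy is the stronger signal, since Windows File Protection is supposed to keep the two identical.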


----------



## jeff1111 (Apr 18, 2008)

Hi,

Could not get the DSS to run, same problem as before.

But the ComboFix ran. Here are the ComboFix.txt contents, and a new HijackThis log follows it:

ComboFix 08-04-20.2 - Jeff 2008-04-20 20:10:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.159 [GMT -4:00]
Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\IEToolbar
C:\Program Files\internet explorer\msimg32.dll
C:\WINDOWS\system32\f3PSSavr.scr

.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-20 11:54 . 2008-04-20 11:54 d--------	C:\WINDOWS\system32\Kaspersky Lab
2008-04-20 11:54 . 2008-04-20 11:54 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-19 13:51 . 2008-04-19 13:51 d--------	C:\Deckard
2008-04-18 22:16 . 2008-04-18 22:16 d--------	C:\Program Files\Trend Micro
2008-04-14 19:41 . 2008-04-14 19:41	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-04-14 19:41 . 2008-04-14 19:41	1,409	--a------	C:\WINDOWS\QTFont.for
2008-04-11 09:12 . 2008-04-10 10:24	1,016,832	--a------	C:\WINDOWS\system32\browshold.dll
2008-04-09 12:53 . 2007-04-13 13:30	25,136	-ra------	C:\WINDOWS\system32\drivers\ATWPKT2.SYS
2008-03-30 11:22 . 2008-03-30 11:22 d--------	C:\Program Files\WinFF
2008-03-30 11:22 . 2008-03-30 13:04 d--------	C:\Documents and Settings\Jeff\Application Data\WinFF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 00:09	---------	d-----w	C:\Documents and Settings\Jeff\Application Data\Orbit
2008-04-21 00:08	---------	d-----w	C:\Documents and Settings\Jeff\Application Data\StumbleUpon
2008-04-19 17:45	---------	d-----w	C:\Program Files\SurfOffline
2008-04-16 02:06	---------	d-----w	C:\Program Files\ePrompter
2008-03-19 09:47	1,845,248	------w	C:\WINDOWS\system32\win32k.sys
2008-02-28 14:12	---------	d-----w	C:\Documents and Settings\All Users\Application Data\pdf995
2008-02-20 06:51	282,624	----a-w	C:\WINDOWS\system32\gdi32.dll
2008-02-16 08:59	659,456	----a-w	C:\WINDOWS\system32\wininetx.dll
2008-02-16 08:59	659,456	----a-w	C:\WINDOWS\system32\wininet.dll
2006-08-04 00:32	321	---ha-w	C:\Documents and Settings\Jeff\hpothb07.dat
2006-08-04 00:32	164	---ha-w	C:\Documents and Settings\All Users\hpothb07.dat
.

------- Sigcheck -------

2002-08-29 10:00 12800 0f7d9c87b0ce1fa520473119752c6f79	C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 03:56 14336 8f078ae4ed187aaabc0a305146de6716	C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 03:56 14336 8f078ae4ed187aaabc0a305146de6716	C:\WINDOWS\system32\svchost.exe

2005-03-02 14:19 577024 1800f293bccc8ede8a70e12b88d80036	C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 11:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b	C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-12-28 21:31 574464 0706e1cd6b89800781db038f4b3f5654	C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2002-08-29 10:00 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb	C:\WINDOWS\$NtUninstallKB840987$\user32.dll
2004-08-04 03:56 577024 c72661f8552ace7c5c85e16a3cf505c4	C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2004-06-17 13:58 560128 31fb2d788a9aa618452c02e8375b6dcd	C:\WINDOWS\$NtUninstallKB891711$\user32.dll
2005-03-02 14:09 577024 de2db164bbb35db061af0997e4499054	C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2004-08-04 03:56 577024 c72661f8552ace7c5c85e16a3cf505c4	C:\WINDOWS\ServicePackFiles\i386\user32.dll
2007-03-08 11:36 577536 b409909f6e2e8a7067076ed748abf1e7	C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 577536 b409909f6e2e8a7067076ed748abf1e7	C:\WINDOWS\system32\dllcache\user32.dll

2002-08-29 10:00 75264 8529c295df59b564d37a73b5629162b1	C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2004-08-04 03:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2	C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
2004-08-04 03:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2	C:\WINDOWS\system32\ws2_32.dll

2005-05-25 15:07 359936 63fdfea54eb53de2d863ee454937ce1e	C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 13:07 360448 5562cc0a47b2aef06d3417b733f3c195	C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4	C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8	C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2002-08-29 10:00 332928 244a2f9816bc9b593957281ef577d976	C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c	C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 15:04 359808 88763a98a4c26c409741b4aa162720c9	C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-12 22:28 359808 583e063fdc888ca30d05c2724b0d7ef4	C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4	C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c	C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178	C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178	C:\WINDOWS\system32\drivers\tcpip.sys

2004-05-26 21:38 483328 e7f9d2e4e4a94a6f58014e5ffa16a65e	C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2002-08-29 10:00 516608 2246d8d8f4714a2cedb21ab9b1849abb	C:\WINDOWS\$NtUninstallKB840987$\winlogon.exe
2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe	C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe	C:\WINDOWS\system32\winlogon.exe

2002-08-29 10:00 167552 3b350e5a2a5e951453f3993275a4523a	C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2004-08-04 02:14 182912 558635d3af1c7546d26067d5d9b6959e	C:\WINDOWS\ServicePackFiles\i386\ndis.sys
2004-08-04 02:14 182912 558635d3af1c7546d26067d5d9b6959e	C:\WINDOWS\system32\drivers\ndis.sys

2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855	C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855	C:\WINDOWS\system32\drivers\ip6fw.sys

2005-03-01 20:36 2056832 d8aba3eab509627e707a3b14f00fbb6b	C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2006-12-19 12:12 2059392 ba4b97c00a437c1cc3da365d93ee1e9d	C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
2007-02-28 05:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba	C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2004-10-22 03:29 1955840 efa7883018f42295d927121808ae6cee	C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2002-08-29 10:00 1947904 0e8efb15746878a9b256e75267337233	C:\WINDOWS\$NtUninstallKB840987$\ntkrnlpa.exe
2004-06-17 04:03 1954688 ed0d7a5f1138ccfd3ecaf8f6ac691f13	C:\WINDOWS\$NtUninstallKB885835_0$\ntkrnlpa.exe
2004-08-04 01:58 2056832 947fb1d86d14afcffdb54bf837ec25d0	C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 20:34 2056832 81013f36b21c7f72cf784cc6731e0002	C:\WINDOWS\$NtUninstallKB929338$\ntkrnlpa.exe
2006-12-19 08:55 2057600 1d659bfb788ed2ba45075624b748d249	C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 04:38 2057600 515d30e2c90a3665a2739309334c9283	C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2004-08-04 01:58 2056832 947fb1d86d14afcffdb54bf837ec25d0	C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2007-02-28 04:38 2057600 515d30e2c90a3665a2739309334c9283	C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 04:38 2057600 515d30e2c90a3665a2739309334c9283	C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2005-03-01 21:04 2179456 28187802b7c368c0d3aef7d4c382aabb	C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 12:51 2182016 cef243f6defd20be4adde26c7ecacb54	C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9	C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2004-10-22 04:33 2088448 5a7eb0c9f96917b7ecf5adf70c4b1bae	C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2002-08-29 10:00 2042240 b9080d97dbd631aadf9128f7316958d2	C:\WINDOWS\$NtUninstallKB840987$\ntoskrnl.exe
2004-06-17 13:22 2051584 f240dc474f8edb2d95514d831df069e5	C:\WINDOWS\$NtUninstallKB885835_0$\ntoskrnl.exe
2004-08-04 02:19 2180992 ce218bc7088681faa06633e218596ca7	C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 20:59 2179328 4d4cf2c14550a4b7718e94a6e581856e	C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
2006-12-19 10:17 2180352 8f0deab1f81fb83f9c5995853ce48b9f	C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 05:10 2180352 582a8dbaa58c3b1f176eb2817daee77c	C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2004-08-04 02:19 2180992 ce218bc7088681faa06633e218596ca7	C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2007-02-28 05:10 2180352 582a8dbaa58c3b1f176eb2817daee77c	C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 05:10 2180352 582a8dbaa58c3b1f176eb2817daee77c	C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2002-08-29 10:00 13312 414de7cf9d3f19c3ea902f1bb38ec116	C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 03:56 15360 24232996a38c0b0cf151c2140ae29fc8	C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2004-08-04 03:56 15360 24232996a38c0b0cf151c2140ae29fc8	C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 09:34 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 14:37 79224]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 13:34 69632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-12-02 21:20:32 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 21:56:10 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msvideo7"= STV680tg.dll
"msacm.scg726"= scg726.acm
"msacm.alf2cd"= alf2cd.acm
"msacm.ac3acm"= AC3ACM.acm
"vidc.dvsd"= mcdvd_32.dll
"VIDC.HFYU"= huffyuv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeff^Start Menu^Programs^Startup^LifeDrive Manager.lnk]
path=C:\Documents and Settings\Jeff\Start Menu\Programs\Startup\LifeDrive Manager.lnk
backup=C:\WINDOWS\pss\LifeDrive Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeff^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=C:\Documents and Settings\Jeff\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2005-04-11 10:36 83544 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 08:50 71216 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 20:52 50736 C:\Program Files\Common Files\AOL\1170336603\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--------- 2003-07-28 16:19 4841472 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-02-25 21:10 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2005-12-08 14:55 3096576 C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Conference\\Conference.dll"=
"C:\\Program Files\\GlobalSCAPE\\CuteFTP 7 Home\\ftpte.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\palmOne\\Hotsync.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\AOL\\1170336603\\ee\\aolsoftware.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 14:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]
R2 HPFECP13;HPFECP13;C:\WINDOWS\system32\drivers\HPFECP13.SYS [1998-07-31 01:40]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
S3 ADM8511;Belkin USB Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\NET8511.SYS [2001-04-10 05:11]
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2006-04-14 10:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\B]
\Shell\AutoRun\command - B:\setup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 23:23:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2005-06-17 19:38:02 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1109345024.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I 
"2008-04-21 00:03:20 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 20:15:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\TEMP\TMP0000007A474FC8944465B252 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-04-20 20:24:47
ComboFix-quarantined-files.txt 2008-04-21 00:24:29

Pre-Run: 44,233,621,504 bytes free
Post-Run: 44,245,831,680 bytes free

234	--- E O F ---	2008-04-20 04:15:45

*HijackThis contents:*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:06 PM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.createthechange.com/news.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vitagenesis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm265MFUS
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_6_1/controls/ybrequest.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_6_1/controls/YBUICtrl.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9394 bytes

Hope I got this all run correctly, both were on the desktop and in the desktop
folder when I ran them.

- Jeff


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jeff1111* 

Please go to *Virus Total* and scan the following files:

*C:\WINDOWS\system32\browshold.dll
C:\WINDOWS\system32\gdi32.dll
C:\WINDOWS\system32\wininetx.dll 
C:\WINDOWS\system32\wininet.dll *

Post the reports in your next reply.


----------



## jeff1111 (Apr 18, 2008)

I scanned all four files and it looks like 0 viruses were found in them.
Wasn't sure what you needed from the results so I copied the
entire info that was displayed for each of the four files and attached
them to this post.

*Please note:* The file *browshold.dll* is a file I copied from (I think) Microsoft
when I had the message that browseui.dll was corrupt. Each day when the
icons do not show up on my desktop I copy the browshold.dll to browseui.dll
to restore them. Not sure if this is important or what I should do but it has
been a temporary fix for me as to why the browseui.dll file is modified and corrupt
by morning (the timestamp is around 3am).

4 files attached.

- Jeff


----------



## JSntgRvr (Jul 1, 2003)

> Please note: The file browshold.dll is a file I copied from (I think) Microsoft
> when I had the message that browseui.dll was corrupt. Each day when the
> icons do not show up on my desktop I copy the browshold.dll to browseui.dll
> to restore them. Not sure if this is important or what I should do but it has
> ...


Very strange.

Download the enclosed folder. Save and extract its contents to the desktop. A new folder will be created on your desktop, *SeekBrow*. Open this folder and double click on the *RunMe.bat*. The MS-DOS window will be displayed for a while. That is normal. Post the report it will create in your next reply.

Please do an online scan with Kaspersky WebScanner (Use internet Explorer)

Click on *Accept*

You will be prompted to install an ActiveX component from Kaspersky. Click *Yes*.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on *NEXT*
Now click on *Scan Settings*
In the scan settings make sure that the following are selected:
*Scan using the following Anti-Virus database:*

*Extended (if available otherwise Standard)*

*Scan Options:*

*Scan Archives
Scan Mail Bases*

Click *OK*
Now under select a target to scan:
Select *My Computer*

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the *Save as Text* button:

Save the file to your desktop.
Copy and paste that information in your next post.


----------



## jeff1111 (Apr 18, 2008)

Hi,

Did the RunMe.bat after downloading the folder.
Here is the report:

----a-w 1,016,832 2005-01-27 17:08:41 $hf_mig$\KB867282\SP2QFE\browseui.dll
----a-w 1,019,904 2005-05-02 20:57:24 $hf_mig$\KB883939\SP2QFE\browseui.dll
----a-w 1,016,832 2005-03-10 07:43:21 $hf_mig$\KB890923\SP2QFE\browseui.dll
----a-w 1,019,904 2005-09-02 23:53:38 $hf_mig$\KB896688\SP2QFE\browseui.dll
----a-w 1,019,904 2005-07-03 02:09:30 $hf_mig$\KB896727\SP2QFE\browseui.dll
----a-w 1,022,464 2005-11-24 01:07:00 $hf_mig$\KB905915\SP2QFE\browseui.dll
----a-w 1,022,976 2006-03-04 03:58:42 $hf_mig$\KB912812\SP2QFE\browseui.dll
----a-w 1,022,976 2006-05-10 05:25:20 $hf_mig$\KB916281\SP2QFE\browseui.dll
----a-w 1,022,976 2006-06-23 11:25:29 $hf_mig$\KB918899\SP2QFE\browseui.dll
----a-w 1,022,976 2006-09-14 08:31:26 $hf_mig$\KB922760\SP2QFE\browseui.dll
----a-w 1,022,976 2006-10-23 15:34:19 $hf_mig$\KB925454\SP2QFE\browseui.dll
----a-w 1,022,976 2007-01-04 14:05:28 $hf_mig$\KB928090\SP2QFE\browseui.dll
----a-w 1,022,976 2007-02-20 09:52:13 $hf_mig$\KB931768\SP2QFE\browseui.dll
----a-w 1,022,976 2007-04-18 12:46:26 $hf_mig$\KB933566\SP2QFE\browseui.dll
----a-w 1,022,976 2007-06-15 08:12:28 $hf_mig$\KB937143\SP2QFE\browseui.dll
----a-w 1,022,976 2007-08-22 12:55:28 $hf_mig$\KB939653\SP2QFE\browseui.dll
----a-w 1,024,000 2007-10-11 05:57:29 $hf_mig$\KB942615\SP2QFE\browseui.dll
----a-w 1,024,000 2007-12-07 00:44:30 $hf_mig$\KB944533\SP2QFE\browseui.dll
----a-w 1,024,000 2008-02-16 09:32:03 $hf_mig$\KB947864\SP2QFE\browseui.dll
-c----w 1,017,856 2004-12-07 22:41:16 $NtServicePackUninstall$\browseui.dll
-c----w 1,016,832 2004-08-04 07:56:41 $NtUninstallKB867282$\browseui.dll
-c----w 1,021,952 2002-08-29 14:00:00 $NtUninstallKB867282-IE6SP1-20050127.163319$\browseui.dll
-c----w 1,016,832 2005-03-10 08:02:33 $NtUninstallKB883939$\browseui.dll
-c----w 1,016,832 2005-01-27 17:13:16 $NtUninstallKB890923$\browseui.dll
-c----w 1,019,904 2005-07-03 02:11:28 $NtUninstallKB896688$\browseui.dll
-c----w 1,019,904 2005-05-02 20:52:34 $NtUninstallKB896727$\browseui.dll
-c----w 1,019,904 2005-09-02 23:52:04 $NtUninstallKB905915$\browseui.dll
-c----w 1,022,464 2005-11-24 01:06:33 $NtUninstallKB912812$\browseui.dll
-c----w 1,022,976 2006-03-04 03:33:40 $NtUninstallKB916281$\browseui.dll
-c----w 1,022,976 2006-05-10 05:22:59 $NtUninstallKB918899$\browseui.dll
-c----w 1,022,976 2006-06-23 11:02:49 $NtUninstallKB922760$\browseui.dll
-c----w 1,022,976 2006-09-14 08:39:49 $NtUninstallKB925454$\browseui.dll
-c----w 1,022,976 2006-10-23 15:17:51 $NtUninstallKB928090$\browseui.dll
-c----w 1,023,488 2007-01-04 13:36:29 $NtUninstallKB931768$\browseui.dll
-c----w 1,023,488 2007-02-20 09:48:03 $NtUninstallKB933566$\browseui.dll
-c----w 1,023,488 2007-04-18 12:31:37 $NtUninstallKB937143$\browseui.dll
-c----w 1,023,488 2007-06-14 18:09:18 $NtUninstallKB939653$\browseui.dll
-c----w 1,022,976 2007-08-22 13:12:15 $NtUninstallKB942615$\browseui.dll
-c----w 1,023,488 2007-10-11 06:13:44 $NtUninstallKB944533$\browseui.dll
-c----w 1,023,488 2007-12-07 01:07:12 $NtUninstallKB947864$\browseui.dll
------w 1,016,832 2004-08-04 07:56:41 ServicePackFiles\i386\browseui.dll
----a-w 1,023,488 2008-02-16 08:59:34 SoftwareDistribution\Download\4f34fed83363df83031761e8fceb73ae\sp2gdr\browseui.dll
----a-w 1,024,000 2008-02-16 09:32:03 SoftwareDistribution\Download\4f34fed83363df83031761e8fceb73ae\sp2qfe\browseui.dll
----a-w 1,016,832 2008-04-10 14:24:45 system32\browseui.dll
-c----w 1,023,488 2008-02-16 08:59:34 system32\dllcache\browseui.dll

Entries: 45 (45)
Directories: 0 Files: 45
Bytes: 45,973,504 Blocks: 89,792


Next I ran the online Kaspersky scan as directed.
It ran for about an hour and was at 70% when the computer
rebooted itself, so I was unable to save or find anything.

I did notice on the screen as it was scanning it did say

*1 viruses found
3 files infected*

Not sure what to do next, I could rerun Kaspersky but this is
the second time I have used it and my computer either freezes
or reboots after it runs awhile.

Please let me know what to do next. Thanks,

Jeff


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jeff1111* 

You are using an old version of the file.

Set Explorer to view Hidden Files and Folders:

Right-click your Start button and go to "Explore".
Select Tools from the menu
Select Folder Options
Select the View tab
Click on Show all Files and Folders
Remove the checkmark from Hide extensions for known file types
Remove the checkmark from Hide protected operating System files
Select *Apply to All Folders *| *Yes* | *Apply* |* OK*.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), navigate to the C:\Windows\System32 folder. Locate the *browseui.dll* file and rename it to *browseui.old*. Then copy the *browseui.dll* file present in the C:\Windows\System32\Dllcache folder into the C:\Windows\System32 folder. Restart the computer and retry.

If *Kaspersky* fails to scan, please download Malwarebytes' Anti-Malware from *Here* or *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.*
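The reply above reaches its verdict ("you are using an old version of the file") by reading the RunMe.bat inventory: the live `system32\browseui.dll` is 1,016,832 bytes, the same size as the Service Pack 2 original in `ServicePackFiles\i386`, while the protected `system32\dllcache` copy is the patched 1,023,488-byte build, and the live copy carries a modification time newer than every patch copy. The following Python is an added example, not part of the thread and not the SeekBrow tool (whose internals the thread does not show): it parses a report in the posted format, flags a live copy that disagrees with dllcache, lists which known copies share its size, and adds a hash comparison for use on the machine itself, since equal sizes alone do not prove equal content. The excerpt lines are constructed from the posted report, and all function names are my own.

```python
"""Check a browseui.dll inventory report (RunMe.bat format) for a live
system32 copy that does not match the protected dllcache copy.

Added example for the forum thread; not the thread's own tool. The line
format (attribute flags, size, date, time, path relative to C:\\Windows)
is taken from the posted report; the sample below is a constructed excerpt.
"""
import hashlib
import re
from collections import namedtuple

Entry = namedtuple("Entry", "attrs size mtime path")

# One report line: flags, comma-grouped size, ISO date, time, relative path.
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>\S.*)$"
)

# Constructed excerpt of the posted report (same values, fewer lines).
SAMPLE_REPORT = """\
----a-w 1,024,000 2008-02-16 09:32:03 $hf_mig$\\KB947864\\SP2QFE\\browseui.dll
-c----w 1,016,832 2004-08-04 07:56:41 $NtUninstallKB867282$\\browseui.dll
------w 1,016,832 2004-08-04 07:56:41 ServicePackFiles\\i386\\browseui.dll
----a-w 1,023,488 2008-02-16 08:59:34 SoftwareDistribution\\Download\\4f34fed83363df83031761e8fceb73ae\\sp2gdr\\browseui.dll
----a-w 1,016,832 2008-04-10 14:24:45 system32\\browseui.dll
-c----w 1,023,488 2008-02-16 08:59:34 system32\\dllcache\\browseui.dll

Entries: 6 (6)
"""


def parse_report(text):
    """Return one Entry per file line; blank and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = int(m["size"].replace(",", ""))
        entries.append(Entry(m["attrs"], size, m["date"] + " " + m["time"], m["path"]))
    return entries


def find(entries, rel_path):
    """Case-insensitive lookup by path relative to the Windows directory."""
    for e in entries:
        if e.path.lower() == rel_path.lower():
            return e
    return None


def check_live_copy(entries, name="browseui.dll"):
    """Compare the live system32 copy against the dllcache copy.

    Windows File Protection keeps the current build in dllcache; a live copy
    with a different size, or a modification time later than every servicing
    copy, was written by something other than the normal update path.
    """
    live = find(entries, "system32\\" + name)
    cache = find(entries, "system32\\dllcache\\" + name)
    if live is None or cache is None:
        raise ValueError("report lacks the system32 or dllcache copy of " + name)
    # "YYYY-MM-DD HH:MM:SS" strings sort the same way the times do.
    newest_other = max(e.mtime for e in entries if e is not live)
    return {
        "live_size": live.size,
        "cache_size": cache.size,
        "size_matches_cache": live.size == cache.size,
        "live_newer_than_all_others": live.mtime > newest_other,
        # Which known copies share the live size (here: the SP2 originals).
        "same_size_as": sorted(e.path for e in entries
                               if e.size == live.size and e is not live),
    }


def same_content(path_a, path_b):
    """SHA-256 both files. Run this on the machine once the report has
    pointed at a suspect copy; a size match is only a hint."""
    def digest(path):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        return h.hexdigest()
    return digest(path_a) == digest(path_b)


if __name__ == "__main__":
    verdict = check_live_copy(parse_report(SAMPLE_REPORT))
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

On the constructed excerpt the verdict is that the live copy is the 1,016,832-byte SP2 build, that it does not match dllcache, and that its 2008-04-10 timestamp is newer than every servicing copy, which is exactly why the reply's rename-and-copy-from-dllcache step is the right repair. After that repair, `same_content` on the two paths should return True; if the live file drifts again overnight, the nightly timestamp the poster noticed points at whatever runs at that hour rather than at the DLL itself.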


----------



## jeff1111 (Apr 18, 2008)

Ran Malwarebytes Anti-Malware, it found 117 objects. I followed your instructions and here are the log contents:

Malwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Quick Scan
Objects scanned: 30460
Time elapsed: 5 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 115
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e0de227-5ce4-4ea3-ab0c-8b03e1aa76bc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.shellviewcontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.shellviewcontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7473d296-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d778513b-1c40-4819-b0c5-49e40b39afd0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{07b18ea0-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{0d26bc71-a633-4e71-ad31-eadc3a1b6a3a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2763e333-b168-41a0-a112-d35f96f410c0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{29d67d3c-509a-4544-903f-c8c1b8236554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{38a7c9da-8db7-4d0f-a7b1-c4b1a305bddb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3e720450-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{621feacd-8857-43a6-ae26-451d670d5370} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7473d290-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8d292ec0-6792-4a38-82ed-73a087e41ba6} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{98635087-3f5d-418f-990c-b1efe0797a3b} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-f3embed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)


----------



## JSntgRvr (Jul 1, 2003)

Double click on the *RunMe.bat* once again and post the report. Any progress with *Kaspersky*?

*How is the computer doing?*


----------



## jeff1111 (Apr 18, 2008)

Computer seems to be starting up a bit faster and I don't think it has rebooted itself
yet today.

Still cannot get the *Kaspersky* to run to completion. It freezes at various points and the entire system locks up.

I did rerun *RunMe.bat* just a few moments ago. Here is the report:

----a-w 1,016,832 2005-01-27 17:08:41 $hf_mig$\KB867282\SP2QFE\browseui.dll
----a-w 1,019,904 2005-05-02 20:57:24 $hf_mig$\KB883939\SP2QFE\browseui.dll
----a-w 1,016,832 2005-03-10 07:43:21 $hf_mig$\KB890923\SP2QFE\browseui.dll
----a-w 1,019,904 2005-09-02 23:53:38 $hf_mig$\KB896688\SP2QFE\browseui.dll
----a-w 1,019,904 2005-07-03 02:09:30 $hf_mig$\KB896727\SP2QFE\browseui.dll
----a-w 1,022,464 2005-11-24 01:07:00 $hf_mig$\KB905915\SP2QFE\browseui.dll
----a-w 1,022,976 2006-03-04 03:58:42 $hf_mig$\KB912812\SP2QFE\browseui.dll
----a-w 1,022,976 2006-05-10 05:25:20 $hf_mig$\KB916281\SP2QFE\browseui.dll
----a-w 1,022,976 2006-06-23 11:25:29 $hf_mig$\KB918899\SP2QFE\browseui.dll
----a-w 1,022,976 2006-09-14 08:31:26 $hf_mig$\KB922760\SP2QFE\browseui.dll
----a-w 1,022,976 2006-10-23 15:34:19 $hf_mig$\KB925454\SP2QFE\browseui.dll
----a-w 1,022,976 2007-01-04 14:05:28 $hf_mig$\KB928090\SP2QFE\browseui.dll
----a-w 1,022,976 2007-02-20 09:52:13 $hf_mig$\KB931768\SP2QFE\browseui.dll
----a-w 1,022,976 2007-04-18 12:46:26 $hf_mig$\KB933566\SP2QFE\browseui.dll
----a-w 1,022,976 2007-06-15 08:12:28 $hf_mig$\KB937143\SP2QFE\browseui.dll
----a-w 1,022,976 2007-08-22 12:55:28 $hf_mig$\KB939653\SP2QFE\browseui.dll
----a-w 1,024,000 2007-10-11 05:57:29 $hf_mig$\KB942615\SP2QFE\browseui.dll
----a-w 1,024,000 2007-12-07 00:44:30 $hf_mig$\KB944533\SP2QFE\browseui.dll
----a-w 1,024,000 2008-02-16 09:32:03 $hf_mig$\KB947864\SP2QFE\browseui.dll
-c----w 1,017,856 2004-12-07 22:41:16 $NtServicePackUninstall$\browseui.dll
-c----w 1,016,832 2004-08-04 07:56:41 $NtUninstallKB867282$\browseui.dll
-c----w 1,021,952 2002-08-29 14:00:00 $NtUninstallKB867282-IE6SP1-20050127.163319$\browseui.dll
-c----w 1,016,832 2005-03-10 08:02:33 $NtUninstallKB883939$\browseui.dll
-c----w 1,016,832 2005-01-27 17:13:16 $NtUninstallKB890923$\browseui.dll
-c----w 1,019,904 2005-07-03 02:11:28 $NtUninstallKB896688$\browseui.dll
-c----w 1,019,904 2005-05-02 20:52:34 $NtUninstallKB896727$\browseui.dll
-c----w 1,019,904 2005-09-02 23:52:04 $NtUninstallKB905915$\browseui.dll
-c----w 1,022,464 2005-11-24 01:06:33 $NtUninstallKB912812$\browseui.dll
-c----w 1,022,976 2006-03-04 03:33:40 $NtUninstallKB916281$\browseui.dll
-c----w 1,022,976 2006-05-10 05:22:59 $NtUninstallKB918899$\browseui.dll
-c----w 1,022,976 2006-06-23 11:02:49 $NtUninstallKB922760$\browseui.dll
-c----w 1,022,976 2006-09-14 08:39:49 $NtUninstallKB925454$\browseui.dll
-c----w 1,022,976 2006-10-23 15:17:51 $NtUninstallKB928090$\browseui.dll
-c----w 1,023,488 2007-01-04 13:36:29 $NtUninstallKB931768$\browseui.dll
-c----w 1,023,488 2007-02-20 09:48:03 $NtUninstallKB933566$\browseui.dll
-c----w 1,023,488 2007-04-18 12:31:37 $NtUninstallKB937143$\browseui.dll
-c----w 1,023,488 2007-06-14 18:09:18 $NtUninstallKB939653$\browseui.dll
-c----w 1,022,976 2007-08-22 13:12:15 $NtUninstallKB942615$\browseui.dll
-c----w 1,023,488 2007-10-11 06:13:44 $NtUninstallKB944533$\browseui.dll
-c----w 1,023,488 2007-12-07 01:07:12 $NtUninstallKB947864$\browseui.dll
------w 1,016,832 2004-08-04 07:56:41 ServicePackFiles\i386\browseui.dll
----a-w 1,023,488 2008-02-16 08:59:34 SoftwareDistribution\Download\4f34fed83363df83031761e8fceb73ae\sp2gdr\browseui.dll
----a-w 1,024,000 2008-02-16 09:32:03 SoftwareDistribution\Download\4f34fed83363df83031761e8fceb73ae\sp2qfe\browseui.dll
----a-w 1,023,488 2008-02-16 08:59:34 system32\browseui.dll
-c----w 1,023,488 2008-02-16 08:59:34 system32\dllcache\browseui.dll

Entries: 45 (45)
Directories: 0 Files: 45
Bytes: 45,980,160 Blocks: 89,805

Thanks, Jeff


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jeff1111* 

Except for *Kaspersky*, all seems clear. *Are you still experiencing the error?*

Make sure you set Explorer to Defaults:

Right-click your Start button and go to "Explore".
Select Tools from the menu
Select Folder Options
Select the View tab
Click on Restore Defaults
Select *Apply to All Folders *| *Yes* | *Apply* |* OK*.

Please post a fresh Hijackthis log.


----------



## jeff1111 (Apr 18, 2008)

Fresh HijackThis log is below.

The problem with the browseui.dll file error is persisting. Is there something that runs sometime during the night that replaces the file? I know if I reboot during the day it is fine, but first time I turn on the computer in the A.M. it is corrupt.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:01 AM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.createthechange.com/news.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vitagenesis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm265MFUS
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_6_1/controls/ybrequest.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_6_1/controls/YBUICtrl.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9642 bytes

Thanks, Jeff


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jeff1111* 

Please re-open HijackThis and scan. *Check the boxes next to all the entries listed below.*

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm265MFUS

Now *close all windows and browsers, other than HijackThis*, then click Fix Checked.

Close Hijackthis.

Go to the *Control Panel*. Click on the *JAVA* icon. Under *Temporary Internet Files*, click on *Settings*. Click on *Delete Files*, then OK out of the properties window.

Right-click on *My Computer*, select *Properties* and then the *Advanced* tab. Click on *Settings* in 'Startup and Recovery'. Under '*Write debugging information*', click on the down arrow and then select '*None*'. OK your way out.

Upgrade your *Java*. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application. *Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.*

*Upgrading Java*: 

Download the latest version of *Java Runtime Environment (JRE) 6 Update 6*.
Scroll down to where it says "*The J2SE Runtime Environment (JRE) allows end-users to run Java applications*".
Click the "*Download*" button to the right.
Select your Platform and check the box that says: "*I agree to the Java SE Runtime Environment 6 License Agreement.*".
Click on *Continue*.
Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove *programs and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
Please run the *F-Secure Online Scanner*

Note: *This Scanner is for Internet Explorer Only!*
For information click *Here*
Accept the License Agreement.
Once the ActiveX installs, click *Full System Scan*.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the *Automatic cleaning (recommended)* button.
Click the *Show Report* button and *Copy&Paste the entire report in your next reply along with a fresh Hijackthis log.*


----------



## jeff1111 (Apr 18, 2008)

Hi,
I did as directed and everything went fine until I ran the
F-Secure Online scan. That ran for quite awhile and then 
the computer rebooted before it finished.

I did notice that it had *skipped 1 file*
and had *2 spyware files found*
before it closed due to the reboot.

Then I ran a new Hijack log, here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:03 PM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.createthechange.com/news.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vitagenesis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_6_1/controls/ybrequest.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_6_1/controls/YBUICtrl.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9606 bytes

Doesn't seem like any of the online scans will run through without
freezing up or my computer rebooting thus far.
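Added example, not a tool from this thread: a small Python script that parses the entry lines of two HijackThis logs and diffs them, so a "Fix checked" (here the mywebsearch O8 entry) and the Java upgrade (jre1.6.0_03 to jre1.6.0_06) can be verified mechanically rather than by eye. The embedded log excerpts are constructed from the 8:12 AM and 1:58 PM logs above; the adware marker list is an assumption seeded from the Adware.MyWebSearch detection earlier in the thread.

```python
"""Diff two HijackThis logs and flag entries that reference known adware hosts.

Added example, not part of the thread or of HijackThis itself. The two log
excerpts below are constructed from the 8:12 AM and 1:58 PM logs in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One HijackThis entry: a section tag (R0, O2, O16, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.+)$")

# Hostname fragments the thread's Malwarebytes run already tied to adware
# (Adware.MyWebSearch); an assumed seed list, extend it for your own triage.
ADWARE_MARKERS = ("mywebsearch.com",)


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    def sort_key(self):
        # Order O2 before O16 numerically rather than lexically.
        return (self.section[0], int(self.section[1:]), self.body)


def parse_log(text: str) -> list[Entry]:
    """Return the R*/O* entries of a log; header, process list and footer are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append(Entry(match.group("sec"), match.group("body")))
    return entries


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """Entries that disappeared between two scans, and entries that appeared."""
    old, new = set(parse_log(before)), set(parse_log(after))
    removed = sorted(old - new, key=Entry.sort_key)
    added = sorted(new - old, key=Entry.sort_key)
    return removed, added


def flag_entries(entries, markers=ADWARE_MARKERS) -> list[Entry]:
    """Entries whose body references one of the marker hosts (case-insensitive)."""
    return [e for e in entries if any(m in e.body.lower() for m in markers)]


# Constructed excerpt of the log before "Fix checked" and the Java upgrade.
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:01 AM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.createthechange.com/news.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm265MFUS
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

--
End of file - 9642 bytes
"""

# Constructed excerpt of the log taken after the fix and the upgrade.
AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:03 PM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.createthechange.com/news.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

--
End of file - 9606 bytes
"""


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    for e in removed:
        print("-", e.section, e.body)
    for e in added:
        print("+", e.section, e.body)
    # Anything still matching the marker list after the fix needs a second look.
    for e in flag_entries(parse_log(AFTER_LOG)):
        print("STILL PRESENT:", e.section, e.body)
```

Run against two full logs the same way; the O16 F-Secure entry showing up as "added" is the scanner's own ActiveX control, which the thread's next step installs deliberately.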


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jeff1111* 

Download *OTScanit.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanit* on your desktop. *OTScanit* can be detected as malware by your firewall and antivirus. Choose *Ignore* on any warning alert.

Close any open browsers.
Open the *OTScanit* folder and double-click on *OTScanit.exe* to start the program.
Leave all settings as they appear as default, except for the following:
Under *Drivers*, select *"Non microsoft"*.
Under *Rootkit Search*, select *Yes*
Under *Additional Scan* select the following:
Uncheck "Non Microsoft Only".
Reg: Botcheck
Reg: File Associations
Software Policy Settings


Now click the *Run Scan *button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the *Reply* button and attach the notepad file here *(Do not copy and paste in a reply, rather attach it to it).*


----------



## jeff1111 (Apr 18, 2008)

*Ran OTScanit and have attached the files.*

Thanks,
Jeff


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jeff1111* 

Nothing out of the ordinary in this log.

Click *here* to download *Dr.Web CureIt *and save it to your desktop.

Double-click the *drweb-cureit.exe* file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the *yes* button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click *'Yes to all' *if it asks if you want to cure/move the file.
When the scan has finished, look whether you can click the next icon next to the files found:

If so, click it and then click the next icon right below and select Move incurable as you'll see in next image: 

This will move it to the %userprofile%\DoctorWeb\ quarantine folder if it can't be cured (this is in case we need samples).
After selecting, in the *Dr.Web CureIt *menu on top, click file and choose save report list
Save the report to your desktop. The report will be called *DrWeb.csv*
*Close Dr.Web Cureit*.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from *Dr.Web *you saved previously in your next reply along with a new *HijackThis log*.


----------



## jeff1111 (Apr 18, 2008)

Tried to run the Dr.Web CureIt several times and it kept either freezing the computer or the computer would reboot. I did get it to run one time through but only on a few folders instead of all the folders. I *attached* the csv file from that limited run to this log.
It did find a few Trojan viruses, though on the runs that didn't complete I am not sure what happened to them.

Also below is the latest Hijackthis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:51 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.createthechange.com/news.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vitagenesis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_6_1/controls/ybrequest.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_6_1/controls/YBUICtrl.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9574 bytes

Thanks,
Jeff


----------



## JSntgRvr (Jul 1, 2003)

Please download gmer rootkit detector from the following link:

*Link 1*

Unzip it and double click the gmer.exe file
Select rootkit tab.
Make sure all the boxes on the right of the screen are checked, *EXCEPT* for Show All.
Press scan.
When it has finished press save & post back the log it makes.
Repeat the process with the Autostarts tab and do the same there.


----------



## jeff1111 (Apr 18, 2008)

I ran the two scans and the files are attached.

Thanks,
Jeff


----------



## JSntgRvr (Jul 1, 2003)

I find nothing out of the ordinary in those logs.

*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with any scan or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._

Run Dr.Web once again and let me know the results.


----------



## jeff1111 (Apr 18, 2008)

Disabled all programs.

Dr.Web CureIt will not run to completion for me; the computer keeps rebooting as it did the last time I tried it. It will run for anywhere from a couple of minutes up to 20 minutes and then it reboots.

What else can I try?

Jeff


----------



## JSntgRvr (Jul 1, 2003)

jeff1111 said:


> Disabled all programs.
> 
> Dr.Web CureIt will not run to completion for me, the computer keeps rebooting as it did the last time I tried it. It will run for anywhere from a couple minutes up to 20 minutes and then it reboots.
> 
> ...


How about running the program in Safe Mode?

Download Getservices.zip from *Here* and extract the zip file to your *C: drive*. Once it is extracted there will be a directory on your *C:* drive called *getservice*. Inside the *C:\getservice* directory will be a file called *getservice.bat*. Simply double-click on the *getservice.bat* file and when it is completed a notepad will open with a lot of information. Save this document to your desktop and attach it to a reply.

Download pv.zip from *Here* and extract the zip file to your C: drive. Once it is extracted there will be a directory on your C: drive called PV. Inside the C:\PV directory will be a file called runme.bat. Simply double-click on the runme.bat file. A DOS window will open. Select option 1 for explorer dlls by typing 1 and then pressing enter. Notepad will open with a log in it. Copy and paste the log into this thread. It is usually pretty large and may take more than one post. Please do option 2 for Internet Explorer dlls too.


----------



## jeff1111 (Apr 18, 2008)

I got Dr.Web CureIt to run in safe mode, thanks for that tip.

It found several viruses; I included the file *attached here* and a new Hijack log.

Shall I still run the other one you suggested?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:57 AM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.createthechange.com/news.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vitagenesis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_6_1/controls/ybrequest.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_6_1/controls/YBUICtrl.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9707 bytes


----------



## jeff1111 (Apr 18, 2008)

Dr. Web file attached, I don't think it was on the last post.

Thanks, Jeff


----------



## JSntgRvr (Jul 1, 2003)

The log wasn't attached. Can you copy and paste it in a reply?


----------



## jeff1111 (Apr 18, 2008)

setup.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4286.1.4;Probably BACKDOOR.Trojan;Incurable.Moved.;
msimg32.dll;C:\Program Files\MSN Messenger;Adware.Funweb;Incurable.Moved.;
riched20.dll;C:\Program Files\MSN Messenger;Adware.Msearch;Incurable.Moved.;
backup-20080419-133959-142.dll;C:\Program Files\Trend Micro\HijackThis\backups;Adware.Websearch;Incurable.Moved.;
msimg32.dll.vir;C:\QooBox\Quarantine\C\Program Files\Internet Explorer;Adware.Funweb;Incurable.Moved.;
f3PSSavr.scr.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Adware.Msearch;Incurable.Moved.;
S0231963.Acl;C:\System Volume Information\_restore{31B08BA2-23BB-420B-8033-80664BFDB688}\RP1116;Modification of RPME.WByte;Moved.;
A0400226.EXE;C:\System Volume Information\_restore{31B08BA2-23BB-420B-8033-80664BFDB688}\RP1192;Adware.Websearch;Incurable.Moved.;
A0404378.exe;C:\System Volume Information\_restore{31B08BA2-23BB-420B-8033-80664BFDB688}\RP1195;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0440848.DLL;C:\System Volume Information\_restore{31B08BA2-23BB-420B-8033-80664BFDB688}\RP1210;Adware.Websearch;Incurable.Moved.;
A0448003.dll;C:\System Volume Information\_restore{31B08BA2-23BB-420B-8033-80664BFDB688}\RP1214;Adware.Funweb;Incurable.Moved.;
A0448004.scr;C:\System Volume Information\_restore{31B08BA2-23BB-420B-8033-80664BFDB688}\RP1214;Adware.Msearch;Incurable.Moved.;
A0448010.bat;C:\System Volume Information\_restore{31B08BA2-23BB-420B-8033-80664BFDB688}\RP1214;Probably BATCH.Virus;Incurable.Moved.;
A0448016.bat;C:\System Volume Information\_restore{31B08BA2-23BB-420B-8033-80664BFDB688}\RP1214;Probably SCRIPT.Virus;Incurable.Moved.;
A0465655.exe;C:\System Volume Information\_restore{31B08BA2-23BB-420B-8033-80664BFDB688}\RP1232;Trojan.PWS.Gamania.origin;Incurable.Moved.;
A0469654.dll;C:\System Volume Information\_restore{31B08BA2-23BB-420B-8033-80664BFDB688}\RP1232;Trojan.PWS.Ruby;Deleted.;
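The CureIt results above are one record per line in the form `file;directory;verdict;action;`. The following Python is an added example, not part of the thread and not Dr.Web's own code: it parses that format and separates detections that were live on the running system from copies sitting in restore points or in another tool's quarantine (the restore-point copies are why helpers flush System Restore after a cleanup, since a later restore would bring them back), and it flags files named like a Windows system DLL but found in an application folder, because the legacy DLL search order loads such a same-named copy ahead of the one in system32. The sample lines, the `SYSTEM_DLL_NAMES` set and the folder patterns are assumptions drawn from the paths shown in the posted log.

```python
"""Parse and triage Dr.Web CureIt result lines of the form
   file;directory;verdict;action;
Added example for the thread above; not Dr.Web's own code."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the format of the posted CureIt output (raw string,
# so the Windows backslashes are literal).
SAMPLE_LOG = r"""
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4286.1.4;Probably BACKDOOR.Trojan;Incurable.Moved.;
msimg32.dll;C:\Program Files\MSN Messenger;Adware.Funweb;Incurable.Moved.;
riched20.dll;C:\Program Files\MSN Messenger;Adware.Msearch;Incurable.Moved.;
backup-20080419-133959-142.dll;C:\Program Files\Trend Micro\HijackThis\backups;Adware.Websearch;Incurable.Moved.;
msimg32.dll.vir;C:\QooBox\Quarantine\C\Program Files\Internet Explorer;Adware.Funweb;Incurable.Moved.;
A0448010.bat;C:\System Volume Information\_restore{31B08BA2-23BB-420B-8033-80664BFDB688}\RP1214;Probably BATCH.Virus;Incurable.Moved.;
A0469654.dll;C:\System Volume Information\_restore{31B08BA2-23BB-420B-8033-80664BFDB688}\RP1232;Trojan.PWS.Ruby;Deleted.;
"""

# Assumed list: Windows system DLL names that a dropper places beside an
# application so the legacy search order loads the copy first. These are the
# two names that appear in the posted log; extend as needed.
SYSTEM_DLL_NAMES = {"msimg32.dll", "riched20.dll"}


@dataclass
class Detection:
    file: str
    directory: str
    verdict: str
    action: str

    @property
    def location(self) -> str:
        """Where the detection lives: 'restore_point', 'quarantine' or 'live'."""
        d = self.directory.lower()
        if "\\system volume information\\_restore" in d:
            return "restore_point"
        if "\\qoobox\\quarantine\\" in d or d.endswith("\\hijackthis\\backups"):
            return "quarantine"
        return "live"

    @property
    def shadows_system_dll(self) -> bool:
        """True when a file named like a system DLL sits outside system32."""
        return (self.file.lower() in SYSTEM_DLL_NAMES
                and "\\windows\\system32" not in self.directory.lower())


def parse_cureit(text: str) -> list:
    """Parse CureIt result lines; blank and non-result lines are skipped."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.rstrip(";").split(";")
        if len(parts) != 4:
            continue  # headers, summaries and other non-result text
        found.append(Detection(*parts))
    return found


def triage(detections) -> dict:
    """Group detections by location so the live ones stand out."""
    groups = defaultdict(list)
    for d in detections:
        groups[d.location].append(d)
    return dict(groups)


def needs_attention(detections) -> list:
    """Live detections: infections that were on the running system, not
    copies sitting in restore points or in another tool's quarantine."""
    return [d for d in detections if d.location == "live"]


if __name__ == "__main__":
    dets = parse_cureit(SAMPLE_LOG)
    for loc, items in triage(dets).items():
        print(f"{loc}: {len(items)}")
    for d in needs_attention(dets):
        flag = " (shadows a system DLL name)" if d.shadows_system_dll else ""
        print(f"  {d.verdict:28} {d.directory}\\{d.file}{flag}")
```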


----------



## JSntgRvr (Jul 1, 2003)

If you still have Deckard's System Scanner, run the command: (Start->Run->Copy and paste, click OK)

*CMD /C "%Userprofile%\Desktop\DSS.exe" /Config*

Select everything under the *Main* log. Under the Extra log select System Information, and un-check everything else. Click on Scan.

Let's see if it works now.

Post the Main and Extra logs.


----------



## jeff1111 (Apr 18, 2008)

Run DSS in safe mode or not?

I tried to run it without going into Safe Mode and it rebooted the computer.

When I went to do it in Safe Mode it said it should not run there.

Please let me know, thanks,
Jeff


----------



## JSntgRvr (Jul 1, 2003)

Hi, jeff1111 

We can't fix what we can't see.

Download Getservices.zip from *Here* and extract the zip file to your *C: drive*. Once it is extracted there will be a directory on your *C:* drive called *getservice*. Inside the *C:\getservice* directory will be a file called *getservice.bat*. Simply double-click on the *getservice.bat* file and when it is completed a notepad will open with a lot of information. Save this document to your desktop and attach it to a reply.

Download pv.zip from *Here* and extract the zip file to your C: drive. Once it is extracted there will be a directory on your C: drive called PV. Inside the C:\PV directory will be a file called runme.bat. Simply double-click on the runme.bat file. A DOS window will open. Select option 1 for explorer dlls by typing 1 and then pressing enter. Notepad will open with a log in it. Copy and paste the log into this thread. It is usually pretty large and may take more than one post. Please do option 2 for Internet Explorer dlls too.


----------



## JSntgRvr (Jul 1, 2003)

Run the command: (Start->Run->Copy and paste, click OK)

*CMD /C "%Userprofile%\Desktop\DSS.exe" /Config*

Under the Extra log select System Information, and un-check everything else. Click on Scan.


----------



## jeff1111 (Apr 18, 2008)

Hi,
No matter what I try, the DSS will not run; the computer simply reboots after it runs for a few minutes.

I did run the other two downloads you directed.
Attached is a file from the getservice.

Here is a copy and paste of the log files from the pv.

Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 1000000 1044480 C:\WINDOWS\Explorer.EXE 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) Windows Explorer
ntdll.dll 7c900000 720896 C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT Layer DLL
kernel32.dll 7c800000 1003520 C:\WINDOWS\system32\kernel32.dll 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.3173 (xpsp_sp2_gdr.070709-0051) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Security Support Provider Interface
BROWSEUI.dll 75f80000 1032192 C:\WINDOWS\system32\BROWSEUI.dll 6.00.2900.2518 (xpsp_sp2_gdr.040919-1056) Shell Browser UI Library
GDI32.dll 77f10000 290816 C:\WINDOWS\system32\GDI32.dll 5.1.2600.3316 (xpsp_sp2_gdr.080219-1316) GDI Client DLL
USER32.dll 7e410000 589824 C:\WINDOWS\system32\USER32.dll 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) Windows XP USER API Client DLL
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT CRT DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) Microsoft OLE for Windows
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.3314 (xpsp_sp2_gdr.080215-1241) Shell Light-weight Utility Library
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.3266 
SHDOCVW.dll 7e290000 1503232 C:\WINDOWS\system32\SHDOCVW.dll 
CRYPT32.dll 77a80000 606208 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust UI Provider
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Image Helper
NETAPI32.dll 5b860000 344064 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.2976 (xpsp_sp2_gdr.060817-0106) Net Win32 API DLL
WININET.dll 771b0000 679936 C:\WINDOWS\system32\WININET.dll 6.00.2900.3314 (xpsp_sp2_gdr.080215-1241) Internet Extensions for Win32
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Win32 LDAP API DLL
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8478720 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.3241 (xpsp_sp2_gdr.071025-1248) Windows Shell Common Dll
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft UxTheme Library
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Compatibility DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MCI API DLL
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft ACM Audio Filter
USERENV.dll 769c0000 733184 C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Userenv
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll 6.0 (xpsp.060825-0040) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.060825-0040) Common Controls Library
SYNCOR11.DLL 6bd00000 53248 C:\WINDOWS\system32\SYNCOR11.DLL 1.2.3 SynthCore R2.0 Midi Interface Driver
appHelp.dll 77b40000 139264 C:\WINDOWS\system32\appHelp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.308 
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.258 
cscui.dll 77a20000 344064 C:\WINDOWS\System32\cscui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Offline Network Agent
themeui.dll 5ba60000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Theme API
MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDIEXT Client DLL
xpsp2res.dll 20000000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Service Pack 2 Messages
actxprxy.dll 71d40000 114688 C:\WINDOWS\System32\actxprxy.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) ActiveX Interface Marshaling Library
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SAM Library DLL
ntshrui.dll 76990000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shell extensions for sharing
ATL.DLL 76b20000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
LINKINFO.dll 76980000 32768 C:\WINDOWS\system32\LINKINFO.dll 5.1.2600.2751 (xpsp_sp2_gdr.050831-1520) Windows Volume Tracking
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Setup API
MpShHook.dll 5f800000 90112 C:\PROGRA~1\WINDOW~3\MpShHook.dll 1.1.1593.0 Shell Execution Monitor
MSVCR80.dll 78130000 634880 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll 8.00.50727.1433 Microsoft® C Runtime Library
MSVCP80.dll 7c420000 552960 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCP80.dll 8.00.50727.1433 Microsoft® C++ Runtime Library
rsaenh.dll ffd0000 163840 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.2161 (xpsp.040706-1629) Microsoft Enhanced Cryptographic Provider
NETSHELL.dll 76400000 1728512 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Network Connections Shell
rtutils.dll 76e80000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Routing Utilities
credui.dll 76c00000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Credential Manager User Interface
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 Helper for Windows NT
iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2912 (xpsp_sp2_gdr.060519-0003) IP Helper API
urlmon.dll 7e1e0000 659456 C:\WINDOWS\system32\urlmon.dll 6.00.2900.3314 (xpsp_sp2_gdr.080215-1241) OLE32 Extensions for Win32
msi.dll 7d1e0000 2875392 C:\WINDOWS\system32\msi.dll 3.1.4000.4039 Windows Installer
WINSTA.dll 76360000 65536 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Winstation Library
webcheck.dll 74b30000 286720 C:\WINDOWS\System32\webcheck.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Web Site Monitor
WSOCK32.dll 71ad0000 36864 C:\WINDOWS\System32\WSOCK32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 32-Bit DLL
stobject.dll 76280000 135168 C:\WINDOWS\System32\stobject.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Systray shell service object
BatMeter.dll 74af0000 40960 C:\WINDOWS\System32\BatMeter.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 32768 C:\WINDOWS\System32\POWRPROF.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Power Profile Helper DLL
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Terminal Server SDK APIs
wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft MIDI Mapper
MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Multiple Provider Router DLL
drprov.dll 75f60000 28672 C:\WINDOWS\System32\drprov.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 57344 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft® Lan Manager
NETUI0.dll 71cd0000 94208 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 262144 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 28672 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Remote Admin Protocol DLL
davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Web DAV Client DLL
RASAPI32.dll 76ee0000 245760 C:\WINDOWS\system32\RASAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access API
rasman.dll 76e90000 73728 C:\WINDOWS\system32\rasman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access Connection Manager
TAPI32.dll 76eb0000 192512 C:\WINDOWS\system32\TAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft® Windows(TM) Telephony API Client DLL
msv1_0.dll 77c70000 143360 C:\WINDOWS\system32\msv1_0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Authentication Package v1.0
printui.dll 74b80000 573440 C:\WINDOWS\system32\printui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Print UI DLL
WINSPOOL.DRV 73000000 155648 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Spooler Driver
ACTIVEDS.dll 77cc0000 204800 C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ADs Router Layer DLL
adsldpc.dll 76e10000 151552 C:\WINDOWS\system32\adsldpc.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ADs LDAP Provider C DLL
CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\system32\CFGMGR32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Configuration Manager Forwarder DLL
browselc.dll 1200000 73728 C:\WINDOWS\system32\browselc.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Browser UI Library
IMM32.dll 76390000 118784 C:\WINDOWS\system32\IMM32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows XP IMM32 API Client DLL
DUSER.dll 6c1b0000 315392 C:\WINDOWS\system32\DUSER.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows DirectUser Engine
MpOAv.dll 1df0000 86016 C:\PROGRA~1\WINDOW~3\MpOAv.dll 1.1.1593.0 IOfficeAntiVirus Module
PSAPI.DLL 76bf0000 45056 C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Process Status Helper
zipfldr.dll 73380000 356352 C:\WINDOWS\System32\zipfldr.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Compressed (zipped) Folders
MLANG.dll 75cf0000 593920 C:\WINDOWS\system32\MLANG.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Multi Language Support DLL
wuapi.dll 506a0000 557056 C:\WINDOWS\system32\wuapi.dll 7.0.6000.381 (winmain(wmbla).070730-1740) Windows Update Client API
Cabinet.dll 75150000 81920 C:\WINDOWS\system32\Cabinet.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft® Cabinet File API
msohev.dll 325c0000 73728 C:\Program Files\Microsoft Office\OFFICE11\msohev.dll 11.0.5510 Microsoft Office 2003 component
asfsipc.dll 41f00000 28672 C:\WINDOWS\system32\asfsipc.dll 1.1.00.3917 ASFSipc Object
MSISIP.DLL 60980000 28672 C:\WINDOWS\system32\MSISIP.DLL 3.1.4000.1823 MSI Signature SIP Provider
wshext.dll 74ea0000 65536 C:\WINDOWS\System32\wshext.dll 5.6.0.8820 Microsoft (r) Shell Extension for Windows Script Host
MFC42.DLL 73dd0000 1040384 C:\WINDOWS\system32\MFC42.DLL 6.02.4131.0 MFCDLL Shared Library - Retail Version
comdlg32.dll 763b0000 299008 C:\WINDOWS\system32\comdlg32.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Common Dialogs DLL
MCPS.DLL 36d30000 102400 C:\PROGRA~1\MICROS~3\OFFICE11\MCPS.DLL 11.0.5510 Media Catalog Proxy/Stub

-----------------

Option 2

Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Internet Explorer
ntdll.dll 7c900000 720896 C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT Layer DLL
kernel32.dll 7c800000 1003520 C:\WINDOWS\system32\kernel32.dll 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT CRT DLL
USER32.dll 7e410000 589824 C:\WINDOWS\system32\USER32.dll 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) Windows XP USER API Client DLL
GDI32.dll 77f10000 290816 C:\WINDOWS\system32\GDI32.dll 5.1.2600.3316 (xpsp_sp2_gdr.080219-1316) GDI Client DLL
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.3314 (xpsp_sp2_gdr.080215-1241) Shell Light-weight Utility Library
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.3173 (xpsp_sp2_gdr.070709-0051) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Security Support Provider Interface
SHDOCVW.dll 7e290000 1503232 C:\WINDOWS\system32\SHDOCVW.dll 
CRYPT32.dll 77a80000 606208 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust UI Provider
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Image Helper
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.3266 
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) Microsoft OLE for Windows
NETAPI32.dll 5b860000 344064 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.2976 (xpsp_sp2_gdr.060817-0106) Net Win32 API DLL
WININET.dll 771b0000 679936 C:\WINDOWS\system32\WININET.dll 6.00.2900.3314 (xpsp_sp2_gdr.080215-1241) Internet Extensions for Win32
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Win32 LDAP API DLL
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Version Checking and File Installation Libraries
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll 6.0 (xpsp.060825-0040) User Experience Controls Library
SHELL32.dll 7c9c0000 8478720 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.3241 (xpsp_sp2_gdr.071025-1248) Windows Shell Common Dll
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.060825-0040) Common Controls Library
uxtheme.dll 5ad70000 229376 C:\WINDOWS\system32\uxtheme.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft UxTheme Library
BROWSEUI.dll 75f80000 1032192 C:\WINDOWS\system32\BROWSEUI.dll 6.00.2900.2518 (xpsp_sp2_gdr.040919-1056) Shell Browser UI Library
browselc.dll 20000000 73728 C:\WINDOWS\system32\browselc.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Browser UI Library
appHelp.dll 77b40000 139264 C:\WINDOWS\system32\appHelp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.308 
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.258 
urlmon.dll 7e1e0000 659456 C:\WINDOWS\system32\urlmon.dll 6.00.2900.3314 (xpsp_sp2_gdr.080215-1241) OLE32 Extensions for Win32
cscui.dll 77a20000 344064 C:\WINDOWS\System32\cscui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Offline Network Agent
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Setup API
googletoolbar5.dll 10000000 3665920 c:\program files\google\googletoolbar5.dll 4, 0, 1601, 4978 Google IE Client Toolbar
msi.dll 7d1e0000 2875392 C:\WINDOWS\system32\msi.dll 3.1.4000.4039 Windows Installer
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MCI API DLL
WSOCK32.dll 71ad0000 36864 C:\WINDOWS\system32\WSOCK32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 32-Bit DLL
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 Helper for Windows NT
IMM32.dll 76390000 118784 C:\WINDOWS\system32\IMM32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows XP IMM32 API Client DLL
MSIMG32.dll 76380000 20480 C:\WINDOWS\system32\MSIMG32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDIEXT Client DLL
SYNCOR11.DLL 6bd00000 53248 C:\WINDOWS\system32\SYNCOR11.DLL 1.2.3 SynthCore R2.0 Midi Interface Driver
msxml3.dll 74980000 1126400 C:\WINDOWS\system32\msxml3.dll 8.90.1101.0 MSXML 3.0 SP9
DBGHELP.DLL 59a60000 659456 C:\WINDOWS\system32\DBGHELP.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Image Helper
RASAPI32.DLL 76ee0000 245760 C:\WINDOWS\system32\RASAPI32.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access API
rasman.dll 76e90000 73728 C:\WINDOWS\system32\rasman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access Connection Manager
TAPI32.dll 76eb0000 192512 C:\WINDOWS\system32\TAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft® Windows(TM) Telephony API Client DLL
rtutils.dll 76e80000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Routing Utilities
msv1_0.dll 77c70000 143360 C:\WINDOWS\system32\msv1_0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Authentication Package v1.0
iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2912 (xpsp_sp2_gdr.060519-0003) IP Helper API
mlang.dll 75cf0000 593920 C:\WINDOWS\system32\mlang.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Multi Language Support DLL
sensapi.dll 722b0000 20480 C:\WINDOWS\system32\sensapi.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SENS Connectivity API DLL
mswsock.dll 71a50000 258048 C:\WINDOWS\system32\mswsock.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Windows Sockets 2.0 Service Provider
hnetcfg.dll 662b0000 360448 C:\WINDOWS\system32\hnetcfg.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Home Networking Configuration Manager
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Sockets Helper DLL
USERENV.dll 769c0000 733184 C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Userenv
ntshrui.dll 76990000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shell extensions for sharing
ATL.DLL 76b20000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
dlcsIE.dll 1b70000 274432 C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll 1.0.0.8 del.icio.us Buttons for Internet Explorer
DNSAPI.dll 76f20000 159744 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.2938 (xpsp_sp2_gdr.060626-0020) DNS Client API DLL
StumbleUponIEBar.dll 1be0000 991232 C:\Program Files\StumbleUpon\StumbleUponIEBar.dll 1.0.0.1 StumbleUpon Toolbar
jscript.dll 75c50000 454656 C:\WINDOWS\system32\jscript.dll 5.6.0.8835 Microsoft (r) JScript
xpsp2res.dll 1f10000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Service Pack 2 Messages
rasadhlp.dll 76fc0000 24576 C:\WINDOWS\system32\rasadhlp.dll 5.1.2600.2938 (xpsp_sp2_gdr.060626-0020) Remote Access AutoDial Helper
MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Multiple Provider Router DLL
drprov.dll 75f60000 28672 C:\WINDOWS\System32\drprov.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 57344 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft® Lan Manager
NETUI0.dll 71cd0000 94208 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 262144 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 28672 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Remote Admin Protocol DLL
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SAM Library DLL
davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Web DAV Client DLL
MSGINA.dll 75970000 1011712 C:\WINDOWS\system32\MSGINA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Logon GINA DLL
WINSTA.dll 76360000 65536 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Winstation Library
ODBC32.dll 74320000 249856 C:\WINDOWS\system32\ODBC32.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Driver Manager
comdlg32.dll 763b0000 299008 C:\WINDOWS\system32\comdlg32.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Common Dialogs DLL
odbcint.dll 2eb0000 94208 C:\WINDOWS\system32\odbcint.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Resources
sti.dll 73ba0000 77824 C:\WINDOWS\System32\sti.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Still Image Devices client DLL 
CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Configuration Manager Forwarder DLL
SXS.DLL 75e90000 720896 C:\WINDOWS\system32\SXS.DLL 5.1.2600.3019 (xpsp_sp2_gdr.061019-0414) Fusion 2.5
scrrun.dll 735a0000 151552 C:\WINDOWS\system32\scrrun.dll 5.6.0.8820 Microsoft (r) Script Runtime
MFC42.DLL 73dd0000 1040384 C:\WINDOWS\system32\MFC42.DLL 6.02.4131.0 MFCDLL Shared Library - Retail Version
orbitcth.dll 1350000 192512 C:\Program Files\Orbitdownloader\orbitcth.dll 2, 4, 0, 1 Orbitcth
ssv.dll 6d7c0000 503808 C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll 6.0.60.2 Java(TM) Platform SE binary
MSVCR71.dll 7c340000 352256 C:\Program Files\Java\jre1.6.0_06\bin\MSVCR71.dll 7.10.3052.4 Microsoft® C Runtime Library
swg.dll 1a30000 344064 C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll 2, 0, 1121, 2472 GoogleToolbarNotifier
shdoclc.dll 1a90000 557056 C:\WINDOWS\system32\shdoclc.dll  6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Doc Object and Control Library
mshtml.dll 7dc30000 3084288 C:\WINDOWS\System32\mshtml.dll 6.00.2900.3314 (xpsp_sp2_gdr.080215-1241) Microsoft (R) HTML Viewer
msls31.dll 746c0000 159744 C:\WINDOWS\System32\msls31.dll 3.10.349.0 Microsoft Line Services library file
PSAPI.DLL 76bf0000 45056 C:\WINDOWS\System32\PSAPI.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Process Status Helper

Thanks, Jeff
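As an added example (not code from the thread's participants), here is a small Python parser for the "MODULE BASE SIZE PATH" listings posted above. It flags modules loaded into the process from outside C:\WINDOWS (the browser add-ons the helper later asks to remove) and modules that report no version information at all; the embedded listing is a constructed excerpt of a few lines from the posted dump, and the `c:\windows\` prefix is assumed to be the system directory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines in the same layout as the
# 'iexplore.exe' listing posted above (not the complete dump).
SAMPLE_LISTING = """\
Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 102400 C:\\Program Files\\Internet Explorer\\iexplore.exe 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Internet Explorer
SHDOCVW.dll 7e290000 1503232 C:\\WINDOWS\\system32\\SHDOCVW.dll
BROWSEUI.dll 75f80000 1032192 C:\\WINDOWS\\system32\\BROWSEUI.dll 6.00.2900.2518 (xpsp_sp2_gdr.040919-1056) Shell Browser UI Library
googletoolbar5.dll 10000000 3665920 c:\\program files\\google\\googletoolbar5.dll 4, 0, 1601, 4978 Google IE Client Toolbar
MpOAv.dll 1df0000 86016 C:\\PROGRA~1\\WINDOW~3\\MpOAv.dll 1.1.1593.0 IOfficeAntiVirus Module
StumbleUponIEBar.dll 1be0000 991232 C:\\Program Files\\StumbleUpon\\StumbleUponIEBar.dll 1.0.0.1 StumbleUpon Toolbar
"""

# Assumed location of the operating system files on this machine.
SYSTEM_PREFIX = "c:\\windows\\"

# Version strings in the listing look like "6.00.2900.2180" or "4, 0, 1601, 4978".
_VERSION_RE = re.compile(r"^(\d+(?:\s*[.,]\s*\d+)+)")
_BUILD_TAG_RE = re.compile(r"^\([^)]*\)\s*")


@dataclass
class Module:
    name: str
    base: int          # load address, parsed from hex
    size: int          # image size in bytes
    path: str
    version: Optional[str]   # None when the tool reported no version resource
    description: str


def parse_line(line: str) -> Optional[Module]:
    """Parse one 'name base size path [version] [description]' line."""
    parts = line.strip().split(None, 3)
    if len(parts) < 4:
        return None
    name, base, size, rest = parts
    # The path always ends with '\<name>'; everything after it is version text.
    idx = rest.lower().rfind("\\" + name.lower())
    if idx < 0:
        return None
    end = idx + 1 + len(name)
    path, tail = rest[:end], rest[end:].strip()
    m = _VERSION_RE.match(tail)
    version = m.group(1) if m else None
    description = tail[m.end():].strip() if m else tail
    description = _BUILD_TAG_RE.sub("", description)  # drop "(xpsp_sp2_...)"
    return Module(name, int(base, 16), int(size), path, version, description)


def parse_listing(text: str) -> List[Module]:
    """Parse a whole listing, skipping the title and column-header lines."""
    mods = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Module information", "MODULE BASE")):
            continue
        mod = parse_line(line)
        if mod is not None:
            mods.append(mod)
    return mods


def is_system_path(path: str) -> bool:
    return path.lower().startswith(SYSTEM_PREFIX)


def third_party_modules(mods: List[Module]) -> List[Module]:
    """DLLs loaded from outside the system directory (add-ons, toolbars, AV hooks)."""
    return [m for m in mods
            if not is_system_path(m.path) and not m.name.lower().endswith(".exe")]


def unversioned_modules(mods: List[Module]) -> List[Module]:
    """Modules for which the tool could not read any version resource."""
    return [m for m in mods if m.version is None]


def find_version(mods: List[Module], name: str) -> Optional[str]:
    """Version string of the first module with the given name (case-insensitive)."""
    for m in mods:
        if m.name.lower() == name.lower():
            return m.version
    return None


def version_tuple(version: str) -> tuple:
    """Turn '6.00.2900.2518' or '4, 0, 1601, 4978' into a comparable tuple."""
    return tuple(int(x) for x in re.split(r"\s*[.,]\s*", version.strip()))


if __name__ == "__main__":
    mods = parse_listing(SAMPLE_LISTING)
    print("Loaded from outside the system directory:")
    for m in third_party_modules(mods):
        print(f"  {m.name:24} {m.path}  ({m.description})")
    print("No version information:")
    for m in unversioned_modules(mods):
        print(f"  {m.name:24} {m.path}")
    print("browseui.dll version:", find_version(mods, "browseui.dll"))
```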


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jeff1111* 

It is a mystery.

Right click on *My Computer*. Select *Properties*. Select the *Advanced* tab. Under *Startup and recovery*, click on *Settings*. Under *System failure*, remove the checkmark from "*Automatically restart*".

Now, if for some reason the computer attempts to restart, it should not, and an error message on a BSOD should be returned. If it does, post the contents of the error message.
On the process above, after selecting Properties, allow the information to load in that window. Compare the information therein concerning your physical memory.

Please go to *Virus Total* and scan the following file:

*C:\Windows\Explorer.exe*

Post the results in your next reply.

I will ask you at this time to rename Combofix during its download. You cannot rename Combofix after it is downloaded. It may create a lot of problems. Also, do not rename Combofix unless instructed by an authorized member, and only using the name provided.

Please remove the version of Combofix present in your computer, if any, then follow these steps:

Please download ComboFix from *Here* or *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop***

If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

During the download, change the name of the download from *Combofix* to *MyPoppy*.
It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._
-----------------------------------------------------------

Close any open browsers. 
*WARNING: Combofix will disconnect your machine from the Internet as soon as it starts*
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on *Mypoppy.exe* & follow the prompts.
When finished, it will produce a report for you. 
Please post the *"C:\Mypoppy.txt" *along with a *new HijackThis log* for further review.
***Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall***


----------



## jeff1111 (Apr 18, 2008)

Did what you wrote in the last post

*Attached are the results of the Virus Total scan*

*Attached is a log file that popped up after combo fix ran*

*Attached is the combofix.txt file that was created*

I did rename it MyPoppy prior to Downloading it but the file
created at the end was named combofix.

And below is the Hijack This log I ran after the MyPoppy finished.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:10 PM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.createthechange.com/news.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vitagenesis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_6_1/controls/ybrequest.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_6_1/controls/YBUICtrl.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9553 bytes

Thank you,
Jeff


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jeff1111* 

What puzzles me is that *combofix* runs when renamed, but not when run as Combofix. Please go to *Virus Total* and scan the following files:

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\REGSHAVE\REGSHAVE.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

Post the reports only if something wrong is found.


----------



## jeff1111 (Apr 18, 2008)

I ran the files, just two of them found something.

Here is the file and the link to the report.

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

http://www.virustotal.com/analisis/f08035309b486eb5cc693e5d7a993a83

C:\Program Files\REGSHAVE\REGSHAVE.exe

http://www.virustotal.com/analisis/ccaf38500d45a7c429df79a9a8d5ec5b

Also the computer did go to the blue screen twice since I changed the option for it 
to automatically restart on an error. 
I could not copy or do anything with the screen as the computer was frozen. It did
say the error was

IRQL_NOT_LESS_OR_EQUAL

Stop: 0X0000000A

There was a string of more numbers/letters after that which I did not
know if it was important, I can copy them down next time it happens if
that would be of any use.

The Browseui.dll file was corrupt again today upon start up too.

Thanks,
Jeff


----------



## JSntgRvr (Jul 1, 2003)

Please remove all Google programs from your computer and remove the following folder if present:

C:\Program Files\*Google*

In your position I would also remove *Orbitdownloader, AOL Toolbar, del.icio.us, and StumbleUpon* and remove their folders. After cleaning the computer you can reinstall.

Any more information on that error message, such as the modules involved? What was your most recent hardware installation?

Go to Start -> Control Panel -> Administrative Tools -> Event viewer. See if there are error messages on both, *System* and *Software*


----------



## jeff1111 (Apr 18, 2008)

I removed everything I could find as you suggested.
I could not find Stumbleupon for the firefox browser, but did get it from IE.

The latest hardware installed was most likely a long time ago, I think it was a brother laser printer driver that is connected to another computer.

I haven't seen any other errors except the one I indicated in my last post.

Attached is a screenshot for *application* and *system* under event viewer. These are full screen jpg's in the event you want to see what was there. There was no *software* section. There are many events in the two I attached.

Thanks,
Jeff


----------



## JSntgRvr (Jul 1, 2003)

I see no signs of malware. Does this folder exist in your computer?:

*C:\WINDOWS\Minidump*

If yes, does it contain any files within? If yes, right click the latest and select send to -> Compressed (zipped) folder and attach that zipped file to a reply.


----------



## jeff1111 (Apr 18, 2008)

Yes I did find the Minidump folder

Attached is the zip file.

There is still some problem as the browseui.dll file is replaced with a bad file
every morning around 3am and I am still getting occasional shut downs.

Thanks, Jeff


----------



## JSntgRvr (Jul 1, 2003)

Please download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a batch file. Once extracted, open the folder and double click on the *RunMe.bat*. Post back the resulting report.

Send me also another couple of those minidump files.


----------



## jeff1111 (Apr 18, 2008)

Attached is the result from the RunMe.bat 
and two more zipped files from minidumps folder.

Thanks,
Jeff


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jeff1111* 

This is the information I have been able to extract from the minidumps you have submitted. The BSOD error you are experiencing is defined as follows:

*IRQL_NOT_LESS_OR_EQUAL (a)*

An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses.

The files (modules) in question are as follows:



> *update.exe* (Unknown file)
> *MRT.exe* (mrt.exe is a process belonging to Microsoft's enhanced security technologies which addresses Spyware and other processes which can monitor your Internet usage without your knowledge.)
> *aswSP.SYS* (avast! self protection module/ALWIL Software)
> *ntoskrnl.exe* (NT Kernel & System)


As I see it, AVAST is placing a driver in protected memory that affects Windows' kernel.

I would like to start, however, by identifying that *update.exe* file mentioned in the Minidumps and finding out what it is for.


*Copy the entire contents of the Quote Box* below to *Notepad*.
Name the file as *RunMe.bat*
Change the *Save as Type* to *All Files*
and *Save* it in the *VFind* folder created earlier. Overwrite the existing one.
Once saved, double click on the *RunMe.bat* file and post the report it shall produce.



> @ECHO OFF
> If exist C:\Results.txt Del C:\Results.txt
> Echo Working ..........
> pushd C:\
> ...


----------



## jeff1111 (Apr 18, 2008)

I did as you recommended and ran the file.
Attached is the results file.

Thank you,
Jeff


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jeff1111* 

It will be quite difficult to identify the *update.exe* file from that list. Do you have any use for the *C:\Speedo Autorun Maker*? How much memory (RAM) is installed in your computer? How many modules (sticks) are present?

Download the *AVG Free installation* file to your desktop, but do not run it yet.

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.

Please go to Start > Control Panel > *Add/Remove Programs* and remove the following (if present):

*Programs Related to Avast Antivirus*

If for any reason you cannot remove Avast in Safe Mode, attempt its removal in Normal Mode. Once Avast is removed, (in Normal Mode) double-click on the AVG installation file on your desktop and follow the prompts for its installation. Update its definition and perform a full scan.

Please also attempt to re-enact the BSOD error message (perhaps running DSS), and let me know the outcome.

I would also like to see another (Mypoppy) Combofix log.


----------



## jeff1111 (Apr 18, 2008)

*I downloaded the AVG program*

*I removed Avast in Safe Mode*

I rebooted and installed AVG with no problem.

When I try to run it (scan) it will run for a short time
and then have a system error. I tried more than one time 
with the same problem.

The message I saw when that happened was

DRIVER_IRQL_NOT_LESS_OR_EQUAL
with a stop code of 0x000000D1

I also had a couple other system errors happen when I was
not running the scan. The codes were without any error description but
a stop code of 0x00000000A

My computer looks like it has *448MB RAM*
_I am unfamiliar with what a module (stick) is, I can tell you if you let me know how to find the information._

I did run MyPoppy again. The first time it froze the computer, the second time it ran to completion, and I have attached the report.

I do not know what C:\Speedo Autorun Maker is and don't ever recall using it, so I could delete it if you think I should. Please let me know.

Thanks,
Jeff


----------



## JSntgRvr (Jul 1, 2003)

Hi, jeff1111 

The last Minidumps sent were for April 21, 2008. See if you can sort these by date and send me at least the latest six (6).

Right-click on an empty space in the *C:\WINDOWS\Minidump* folder and select *New* -> *Folder*. Name it *Dump*. Then drag and drop the Minidump files you will send me into this new folder. Once done, right-click on the Dump folder -> Send to -> compressed (zipped) folder. Include this .zip folder in your next reply.

This may sound odd, but if it isn't caused by a driver, then the issue may be faulty memory modules.


----------



## jeff1111 (Apr 18, 2008)

Hi, 
Attached is the zip folder of the minidump files, it looks like there are no new ones since April 21 but I included 8 of the most recent.

Would the problem with memory you described cause the browseui.dll corruption, as this is still occurring too?

Thanks,
Jeff


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jeff1111* 

Although this analysis isn't perfect, it does give you an idea on what could be wrong. In this case a driver or corrupted memory.

One of the dump files mentions a nVidia driver as the cause of the crash, the rest show a problem with corrupted memory.

I would recommend that you re-load *nVidia* video drivers and if that does not resolve the issue, the memory modules must be checked, and perhaps replaced. Except for that, there is nothing under software that we can use to resolve the issue. There is a program most people use to check their memory modules, but then again it is not a perfect science.

You can download *Memtest* from here:

http://hcidesign.com/memtest/

Read the Manual. Accordingly, the more time you allow this program to run, the better the results.

Test it overnight and let me know the outcome.


----------



## jeff1111 (Apr 18, 2008)

Where do I find the Nvidia drivers?

I ran the memory test and it ran for about an hour and the system locked up. No errors were found at that point. I then tried to run it overnight but the computer rebooted around 3am with the browseui.dll problem so that test also failed to complete. 

Something must still be causing that browseui.dll file to reset or corrupt, I am not sure.

Thanks,
Jeff


----------



## JSntgRvr (Jul 1, 2003)

Download the enclosed folder. Save and extract its contents to the desktop. It is a batch file, *Filelist.bat*. Once extracted, double-click on the Filelist.bat file and attach the report it will produce to a reply.


----------



## jeff1111 (Apr 18, 2008)

Ran that file, the report is attached.

Thanks, 
Jeff


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jeff1111* 

The *browseui.dll* is still running an older version.

Please download the enclosed folder. Save and extract its contents to the desktop. It is a batch file, *JDelTmp.bat*. Do not run this file yet. We will do it in Safe Mode.

Please download and install the following Update:

http://www.microsoft.com/downloads/...78-E3A4-4FF6-9E2D-BF1935003E8E&displaylang=en

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.
Once in Safe Mode, double click on the *JDelTmp.bat*. The MS-DOS window will remain open for a while. That is normal. Once it closes, restart the computer.

Run the *Filelist.bat* once again and post its report.


----------



## jeff1111 (Apr 18, 2008)

The Windows download/update would not install, it said I had the wrong version of Windows, not sure what that meant.

I did run the JDelTmp.bat in safemode and that ran fine.

I then ran the filelist.bat and the report is attached.

The computer has had the same error a couple of times but the last two days
the browseui.dll file has not had to be restored. Not sure what changed because
before I had to restore that each morning.

Thanks,
Jeff


----------



## JSntgRvr (Jul 1, 2003)

Hi, *jeff1111* 

We still have a couple of options we can work with.

1. Set explorer to create minidumps file:

Go to Start and right click on My Computer and select Properties. Select the Advanced tab. Under Startup and Recovery set the computer to create Minidumps. See my settings attached.

2. Troubleshoot Windows through a Clean Boot.

Clean boot is the process of disabling and removing some programs and drivers from the Windows startup process. This is done to identify and troubleshoot issues occurring with Windows XP.

NOTE: Following these steps may result in loss of some functionality temporarily. Restoring the settings may return the original problem.

To perform a clean boot in Windows XP, follow these steps:

1. Log in as an Administrator or a member of the Administrators group. 
2. Click *Start*, select *Run*, and type *MSConfig.exe* in the command line.
3. Click *OK*. 
4. Select the *General* tab and click *Selective Startup*. 
5. Deselect all the checkboxes except Use *Original Boot.ini*. 
6. Click OK and restart the computer.

Upon restart you will be confronted with a dialogue box warning about running in selective startup. Just ignore that message and put a check in the box by "*Don't show me this message or launch the System Configuration Utility when Windows starts*" and click "OK". You will not be bothered by the message again.

Hopefully, when you restart the system the problem should be gone. (Attempt at all costs to re-create the BSOD issue.) If the issue reoccurs, there must be something wrong with the Windows installation, and you may need to reinstall or repair the Windows XP installation.

If the issue does not appear, then perform the following steps:

1. Click Start, select Run, and type *MSConfig.exe* in the command line.
2. On the *General* tab, select the Process *SYSTEM.INI* File checkbox. 
3. Click *OK* and restart the computer. If the problem reappears, then the issue is with an entry in the System.ini file. 
4. If the problem does not reoccur, then run *MSconfig* again and select the Process *WIN.INI* file. Continue with this process until the issue reappears, selecting one of each item such as the *Load Startup Items* and *Load System Services* checkboxes.
5. When the issue reappears for any of the selected entries, you will need to edit that particular item.

For example, if the problem reappears after selecting the *Win.ini* file, click the *Win.ini* tab in System Configuration Utility to edit that configuration file. Clear half of the check boxes (except for those clearly marked as required), click *OK*, and then restart your computer. Continue this process until you locate the setting that is causing the issue.

Post back the results with the setting causing the issue, if identified.


----------



## jeff1111 (Apr 18, 2008)

I tried each of these steps but could not find
anything that would cause the problem. 

The computer has been running a bit better, has
only frozen or shut down a couple times, usually
for no specific reason. Sometimes it has happened
even just when sitting idle. The browseui.dll problem
seems to have gone away though. 

please let me know if there is anything else I can do
or try.

Thanks,
Jeff


----------



## JSntgRvr (Jul 1, 2003)

If you set explorer to create minidump files, then check the minidump folder for new entries, zip and post them. It is the only way we can have an idea on the reasons for a crash.


----------



## jeff1111 (Apr 18, 2008)

I did set the minidumps and have included two I found that were recent in the zip file attached. 

Thanks,
Jeff


----------



## JSntgRvr (Jul 1, 2003)

I am enclosing the analysis on both files. All seem to indicate problems with your memory modules. You will need to take the machine to a tech to perform an on-site diagnostic and replace the memory modules if found faulty.


----------



## jeff1111 (Apr 18, 2008)

Thank you, I'll have it checked out.
I appreciate all the help you have given over the past
couple of weeks. 

Sincerely,
Jeff


----------



## JSntgRvr (Jul 1, 2003)

You are welcome, *Jeff*


----------

