MAJOR Problems...apparently...
kappley5001
Junior Member with 15 posts.
 
Join Date: Apr 2007
Location: Florida
Experience: Intermediate
26-Apr-2007, 08:53 PM #1
MAJOR Problems...apparently...
So in a previous thread I posted my HJT log. One person replied and told me to post a NEW thread here... So in a nutshell...

My login to my user account is extremely slow! I'm guessing it's a virus or unwanted programs. I'm really hoping someone can help me out here. I've spent 4 frustrating days trying to fix this. Here is my log:
(Also note: because of the way my computer is set up, Windows and most of my programs are on drive F.)


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:51:40 PM, on 4/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\AntiVir PersonalEdition Classic\sched.exe
F:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\UPHClean\uphclean.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\QuickTime\qttask.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\HiJackThis_v2.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {20BAD863-5E51-121E-CA75-BF9C03649BCE} - F:\WINDOWS\qowdu1.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-329068152-606747145-725345543-1008\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Cindy Appleyard')
O4 - HKUS\S-1-5-21-329068152-606747145-725345543-1008\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" (User 'Cindy Appleyard')
O4 - HKUS\S-1-5-21-329068152-606747145-725345543-1008\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background (User 'Cindy Appleyard')
O4 - HKUS\S-1-5-21-329068152-606747145-725345543-1008\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe (User 'Cindy Appleyard')
O4 - HKUS\S-1-5-21-329068152-606747145-725345543-1008\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Cindy Appleyard')
O4 - HKUS\S-1-5-21-329068152-606747145-725345543-1008\..\Run: [Yahoo! Pager] "F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'Cindy Appleyard')
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://F:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AbsoluteShield Track Eraser - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - F:\Program Files\SysShield Tools\Track Eraser\cseraser.exe (file missing) (HKCU)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download...reeInstall.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} (HS_live Control) - http://install.homestead.com/~site/I...ve/HS_live.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ndows-i586.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:F:\DOCUME~1\KYLEMC~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - AppInit_DLLs: \\?\F:\WINDOWS\system32\aux.nga
kappley5001
27-Apr-2007, 01:41 AM #2
bump
dvk01
Moderator & Malware Removal Specialist with 37,220 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
27-Apr-2007, 06:37 AM #3
You have only posted part of the HJT log, so I can't do anything until we see a full log.

But start with:
Download ComboFix to your desktop:

* Double-click combofix.exe & follow the prompts.
* When finished, it shall produce a log for you. Post that log in your next reply with a new FULL HJT log.


Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
kappley5001
27-Apr-2007, 05:09 PM #4
Sorry about the double thread... also about the incomplete log... I'm a little new to HJT, so you'll have to excuse my ineptitude.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:01:22 PM, on 4/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\AntiVir PersonalEdition Classic\sched.exe
F:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\UPHClean\uphclean.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\QuickTime\qttask.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\WINDOWS\system32\cmd.exe
F:\WINDOWS\System32\svchost.exe
F:\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {20BAD863-5E51-121E-CA75-BF9C03649BCE} - F:\WINDOWS\qowdu1.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-329068152-606747145-725345543-1008\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Cindy Appleyard')
O4 - HKUS\S-1-5-21-329068152-606747145-725345543-1008\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" (User 'Cindy Appleyard')
O4 - HKUS\S-1-5-21-329068152-606747145-725345543-1008\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background (User 'Cindy Appleyard')
O4 - HKUS\S-1-5-21-329068152-606747145-725345543-1008\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe (User 'Cindy Appleyard')
O4 - HKUS\S-1-5-21-329068152-606747145-725345543-1008\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Cindy Appleyard')
O4 - HKUS\S-1-5-21-329068152-606747145-725345543-1008\..\Run: [Yahoo! Pager] "F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'Cindy Appleyard')
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://F:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AbsoluteShield Track Eraser - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - F:\Program Files\SysShield Tools\Track Eraser\cseraser.exe (file missing) (HKCU)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download...reeInstall.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} (HS_live Control) - http://install.homestead.com/~site/I...ve/HS_live.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ndows-i586.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:F:\DOCUME~1\KYLEMC~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - AppInit_DLLs: \\?\F:\WINDOWS\system32\aux.nga
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: intel3 - intel3.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - F:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - F:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - F:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - F:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - F:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver - HP - F:\WINDOWS\system32\HPHipm09.exe

--
End of file - 7544 bytes
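An added example, not from this thread or from the HijackThis tool: a small Python triage script for the HJT log format posted above. It parses the `Oxx - ...` entry lines and flags the kinds of entries a malware-removal helper reads first: orphaned "(file missing)" hooks, BHOs with a generic name, ActiveX controls registered from a local temp file, and any AppInit_DLLs entry. The heuristics are mine and the sample lines are copied from the log above; a flag means "review this", not "this is malware".

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a handful of entries copied from the HijackThis v2.0.0
# log posted above, plus the header lines the parser must skip.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Platform: Windows XP SP2 (WinNT 5.01.2600)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {20BAD863-5E51-121E-CA75-BF9C03649BCE} - F:\WINDOWS\qowdu1.dll
O9 - Extra button: AbsoluteShield Track Eraser - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - F:\Program Files\SysShield Tools\Track Eraser\cseraser.exe (file missing) (HKCU)
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:F:\DOCUME~1\KYLEMC~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - AppInit_DLLs: \\?\F:\WINDOWS\system32\aux.nga
O20 - Winlogon Notify: intel3 - intel3.dll (file missing)
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
"""

# Every HJT entry starts with a section code (R0, O2, O20, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# BHO display names that say nothing about who wrote the DLL.
GENERIC_NAMES = {"", "class", "(no name)"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, body, full_line) for each entry line; header lines are skipped."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def check_entry(section: str, body: str) -> str:
    """Return a review reason for one entry, or '' if nothing stands out."""
    low = body.lower()
    if "(file missing)" in low:
        return "points at a file that no longer exists (orphaned startup hook)"
    if section == "O2" and body.startswith("BHO:"):
        # body layout: "BHO: <name> - {CLSID} - <dll path>"
        name = body[len("BHO:"):].split(" - ", 1)[0].strip()
        if name.lower() in GENERIC_NAMES:
            return "BHO with a generic or empty name; identify the DLL's publisher"
    if section == "O16":
        # body layout: "DPF: {CLSID} (friendly name) - <codebase URL>"
        head, _, codebase = body.partition(" - ")
        if "mk:@msitstore:" in codebase.lower() or "\\temp\\" in codebase.lower():
            return "ActiveX control registered from a local temp file, not a web URL"
        if "(" not in head:
            return "ActiveX control with no registered friendly name"
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        # AppInit_DLLs is loaded into every process that links user32.dll.
        path = body[len("AppInit_DLLs:"):].strip()
        if path and not path.lower().endswith(".dll"):
            return "AppInit_DLLs loads a non-.dll file into every user32 process"
        if path:
            return "AppInit_DLLs entry present; confirm the DLL's publisher"
    return ""


def triage(text: str) -> List[Finding]:
    """Run the heuristics over a whole log and collect the flagged entries."""
    findings = []
    for section, body, line in parse_entries(text):
        reason = check_entry(section, body)
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```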
kappley5001
27-Apr-2007, 05:10 PM #5
Annnnd ComboFix


"Kyle McT" - 07-04-27 16:06:01 Service Pack 2
ComboFix 07-04-25.4V - Running from: "F:\Documents and Settings\Kyle McT\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-03-27 to 2007-04-27 ))))))))))))))))))))))))))))))))))


2007-04-27 15:57 49,152 --a------ F:\WINDOWS\nircmd.exe
2007-04-27 15:50 1,308,216 --a------ F:\HiJackThis_v2.exe
2007-04-25 18:37 d-------- F:\WINDOWS\LastGood
2007-04-25 18:36 d-------- F:\WINDOWS\Prefetch
2007-04-25 17:54 57,472 --a------ F:\WINDOWS\system32\drivers\redbook.sys
2007-04-25 17:54 49,536 --a------ F:\WINDOWS\system32\drivers\cdrom.sys
2007-04-25 17:54 41,856 --a------ F:\WINDOWS\system32\drivers\imapi.sys
2007-04-25 17:37 d-------- F:\Program Files\UPHClean
2007-04-24 20:13 0 --a------ F:\WINDOWS\system32\CMMGR32.EXE
2007-04-24 20:09 d-------- F:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-04-24 18:36 1,308,216 --a------ F:\Program Files\HiJackThis_v2.exe
2007-04-24 18:01 d-------- F:\Program Files\Messenger
2007-04-24 16:19 d-------- F:\Program Files\SUPERAntiSpyware
2007-04-24 16:19 d-------- F:\DOCUME~1\KYLEMC~1\APPLIC~1\SUPERAntiSpyware.com
2007-04-23 23:38 331,776 --a------ F:\WINDOWS\system32\winhttp(3).dll
2007-04-23 23:00 7,143,424 --a------ F:\DOCUME~1\KYLEMC~1\ntuser.dat
2007-04-23 23:00 237,568 --a------ F:\DOCUME~1\LOCALS~1\ntuser.dat
2007-04-23 23:00 d-------- F:\DOCUME~1\KYLEMC~1\APPLIC~1\Google
2007-04-23 22:24 48,128 --a------ F:\WINDOWS\system32\inetres.dll
2007-04-23 22:24 45,568 --a------ F:\WINDOWS\system32\safrslv.dll
2007-04-23 22:24 43,520 --a------ F:\WINDOWS\system32\safrcdlg.dll
2007-04-23 22:24 43,520 --a------ F:\WINDOWS\system32\racpldlg.dll
2007-04-23 22:24 32,768 --a------ F:\WINDOWS\system32\mnmsrvc.exe
2007-04-23 22:24 32,768 --a------ F:\WINDOWS\system32\isrdbg32.dll
2007-04-23 22:24 29,696 --a------ F:\WINDOWS\system32\safrdm.dll
2007-04-23 22:23 81,920 --a------ F:\WINDOWS\system32\isign32.dll
2007-04-23 22:23 81,920 --a------ F:\WINDOWS\system32\ils.dll
2007-04-23 22:23 73,728 --a------ F:\WINDOWS\system32\icwdial.dll
2007-04-23 22:23 73,472 --a------ F:\WINDOWS\system32\drivers\sr.sys
2007-04-23 22:23 69,632 --a------ F:\WINDOWS\system32\msconf.dll
2007-04-23 22:23 678,400 --a------ F:\WINDOWS\system32\inetcomm.dll
2007-04-23 22:23 67,584 --a------ F:\WINDOWS\system32\srclient.dll
2007-04-23 22:23 65,536 --a------ F:\WINDOWS\system32\icwphbk.dll
2007-04-23 22:23 382,464 --a------ F:\WINDOWS\system32\qmgr.dll
2007-04-23 22:23 361,984 --a------ F:\WINDOWS\system32\qmgr(2).dll
2007-04-23 22:23 34,560 --a------ F:\WINDOWS\system32\mnmdd.dll
2007-04-23 22:23 28,672 --a------ F:\WINDOWS\system32\nmmkcert.dll
2007-04-23 22:23 274,944 --a------ F:\WINDOWS\system32\mstask.dll
2007-04-23 22:23 274,432 --a------ F:\WINDOWS\system32\inetcfg.dll
2007-04-23 22:23 252,928 --a------ F:\WINDOWS\system32\msoeacct.dll
2007-04-23 22:23 239,104 --a------ F:\WINDOWS\system32\srrstr.dll
2007-04-23 22:23 190,976 --a------ F:\WINDOWS\system32\schedsvc.dll
2007-04-23 22:23 18,944 --a------ F:\WINDOWS\system32\qmgrprxy.dll
2007-04-23 22:23 170,496 --a------ F:\WINDOWS\system32\srsvc.dll
2007-04-23 22:23 17,408 --a------ F:\WINDOWS\system32\qmgrprxy(2).dll
2007-04-23 22:23 159,232 --a------ F:\WINDOWS\system32\schedsvc(2).dll
2007-04-23 22:23 158,720 --a------ F:\WINDOWS\system32\srsvc(3).dll
2007-04-23 22:23 12,288 --a------ F:\WINDOWS\system32\mstinit.exe
2007-04-23 22:23 105,984 --a------ F:\WINDOWS\system32\msoert2.dll
2007-04-23 22:22 949,248 --a------ F:\WINDOWS\system32\msdtctm.dll
2007-04-23 22:22 93,696 --a------ F:\WINDOWS\system32\tscfgwmi.dll
2007-04-23 22:22 90,112 --a------ F:\WINDOWS\system32\mtxoci.dll
2007-04-23 22:22 9,216 --a------ F:\WINDOWS\system32\wuauserv(2).dll
2007-04-23 22:22 9,216 --a------ F:\WINDOWS\system32\icaapi(2).dll
2007-04-23 22:22 87,176 --a------ F:\WINDOWS\system32\rdpwsx.dll
2007-04-23 22:22 85,504 --a------ F:\WINDOWS\system32\catsrvps.dll
2007-04-23 22:22 83,968 --a------ F:\WINDOWS\system32\mtxoci(2).dll
2007-04-23 22:22 67,072 --a------ F:\WINDOWS\system32\rdshost.exe
2007-04-23 22:22 655,360 --a------ F:\WINDOWS\system32\mstscax.dll
2007-04-23 22:22 628,224 --a------ F:\WINDOWS\system32\catsrvut.dll
2007-04-23 22:22 628,224 --a------ F:\WINDOWS\system32\catsrvut(3).dll
2007-04-23 22:22 62,464 --a------ F:\WINDOWS\system32\rdpclip.exe
2007-04-23 22:22 62,464 --a------ F:\WINDOWS\system32\colbact.dll
2007-04-23 22:22 62,464 --a------ F:\WINDOWS\system32\colbact(3).dll
2007-04-23 22:22 60,416 --a------ F:\WINDOWS\system32\remotepg.dll
2007-04-23 22:22 6,656 --a------ F:\WINDOWS\system32\wuauserv.dll
2007-04-23 22:22 6,144 --a------ F:\WINDOWS\system32\msdtc.exe
2007-04-23 22:22 582,656 --a------ F:\WINDOWS\system32\catsrvut(4).dll
2007-04-23 22:22 58,880 --a------ F:\WINDOWS\system32\msdtclog.dll
2007-04-23 22:22 58,880 --a------ F:\WINDOWS\system32\licwmi.dll
2007-04-23 22:22 56,832 --a------ F:\WINDOWS\system32\colbact(4).dll
2007-04-23 22:22 56,320 --a------ F:\WINDOWS\system32\servdeps.dll
2007-04-23 22:22 540,160 --a------ F:\WINDOWS\system32\comuid.dll
2007-04-23 22:22 538,624 --a------ F:\WINDOWS\system32\spider.exe
2007-04-23 22:22 501,248 --a------ F:\WINDOWS\system32\clbcatq.dll
2007-04-23 22:22 501,248 --a------ F:\WINDOWS\system32\clbcatq(3).dll
2007-04-23 22:22 468,480 --a------ F:\WINDOWS\system32\clbcatq(4).dll
2007-04-23 22:22 44,544 --a------ F:\WINDOWS\system32\tscupgrd.exe
2007-04-23 22:22 425,472 --a------ F:\WINDOWS\system32\msdtcprx.dll
2007-04-23 22:22 407,552 --a------ F:\WINDOWS\system32\mstsc.exe
2007-04-23 22:22 38,912 --a------ F:\WINDOWS\system32\cfgbkend.dll
2007-04-23 22:22 345,088 --a------ F:\WINDOWS\system32\hypertrm.dll
2007-04-23 22:22 343,040 --a------ F:\WINDOWS\system32\mspaint.exe
2007-04-23 22:22 295,424 --a------ F:\WINDOWS\system32\termsrv.dll
2007-04-23 22:22 229,888 --a------ F:\WINDOWS\system32\catsrv.dll
2007-04-23 22:22 229,888 --a------ F:\WINDOWS\system32\catsrv(3).dll
2007-04-23 22:22 215,040 --a------ F:\WINDOWS\system32\catsrv(4).dll
2007-04-23 22:22 21,896 --a------ F:\WINDOWS\system32\drivers\tdtcp.sys
2007-04-23 22:22 200,192 --a------ F:\WINDOWS\system32\termsrv(2).dll
2007-04-23 22:22 20,480 --a------ F:\WINDOWS\system32\qprocess.exe
2007-04-23 22:22 19,968 --a------ F:\WINDOWS\system32\rdpsnd.dll
2007-04-23 22:22 185,344 --a------ F:\WINDOWS\system32\cmprops.dll
2007-04-23 22:22 183,808 --a------ F:\WINDOWS\system32\accwiz.exe
2007-04-23 22:22 17,408 --a------ F:\WINDOWS\system32\mmfutil.dll
2007-04-23 22:22 161,280 --a------ F:\WINDOWS\system32\msdtcuiu.dll
2007-04-23 22:22 147,968 --a------ F:\WINDOWS\system32\rdchost.dll
2007-04-23 22:22 140,800 --a------ F:\WINDOWS\system32\sessmgr.exe
2007-04-23 22:22 139,400 --a------ F:\WINDOWS\system32\drivers\rdpwd.sys
2007-04-23 22:22 131,584 --a------ F:\WINDOWS\system32\sndrec32.exe
2007-04-23 22:22 13,824 --a------ F:\WINDOWS\system32\rdsaddin.exe
2007-04-23 22:22 123,392 --a------ F:\WINDOWS\system32\mplay32.exe
2007-04-23 22:22 12,040 --a------ F:\WINDOWS\system32\drivers\tdpipe.sys
2007-04-23 22:22 113,944 --a------ F:\WINDOWS\system32\wuauclt.exe
2007-04-23 22:22 110,080 --a------ F:\WINDOWS\system32\clbcatex.dll
2007-04-23 22:22 11,776 --a------ F:\WINDOWS\system32\xolehlp.dll
2007-04-23 22:22 11,264 --a------ F:\WINDOWS\system32\icaapi.dll
2007-04-23 22:22 102,912 --a------ F:\WINDOWS\system32\clipbrd.exe
2007-04-23 22:22 1,251,840 --a------ F:\WINDOWS\system32\comsvcs.dll
2007-04-23 22:22 1,251,840 --a------ F:\WINDOWS\system32\comsvcs(3).dll
2007-04-23 22:22 1,172,992 --a------ F:\WINDOWS\system32\comsvcs(4).dll
2007-04-23 22:22 1,081,112 --a------ F:\WINDOWS\system32\wuaueng.dll
2007-04-23 16:25 85,376 --a------ F:\WINDOWS\system32\drivers\nabtsfec.sys
2007-04-23 16:25 6,400 --a------ F:\WINDOWS\system32\drivers\splitter.sys
2007-04-23 16:25 52,864 --a------ F:\WINDOWS\system32\drivers\dmusic.sys
2007-04-23 16:25 5,504 --a------ F:\WINDOWS\system32\drivers\mstee.sys
2007-04-23 16:25 19,328 --a------ F:\WINDOWS\system32\drivers\wstcodec.sys
2007-04-23 16:25 17,024 --a------ F:\WINDOWS\system32\drivers\ccdecode.sys
2007-04-23 16:19 19,017 --a------ F:\WINDOWS\system32\drivers\RTL8029.sys
2007-04-23 16:18 818,496 --a------ F:\WINDOWS\system32\drivers\cmuda.sys
2007-04-23 16:18 4,096 --a------ F:\WINDOWS\system32\ksuser.dll
2007-04-23 16:18 151,552 --a------ F:\WINDOWS\system32\cmuda.dll
2007-04-23 16:17 40,840 --a------ F:\WINDOWS\system32\drivers\termdd.sys
2007-04-23 16:17 196,864 --a------ F:\WINDOWS\system32\drivers\rdpdr.sys
2007-04-23 16:16 74,752 --a------ F:\WINDOWS\system32\storprop.dll
2007-04-23 16:16 24,661 --a------ F:\WINDOWS\system32\spxcoins.dll
2007-04-23 16:16 13,312 --a------ F:\WINDOWS\system32\irclass.dll
2007-04-23 16:16 11,264 --a------ F:\WINDOWS\system32\drivers\irenum.sys
2007-04-23 15:38 d-------- F:\DOCUME~1\ADMINI~1.001\APPLIC~1\Lavasoft
2007-04-23 15:37 524,288 --ah----- F:\DOCUME~1\ADMINI~1.001\ntuser.dat
2007-04-20 22:30 2,723,840 --a------ F:\DOCUME~1\Guest\ntuser.dat
2007-04-20 15:50 1,324 --a------ F:\WINDOWS\system32\d3d9caps.dat
2007-04-19 21:48 43,584 --a------ F:\WINDOWS\system32\drivers\avipbb.sys
2007-04-19 21:48 28,352 --a------ F:\WINDOWS\system32\drivers\ssmdrv.sys
2007-04-14 03:48 d-------- F:\WINDOWS\system32\LogFiles
2007-04-10 19:58 d-------- F:\DOCUME~1\CINDYA~1.MST\APPLIC~1\Lavasoft
2007-04-09 23:33 d-------- F:\Program Files\Common Files\Symantec Shared
2007-04-09 23:32 d-------- F:\WINDOWS\system32\runtime
2007-04-09 23:29 d-------- F:\Program Files\Norton Security Scan
2007-04-09 23:28 d-------- F:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-04-07 00:51 d-------- F:\DOCUME~1\KYLEMC~1\APPLIC~1\ATI
2007-03-31 22:22 d-------- F:\Program Files\iTunes
2007-03-31 22:19 d-------- F:\Program Files\Apple Software Update


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-26 19:45 -------- d-------- F:\Program Files\winamp
2007-04-26 19:45 -------- d-------- F:\Program Files\movie maker
2007-04-26 19:45 -------- d-------- F:\Program Files\limewire
2007-04-26 19:45 -------- d-------- F:\Program Files\divx
2007-04-25 18:22 -------- d-------- F:\Program Files\windows nt
2007-04-24 20:09 -------- d-------- F:\Program Files\Common Files\wise installation wizard
2007-04-23 22:41 -------- d--h----- F:\Program Files\windowsupdate
2007-04-23 22:22 23348 --a--c--- F:\WINDOWS\system32\emptyregdb.dat
2007-04-09 23:39 -------- d-------- F:\Program Files\lavasoft
2007-04-09 23:39 -------- d-------- F:\DOCUME~1\KYLEMC~1\APPLIC~1\lavasoft
2007-04-09 23:32 -------- d-------- F:\Program Files\google
2007-04-09 00:26 -------- d-------- F:\Program Files\steam
2007-03-31 22:22 -------- d-------- F:\Program Files\ipod
2007-03-31 22:21 -------- d-------- F:\Program Files\quicktime
2007-03-23 20:43 4996 --a------ F:\WINDOWS\mozver.dat
2007-03-23 14:29 2784264 --a------ F:\WINDOWS\system32\gphotos.scr
2007-02-28 21:32 -------- d-------- F:\DOCUME~1\KYLEMC~1\APPLIC~1\ventrilo
2007-02-28 21:31 -------- d-------- F:\Program Files\icqlite
2007-02-23 00:29 200704 --a------ F:\WINDOWS\system32\ssldivx.dll
2007-02-23 00:29 1044480 --a------ F:\WINDOWS\system32\libdivx.dll
2007-02-17 17:52 45056 --a------ F:\WINDOWS\system32\hssicore.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{20BAD863-5E51-121E-CA75-BF9C03649BCE} F:\WINDOWS\qowdu1.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} f:\program files\google\googletoolbar4.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} F:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"F:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="F:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="F:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ComPlusSetup
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\intel3

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="\\?\F:\WINDOWS\system32\aux.nga"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="F:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="F:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="F:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
"path"="F:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Google Updater.lnk"
"backup"="F:\\WINDOWS\\pss\\Google Updater.lnkCommon Startup"
"location"="Common Startup"
"command"="F:\\PROGRA~1\\Google\\GOOGLE~3\\GOOGLE~1.EXE -systray -startup"
"item"="Google Updater"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Icatch(VI) SnapDetect.lnk]
"path"="F:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Icatch(VI) SnapDetect.lnk"
"backup"="F:\\WINDOWS\\pss\\Icatch(VI) SnapDetect.lnkCommon Startup"
"location"="Common Startup"
"command"="F:\\WINDOWS\\Twain_32\\CA561A\\SNAPDE~1.EXE "
"item"="Icatch(VI) SnapDetect"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="F:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="F:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="F:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^Kyle McT^Start Menu^Programs^Startup^AbsoluteShield Track Eraser.lnk]
"path"="F:\\Documents and Settings\\Kyle McT\\Start Menu\\Programs\\Startup\\AbsoluteShield Track Eraser.lnk"
"backup"="F:\\WINDOWS\\pss\\AbsoluteShield Track Eraser.lnkStartup"
"location"="Startup"
"command"="F:\\Program Files\\SysShield Tools\\Track Eraser\\cseraser.exe /autorun"
"item"="AbsoluteShield Track Eraser"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^Kyle McT^Start Menu^Programs^Startup^Adobe Gamma.lnk]
"path"="F:\\Documents and Settings\\Kyle McT\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk"
"backup"="F:\\WINDOWS\\pss\\Adobe Gamma.lnkStartup"
"location"="Startup"
"command"="F:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="F:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CLIStart"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgnt"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDll32 cmicnfg"
"hkey"="HKLM"
"command"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="F:\\WINDOWS\\System32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DeadAIM"
"hkey"="HKLM"
"command"="rundll32.exe \"F:\\Program Files\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb04"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hphmon03"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\hphmon03.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQNet"
"hkey"="HKLM"
"command"="F:\\PROGRA~1\\ICQ\\ICQNet.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PicasaMediaDetector"
"hkey"="HKLM"
"command"="F:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="F:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SUPERAntiSpyware"
"hkey"="HKCU"
"command"="F:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="F:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="F:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Save"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\Save\\Save.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="F:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e202e976-f376-11db-80e2-806d6172696f}]
Shell\AutoRun\command D:\setup.exe


Contents of the 'Scheduled Tasks' folder
F:\WINDOWS\tasks\AppleSoftwareUpdate.job
F:\WINDOWS\tasks\Disk Cleanup.job
F:\WINDOWS\tasks\Disk Defragmenter.job
F:\WINDOWS\tasks\Norton Security Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-27 16:07:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-27 16:07:14
F:\ComboFix-quarantined-files.txt ... 07-04-27 16:07
kappley5001, 28-Apr-2007, 11:56 AM #6
Bump
dvk01 (Moderator & Malware Removal Specialist), 28-Apr-2007, 05:14 PM #7
I think we had better do it this way

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Reboot to safe mode by pressing F8 at boot time and select Safe Mode from the list on the black screen.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    • In the Processes group click Non-Microsoft
    • In the Win32 Services group click Non-Microsoft
    • In the Driver Services group click Non-Microsoft
    • In the Registry group click Non-Microsoft
    • In the Files Created Within group click 30 days. Make sure Non-Microsoft only is CHECKED
    • In the Files Modified Within group select 30 days. Make sure Non-Microsoft only is CHECKED
    • In the File String Search group select Non-Microsoft
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file

Reboot normally.
Use the Reply button and attach the notepad file here. I will review it when it comes in.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
kappley5001, 28-Apr-2007, 07:12 PM #8
I hope I did this right... the notepad is attached.
Attachment Blocked
dvk01 (Moderator & Malware Removal Specialist), 29-Apr-2007, 06:52 AM #9
WinPFind3 Fix -


Start WinPFind3U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> intel3 -> intel3.dll
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {20BAD863-5E51-121E-CA75-BF9C03649BCE} [HKLM] -> %SystemRoot%\qowdu1.dll [Class]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Yahoo! Toolbar]
[Empty Temp Folders]
[Start Explorer]
[Reboot]
The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

When it reboots, post the following back here:

the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log)

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
kappley5001, 29-Apr-2007, 12:12 PM #10
So I ran the fix... then figured... oh yeah, he probably wanted me to run that in safe mode... sooo I kinda did both...


In windows:
Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\intel3 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{20BAD863-5E51-121E-CA75-BF9C03649BCE} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20BAD863-5E51-121E-CA75-BF9C03649BCE} deleted successfully.
LoadLibrary failed for F:\WINDOWS\qowdu1.dll
F:\WINDOWS\qowdu1.dll NOT unregistered.
F:\WINDOWS\qowdu1.dll moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
[Empty Temp Folders]
F:\DOCUME~1\KYLEMC~1\LOCALS~1\Temp\ -> emptied.
F:\Documents and Settings\Kyle McT\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
< End of log >
Created on 04/29/2007 10:58:35


In safe mode:
Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\intel3 not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{20BAD863-5E51-121E-CA75-BF9C03649BCE} not found.
File F:\WINDOWS\qowdu1.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} not found.
[Empty Temp Folders]
F:\DOCUME~1\KYLEMC~1\LOCALS~1\Temp\ -> emptied.
F:\Documents and Settings\Kyle McT\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
< End of log >
Created on 04/29/2007 11:06:37


I did notice my login didn't take 5 minutes, more like 30 seconds... so is that like problem solved? If so, what was wrong with my P.C.?
dvk01 (Moderator & Malware Removal Specialist), 29-Apr-2007, 06:34 PM #11
You had a trojan and there still might be more.

Please post a fresh HJT log.
kappley5001, 29-Apr-2007, 07:32 PM #12
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:31:45 PM, on 4/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\AntiVir PersonalEdition Classic\sched.exe
F:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\UPHClean\uphclean.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\QuickTime\qttask.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://F:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AbsoluteShield Track Eraser - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - F:\Program Files\SysShield Tools\Track Eraser\cseraser.exe (file missing) (HKCU)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download...reeInstall.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} (HS_live Control) - http://install.homestead.com/~site/I...ve/HS_live.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ndows-i586.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:F:\DOCUME~1\KYLEMC~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - AppInit_DLLs: \\?\F:\WINDOWS\system32\aux.nga
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - F:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - F:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - F:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - F:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - F:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver - HP - F:\WINDOWS\system32\HPHipm09.exe

--
End of file - 6377 bytes
dvk01 (Moderator & Malware Removal Specialist), 30-Apr-2007, 06:57 PM #13
I need to examine this before we go any further, so:

First, download the attached catchme.txt to your desktop.

Next, download catchme from
http://files.thespykiller.co.uk/catchme.exe to your desktop.

Double-click catchme.exe to run it and then press Add.
A window will open with a list of files; select the catchme.txt and press Open.
The files listed in it will appear in the catchme window.

Now press Zip to make a copy of any files, which will be backed up to catchme.zip on your desktop.

Now please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them.
Just press New Topic, fill in the needed details and give a link to your post here, then press the Browse button and navigate to and select the files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select etc., and then when all the files are listed in the window press Send to upload the files (do not post HJT logs there as they will not get dealt with).

Files to submit:
the catchme.zip from desktop
Attachment Blocked
kappley5001, 30-Apr-2007, 10:24 PM #14
dvk01 (Moderator & Malware Removal Specialist), 01-May-2007, 09:47 AM #15
Catchme never found the file we were looking for, so let's do this then.


Run HijackThis, put a tick in the box beside the entry listed below and ONLY this entry. Double-check to make sure, then make sure all browser and email windows are closed and press Fix Checked.

O20 - AppInit_DLLs: \\?\F:\WINDOWS\system32\aux.nga

Then reboot and:

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the quote box below including the " Files to delete:" line, to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote:
Files to delete:
F:\WINDOWS\system32\aux.nga

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.
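The fixes in posts #9 and #15 above remove entries from three persistence points that HijackThis reports as O2 (Browser Helper Objects), O20 (AppInit_DLLs / Winlogon Notify) and O16 (ActiveX downloads). The script below is an added triage example for readers of this thread; it is not a tool from any of the posters and not part of the original page. It parses HJT-style lines and applies structural heuristics only (where the DLL lives, how the control was sourced, how the AppInit path is written), not a verdict on any product. The sample lines are constructed from entries quoted in the thread; the qowdu1.dll BHO line is rebuilt from the WinPFind fix output with a "(no name)" label, which is this editor's assumption. One fact that matters for the aux.nga entry: "aux" is a reserved DOS device name, so a file whose stem is "aux" cannot be opened through a normal Win32 path and needs the \\?\ prefix that appears in the O20 line; the thread does not say whether that is why catchme could not collect the file, so the script only reports the condition.

```python
"""Triage HijackThis-style log lines for the persistence points discussed in
this thread (O2 BHOs, O16 ActiveX downloads, O20 AppInit_DLLs).

Added example, not a tool from the thread.  Heuristics and the sample lines
below are this editor's construction.
"""
import ntpath
import re

# Win32 treats a file whose stem is one of these as a device regardless of
# extension ("aux.nga" -> "aux"), so ordinary tools cannot open or delete it
# without the extended-length \\?\ prefix.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Constructed sample: entries quoted in the thread; the qowdu1.dll BHO line is
# rebuilt from the WinPFind output and its "(no name)" label is an assumption.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {20BAD863-5E51-121E-CA75-BF9C03649BCE} - F:\WINDOWS\qowdu1.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:F:\DOCUME~1\KYLEMC~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - AppInit_DLLs: \\?\F:\WINDOWS\system32\aux.nga
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
BHO_BODY = re.compile(
    r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
EXTENDED_PREFIX = "\\\\?\\"  # the four characters  \\?\


def strip_extended_prefix(path: str) -> str:
    """Drop the \\?\ prefix so ntpath helpers see a plain drive path."""
    return path[len(EXTENDED_PREFIX):] if path.startswith(EXTENDED_PREFIX) else path


def is_reserved_device_name(path: str) -> bool:
    """True if the file's stem (text before the first dot) is a DOS device name."""
    stem = ntpath.basename(strip_extended_prefix(path)).split(".")[0]
    return stem.upper() in RESERVED_DEVICE_NAMES


def in_windows_root(path: str) -> bool:
    """True if the file sits directly in the WINDOWS directory, not a subfolder."""
    parent = ntpath.basename(ntpath.dirname(strip_extended_prefix(path)))
    return parent.upper() == "WINDOWS"


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (kind, reason, target) for every line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")

        if kind == "O2":
            b = BHO_BODY.match(body)
            if b and in_windows_root(b.group("path")):
                findings.append((kind, "BHO DLL sits directly in the Windows directory", b.group("path")))
            if b and b.group("name") == "(no name)":
                findings.append((kind, "BHO registered without a friendly name", b.group("path")))

        elif kind == "O16" and body.startswith("DPF:"):
            # The source is the last " - " separated field; a CAB served from a
            # local CHM (mk:@MSITStore:) instead of a web server is worth a look.
            source = body.rsplit(" - ", 1)[-1]
            if not source.lower().startswith(("http://", "https://")):
                findings.append((kind, "ActiveX control sourced from a non-HTTP location", source))

        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is comma separated; any entry loads into every
            # process that maps user32.dll, so each one is reported.
            for path in (p.strip() for p in body[len("AppInit_DLLs:"):].split(",")):
                if not path:
                    continue
                reasons = ["AppInit_DLLs entry loads into every process that maps user32.dll"]
                if path.startswith(EXTENDED_PREFIX):
                    reasons.append("extended-length \\\\?\\ prefix bypasses Win32 path normalisation")
                if is_reserved_device_name(path):
                    reasons.append("file stem is a reserved DOS device name; plain Win32 tools cannot open or delete it")
                if not path.lower().endswith(".dll"):
                    reasons.append("loaded as a DLL despite a non-.dll extension")
                findings.append((kind, "; ".join(reasons), path))
    return findings


if __name__ == "__main__":
    for kind, reason, target in triage(SAMPLE_LOG):
        print(f"{kind}: {target}\n    {reason}")
```

Run it on a pasted HJT log by replacing SAMPLE_LOG; entries that trip a heuristic still need the usual confirmation (file hash, signer, vendor) before removal, which is what the moderator's catchme step was collecting.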