pick a virus any virus

I use Windows XP; all service packs are installed and up to date.

any help is appreciated

OK, to the best of my knowledge I received a virus by downloading what I was told was a safe file.

My virus chest holds about 5 things which I will list in a moment. I did cleanup and meanwhile kept getting a popup from avast saying adware was detected (Win32:Adware-gen. [Adw]) and I kept hitting move to virus chest and I would get a pop-up saying:

avast: the process cannot access the file because it is being used by another process

cannot process "C:\documents and settings\sandy\local settings\temporary internet files\content.IE5\4hobgrkz\winantiviruspro2006freeinstall[1].exe" file

So anyhow I ran cleanup and it had about 50 things that it said could not be deleted because they were in use; now mind you, nothing but cleanup and avast were running. When it was done I restarted and did cleanup again with the same results, many couldn't be deleted.

Anytime I open Internet Explorer about 3 more open with the crap about "you have a virus, click here to scan", a TV/music site and many more pop-ups.

Also, here is what's in my virus chest at the moment.

win32:vbstat-c[trj]

win32:nurech-aj[trj]

2 of this:
win32:purityscan-af[trj]

Now what??? What do I do with the ones already in my virus chest and how do I remove what else is obviously still on my PC? Thanks in advance.

Spybot - Search & Destroy should have held this infection since 22.12.2006.
It's a rogue antispyware program that can also be removed by Rogue Remover (www.malwarebytes.org/rogueremover.php).

It would be good to download, install, update and run other trojan remover tools: a-squared and/or Free AVG Antispyware (trojan removers). Some users recommend SUPERantispyware or Spyware Terminator.

Well, whoever told you this winantiviruspro2006freeinstall[1].exe file was safe really did you a disservice, as it really isn't: it is a rogue program, as Tech mentions. There is also another, winantiviruspro2007.exe, which is the same thing.

Should a file be in use (in the future) then you could enable a boot-time scan. Right-click the avast icon, select Start avast! Antivirus, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php

OK, well, I downloaded and installed the RogueRemover Pro thing, opened it and hit scan; it found nothing. Unsure if I did it right, as I've never used the software before. Scan just seemed obvious.

Next I downloaded the AVG anti-virus free trial and did the full scan. That found 10 adware things and deleted them, and well, I restarted and still have pop-ups everywhere.

What next?
Am I just supposed to leave them in the avast virus chest or delete them from there?
What is the boot scan you are talking about? And should I try that now?

Thanks, guys, for all the help.

Download and run

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and pressing "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch it from there.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc…processutil.htm

Post that and a HijackThis log, and we will get you cleaned up.

1. Save HJTsetup.exe to your desktop.
2. Double-click on the HJTsetup.exe icon on your desktop.
3. By default it will install to C:\Program Files\Hijack This.
4. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
5. Put a check by Create a desktop icon, then click Next again.
6. Continue to follow the rest of the prompts from there.
7. At the final dialogue box click Finish and it will launch Hijack This.
8. Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in Notepad.
9. Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.
10. Come back here to this thread and paste the log in your next reply.
11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

You have done the right thing: 'first do no harm'. Don't delete; send the virus to the chest and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

Welcome to the forums.

OK, here's what the first SmitfraudFix run gave me:

SmitFraudFix v2.190

Scan done at 15:30:04.67, Fri 06/01/2007
Run from C:\Documents and Settings\Sandy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
C:\PROGRA~1\LEXMAR~2\LXBRKsk.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\tezchiby.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\RogueRemover PRO\RogueRemoverPRO.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sandy

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sandy\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Sandy\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
“AppInit_DLLs”=“”

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“System”=“”

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32-xpdt

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce MCP Networking Adapter - Packet Scheduler Miniport
DNS Server Search Order: 68.105.28.11
DNS Server Search Order: 68.105.29.11
DNS Server Search Order: 68.105.28.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C5AD0941-AB5D-49B0-A11B-D57B2818B0A0}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C5AD0941-AB5D-49B0-A11B-D57B2818B0A0}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C5AD0941-AB5D-49B0-A11B-D57B2818B0A0}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

And the second one gave me this (sorry, I had to post it in two replies; it was too big):

Logfile of HijackThis v1.99.1
Scan saved at 3:38:39 PM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
C:\PROGRA~1\LEXMAR~2\LXBRKsk.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\tezchiby.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\RogueRemover PRO\RogueRemoverPRO.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSP Notifier] C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~2\LXBRKsk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [tezchiby.exe] C:\Documents and Settings\All Users\Application Data\tezchiby.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\bwrhlste.dll",realset
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\yahoomessenger.exe" -quiet
O4 - HKCU\..\Run: [RogueMonitor] C:\Program Files\RogueRemover PRO\RogueRemoverPRO.exe /monitor
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Download5000 Toolbar - {9D931726-DFBC-480e-851A-20C397E1A2C8} - (no file)
O9 - Extra 'Tools' menuitem: Download5000 Toolbar - {9D931726-DFBC-480e-851A-20C397E1A2C8} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {676620E4-8A81-4B34-AB6F-18DD16EF59BF} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://download.games.yahoo.com/games/web_games/playfirst/trijinx/TriJinx.1.0.0.55.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Hi there plsgoawaynow, when you paste a HJT file could you please ensure that Word Wrap is not selected in Notepad. Ta.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [tezchiby.exe] C:\Documents and Settings\All Users\Application Data\tezchiby.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\bwrhlste.dll",realset
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\All Users\Application Data\tezchiby.exe
C:\WINDOWS\system32\bwrhlste.dll

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

1. Close ALL OTHER PROGRAMS.
2. Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
3. Now click the Run Scan button on the toolbar.
4. Let it run unhindered until it finishes.
5. When the scan is complete Notepad will open with the report file loaded in it.
6. Click the Format menu and make sure that Word Wrap is not checked. If it is, then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
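The entries the helper picked out by hand above (an autostart running from All Users\Application Data, and a rundll32 Run value loading a random-named DLL through a "realset" export) follow a pattern that can be checked mechanically, and the same pattern is what to look for when a follow-up log shows the names have changed. The script below is an added example, not part of this thread and not avast, HijackThis, OTMoveIt or WinPFind3u code: it parses HijackThis O2/O3/O4/O20 lines, flags autostarts that run from a user profile directory, rundll32 entries that load a random-looking DLL via an export, nameless BHOs, and Winlogon Notify DLLs outside an allowlist, then diffs two logs to show what appeared between scans. The sample logs are excerpts of the logs posted in this thread; the heuristics, the 7-9 lowercase-letter "random name" rule and the one-entry Winlogon Notify allowlist are assumptions of the example, not rules the thread states.

```python
"""Triage two HijackThis-style logs: flag persistence entries worth a second
look and list what appeared between scans.

Added example; heuristics, thresholds and the Winlogon Notify allowlist are
this example's own assumptions. Sample lines are excerpts of the thread's logs.
"""
import re
from typing import List, NamedTuple

MISSING = " (file missing)"


class Entry(NamedTuple):
    kind: str    # HijackThis section code: O2, O3, O4, O20, ...
    label: str   # friendly name, or the Run value name for O4
    target: str  # file path, command line or CLSID target


class Finding(NamedTuple):
    entry: Entry
    file: str    # lower-cased basename the finding is about
    reason: str


LINE_RE = re.compile(r"^(O\d+|R\d+) - (.*)$")
RUN_RE = re.compile(r"^.*?: \[([^\]]*)\]\s*(.*)$")          # HKLM\..\Run: [name] command
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.I)
RANDOM_NAME = re.compile(r"^[a-z]{7,9}$")                   # assumption: 7-9 lowercase letters
PROFILE_DIR = re.compile(r"\\documents and settings\\", re.I)
KNOWN_NOTIFY_DLLS = {"wgalogon.dll"}                       # assumption: tiny allowlist


def basename(path: str) -> str:
    """Lower-cased file name with quotes and the '(file missing)' suffix removed."""
    path = path.strip('" ')
    if path.endswith(MISSING):
        path = path[: -len(MISSING)]
    return path.rsplit("\\", 1)[-1].lower()


def parse_hjt(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.groups()
        run = RUN_RE.match(rest) if kind == "O4" else None
        if run:
            entries.append(Entry(kind, run.group(1), run.group(2)))
            continue
        parts = rest.split(" - ")            # "BHO: name - {CLSID} - path"
        label = parts[0].split(": ", 1)[-1]
        entries.append(Entry(kind, label, parts[-1] if len(parts) > 1 else ""))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    findings = []
    for e in entries:
        if e.kind == "O4":
            m = RUNDLL_RE.search(e.target)
            if m:  # only rundll32 lines that name a .dll; "NvQTwk,NvCplDaemon" does not match
                dll = basename(m.group(1))
                if RANDOM_NAME.match(dll.rsplit(".", 1)[0]):
                    findings.append(Finding(e, dll, f"rundll32 loads random-looking DLL via export '{m.group(2)}'"))
            elif PROFILE_DIR.search(e.target):
                findings.append(Finding(e, basename(e.target), "autostart from a user profile directory, not Program Files"))
        elif e.kind == "O2" and e.label == "(no name)":
            state = "orphaned, file gone" if e.target.endswith(MISSING) else "file present"
            findings.append(Finding(e, basename(e.target), f"BHO registered without a name ({state})"))
        elif e.kind == "O20" and basename(e.target) not in KNOWN_NOTIFY_DLLS:
            findings.append(Finding(e, basename(e.target), "Winlogon Notify DLL not on allowlist"))
    return findings


def new_since(old: List[Entry], new: List[Entry]) -> List[Entry]:
    """Entries present in the later log but not in the earlier one."""
    seen = {(e.kind, e.label.lower(), e.target.lower()) for e in old}
    return [e for e in new if (e.kind, e.label.lower(), e.target.lower()) not in seen]


# Excerpts of the two logs posted in the thread (6/1 and 6/3 scans).
LOG_JUNE1 = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [tezchiby.exe] C:\Documents and Settings\All Users\Application Data\tezchiby.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\bwrhlste.dll",realset
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
"""
LOG_JUNE3 = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {6E8654CB-6D55-41ED-A1ED-880DFC46EF40} - C:\WINDOWS\system32\ssqpn.dll (file missing)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\yargjoli.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [tezchiby.exe] C:\Documents and Settings\All Users\Application Data\tezchiby.exe
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\klvrpjnv.dll",realset
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\SYSTEM32\winhdn32.dll
"""

if __name__ == "__main__":
    first, second = parse_hjt(LOG_JUNE1), parse_hjt(LOG_JUNE3)
    for f in triage(second):
        print(f"{f.entry.kind:<4}{f.file:<14}{f.reason}")
    print("new since first scan:")
    for e in new_since(first, second):
        print(f"  {e.kind} [{e.label}] {e.target}")
```

Run as a script it reports five entries from the second excerpt (ssqpn.dll, yargjoli.dll, tezchiby.exe, klvrpjnv.dll, winhdn32.dll) and six entries that were not in the first; carpserv.exe, which also has a short lowercase name, is not flagged because it neither runs from a profile directory nor is loaded through rundll32, which is why the random-name rule is only applied inside the rundll32 check. The diff is the more telling output here: the Run value went from [setup] with bwrhlste.dll to [Genuine] with klvrpjnv.dll while keeping the same realset export, which is what self-renaming persistence looks like across two consecutive logs, and it is a reason to look at the O2 and O20 entries that appeared alongside it rather than fixing Run keys one at a time.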

This did not end in "End of Report" when Notepad opened with the report log…

Logfile of HijackThis v1.99.1
Scan saved at 7:54:09 AM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
C:\PROGRA~1\LEXMAR~2\LXBRKsk.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\tezchiby.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\notepad.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6E8654CB-6D55-41ED-A1ED-880DFC46EF40} - C:\WINDOWS\system32\ssqpn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {B71FA585-B351-4E48-8DA8-22F6F705EC73} - C:\WINDOWS\system32\qomlmmk.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\yargjoli.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSP Notifier] C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~2\LXBRKsk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [tezchiby.exe] C:\Documents and Settings\All Users\Application Data\tezchiby.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\klvrpjnv.dll",realset
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

The rest of it:

O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\yahoomessenger.exe" -quiet
O4 - HKCU\..\Run: [RogueMonitor] C:\Program Files\RogueRemover PRO\RogueRemoverPRO.exe /monitor
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Download5000 Toolbar - {9D931726-DFBC-480e-851A-20C397E1A2C8} - (no file)
O9 - Extra 'Tools' menuitem: Download5000 Toolbar - {9D931726-DFBC-480e-851A-20C397E1A2C8} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {676620E4-8A81-4B34-AB6F-18DD16EF59BF} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://download.games.yahoo.com/games/web_games/playfirst/trijinx/TriJinx.1.0.0.55.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\SYSTEM32\winhdn32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

OTMoveIt results file

C:\Documents and Settings\All Users\Application Data\tezchiby.exe moved successfully.
File/Folder C:\WINDOWS\system32\bwrhlste.dll not found.

Created on 06/03/2007 07:59:57

WinPFind3 logfile created on: 6/3/2007 8:02:09 AM
WinPFind3U by OldTimer - Version 1.0.38     Folder = C:\Documents and Settings\Sandy\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

223.39 Mb Total Physical Memory | 42.04 Mb Available Physical Memory | 18.82% Memory free
546.69 Mb Paging File | 285.86 Mb Available in Paging File | 52.29% Paging File free
Paging file location(s): C:\pagefile.sys 336 672;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 25.26 Gb Free Space | 67.78% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: CPQ28805304410
Current User Name: Sandy
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - Non-Microsoft Only]
acmonitor_x83.exe → %ProgramFiles%\LexmarkX83\ACMonitor_X83.exe → Jetsoft Development Company [Ver = 1, 0, 0, 1 | Size = 40960 bytes | Modified Date = 10/18/2001 11:25:20 AM | Attr = ]
ashdisp.exe → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 10:42:48 AM | Attr = ]
ashserv.exe → %ProgramFiles%\Alwil Software\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 10:42:40 AM | Attr = ]
aswupdsv.exe → %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 10:29:56 AM | Attr = ]
bttnserv.exe → %ProgramFiles%\COMPAQ\Easy Access Button Support\BttnServ.exe → Compaq Computer Corporation [Ver = 6.00.448 | Size = 122880 bytes | Modified Date = 3/23/2001 2:34:10 PM | Attr = ]
carpserv.exe → %System32%\carpserv.exe → Conexant Systems [Ver = 4.06.10.00 | Size = 4608 bytes | Modified Date = 1/2/2002 9:06:28 PM | Attr = ]
cpqeadm.exe → %ProgramFiles%\COMPAQ\Easy Access Button Support\CPQEADM.exe → Compaq Computer Corporation [Ver = 8.0.0.404 | Size = 446464 bytes | Modified Date = 2/8/2002 7:35:16 PM | Attr = ]
eausbkbd.exe → %SystemDrive%\COMPAQ\EAKDRV\EAUSBKBD.EXE → Compaq [Ver = 6, 0, 0, 445 | Size = 90112 bytes | Modified Date = 11/27/2001 8:38:52 PM | Attr = ]
googletoolbarnotifier.exe → %ProgramFiles%\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe → Google Inc. [Ver = 1, 2, 1128, 5462 | Size = 171448 bytes | Modified Date = 2/6/2007 5:06:10 PM | Attr = ]
guard.exe → %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe → Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 9/28/2006 9:13:20 AM | Attr = ]
jucheck.exe → %ProgramFiles%\Java\jre1.5.0_09\bin\jucheck.exe → Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 241775 bytes | Modified Date = 10/12/2006 4:10:54 AM | Attr = ]
jusched.exe → %ProgramFiles%\Java\jre1.5.0_09\bin\jusched.exe → Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 49263 bytes | Modified Date = 10/12/2006 4:10:54 AM | Attr = ]
kodakccs.exe → %System32%\drivers\KodakCCS.exe → Eastman Kodak Company [Ver = 1.1.5100.4 | Size = 322104 bytes | Modified Date = 5/24/2004 3:35:52 PM | Attr = ]
lexbces.exe → %System32%\LEXBCES.EXE → Lexmark International, Inc. [Ver = 9.35 | Size = 307200 bytes | Modified Date = 8/29/2003 8:54:16 AM | Attr = ]
lexpps.exe → %System32%\LEXPPS.EXE → Lexmark International, Inc. [Ver = 9.35 | Size = 174592 bytes | Modified Date = 8/29/2003 8:50:24 AM | Attr = ]
lxbrksk.exe → %ProgramFiles%\Lexmark 3100 Series\lxbrksk.exe → [Ver = 3.37 | Size = 294912 bytes | Modified Date = 6/13/2003 9:57:18 AM | Attr = ]
mssysmgr.exe → %ProgramFiles%\Simple Star\PhotoShow 4\data\Xtras\mssysmgr.exe → Simple Star, Inc. [Ver = 4.5.0.0 | Size = 233472 bytes | Modified Date = 1/13/2006 4:22:20 PM | Attr = ]
nvsvc32.exe → %System32%\nvsvc32.exe → NVIDIA Corporation [Ver = 6.13.10.2312 | Size = 57344 bytes | Modified Date = 12/11/2001 12:57:00 AM | Attr = ]
realplay.exe → %ProgramFiles%\Real\RealPlayer\realplay.exe → RealNetworks, Inc. [Ver = 6.0.9.584 | Size = 26112 bytes | Modified Date = 2/6/2005 12:31:58 AM | Attr = ]
smtray.exe → %ProgramFiles%\Analog Devices\SoundMAX\SMTray.exe → Analog Devices [Ver = 1, 0, 3037, 0 | Size = 69632 bytes | Modified Date = 10/12/2001 6:45:06 PM | Attr = ]
sspnotifier.exe → %ProgramFiles%\Fisher-Price\FP3 Player\sspnotifier.exe → Fisher-Price, Inc. [Ver = 1.1.0.9 | Size = 20480 bytes | Modified Date = 7/12/2006 12:44:02 PM | Attr = ]
starteak.exe → %ProgramFiles%\COMPAQ\Easy Access Button Support\STARTEAK.exe → Compaq Computer Corporation [Ver = 8, 0, 0, 330 | Size = 32768 bytes | Modified Date = 12/14/2001 5:01:24 PM | Attr = ]
winpfind3u.exe → %UserDesktop%\WinPFind3u\WinPFind3U.exe → OldTimer Tools [Ver = 1.0.38.0 | Size = 318976 bytes | Modified Date = 5/22/2007 6:27:40 PM | Attr = ]
wkcalrem.exe → %CommonProgramFiles%\Microsoft Shared\Works Shared\WkCalRem.exe → Microsoft® Corporation [Ver = 6.00.1828.1 | Size = 24633 bytes | Modified Date = 7/13/2000 3:00:00 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 10:29:56 AM | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 10:42:40 AM | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Stopped] → %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 11:04:38 AM | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Stopped] → %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 10:41:28 AM | Attr = ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] → %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe → Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 9/28/2006 9:13:20 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] → %System32%\dmadmin.exe → Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 2:56:48 AM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] → %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe → Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 2/6/2007 5:06:02 PM | Attr = ]
(KodakCCS) Kodak Camera Connection Software [Win32_Own | Auto | Running] → %System32%\drivers\KodakCCS.exe → Eastman Kodak Company [Ver = 1.1.5100.4 | Size = 322104 bytes | Modified Date = 5/24/2004 3:35:52 PM | Attr = ]
(LexBceS) LexBce Server [Win32_Own | Auto | Running] → %System32%\LEXBCES.EXE → Lexmark International, Inc. [Ver = 9.35 | Size = 307200 bytes | Modified Date = 8/29/2003 8:54:16 AM | Attr = ]
(McShield) McAfee Real-time Scanner [Win32_Own | Unknown | Stopped] → → File not found
(McSysmon) McAfee SystemGuards [Win32_Own | Auto | Stopped] → %SystemDrive%\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe → File not found
(NVSvc) NVIDIA Driver Helper Service [Win32_Own | Auto | Running] → %System32%\nvsvc32.exe → NVIDIA Corporation [Ver = 6.13.10.2312 | Size = 57344 bytes | Modified Date = 12/11/2001 12:57:00 AM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
!AVG Anti-Spyware → %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe → Anti-Malware Development a.s. [Ver = 7, 5, 0, 50 | Size = 6266880 bytes | Modified Date = 10/7/2006 7:20:00 AM | Attr = ]
AutoLogon → → File not found
avast! → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 10:42:48 AM | Attr = ]
CARPService → %System32%\carpserv.exe → Conexant Systems [Ver = 4.06.10.00 | Size = 4608 bytes | Modified Date = 1/2/2002 9:06:28 PM | Attr = ]
CPQEASYACC → %ProgramFiles%\COMPAQ\Easy Access Button Support\STARTEAK.exe → Compaq Computer Corporation [Ver = 8, 0, 0, 330 | Size = 32768 bytes | Modified Date = 12/14/2001 5:01:24 PM | Attr = ]
Genuine → %System32%\klvrpjnv.dll [rundll32.exe "C:\WINDOWS\system32\klvrpjnv.dll",realset] → [Ver = | Size = 131124 bytes | Modified Date = 6/1/2007 10:30:52 PM | Attr = ]
Lexmark 3100 Series → %ProgramFiles%\Lexmark 3100 Series\lxbrbmgr.exe → Lexmark International, Inc. [Ver = 0.1.1.1 | Size = 106496 bytes | Modified Date = 9/3/2003 9:33:54 PM | Attr = ]
Lexmark X83 Button Manager → %ProgramFiles%\LexmarkX83\AcBtnMgr_X83.exe → Jetsoft Development Company [Ver = 1, 0, 0, 1 | Size = 53248 bytes | Modified Date = 6/14/2001 1:42:26 PM | Attr = ]
Lexmark X83 Button Monitor -> %ProgramFiles%\LexmarkX83\ACMonitor_X83.exe -> Jetsoft Development Company [Ver = 1, 0, 0, 1 | Size = 40960 bytes | Modified Date = 10/18/2001 11:25:20 AM | Attr = ]
LXBRKsk -> %ProgramFiles%\Lexmark 3100 Series\lxbrksk.exe -> [Ver = 3.37 | Size = 294912 bytes | Modified Date = 6/13/2003 9:57:18 AM | Attr = ]
Microsoft Works Portfolio -> %ProgramFiles%\Microsoft Works\wkssb.exe -> Microsoft® Corporation [Ver = 6.00.1902.0 | Size = 311350 bytes | Modified Date = 7/13/2000 3:00:00 PM | Attr = ]
Microsoft Works Update Detection -> %ProgramFiles%\Microsoft Works\WkDetect.exe -> Microsoft® Corporation [Ver = 6.00.1828.1 | Size = 28739 bytes | Modified Date = 7/13/2000 3:00:00 PM | Attr = ]
PrinTray -> %System32%\spool\drivers\w32x86\3\printray.exe -> Lexmark [Ver = 1, 0, 0, 7 | Size = 36864 bytes | Modified Date = 6/26/2002 10:47:06 PM | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.5a38 | Size = 282624 bytes | Modified Date = 1/3/2007 1:28:26 AM | Attr = ]
RealTray -> %ProgramFiles%\Real\RealPlayer\realplay.exe -> RealNetworks, Inc. [Ver = 6.0.9.584 | Size = 26112 bytes | Modified Date = 2/6/2005 12:31:58 AM | Attr = ]
Smapp -> %ProgramFiles%\Analog Devices\SoundMAX\SMTray.exe -> Analog Devices [Ver = 1, 0, 3037, 0 | Size = 69632 bytes | Modified Date = 10/12/2001 6:45:06 PM | Attr = ]
srmclean -> %SystemDrive%\cpqs\scom\srmclean.exe -> [Ver = | Size = 36864 bytes | Modified Date = 7/24/2001 4:34:26 PM | Attr = ]
SSP Notifier -> %ProgramFiles%\Fisher-Price\FP3 Player\sspnotifier.exe -> Fisher-Price, Inc. [Ver = 1.1.0.9 | Size = 20480 bytes | Modified Date = 7/12/2006 12:44:02 PM | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.5.0_09\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 49263 bytes | Modified Date = 10/12/2006 4:10:54 AM | Attr = ]
UserFaultCheck -> -> File not found
WCOLOREAL -> %ProgramFiles%\COMPAQ\Coloreal\COLOREAL.EXE -> [Ver = | Size = 131072 bytes | Modified Date = 1/22/2002 7:46:46 PM | Attr = ]

< RunOnceEx [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
 -> -> File not found

< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RogueMonitor -> %ProgramFiles%\RogueRemover PRO\RogueRemoverPRO.exe -> Malwarebytes [Ver = 1.13 | Size = 495616 bytes | Modified Date = 5/12/2007 11:06:48 AM | Attr = ]
Simple Star PhotoShow Media Manager -> %ProgramFiles%\Simple Star\PhotoShow 4\data\Xtras\mssysmgr.exe -> Simple Star, Inc. [Ver = 4.5.0.0 | Size = 233472 bytes | Modified Date = 1/13/2006 4:22:20 PM | Attr = ]
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 1, 2, 1128, 5462 | Size = 171448 bytes | Modified Date = 2/6/2007 5:06:10 PM | Attr = ]
Yahoo! Pager -> %ProgramFiles%\Yahoo!\Messenger\yahoomessenger.exe -> Yahoo! Inc. [Ver = 7,5,0,819 | Size = 3334144 bytes | Modified Date = 6/16/2006 2:37:08 PM | Attr = ]

< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%AllUsersStartup%\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Reader 8.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 40048 bytes | Modified Date = 10/23/2006 2:48:20 AM | Attr = ]
%AllUsersStartup%\Adobe Reader Synchronizer.lnk -> %ProgramFiles%\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe -> [Ver = 8.0.0.0 | Size = 734872 bytes | Modified Date = 10/23/2006 1:01:50 AM | Attr = ]
%AllUsersStartup%\Kodak EasyShare software.lnk -> %ProgramFiles%\Kodak\Kodak EasyShare software\bin\EasyShare.exe -> Eastman Kodak Company [Ver = 5, 0, 4, 128 | Size = 757760 bytes | Modified Date = 8/11/2004 1:22:40 AM | Attr = ]
%AllUsersStartup%\Kodak software updater.lnk -> %ProgramFiles%\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe -> [Ver = | Size = 16423 bytes | Modified Date = 2/13/2004 5:12:08 PM | Attr = ]
%AllUsersStartup%\Microsoft Works Calendar Reminders.lnk -> %CommonProgramFiles%\Microsoft Shared\Works Shared\WkCalRem.exe -> Microsoft® Corporation [Ver = 6.00.1828.1 | Size = 24633 bytes | Modified Date = 7/13/2000 3:00:00 PM | Attr = ]

< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 73728 bytes | Modified Date = 9/28/2006 9:13:28 AM | Attr = ]
{B71FA585-B351-4E48-8DA8-22F6F705EC73} [HKLM] -> %System32%\qomlmmk.dll [] -> File not found

< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders

< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
winhdn32 -> %System32%\winhdn32.dll -> [Ver = | Size = 18944 bytes | Modified Date = 5/31/2007 10:16:02 PM | Attr = ]

< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->

< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->

< HOSTS File > (78268 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts

< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: Local Page -> C:\windows\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://www.google.com/ie ->
HKCU: Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Local Page -> C:\windows\system32\blank.htm ->
HKCU: Search Bar -> http://www.google.com/ie ->
HKCU: Search Page -> http://www.google.com ->
HKCU: Start Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn0\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2006, 6, 6, 1 | Size = 439872 bytes | Modified Date = 6/6/2006 9:28:44 AM | Attr = ]
HKCU: ProxyEnable -> 0 ->

< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn0\yt.dll [Yahoo! Toolbar Helper] -> Yahoo! Inc. [Ver = 2006, 6, 6, 1 | Size = 439872 bytes | Modified Date = 6/6/2006 9:28:44 AM | Attr = ]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/23/2006 12:08:42 AM | Attr = ]
{6E8654CB-6D55-41ED-A1ED-880DFC46EF40} [HKLM] -> %System32%\ssqpn.dll [Reg Data - Value does not exist] -> File not found
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_09\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 434279 bytes | Modified Date = 10/12/2006 4:25:44 AM | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar4.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/20/2007 12:55:32 AM | Attr = R ]
{B71FA585-B351-4E48-8DA8-22F6F705EC73} [HKLM] -> %System32%\qomlmmk.dll [Reg Data - Value does not exist] -> File not found
{CD3447D4-CA39-4377-8084-30E86331D74C} [HKLM] -> %System32%\yargjoli.dll [Reg Data - Value does not exist] -> [Ver = | Size = 50740 bytes | Modified Date = 5/31/2007 10:26:38 PM | Attr = ]

< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found

< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found

< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
{0BF43445-2F28-4351-9252-17FE6E806AA0} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar4.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/20/2007 12:55:32 AM | Attr = R ]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn0\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2006, 6, 6, 1 | Size = 439872 bytes | Modified Date = 6/6/2006 9:28:44 AM | Attr = ]

< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar4.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/20/2007 12:55:32 AM | Attr = R ]
WebBrowser\\{40D41A8B-D79B-43D7-99A7-9EE0F344C385} [HKLM] -> %ProgramFiles%\AIM Toolbar\AIMBar.dll [AIM Search] -> America Online, Inc [Ver = 2004.00.003 | Size = 172032 bytes | Modified Date = 4/4/2005 10:55:00 PM | Attr = ]
WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{A8FB8EB3-183B-4598-924D-86F0E5E37085} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn0\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2006, 6, 6, 1 | Size = 439872 bytes | Modified Date = 6/6/2006 9:28:44 AM | Attr = ]

< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_09\bin\npjpi150_09.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 69746 bytes | Modified Date = 10/12/2006 4:25:44 AM | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.5.0_09\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 434279 bytes | Modified Date = 10/12/2006 4:25:44 AM | Attr = ]
{85d1f590-48f4-11d9-9669-0800200c9a66} [HKLM] -> Reg Data - Key not found [MenuText: Uninstall BitDefender Online Scanner v8] -> File not found
{9D931726-DFBC-480e-851A-20C397E1A2C8} -> Reg Data - Value does not exist [ButtonText: Download5000 Toolbar] -> File not found
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -> Reg Data - Value does not exist [ButtonText: Real.com] -> File not found
{E023F504-0C5A-4750-A1E7-A9046DEA8A21} -> Reg Data - Value does not exist [ButtonText: MoneySide] -> File not found
CmdMapping [HKLM] -> Reg Data - Key not found [MenuText: Reg Data - Value does not exist] -> File not found

< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
&AIM Search -> %ProgramFiles%\AIM Toolbar\AIMBar.dll\aimsearch.htm -> File not found
&AOL Toolbar search -> %ProgramFiles%\AOL Toolbar\toolbar.dll\SEARCH.HTM -> File not found

< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
SV1 -> ->

< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{291D419C-7258-4EE9-B944-BF8C64C24B9B} -> () ->
{C5AD0941-AB5D-49B0-A11B-D57B2818B0A0} -> (NVIDIA nForce MCP Networking Adapter) ->

< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found

< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{02BCC737-B171-4746-94C9-0D8A0B2C0089} -> Microsoft Office Template and Media Control - CodeBase = http://office.microsoft.com/templates/ieawsdc.cab ->
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -> QuickTime Object - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab ->
{166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab ->
{17492023-C23A-453E-A040-C7C580BBF700} -> Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204 ->
{1F2F4C9E-6F09-47BC-970D-3C54734667FE} -> LSSupCtl Class - CodeBase = http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab ->
{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} -> - CodeBase = http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab ->
{2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} -> CPlayFirstTriJinxControl Object - CodeBase = http://download.games.yahoo.com/games/web_games/playfirst/trijinx/TriJinx.1.0.0.55.cab ->
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -> YInstStarter Class - CodeBase = C:\Program Files\Yahoo!\Common\yinsthelper.dll ->
{3451DEDE-631F-421C-8127-FD793AFC6CC8} -> ActiveDataInfo Class - CodeBase = http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab ->
{406B5949-7190-4245-91A9-30A17DE16AD0} -> Snapfish Activia - CodeBase = http://photos.walmart.com/WalmartActivia.cab ->
{44990200-3C9D-426D-81DF-AAB636FA4345} -> Symantec SmartIssue - CodeBase = http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab ->
{44990301-3C9D-426D-81DF-AAB636FA4345} -> Symantec Script Runner Class - CodeBase = http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab ->
{4B48D5DF-9021-45F7-A240-60304302A215} -> Malicious Software Removal Tool - CodeBase = http://download.microsoft.com/download/5/c/2/5c2fc4b7-3875-4eec-946b-ffe15472cabc/WebCleaner.cab ->
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} -> MSN Photo Upload Tool - CodeBase = http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab ->
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -> BDSCANONLINE Control - CodeBase = http://download.bitdefender.com/resources/scan8/oscan8.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab ->
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -> MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab ->
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -> ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab ->
{A8683C98-5341-421B-B23C-8514C05354F1} -> FujifilmUploader Class - CodeBase = http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab ->
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -> MsnMessengerSetupDownloadControl Class - CodeBase = http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab ->
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->
{D4323BF2-006A-4440-A2F5-27E3E7AB25F8} -> Virtools WebPlayer Class - CodeBase = http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe ->
{D54160C3-DB7B-4534-9B65-190EE4A9C7F7} -> SproutLauncherCtrl Class - CodeBase = http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab ->
{F6BF0D00-0B2A-4A75-BF7B-F385591623AF} -> Solitaire Showdown Class - CodeBase = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab ->
Microsoft XML Parser for Java -> - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab ->

[Files/Folders - Created Within 30 days]
hiberfil.sys → %SystemDrive%\hiberfil.sys → [Ver = | Size = 234315776 bytes | Created Date = 1/1/1601 6:00:00 AM | Attr = HS]
VundoFix Backups → %SystemDrive%\VundoFix Backups → [Folder | Created Date = 6/1/2007 10:09:44 PM | Attr = ]
_OTMoveIt → %SystemDrive%\_OTMoveIt → [Folder | Created Date = 6/3/2007 6:59:57 AM | Attr = ]
$NtUninstallKB927891$ → %SystemRoot%\$NtUninstallKB927891$ → [Folder | Created Date = 5/23/2007 12:48:39 AM | Attr = H ]
$NtUninstallKB930916$ → %SystemRoot%\$NtUninstallKB930916$ → [Folder | Created Date = 5/9/2007 9:41:51 PM | Attr = H ]
$NtUninstallKB931768$ → %SystemRoot%\$NtUninstallKB931768$ → [Folder | Created Date = 5/9/2007 9:42:47 PM | Attr = H ]
Lexmark_ICM.ini → %SystemRoot%\Lexmark_ICM.ini → [Ver = | Size = 821 bytes | Created Date = 2/24/2100 2:15:04 PM | Attr = ]
Xenofex.ini → %SystemRoot%\Xenofex.ini → [Ver = | Size = 296448 bytes | Created Date = 5/31/2007 9:18:57 PM | Attr = ]
ActiveScan → %System32%\ActiveScan → [Folder | Created Date = 6/1/2007 9:23:53 PM | Attr = ]
asuninst.exe → %System32%\asuninst.exe → Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Created Date = 6/1/2007 9:25:16 PM | Attr = ]
dumphive.exe → %System32%\dumphive.exe → [Ver = | Size = 51200 bytes | Created Date = 6/1/2007 6:58:52 PM | Attr = ]
Help.ico → %System32%\Help.ico → [Ver = | Size = 1406 bytes | Created Date = 6/1/2007 9:24:10 PM | Attr = ]
klvrpjnv.dll → %System32%\klvrpjnv.dll → [Ver = | Size = 131124 bytes | Created Date = 6/1/2007 9:30:48 PM | Attr = ]
LXASUSCI.INI → %System32%\LXASUSCI.INI → [Ver = | Size = 62 bytes | Created Date = 2/16/2100 4:09:06 PM | Attr = ]
pavas.ico → %System32%\pavas.ico → [Ver = | Size = 30590 bytes | Created Date = 6/1/2007 9:24:08 PM | Attr = ]
Process.exe → %System32%\Process.exe → http://www.beyondlogic.org [Ver = 2, 0, 0, 0 | Size = 53248 bytes | Created Date = 6/1/2007 6:58:52 PM | Attr = ]
SrchSTS.exe → %System32%\SrchSTS.exe → S!Ri [Ver = | Size = 288417 bytes | Created Date = 6/1/2007 6:58:52 PM | Attr = ]
swreg.exe → %System32%\swreg.exe → SteelWerX [Ver = 2.0.1.0 | Size = 135168 bytes | Created Date = 6/1/2007 6:58:52 PM | Attr = ]
swsc.exe → %System32%\swsc.exe → [Ver = | Size = 40960 bytes | Created Date = 6/1/2007 6:58:52 PM | Attr = ]
swxcacls.exe → %System32%\swxcacls.exe → SteelWerX [Ver = 1.0.1.1 | Size = 79360 bytes | Created Date = 6/1/2007 6:58:52 PM | Attr = ]
ttdhmkhq.exe → %System32%\ttdhmkhq.exe → [Ver = | Size = 2580 bytes | Created Date = 6/1/2007 9:27:45 PM | Attr = ]
Uninstall.ico → %System32%\Uninstall.ico → [Ver = | Size = 2550 bytes | Created Date = 6/1/2007 9:24:11 PM | Attr = ]
vnjprvlk.ini → %System32%\vnjprvlk.ini → [Ver = | Size = 1101713 bytes | Created Date = 6/1/2007 9:30:57 PM | Attr = HS]
winhdn32.dll → %System32%\winhdn32.dll → [Ver = | Size = 18944 bytes | Created Date = 5/31/2007 9:16:00 PM | Attr = ]
yargjoli.dll → %System32%\yargjoli.dll → [Ver = | Size = 50740 bytes | Created Date = 5/31/2007 9:26:36 PM | Attr = ]
ZPORT4AS.dll → %System32%\ZPORT4AS.dll → [Ver = | Size = 11776 bytes | Created Date = 6/1/2007 9:25:16 PM | Attr = ]
AvgAsCln.sys → %System32%\drivers\AvgAsCln.sys → GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 6/1/2007 8:21:58 AM | Attr = ]

[Files/Folders - Modified Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 234315776 bytes | Modified Date = 6/2/2007 6:38:46 PM | Attr = HS]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 6/1/2007 10:58:40 PM | Attr = ]
System Volume Information -> %SystemDrive%\System Volume Information -> [Folder | Modified Date = 6/2/2007 12:11:34 AM | Attr = HS]
Temp -> %SystemDrive%\Temp -> [Folder | Modified Date = 5/30/2007 2:39:24 AM | Attr = ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Modified Date = 6/1/2007 11:09:46 PM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 6/2/2007 7:47:52 PM | Attr = ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Modified Date = 6/3/2007 7:59:58 AM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 5/23/2007 1:48:04 AM | Attr = H ]
$NtUninstallKB927891$ -> %SystemRoot%\$NtUninstallKB927891$ -> [Folder | Modified Date = 5/23/2007 1:48:40 AM | Attr = H ]
$NtUninstallKB930916$ -> %SystemRoot%\$NtUninstallKB930916$ -> [Folder | Modified Date = 5/9/2007 10:41:54 PM | Attr = H ]
$NtUninstallKB931768$ -> %SystemRoot%\$NtUninstallKB931768$ -> [Folder | Modified Date = 5/9/2007 10:43:00 PM | Attr = H ]
ACMonitor_X83.ini -> %SystemRoot%\ACMonitor_X83.ini -> [Ver = | Size = 20 bytes | Modified Date = 6/2/2007 7:47:28 PM | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 6/2/2007 6:38:46 PM | Attr = S]
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 5/9/2007 10:37:42 PM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 6/3/2007 7:57:16 AM | Attr = S]
EyeCand3.INI -> %SystemRoot%\EyeCand3.INI -> [Ver = | Size = 373248 bytes | Modified Date = 5/31/2007 9:23:34 PM | Attr = ]
FLASHKSK.INI -> %SystemRoot%\FLASHKSK.INI -> [Ver = | Size = 22 bytes | Modified Date = 6/2/2007 7:47:52 PM | Attr = ]
Fonts -> %SystemRoot%\Fonts -> [Folder | Modified Date = 5/28/2007 3:28:32 PM | Attr = R S]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 6/1/2007 10:25:38 PM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 5/6/2007 1:02:48 PM | Attr = HS]
LEXSTAT.INI -> %SystemRoot%\LEXSTAT.INI -> [Ver = | Size = 1109 bytes | Modified Date = 5/18/2007 11:47:42 AM | Attr = ]
LXBRCAH.ini -> %SystemRoot%\LXBRCAH.ini -> [Ver = | Size = 3205 bytes | Modified Date = 5/18/2007 11:57:36 AM | Attr = ]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [Ver = | Size = 69 bytes | Modified Date = 5/29/2007 8:58:18 AM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 6/3/2007 8:01:38 AM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 5/12/2007 4:35:54 PM | Attr = H ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 5/31/2007 10:18:40 PM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 6/3/2007 7:36:46 AM | Attr = ]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 6/3/2007 7:28:36 AM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 817 bytes | Modified Date = 6/1/2007 10:26:46 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 6/2/2007 6:39:02 PM | Attr = H ]
ActiveScan -> %System32%\ActiveScan -> [Folder | Modified Date = 6/1/2007 10:26:40 PM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 6/1/2007 10:23:46 PM | Attr = ]
config.nt -> %System32%\config.nt -> [Ver = | Size = 2626 bytes | Modified Date = 5/31/2007 7:27:26 AM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 5/9/2007 10:43:28 PM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 6/1/2007 9:22:00 AM | Attr = ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT -> [Ver = | Size = 401528 bytes | Modified Date = 5/29/2007 7:11:06 AM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Modified Date = 6/1/2007 10:24:12 PM | Attr = ]
KGyGaAvL.sys -> %System32%\KGyGaAvL.sys -> [Ver = | Size = 3350 bytes | Modified Date = 5/6/2007 12:53:26 PM | Attr = HS]
klvrpjnv.dll -> %System32%\klvrpjnv.dll -> [Ver = | Size = 131124 bytes | Modified Date = 6/1/2007 10:30:52 PM | Attr = ]
pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Modified Date = 6/1/2007 10:24:12 PM | Attr = ]
Restore -> %System32%\Restore -> [Folder | Modified Date = 6/2/2007 12:11:34 AM | Attr = ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 4376 bytes | Modified Date = 6/1/2007 7:59:48 PM | Attr = ]
ttdhmkhq.exe -> %System32%\ttdhmkhq.exe -> [Ver = | Size = 2580 bytes | Modified Date = 6/1/2007 10:27:46 PM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Modified Date = 6/1/2007 10:24:12 PM | Attr = ]
vnjprvlk.ini -> %System32%\vnjprvlk.ini -> [Ver = | Size = 1101713 bytes | Modified Date = 6/3/2007 7:36:46 AM | Attr = HS]
winhdn32.dll -> %System32%\winhdn32.dll -> [Ver = | Size = 18944 bytes | Modified Date = 5/31/2007 10:16:02 PM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 1158 bytes | Modified Date = 6/2/2007 7:47:00 PM | Attr = ]
yargjoli.dll -> %System32%\yargjoli.dll -> [Ver = | Size = 50740 bytes | Modified Date = 5/31/2007 10:26:38 PM | Attr = ]

[File String Scan - Non-Microsoft Only]
@Alternate Data Stream - 26 bytes → %SystemDrive%\data1.cab:Zone.Identifier →
@Alternate Data Stream - 26 bytes → %SystemDrive%\msgr75us.exe:Zone.Identifier →
@Alternate Data Stream - 26 bytes → %SystemDrive%\YTunnelPro2.0Build376Setup.exe:Zone.Identifier →
UPX! , UPX0 , → %SystemDrive%\YTunnelPro2.0Build376Setup.exe → Chet Simpson [Ver = 2006.6.16.1756 | Size = 1846990 bytes | Modified Date = 3/15/2007 11:42:20 PM | Attr = ]
@Alternate Data Stream - 26 bytes → %SystemDrive%\YTunnelPro2.5Build464Setup.exe:Zone.Identifier →
UPX! , UPX0 , → %SystemDrive%\YTunnelPro2.5Build464Setup.exe → Chet Simpson [Ver = 2007.3.10.725 | Size = 2676943 bytes | Modified Date = 3/15/2007 9:56:00 PM | Attr = ]
@Alternate Data Stream - 26 bytes → %SystemRoot%\doublekiller.zip:Zone.Identifier →
@Alternate Data Stream - 26 bytes → %SystemRoot%\DS_manual.pdf:Zone.Identifier →
@Alternate Data Stream - 26 bytes → %SystemRoot%\iCF.exe:Zone.Identifier →
@Alternate Data Stream - 26 bytes → %SystemRoot%\PC_DAZStudio_1_3_0_1.exe:Zone.Identifier →
PEC2 , → %SystemRoot%\PC_DAZStudio_1_3_0_1.exe → [Ver = | Size = 14295364 bytes | Modified Date = 5/9/2006 12:02:20 PM | Attr = ]
@Alternate Data Stream - 26 bytes → %SystemRoot%\PC_DS_Base_All.exe:Zone.Identifier →
UPX! , → %SystemRoot%\PC_DS_Base_All.exe → [Ver = | Size = 56300761 bytes | Modified Date = 5/9/2006 12:12:34 PM | Attr = ]
@Alternate Data Stream - 26 bytes → %SystemRoot%\ps_fr149_GirlHairConversion.exe:Zone.Identifier →
@Alternate Data Stream - 26 bytes → %SystemRoot%\ps_fr202_catwalk.exe:Zone.Identifier →
@Alternate Data Stream - 26 bytes → %SystemRoot%\ULTIMATE_PACK_for_WIN_95_98_ME_XP_NT_2000_--_WinACE_2[1].04__WinRAR.zip:Zone.Identifier →
@Alternate Data Stream - 26 bytes → %SystemRoot%\wrar36b3.exe:Zone.Identifier →
@Alternate Data Stream - 26 bytes → %System32%\4_DLLs_for_Plugins.zip:Zone.Identifier →
UPX! , UPX0 , → %System32%\aswBoot.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 745600 bytes | Modified Date = 4/30/2007 10:46:10 AM | Attr = ]
PEC2 , → %System32%\dfrg.msc → [Ver = | Size = 41397 bytes | Modified Date = 7/21/2001 5:15:34 PM | Attr = ]
@Alternate Data Stream - 26 bytes → %System32%\icmfilter.dll:Zone.Identifier →
UPX! , → %System32%\klvrpjnv.dll → [Ver = | Size = 131124 bytes | Modified Date = 6/1/2007 10:30:52 PM | Attr = ]
@Alternate Data Stream - 26 bytes → %System32%\Msvcrt10.dll:Zone.Identifier →
@Alternate Data Stream - 26 bytes → %System32%\MSVCRT10.DLX:Zone.Identifier →
@Alternate Data Stream - 26 bytes → %System32%\plugin.dll:Zone.Identifier →
UPX! , UPX0 , → %System32%\SrchSTS.exe → S!Ri [Ver = | Size = 288417 bytes | Modified Date = 4/27/2006 5:49:30 PM | Attr = ]
UPX! , UPX0 , → %System32%\swreg.exe → SteelWerX [Ver = 2.0.1.0 | Size = 135168 bytes | Modified Date = 8/29/2006 7:43:54 PM | Attr = ]
UPX! , UPX0 , → %System32%\swsc.exe → [Ver = | Size = 40960 bytes | Modified Date = 1/9/2006 10:36:06 AM | Attr = ]
UPX! , UPX0 , → %System32%\swxcacls.exe → SteelWerX [Ver = 1.0.1.1 | Size = 79360 bytes | Modified Date = 12/1/2006 6:20:34 AM | Attr = ]
winsync , → %System32%\wbdbase.deu → [Ver = | Size = 1309184 bytes | Modified Date = 7/21/2001 5:23:44 PM | Attr = ]
PEC2 , → %System32%\winhdn32.dll → [Ver = | Size = 18944 bytes | Modified Date = 5/31/2007 10:16:02 PM | Attr = ]
UPX! , → %System32%\yargjoli.dll → [Ver = | Size = 50740 bytes | Modified Date = 5/31/2007 10:26:38 PM | Attr = ]
PTech , → %System32%\drivers\mtlstrm.sys → Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/4/2004 12:41:38 AM | Attr = ]

< End of report >

OK, whilst I analyse the WinPFind log:

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {6E8654CB-6D55-41ED-A1ED-880DFC46EF40} - C:\WINDOWS\system32\ssqpn.dll (file missing)
O2 - BHO: (no name) - {B71FA585-B351-4E48-8DA8-22F6F705EC73} - C:\WINDOWS\system32\qomlmmk.dll (file missing)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\yargjoli.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [tezchiby.exe] C:\Documents and Settings\All Users\Application Data\tezchiby.exe
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\klvrpjnv.dll",realset
O9 - Extra button: Download5000 Toolbar - {9D931726-DFBC-480e-851A-20C397E1A2C8} - (no file)
O9 - Extra ‘Tools’ menuitem: Download5000 Toolbar - {9D931726-DFBC-480e-851A-20C397E1A2C8} - (no file)
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\SYSTEM32\winhdn32.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\SYSTEM32\winhdn32.dll
C:\WINDOWS\system32\ssqpn.dll
C:\WINDOWS\system32\qomlmmk.dll
C:\WINDOWS\system32\yargjoli.dll
C:\Documents and Settings\All Users\Application Data\tezchiby.exe
C:\WINDOWS\system32\klvrpjnv.dll

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window to the clipboard by highlighting all of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply with a new HijackThis log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Back with the remainder in a while
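The entries the helper picks out of the WinPFind3U and HijackThis logs follow a pattern that is worth automating when you triage a log like this one: files that appeared under %System32% within the last month, carry no publisher or version resource, and either have a random eight-letter name or are wired into an autostart point HijackThis reports (a BHO, a Run key, a Winlogon Notify hook). The Python below is an added example, not code from the helper, from WinPFind3U or from HijackThis. The sample lines are copied from the logs posted above and trimmed to a few entries (with swsc.exe and the Panda, SteelWerX and GRISOFT files kept as benign controls); the "random 8-letter name" rule is my own assumption about this particular Vundo-style infection, not a general signature; and the `NY -> name -> path` output only mirrors the form of the fix script the helper posts later in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the WinPFind3U "Created Within
# 30 days" section and the HijackThis log posted above, trimmed to a handful.
WINPFIND_CREATED = r"""
[Files/Folders - Created Within 30 days]
asuninst.exe -> %System32%\asuninst.exe -> Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Created Date = 6/1/2007 9:25:16 PM | Attr = ]
klvrpjnv.dll -> %System32%\klvrpjnv.dll -> [Ver = | Size = 131124 bytes | Created Date = 6/1/2007 9:30:48 PM | Attr = ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.0 | Size = 135168 bytes | Created Date = 6/1/2007 6:58:52 PM | Attr = ]
swsc.exe -> %System32%\swsc.exe -> [Ver = | Size = 40960 bytes | Created Date = 6/1/2007 6:58:52 PM | Attr = ]
ttdhmkhq.exe -> %System32%\ttdhmkhq.exe -> [Ver = | Size = 2580 bytes | Created Date = 6/1/2007 9:27:45 PM | Attr = ]
vnjprvlk.ini -> %System32%\vnjprvlk.ini -> [Ver = | Size = 1101713 bytes | Created Date = 6/1/2007 9:30:57 PM | Attr = HS]
winhdn32.dll -> %System32%\winhdn32.dll -> [Ver = | Size = 18944 bytes | Created Date = 5/31/2007 9:16:00 PM | Attr = ]
yargjoli.dll -> %System32%\yargjoli.dll -> [Ver = | Size = 50740 bytes | Created Date = 5/31/2007 9:26:36 PM | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 6/1/2007 8:21:58 AM | Attr = ]
"""

HIJACKTHIS = r"""
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\yargjoli.dll
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\klvrpjnv.dll",realset
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\SYSTEM32\winhdn32.dll
"""

@dataclass
class Entry:
    name: str
    path: str
    publisher: str
    version: str
    size: int
    attr: str

# One WinPFind3U file line: name -> path -> publisher [Ver = .. | Size = N bytes | Created Date = .. | Attr = ..]
ENTRY_RE = re.compile(
    r"^(?P<name>.+?) -> (?P<path>.+?) -> (?P<publisher>.*?)\s*"
    r"\[Ver = (?P<ver>[^|]*)\| Size = (?P<size>\d+) bytes \| "
    r"Created Date = [^|]+\| Attr = (?P<attr>[^\]]*)\]$"
)

def parse_created(text):
    """Parse the file lines of a 'Created Within 30 days' section; folder and header lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["name"], m["path"], m["publisher"].strip(),
                                 m["ver"].strip(), int(m["size"]), m["attr"].strip()))
    return entries

# HijackThis sections that describe code loaded automatically: BHOs, Run keys,
# Winlogon Notify hooks, ShellServiceObjectDelayLoad and services.
AUTOSTART_SECTIONS = {"O2", "O4", "O20", "O21", "O23"}
FILE_REF_RE = re.compile(r"[\w.-]+\.(?:dll|exe|sys)", re.IGNORECASE)

def autostart_refs(hjt_text):
    """Return the lower-cased file names referenced by autostart entries in a HijackThis log."""
    refs = set()
    for line in hjt_text.strip().splitlines():
        if line.split(" - ", 1)[0] in AUTOSTART_SECTIONS:
            refs.update(m.lower() for m in FILE_REF_RE.findall(line))
    return refs

# Heuristic (my assumption about this infection, not WinPFind's logic): the
# dropped components use random eight-letter lower-case names.
RANDOM_STEM = re.compile(r"[a-z]{8}")

def triage(created_text, hjt_text):
    """Map suspicious file names to the reasons they were flagged."""
    refs = autostart_refs(hjt_text)
    verdicts = {}
    for e in parse_created(created_text):
        unsigned = not e.publisher and not e.version
        random_name = RANDOM_STEM.fullmatch(e.name.rsplit(".", 1)[0]) is not None
        referenced = e.name.lower() in refs
        # A missing version resource alone is weak evidence (swsc.exe is a
        # legitimate helper tool); require a second indicator before flagging.
        if unsigned and (random_name or referenced):
            reasons = ["no publisher or version resource"]
            if random_name:
                reasons.append("random 8-letter name")
            if referenced:
                reasons.append("loaded by an autostart entry")
            verdicts[e.name] = reasons
    return verdicts

def fix_lines(created_text, hjt_text):
    """Emit flagged files in the 'NY -> name -> path' form used by the WinPFind3U fix in this thread."""
    flagged = triage(created_text, hjt_text)
    return [f"NY -> {e.name} -> {e.path}"
            for e in parse_created(created_text) if e.name in flagged]

if __name__ == "__main__":
    for name, reasons in triage(WINPFIND_CREATED, HIJACKTHIS).items():
        print(f"{name}: {', '.join(reasons)}")
    print("\n".join(fix_lines(WINPFIND_CREATED, HIJACKTHIS)))
```

On the sample above this flags klvrpjnv.dll, ttdhmkhq.exe, vnjprvlk.ini, winhdn32.dll and yargjoli.dll, the same files the helper moves, and leaves the unsigned but harmless swsc.exe alone because nothing else points at it. The cross-reference against HijackThis is what catches winhdn32.dll, whose name is not random; without the O20 Winlogon Notify line it would look like any other unsigned DLL.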

Some nasty ones there. So let's finish them off:

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> Genuine -> %System32%\klvrpjnv.dll [rundll32.exe "C:\WINDOWS\system32\klvrpjnv.dll",realset]
[Files/Folders - Created Within 30 days]
NY -> klvrpjnv.dll -> %System32%\klvrpjnv.dll
NY -> pavas.ico -> %System32%\pavas.ico
NY -> ttdhmkhq.exe -> %System32%\ttdhmkhq.exe
NY -> vnjprvlk.ini -> %System32%\vnjprvlk.ini
NY -> winhdn32.dll -> %System32%\winhdn32.dll
NY -> yargjoli.dll -> %System32%\yargjoli.dll
NY -> EyeCand3.INI -> %SystemRoot%\EyeCand3.INI
NY -> FLASHKSK.INI -> %SystemRoot%\FLASHKSK.INI
NY -> klvrpjnv.dll -> %System32%\klvrpjnv.dll
NY -> pavas.ico -> %System32%\pavas.ico
NY -> ttdhmkhq.exe -> %System32%\ttdhmkhq.exe
NY -> vnjprvlk.ini -> %System32%\vnjprvlk.ini
NY -> winhdn32.dll -> %System32%\winhdn32.dll
NY -> yargjoli.dll -> %System32%\yargjoli.dll
[File String Scan - Non-Microsoft Only]
NY -> @Alternate Data Stream - 26 bytes -> %SystemDrive%\data1.cab:Zone.Identifier
NY -> @Alternate Data Stream - 26 bytes -> %SystemDrive%\msgr75us.exe:Zone.Identifier
NY -> @Alternate Data Stream - 26 bytes -> %SystemDrive%\YTunnelPro2.0Build376Setup.exe:Zone.Identifier
NY -> UPX! , UPX0 , -> %SystemDrive%\YTunnelPro2.0Build376Setup.exe
NY -> @Alternate Data Stream - 26 bytes -> %SystemDrive%\YTunnelPro2.5Build464Setup.exe:Zone.Identifier
NY -> UPX! , UPX0 , -> %SystemDrive%\YTunnelPro2.5Build464Setup.exe
NY -> @Alternate Data Stream - 26 bytes -> %SystemRoot%\doublekiller.zip:Zone.Identifier
NY -> @Alternate Data Stream - 26 bytes -> %SystemRoot%\DS_manual.pdf:Zone.Identifier
NY -> @Alternate Data Stream - 26 bytes -> %SystemRoot%\iCF.exe:Zone.Identifier
NY -> @Alternate Data Stream - 26 bytes -> %SystemRoot%\PC_DAZStudio_1_3_0_1.exe:Zone.Identifier
NY -> PEC2 , -> %SystemRoot%\PC_DAZStudio_1_3_0_1.exe
NY -> @Alternate Data Stream - 26 bytes -> %SystemRoot%\PC_DS_Base_All.exe:Zone.Identifier
NY -> UPX! , -> %SystemRoot%\PC_DS_Base_All.exe
NY -> @Alternate Data Stream - 26 bytes -> %SystemRoot%\ps_fr149_GirlHairConversion.exe:Zone.Identifier
NY -> @Alternate Data Stream - 26 bytes -> %SystemRoot%\ps_fr202_catwalk.exe:Zone.Identifier
NY -> @Alternate Data Stream - 26 bytes -> %SystemRoot%\ULTIMATE_PACK_for_WIN_95_98_ME_XP_NT_2000_--_WinACE_2[1].04__WinRAR.zip:Zone.Identifier
NY -> @Alternate Data Stream - 26 bytes -> %SystemRoot%\wrar36b3.exe:Zone.Identifier
NY -> @Alternate Data Stream - 26 bytes -> %System32%\4_DLLs_for_Plugins.zip:Zone.Identifier
NY -> @Alternate Data Stream - 26 bytes -> %System32%\icmfilter.dll:Zone.Identifier
NY -> UPX! , -> %System32%\klvrpjnv.dll
NY -> @Alternate Data Stream - 26 bytes -> %System32%\Msvcrt10.dll:Zone.Identifier
NY -> @Alternate Data Stream - 26 bytes -> %System32%\MSVCRT10.DLX:Zone.Identifier
NY -> @Alternate Data Stream - 26 bytes -> %System32%\plugin.dll:Zone.Identifier
NY -> PEC2 , -> %System32%\winhdn32.dll
NY -> UPX! , -> %System32%\yargjoli.dll

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of the actions taken during the fix. Post that information back here along with a new HijackThis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.