Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

yahabags/homepage highjacks on vista

Started by joebd0 , Apr 29 2007 10:57 AM

Please log in to reply

#1
joebd0

Posted 29 April 2007 - 10:57 AM

New Member

Member
7 posts

have tried to follow fix for the XP O.S. but I am runing Vista Home Premium.
AVG will not run in safemode & SmitfraudFix does is not comp. with Vista O.S.
Please if someone can help I don't want to realy want to do a clean install of Vista on my HD

Logfile of HijackThis v1.99.1
Scan saved at 10:22:43 AM, on 4/29/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Java\jre1.6.0\bin\jucheck.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Joe\AppData\Local\Temp\Rar$EX00.656\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36E77F70-0C24-4156-9E0C-356577F51A31} - C:\Windows\system32\kjsdhdtj.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\Windows\system32\cctgiovy.dll (file missing)
O2 - BHO: (no name) - {6C622D52-0612-414B-A063-105A614D396F} - C:\Windows\system32\ddccyxv.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SD_Tips] iexplore http://www.spywarede.../tips_vista.htm
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

#2
Buckeye_Sam

Posted 29 April 2007 - 07:03 PM

Malware Expert

Member
10,019 posts

Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :whistling:

Please download Deckard's System Scanner (DSS)

1. Download Deckard's System Scanner (DSS) to your Desktop (or other convenient location).
2. Close any open applications and windows.
3. Double-click on dss.exe to run it, and follow the prompts.
4. When the scan is complete, a text file will open - main.txt
5. Copy the text from that log and paste it into your post.

Note: Some firewalls may warn that sigcheck.exe is trying to access the internet. Please allow it permission to do so.

#3
joebd0

Posted 29 April 2007 - 10:04 PM

New Member

Topic Starter
Member
7 posts

Hi Sam I'm Joe and I would appreciate any help you you can give me to get rid of this thing.
I run VUNDO, it found 3 files and when I tried to remove them screen went black but never gave option to reboot. I Had to restart the comp.

Deckard's System Scanner v20070426.43
Run by Joe on 2007-04-29 at 22:30:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as Joe.exe) -------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:44:20 PM, on 4/29/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\Explorer.EXE
D:\Users\Joe\Desktop\dss.exe
D:\Users\Joe\Desktop\HIJACK~1\Joe.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36E77F70-0C24-4156-9E0C-356577F51A31} - C:\Windows\system32\kjsdhdtj.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6C622D52-0612-414B-A063-105A614D396F} - C:\Windows\system32\ddccyxv.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SD_Tips] iexplore http://www.spywarede.../tips_vista.htm
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - \??\c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - \??\c:\program files\superantispyware\saskutil.sys
R3 EL90x (3Com 3C90X Family PCI EtherLink Adapter) - c:\windows\system32\drivers\el90xnd5.sys <Not Verified; 3Com Corporation; 3Com Fast EtherLink XL / EtherLink XL Adapter>
R3 SASENUM - \??\c:\program files\superantispyware\sasenum.sys

S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 VundoFixSvc (VundoFix Service) - vundofixsvc.exe <Not Verified; Atribune.org; Vundofix Service>

-- Scheduled Tasks -------------------------------------------------------------

2007-04-29 20:37:22 414 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{F906A59F-3C7C-4E95-9A89-C3425F681478}.job

-- Files created between 2007-03-29 and 2007-04-29 -----------------------------

2007-04-29 02:28:01 24576 --a------ C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2007-04-28 19:03:56 0 d-------- C:\VundoFix Backups
2007-04-28 17:05:44 0 d-------- C:\Program Files\Microsoft Works
2007-04-28 17:00:00 0 d-------- C:\Program Files\Microsoft.NET
2007-04-28 16:41:50 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2007-04-28 16:39:36 0 d-------- C:\Users\All Users\Microsoft Help
2007-04-28 16:36:14 0 dr-h----- C:\MSOCache
2007-04-28 16:30:07 0 d-------- C:\Users\All Users\Office Genuine Advantage
2007-04-17 23:46:43 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2007-04-17 23:46:37 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-04-17 08:58:54 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2007-04-17 08:58:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-16 00:43:46 63 --a------ C:\Windows\system\SysSD.dll
2007-04-16 00:43:19 1011712 --a------ C:\Windows\system32\VchReg.dll <Not Verified; Max Secure Software; Voucher Registration>
2007-04-16 00:43:19 270336 --a------ C:\Windows\system32\CheckDll.dll <Not Verified; Max Secure Software; Spyware Detector>
2007-04-16 00:43:17 0 d-------- C:\Program Files\SpywareDetector
2007-04-15 20:48:56 1363869 ---hs---- C:\Windows\system32\vyadd.bak1
2007-04-15 20:31:12 0 d-------- C:\Program Files\Lavasoft
2007-04-15 14:54:33 0 d-------- C:\Users\Joe\.housecall6.6
2007-04-15 14:44:42 0 d-------- C:\Users\All Users\CA
2007-04-15 14:44:31 0 d-------- C:\Program Files\Common Files\Scanner
2007-04-15 13:57:45 996 --a------ C:\Windows\system32\BlockedCookies
2007-04-15 13:51:31 86016 --a------ C:\Windows\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2007-04-15 13:50:01 0 d-------- C:\Program Files\PrvDef4.0
2007-04-15 10:22:56 0 d-------- C:\Windows\BDOSCAN8
2007-04-13 22:17:16 125460 --a------ C:\Windows\system32\kjsdhdtj.dll
2007-04-13 22:16:45 1375777 ---hs---- C:\Windows\system32\stvwa.bak1
2007-04-10 14:06:39 0 dr------- C:\Users\Joe\Documents
2007-04-10 14:05:41 0 d-------- C:\Users\All Users\Adobe
2007-04-10 14:05:23 0 d-------- C:\Program Files\Common Files\Adobe
2007-04-06 11:58:35 1168 --a------ C:\Windows\mozver.dat
2007-04-06 11:55:36 0 --a------ C:\Windows\nsreg.dat
2007-04-05 16:02:18 0 d-------- C:\Windows\Sun
2007-04-03 19:08:13 0 d-------- C:\Users\Public\Application Data
2007-04-03 18:50:33 0 d-------- C:\Users\All Users\Yahoo! Companion
2007-04-03 18:49:56 0 d-------- C:\Windows\system32\Macromed
2007-04-03 18:49:09 0 d-------- C:\Users\All Users\yahoo!
2007-04-03 18:46:18 0 d-------- C:\Program Files\MSN Messenger
2007-04-03 18:44:14 0 d-------- C:\Program Files\Yahoo!
2007-04-03 18:35:54 2936832 --a------ C:\Windows\system32\MA2_6.scr
2007-04-03 18:16:09 0 d-------- C:\Program Files\Java
2007-04-03 18:15:53 0 d-------- C:\Program Files\Common Files\Java
2007-04-03 18:14:55 0 d-------- C:\Users\All Users\DVD Shrink
2007-04-03 18:14:54 0 d-------- C:\Users\Joe\Desktop
2007-04-03 18:14:51 0 d-------- C:\Program Files\DVD Shrink
2007-04-03 17:47:26 212480 --a------ C:\Windows\PCDLIB32.DLL <Not Verified; Eastman Kodak; Kodak Photo CD Access Developer Toolkit>
2007-04-03 17:47:26 0 d-------- C:\Program Files\ArcSoft
2007-04-03 17:46:37 0 d-------- C:\Users\All Users\EPSON
2007-04-03 17:43:52 495616 --a------ C:\Windows\system32\PICSDK2.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:43:52 73728 --a------ C:\Windows\system32\PICSDK.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:43:52 77824 --a------ C:\Windows\system32\PICEntry.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:43:51 45056 --a------ C:\Windows\system32\EpPicPrt.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:43:51 73220 --a------ C:\Windows\system32\EPPICPrinterDB.dat
2007-04-03 17:43:51 1140 --a------ C:\Windows\system32\EPPICPresetData_PT.dat
2007-04-03 17:43:51 1130 --a------ C:\Windows\system32\EPPICPresetData_FR.dat
2007-04-03 17:43:51 1137 --a------ C:\Windows\system32\EPPICPresetData_ES.dat
2007-04-03 17:43:51 1104 --a------ C:\Windows\system32\EPPICPresetData_EN.dat
2007-04-03 17:43:51 1130 --a------ C:\Windows\system32\EPPICPresetData_CF.dat
2007-04-03 17:43:51 1140 --a------ C:\Windows\system32\EPPICPresetData_BP.dat
2007-04-03 17:43:51 4943 --a------ C:\Windows\system32\EPPICPattern6.dat
2007-04-03 17:43:51 15670 --a------ C:\Windows\system32\EPPICPattern5.dat
2007-04-03 17:43:51 10673 --a------ C:\Windows\system32\EPPICPattern4.dat
2007-04-03 17:43:51 21021 --a------ C:\Windows\system32\EPPICPattern3.dat
2007-04-03 17:43:51 13280 --a------ C:\Windows\system32\EPPICPattern2.dat
2007-04-03 17:43:49 31053 --a------ C:\Windows\system32\EPPICPattern131.dat
2007-04-03 17:43:49 27417 --a------ C:\Windows\system32\EPPICPattern121.dat
2007-04-03 17:43:49 29114 --a------ C:\Windows\system32\EPPICPattern1.dat
2007-04-03 17:43:49 45056 --a------ C:\Windows\system32\EpPicMgr.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:42:43 0 d-------- C:\epson
2007-04-03 17:32:08 0 d-------- C:\Program Files\epson
2007-04-03 17:17:05 22768 --a------ C:\Windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2007-04-03 15:50:49 0 d-------- C:\Windows\Panther
2007-04-03 15:50:32 0 d--hs---- C:\Boot
2007-04-03 15:20:59 0 d-------- C:\Program Files\Avanquest update
2007-04-03 15:19:40 0 d-------- C:\Users\All Users\BVRP Software
2007-04-03 15:19:40 0 d-------- C:\Program Files\Motorola Phone Tools
2007-04-03 15:19:40 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-03 15:17:05 0 d-------- C:\Program Files\Common Files\InstallShield
2007-04-03 14:58:29 0 d------c- C:\Windows\system32\DRVSTORE
2007-04-03 14:58:15 0 d-------- C:\Program Files\MSXML 4.0
2007-04-03 14:55:54 0 d-------- C:\Windows\SoftwareDistribution
2007-04-03 14:54:11 0 d-------- C:\Windows\Debug
2007-04-03 14:51:47 0 d-------- C:\Windows\Prefetch
2007-04-03 14:51:33 0 d--hs---- C:\System Volume Information
2007-04-03 14:45:05 12 --a------ C:\Windows\bthservsdp.dat
2007-04-03 14:39:49 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2007-04-03 14:35:24 0 d-------- C:\Windows\PCHEALTH
2007-04-03 14:35:19 0 d--hs---- C:\Windows\Installer
2007-04-03 14:26:57 0 -rahs---- C:\MSDOS.SYS
2007-04-03 14:26:57 0 -rahs---- C:\IO.SYS
2007-04-03 14:02:33 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Templates
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Start Menu
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\SendTo
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Recent
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\PrintHood
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\NetHood
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\My Documents
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Local Settings
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Cookies
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Application Data
2007-04-03 13:08:48 1835008 --ahs---- C:\Users\Joe\NTUSER.DAT
2007-04-03 13:08:48 0 d--h----- C:\Users\Joe\AppData

-- Find3M Report ---------------------------------------------------------------

2007-04-28 17:04:28 0 d-------- C:\Program Files\MSBuild
2007-04-17 23:46:37 0 d-------- C:\Users\Joe\AppData\Roaming\SUPERAntiSpyware.com
2007-04-12 08:10:36 0 d-------- C:\Program Files\Windows Defender
2007-04-12 07:49:56 0 d-------- C:\Program Files\Windows Mail
2007-04-10 14:30:44 0 d-------- C:\Users\Joe\AppData\Roaming\Adobe
2007-04-08 16:48:14 0 d-------- C:\Users\Joe\AppData\Roaming\ArcSoft
2007-04-08 13:37:45 0 d-------- C:\Users\Joe\AppData\Roaming\LimeWire
2007-04-06 14:06:49 0 d-------- C:\Users\Joe\AppData\Roaming\Macromedia
2007-04-06 11:56:06 0 d-------- C:\Users\Joe\AppData\Roaming\Talkback
2007-04-06 11:55:29 0 d-------- C:\Users\Joe\AppData\Roaming\Mozilla
2007-04-03 19:08:14 0 d-------- C:\Users\Joe\AppData\Roaming\Vso
2007-04-03 19:08:14 34 --a------ C:\Users\Joe\AppData\Roaming\pcouffin.log
2007-04-03 19:07:30 7824 --a------ C:\Users\Joe\AppData\Roaming\pcouffin.cat
2007-04-03 19:05:01 0 d-------- C:\Users\Joe\AppData\Roaming\yahoo!
2007-04-03 18:19:40 0 d-------- C:\Users\Joe\AppData\Roaming\ImgBurn
2007-04-03 15:32:37 0 d-------- C:\Users\Joe\AppData\Roaming\InstallShield
2007-04-03 14:57:49 262 --a------ C:\Users\Joe\AppData\Roaming\WinssCookie.txt
2007-04-03 13:09:26 0 d-------- C:\Users\Joe\AppData\Roaming\Identities

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
{36E77F70-0C24-4156-9E0C-356577F51A31} C:\Windows\system32\kjsdhdtj.dll
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll
{6C622D52-0612-414B-A063-105A614D396F} C:\Windows\system32\ddccyxv.dll [x]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"itype"="\"C:\\Program Files\\Microsoft IntelliType Pro\\itype.exe\""
"OneCareUI"="\"C:\\Program Files\\Microsoft Windows OneCare Live\\winssnotify.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"SD_Tips"="iexplore [url="http://www.spywaredetector.net/tips_vista.htm""]http://www.spywaredetector.net/tips_vista.htm"[/url]
"SystemTraySD"="C:\\Program Files\\SpywareDetector\\SDSystemTray.exe -AUTO"
"SDAutoLiveupdate"="C:\\Program Files\\SpywareDetector\\LiveUpdateSD.exe -AUTO"
"GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"ehTray.exe"="C:\\Windows\\ehome\\ehTray.exe"
"YSearchProtection"="C:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=dword:00000002
"ConsentPromptBehaviorUser"=dword:00000001
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000000
"EnableSecureUIAPaths"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"scforceoption"=dword:00000000
"FilterAdministratorToken"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI\Clipboard]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI\Clipboard\ExceptionFormats]
"CF_TEXT"=dword:00000001
"CF_BITMAP"=dword:00000002
"CF_OEMTEXT"=dword:00000007
"CF_DIB"=dword:00000008
"CF_PALETTE"=dword:00000009
"CF_UNICODETEXT"=dword:0000000d
"CF_DIBV5"=dword:00000011

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6C622D52-0612-414B-A063-105A614D396F}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="credssp.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Notification Packages REG_MULTI_SZ scecli\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0\0
Authentication Packages REG_MULTI_SZ msv1_0\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AppInfo
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\KeyIso
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\NTDS
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\OneCareMP
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\ProfSvc
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sacsvr
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SWPRV
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TabletInputService
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TBS
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TrustedInstaller
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\volmgr.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\volmgrx.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ nsi\0lltdsvc\0SSDPSRV\0upnphost\0SCardSvr\0w32time\0EventSystem\0RemoteRegistry\0WinHttpAutoProxySvc\0lanmanworkstation\0TBS\0SLUINotify\0THREADORDER\0fdrespub\0netprofm\0fdphost\0wcncsvc\0QWAVE\0Mcx2Svc\0WebClient\0\0
LocalSystemNetworkRestricted REG_MULTI_SZ hidserv\0UxSms\0WdiSystemHost\0Netman\0trkwks\0AudioEndpointBuilder\0WUDFSvc\0irmon\0sysmain\0IPBusEnum\0dot3svc\0PcaSvc\0EMDMgmt\0TabletInputService\0wlansvc\0WPDBusEnum\0\0
NetworkServiceNetworkRestricted REG_MULTI_SZ PolicyAgent\0\0
LocalServiceNoNetwork REG_MULTI_SZ PLA\0DPS\0BFE\0mpssvc\0ehstart\0\0
NetworkService REG_MULTI_SZ CryptSvc\0DHCP\0TermService\0KtmRm\0DNSCache\0NapAgent\0nlasvc\0WinRM\0WECSVC\0Tapisrv\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WerSvcGroup REG_MULTI_SZ wersvc\0\0
swprv REG_MULTI_SZ swprv\0\0
LocalServiceNetworkRestricted REG_MULTI_SZ DHCP\0eventlog\0AudioSrv\0LmHosts\0wscsvc\0p2pimsvc\0PNRPSvc\0p2psvc\0WPCSvc\0PnrpAutoReg\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
regsvc REG_MULTI_SZ RemoteRegistry\0\0
wcssvc REG_MULTI_SZ WcsPlugInService\0\0
DcomLaunch REG_MULTI_SZ PlugPlay\0DcomLaunch\0\0
wdisvc REG_MULTI_SZ WdiServiceHost\0\0
sdrsvc REG_MULTI_SZ sdrsvc\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
secsvcs REG_MULTI_SZ WinDefend\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WindowsMobile REG_MULTI_SZ wcescomm\0rapimgr\0\0
LocalServiceRestricted REG_MULTI_SZ WcesComm\0RapiMgr\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
AeLookupSvc
wercplsupport
CertPropSvc
SCPolicySvc
gpsvc
IKEEXT
LogonHours
PCAudit
iphlpsvc
AppInfo
msiscsi
MMCSS
ProfSvc
EapHost
SessionEnv
hkmsvc

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b6687acd-e21c-11db-99e3-806e6f6e6963}]
shell\AutoRun\command F:\autorun.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_SASDIFSV

-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.test.com
127.0.0.1 www.ads.x10.com
127.0.0.1 www.600pics.com
127.0.0.1 www.doberman.befree.com
127.0.0.1 www.enews.bfast.com
127.0.0.1 www.etoys.bfast.com
127.0.0.1 www.falcon.bfast.com
127.0.0.1 www.ftp.befree.com
127.0.0.1 www.ftp.bfast.com
127.0.0.1 www.geocities.bfast.com

844 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2007-04-29 at 22:45:05 ---------

#4
Buckeye_Sam

Posted 30 April 2007 - 08:34 AM

Malware Expert

Member
10,019 posts

Vundofix and Vista don't always work well together. We'll get rid of it another way.

Please download the OTMoveIt by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Windows\system32\vyadd.bak1
C:\Windows\system32\kjsdhdtj.dll
C:\Windows\system32\stvwa.bak1
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt
Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
In that case, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Please post a new hijackthis log.
Let me know if you are still getting popups.

#5
joebd0

Posted 01 May 2007 - 09:50 AM

New Member

Topic Starter
Member
7 posts

OK Sam I've got some logs for you.

Here is the VundoFix log.

VundoFix V6.3.20

Checking Java version...

Scan started at 7:03:56 PM 4/28/2007

Listing files found while scanning....

C:\Windows\system32\cctgiovy.dll
C:\Windows\system32\ddccyxv.dll
C:\Windows\System32\iifcdca.dll

Beginning removal...

VundoFix V6.3.20

Checking Java version...

Scan started at 12:07:00 PM 4/29/2007

Listing files found while scanning....

C:\Windows\system32\cctgiovy.dll
C:\Windows\system32\ddccyxv.dll
C:\Windows\System32\iifcdca.dll

Beginning removal...

VundoFix V6.3.20

Checking Java version...

Scan started at 3:48:30 PM 4/29/2007

Listing files found while scanning....

No infected files were found.

VundoFix V6.3.20

Checking Java version...

Scan started at 4:07:26 PM 4/29/2007

Listing files found while scanning....

VundoFix V6.3.21

Checking Java version...

Scan started at 9:49:49 AM 5/1/2007

Listing files found while scanning....

C:\Windows\system32\ddccyxv.dll

Beginning removal...

Now the OTMoveit....

File/Folder C:\Windows\system32\vyadd.bak1 not found.
C:\Windows\system32\kjsdhdtj.dll unregistered successfully.
File move failed. C:\Windows\system32\kjsdhdtj.dll scheduled to be moved on reboot.
File/Folder C:\Windows\system32\stvwa.bak1 not found.

Created on 05/01/2007 09:31:25

And last the HijackThis Log.

Deckard's System Scanner v20070426.43
Run by Joe on 2007-05-01 at 10:23:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Joe.exe) -------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:23:23 AM, on 5/1/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
D:\Users\Joe\Desktop\dss.exe
D:\Users\Joe\Desktop\HIJACK~1\Joe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36E77F70-0C24-4156-9E0C-356577F51A31} - C:\Windows\system32\kjsdhdtj.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6C622D52-0612-414B-A063-105A614D396F} - C:\Windows\system32\ddccyxv.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SD_Tips] iexplore http://www.spywarede.../tips_vista.htm
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

-- Files created between 2007-04-01 and 2007-05-01 -----------------------------

2007-04-29 22:52:54 0 d-------- C:\Program Files\ieSpell
2007-04-29 02:28:01 24576 --a------ C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2007-04-28 19:03:56 0 d-------- C:\VundoFix Backups
2007-04-28 17:05:44 0 d-------- C:\Program Files\Microsoft Works
2007-04-28 17:00:00 0 d-------- C:\Program Files\Microsoft.NET
2007-04-28 16:41:50 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2007-04-28 16:39:36 0 d-------- C:\Users\All Users\Microsoft Help
2007-04-28 16:36:14 0 dr-h----- C:\MSOCache
2007-04-28 16:30:07 0 d-------- C:\Users\All Users\Office Genuine Advantage
2007-04-17 23:46:43 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2007-04-17 23:46:37 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-04-17 08:58:54 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2007-04-17 08:58:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-16 00:43:46 63 --a------ C:\Windows\system\SysSD.dll
2007-04-16 00:43:19 1011712 --a------ C:\Windows\system32\VchReg.dll <Not Verified; Max Secure Software; Voucher Registration>
2007-04-16 00:43:19 270336 --a------ C:\Windows\system32\CheckDll.dll <Not Verified; Max Secure Software; Spyware Detector>
2007-04-16 00:43:17 0 d-------- C:\Program Files\SpywareDetector
2007-04-15 20:31:12 0 d-------- C:\Program Files\Lavasoft
2007-04-15 14:54:33 0 d-------- C:\Users\Joe\.housecall6.6
2007-04-15 14:44:42 0 d-------- C:\Users\All Users\CA
2007-04-15 14:44:31 0 d-------- C:\Program Files\Common Files\Scanner
2007-04-15 13:57:45 996 --a------ C:\Windows\system32\BlockedCookies
2007-04-15 13:51:31 86016 --a------ C:\Windows\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2007-04-15 13:50:01 0 d-------- C:\Program Files\PrvDef4.0
2007-04-15 10:22:56 0 d-------- C:\Windows\BDOSCAN8
2007-04-13 22:17:16 125460 --a------ C:\Windows\system32\kjsdhdtj.dll
2007-04-10 14:06:39 0 dr------- C:\Users\Joe\Documents
2007-04-10 14:05:41 0 d-------- C:\Users\All Users\Adobe
2007-04-10 14:05:23 0 d-------- C:\Program Files\Common Files\Adobe
2007-04-06 11:58:35 1168 --a------ C:\Windows\mozver.dat
2007-04-06 11:55:36 0 --a------ C:\Windows\nsreg.dat
2007-04-05 16:02:18 0 d-------- C:\Windows\Sun
2007-04-03 19:08:13 0 d-------- C:\Users\Public\Application Data
2007-04-03 18:50:33 0 d-------- C:\Users\All Users\Yahoo! Companion
2007-04-03 18:49:56 0 d-------- C:\Windows\system32\Macromed
2007-04-03 18:49:09 0 d-------- C:\Users\All Users\yahoo!
2007-04-03 18:46:18 0 d-------- C:\Program Files\MSN Messenger
2007-04-03 18:44:14 0 d-------- C:\Program Files\Yahoo!
2007-04-03 18:35:54 2936832 --a------ C:\Windows\system32\MA2_6.scr
2007-04-03 18:16:09 0 d-------- C:\Program Files\Java
2007-04-03 18:15:53 0 d-------- C:\Program Files\Common Files\Java
2007-04-03 18:14:55 0 d-------- C:\Users\All Users\DVD Shrink
2007-04-03 18:14:54 0 d-------- C:\Users\Joe\Desktop
2007-04-03 18:14:51 0 d-------- C:\Program Files\DVD Shrink
2007-04-03 17:47:26 212480 --a------ C:\Windows\PCDLIB32.DLL <Not Verified; Eastman Kodak; Kodak Photo CD Access Developer Toolkit>
2007-04-03 17:47:26 0 d-------- C:\Program Files\ArcSoft
2007-04-03 17:46:37 0 d-------- C:\Users\All Users\EPSON
2007-04-03 17:43:52 495616 --a------ C:\Windows\system32\PICSDK2.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:43:52 73728 --a------ C:\Windows\system32\PICSDK.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:43:52 77824 --a------ C:\Windows\system32\PICEntry.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:43:51 45056 --a------ C:\Windows\system32\EpPicPrt.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:43:51 73220 --a------ C:\Windows\system32\EPPICPrinterDB.dat
2007-04-03 17:43:51 1140 --a------ C:\Windows\system32\EPPICPresetData_PT.dat
2007-04-03 17:43:51 1130 --a------ C:\Windows\system32\EPPICPresetData_FR.dat
2007-04-03 17:43:51 1137 --a------ C:\Windows\system32\EPPICPresetData_ES.dat
2007-04-03 17:43:51 1104 --a------ C:\Windows\system32\EPPICPresetData_EN.dat
2007-04-03 17:43:51 1130 --a------ C:\Windows\system32\EPPICPresetData_CF.dat
2007-04-03 17:43:51 1140 --a------ C:\Windows\system32\EPPICPresetData_BP.dat
2007-04-03 17:43:51 4943 --a------ C:\Windows\system32\EPPICPattern6.dat
2007-04-03 17:43:51 15670 --a------ C:\Windows\system32\EPPICPattern5.dat
2007-04-03 17:43:51 10673 --a------ C:\Windows\system32\EPPICPattern4.dat
2007-04-03 17:43:51 21021 --a------ C:\Windows\system32\EPPICPattern3.dat
2007-04-03 17:43:51 13280 --a------ C:\Windows\system32\EPPICPattern2.dat
2007-04-03 17:43:49 31053 --a------ C:\Windows\system32\EPPICPattern131.dat
2007-04-03 17:43:49 27417 --a------ C:\Windows\system32\EPPICPattern121.dat
2007-04-03 17:43:49 29114 --a------ C:\Windows\system32\EPPICPattern1.dat
2007-04-03 17:43:49 45056 --a------ C:\Windows\system32\EpPicMgr.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:42:43 0 d-------- C:\epson
2007-04-03 17:32:08 0 d-------- C:\Program Files\epson
2007-04-03 17:17:05 22768 --a------ C:\Windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2007-04-03 15:50:49 0 d-------- C:\Windows\Panther
2007-04-03 15:50:32 0 d--hs---- C:\Boot
2007-04-03 15:20:59 0 d-------- C:\Program Files\Avanquest update
2007-04-03 15:19:40 0 d-------- C:\Users\All Users\BVRP Software
2007-04-03 15:19:40 0 d-------- C:\Program Files\Motorola Phone Tools
2007-04-03 15:19:40 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-03 15:17:05 0 d-------- C:\Program Files\Common Files\InstallShield
2007-04-03 14:58:29 0 d------c- C:\Windows\system32\DRVSTORE
2007-04-03 14:58:15 0 d-------- C:\Program Files\MSXML 4.0
2007-04-03 14:55:54 0 d-------- C:\Windows\SoftwareDistribution
2007-04-03 14:54:11 0 d-------- C:\Windows\Debug
2007-04-03 14:51:47 0 d-------- C:\Windows\Prefetch
2007-04-03 14:51:33 0 d--hs---- C:\System Volume Information
2007-04-03 14:45:05 12 --a------ C:\Windows\bthservsdp.dat
2007-04-03 14:39:49 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2007-04-03 14:35:24 0 d-------- C:\Windows\PCHEALTH
2007-04-03 14:35:19 0 d--hs---- C:\Windows\Installer
2007-04-03 14:26:57 0 -rahs---- C:\MSDOS.SYS
2007-04-03 14:26:57 0 -rahs---- C:\IO.SYS
2007-04-03 14:02:33 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Templates
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Start Menu
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\SendTo
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Recent
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\PrintHood
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\NetHood
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\My Documents
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Local Settings
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Cookies
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Application Data
2007-04-03 13:08:48 2359296 --ahs---- C:\Users\Joe\NTUSER.DAT
2007-04-03 13:08:48 0 d--h----- C:\Users\Joe\AppData

-- Find3M Report ---------------------------------------------------------------

2007-04-29 22:53:35 0 d-------- C:\Users\Joe\AppData\Roaming\ieSpell
2007-04-28 17:04:28 0 d-------- C:\Program Files\MSBuild
2007-04-17 23:46:37 0 d-------- C:\Users\Joe\AppData\Roaming\SUPERAntiSpyware.com
2007-04-12 08:10:36 0 d-------- C:\Program Files\Windows Defender
2007-04-12 07:49:56 0 d-------- C:\Program Files\Windows Mail
2007-04-10 14:30:44 0 d-------- C:\Users\Joe\AppData\Roaming\Adobe
2007-04-08 16:48:14 0 d-------- C:\Users\Joe\AppData\Roaming\ArcSoft
2007-04-08 13:37:45 0 d-------- C:\Users\Joe\AppData\Roaming\LimeWire
2007-04-06 14:06:49 0 d-------- C:\Users\Joe\AppData\Roaming\Macromedia
2007-04-06 11:56:06 0 d-------- C:\Users\Joe\AppData\Roaming\Talkback
2007-04-06 11:55:29 0 d-------- C:\Users\Joe\AppData\Roaming\Mozilla
2007-04-03 19:08:14 0 d-------- C:\Users\Joe\AppData\Roaming\Vso
2007-04-03 19:08:14 34 --a------ C:\Users\Joe\AppData\Roaming\pcouffin.log
2007-04-03 19:07:30 7824 --a------ C:\Users\Joe\AppData\Roaming\pcouffin.cat
2007-04-03 19:05:01 0 d-------- C:\Users\Joe\AppData\Roaming\yahoo!
2007-04-03 18:19:40 0 d-------- C:\Users\Joe\AppData\Roaming\ImgBurn
2007-04-03 15:32:37 0 d-------- C:\Users\Joe\AppData\Roaming\InstallShield
2007-04-03 14:57:49 262 --a------ C:\Users\Joe\AppData\Roaming\WinssCookie.txt
2007-04-03 13:09:26 0 d-------- C:\Users\Joe\AppData\Roaming\Identities

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
{36E77F70-0C24-4156-9E0C-356577F51A31} C:\Windows\system32\kjsdhdtj.dll
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll
{6C622D52-0612-414B-A063-105A614D396F} C:\Windows\system32\ddccyxv.dll [x]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"itype"="\"C:\\Program Files\\Microsoft IntelliType Pro\\itype.exe\""
"OneCareUI"="\"C:\\Program Files\\Microsoft Windows OneCare Live\\winssnotify.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"SD_Tips"="iexplore [url="http://www.spywaredetector.net/tips_vista.htm""]http://www.spywaredetector.net/tips_vista.htm"[/url]
"SystemTraySD"="C:\\Program Files\\SpywareDetector\\SDSystemTray.exe -AUTO"
"SDAutoLiveupdate"="C:\\Program Files\\SpywareDetector\\LiveUpdateSD.exe -AUTO"
"GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"ehTray.exe"="C:\\Windows\\ehome\\ehTray.exe"
"YSearchProtection"="C:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=dword:00000002
"ConsentPromptBehaviorUser"=dword:00000001
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000000
"EnableSecureUIAPaths"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"scforceoption"=dword:00000000
"FilterAdministratorToken"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI\Clipboard]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI\Clipboard\ExceptionFormats]
"CF_TEXT"=dword:00000001
"CF_BITMAP"=dword:00000002
"CF_OEMTEXT"=dword:00000007
"CF_DIB"=dword:00000008
"CF_PALETTE"=dword:00000009
"CF_UNICODETEXT"=dword:0000000d
"CF_DIBV5"=dword:00000011

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6C622D52-0612-414B-A063-105A614D396F}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="credssp.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Notification Packages REG_MULTI_SZ scecli\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0\0
Authentication Packages REG_MULTI_SZ msv1_0\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AppInfo
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\KeyIso
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\NTDS
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\OneCareMP
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\ProfSvc
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sacsvr
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SWPRV
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TabletInputService
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TBS
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TrustedInstaller
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\volmgr.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\volmgrx.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ nsi\0lltdsvc\0SSDPSRV\0upnphost\0SCardSvr\0w32time\0EventSystem\0RemoteRegistry\0WinHttpAutoProxySvc\0lanmanworkstation\0TBS\0SLUINotify\0THREADORDER\0fdrespub\0netprofm\0fdphost\0wcncsvc\0QWAVE\0Mcx2Svc\0WebClient\0\0
LocalSystemNetworkRestricted REG_MULTI_SZ hidserv\0UxSms\0WdiSystemHost\0Netman\0trkwks\0AudioEndpointBuilder\0WUDFSvc\0irmon\0sysmain\0IPBusEnum\0dot3svc\0PcaSvc\0EMDMgmt\0TabletInputService\0wlansvc\0WPDBusEnum\0\0
NetworkServiceNetworkRestricted REG_MULTI_SZ PolicyAgent\0\0
LocalServiceNoNetwork REG_MULTI_SZ PLA\0DPS\0BFE\0mpssvc\0ehstart\0\0
NetworkService REG_MULTI_SZ CryptSvc\0DHCP\0TermService\0KtmRm\0DNSCache\0NapAgent\0nlasvc\0WinRM\0WECSVC\0Tapisrv\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WerSvcGroup REG_MULTI_SZ wersvc\0\0
swprv REG_MULTI_SZ swprv\0\0
LocalServiceNetworkRestricted REG_MULTI_SZ DHCP\0eventlog\0AudioSrv\0LmHosts\0wscsvc\0p2pimsvc\0PNRPSvc\0p2psvc\0WPCSvc\0PnrpAutoReg\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
regsvc REG_MULTI_SZ RemoteRegistry\0\0
wcssvc REG_MULTI_SZ WcsPlugInService\0\0
DcomLaunch REG_MULTI_SZ PlugPlay\0DcomLaunch\0\0
wdisvc REG_MULTI_SZ WdiServiceHost\0\0
sdrsvc REG_MULTI_SZ sdrsvc\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
secsvcs REG_MULTI_SZ WinDefend\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WindowsMobile REG_MULTI_SZ wcescomm\0rapimgr\0\0
LocalServiceRestricted REG_MULTI_SZ WcesComm\0RapiMgr\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
AeLookupSvc
wercplsupport
CertPropSvc
SCPolicySvc
gpsvc
IKEEXT
LogonHours
PCAudit
iphlpsvc
AppInfo
msiscsi
MMCSS
ProfSvc
EapHost
SessionEnv
hkmsvc

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b6687acd-e21c-11db-99e3-806e6f6e6963}]
shell\AutoRun\command F:\autorun.exe

-- End of Deckard's System Scanner: finished at 2007-05-01 at 10:23:55 ---------

and my searches are still being hijacked to the yahabags/homepage crap. It,s not quite there yet.

#6
Buckeye_Sam

Posted 01 May 2007 - 12:52 PM

Malware Expert

Member
10,019 posts

This file is still present.

C:\Windows\system32\kjsdhdtj.dll

Delete it with OTMoveIt and then post a new hijackthis log.
Let me know if you are still being redirected.

#7
joebd0

Posted 01 May 2007 - 01:37 PM

New Member

Topic Starter
Member
7 posts

C:\Windows\system32\kjsdhdtj.dll file still there, here are the logs.

OTMoveIT Log

C:\Windows\system32\kjsdhdtj.dll unregistered successfully.
File move failed. C:\Windows\system32\kjsdhdtj.dll scheduled to be moved on reboot.

Created on 05/01/2007 14:26:49

Hijack log.

Deckard's System Scanner v20070426.43
Run by Joe on 2007-05-01 at 14:32:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Joe.exe) -------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:33:07 PM, on 5/1/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Users\Joe\Desktop\dss.exe
D:\Users\Joe\Desktop\HIJACK~1\Joe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36E77F70-0C24-4156-9E0C-356577F51A31} - C:\Windows\system32\kjsdhdtj.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6C622D52-0612-414B-A063-105A614D396F} - C:\Windows\system32\ddccyxv.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SD_Tips] iexplore http://www.spywarede.../tips_vista.htm
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

-- Files created between 2007-04-01 and 2007-05-01 -----------------------------

2007-04-29 22:52:54 0 d-------- C:\Program Files\ieSpell
2007-04-29 02:28:01 24576 --a------ C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2007-04-28 19:03:56 0 d-------- C:\VundoFix Backups
2007-04-28 17:05:44 0 d-------- C:\Program Files\Microsoft Works
2007-04-28 17:00:00 0 d-------- C:\Program Files\Microsoft.NET
2007-04-28 16:41:50 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2007-04-28 16:39:36 0 d-------- C:\Users\All Users\Microsoft Help
2007-04-28 16:36:14 0 dr-h----- C:\MSOCache
2007-04-28 16:30:07 0 d-------- C:\Users\All Users\Office Genuine Advantage
2007-04-17 23:46:43 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2007-04-17 23:46:37 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-04-17 08:58:54 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2007-04-17 08:58:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-16 00:43:46 63 --a------ C:\Windows\system\SysSD.dll
2007-04-16 00:43:19 1011712 --a------ C:\Windows\system32\VchReg.dll <Not Verified; Max Secure Software; Voucher Registration>
2007-04-16 00:43:19 270336 --a------ C:\Windows\system32\CheckDll.dll <Not Verified; Max Secure Software; Spyware Detector>
2007-04-16 00:43:17 0 d-------- C:\Program Files\SpywareDetector
2007-04-15 20:31:12 0 d-------- C:\Program Files\Lavasoft
2007-04-15 14:54:33 0 d-------- C:\Users\Joe\.housecall6.6
2007-04-15 14:44:42 0 d-------- C:\Users\All Users\CA
2007-04-15 14:44:31 0 d-------- C:\Program Files\Common Files\Scanner
2007-04-15 13:57:45 996 --a------ C:\Windows\system32\BlockedCookies
2007-04-15 13:51:31 86016 --a------ C:\Windows\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2007-04-15 13:50:01 0 d-------- C:\Program Files\PrvDef4.0
2007-04-15 10:22:56 0 d-------- C:\Windows\BDOSCAN8
2007-04-13 22:17:16 125460 --a------ C:\Windows\system32\kjsdhdtj.dll
2007-04-10 14:06:39 0 dr------- C:\Users\Joe\Documents
2007-04-10 14:05:41 0 d-------- C:\Users\All Users\Adobe
2007-04-10 14:05:23 0 d-------- C:\Program Files\Common Files\Adobe
2007-04-06 11:58:35 1168 --a------ C:\Windows\mozver.dat
2007-04-06 11:55:36 0 --a------ C:\Windows\nsreg.dat
2007-04-05 16:02:18 0 d-------- C:\Windows\Sun
2007-04-03 19:08:13 0 d-------- C:\Users\Public\Application Data
2007-04-03 18:50:33 0 d-------- C:\Users\All Users\Yahoo! Companion
2007-04-03 18:49:56 0 d-------- C:\Windows\system32\Macromed
2007-04-03 18:49:09 0 d-------- C:\Users\All Users\yahoo!
2007-04-03 18:46:18 0 d-------- C:\Program Files\MSN Messenger
2007-04-03 18:44:14 0 d-------- C:\Program Files\Yahoo!
2007-04-03 18:35:54 2936832 --a------ C:\Windows\system32\MA2_6.scr
2007-04-03 18:16:09 0 d-------- C:\Program Files\Java
2007-04-03 18:15:53 0 d-------- C:\Program Files\Common Files\Java
2007-04-03 18:14:55 0 d-------- C:\Users\All Users\DVD Shrink
2007-04-03 18:14:54 0 d-------- C:\Users\Joe\Desktop
2007-04-03 18:14:51 0 d-------- C:\Program Files\DVD Shrink
2007-04-03 17:47:26 212480 --a------ C:\Windows\PCDLIB32.DLL <Not Verified; Eastman Kodak; Kodak Photo CD Access Developer Toolkit>
2007-04-03 17:47:26 0 d-------- C:\Program Files\ArcSoft
2007-04-03 17:46:37 0 d-------- C:\Users\All Users\EPSON
2007-04-03 17:43:52 495616 --a------ C:\Windows\system32\PICSDK2.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:43:52 73728 --a------ C:\Windows\system32\PICSDK.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:43:52 77824 --a------ C:\Windows\system32\PICEntry.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:43:51 45056 --a------ C:\Windows\system32\EpPicPrt.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:43:51 73220 --a------ C:\Windows\system32\EPPICPrinterDB.dat
2007-04-03 17:43:51 1140 --a------ C:\Windows\system32\EPPICPresetData_PT.dat
2007-04-03 17:43:51 1130 --a------ C:\Windows\system32\EPPICPresetData_FR.dat
2007-04-03 17:43:51 1137 --a------ C:\Windows\system32\EPPICPresetData_ES.dat
2007-04-03 17:43:51 1104 --a------ C:\Windows\system32\EPPICPresetData_EN.dat
2007-04-03 17:43:51 1130 --a------ C:\Windows\system32\EPPICPresetData_CF.dat
2007-04-03 17:43:51 1140 --a------ C:\Windows\system32\EPPICPresetData_BP.dat
2007-04-03 17:43:51 4943 --a------ C:\Windows\system32\EPPICPattern6.dat
2007-04-03 17:43:51 15670 --a------ C:\Windows\system32\EPPICPattern5.dat
2007-04-03 17:43:51 10673 --a------ C:\Windows\system32\EPPICPattern4.dat
2007-04-03 17:43:51 21021 --a------ C:\Windows\system32\EPPICPattern3.dat
2007-04-03 17:43:51 13280 --a------ C:\Windows\system32\EPPICPattern2.dat
2007-04-03 17:43:49 31053 --a------ C:\Windows\system32\EPPICPattern131.dat
2007-04-03 17:43:49 27417 --a------ C:\Windows\system32\EPPICPattern121.dat
2007-04-03 17:43:49 29114 --a------ C:\Windows\system32\EPPICPattern1.dat
2007-04-03 17:43:49 45056 --a------ C:\Windows\system32\EpPicMgr.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:42:43 0 d-------- C:\epson
2007-04-03 17:32:08 0 d-------- C:\Program Files\epson
2007-04-03 17:17:05 22768 --a------ C:\Windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2007-04-03 15:50:49 0 d-------- C:\Windows\Panther
2007-04-03 15:50:32 0 d--hs---- C:\Boot
2007-04-03 15:20:59 0 d-------- C:\Program Files\Avanquest update
2007-04-03 15:19:40 0 d-------- C:\Users\All Users\BVRP Software
2007-04-03 15:19:40 0 d-------- C:\Program Files\Motorola Phone Tools
2007-04-03 15:19:40 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-03 15:17:05 0 d-------- C:\Program Files\Common Files\InstallShield
2007-04-03 14:58:29 0 d------c- C:\Windows\system32\DRVSTORE
2007-04-03 14:58:15 0 d-------- C:\Program Files\MSXML 4.0
2007-04-03 14:55:54 0 d-------- C:\Windows\SoftwareDistribution
2007-04-03 14:54:11 0 d-------- C:\Windows\Debug
2007-04-03 14:51:47 0 d-------- C:\Windows\Prefetch
2007-04-03 14:51:33 0 d--hs---- C:\System Volume Information
2007-04-03 14:45:05 12 --a------ C:\Windows\bthservsdp.dat
2007-04-03 14:39:49 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2007-04-03 14:35:24 0 d-------- C:\Windows\PCHEALTH
2007-04-03 14:35:19 0 d--hs---- C:\Windows\Installer
2007-04-03 14:26:57 0 -rahs---- C:\MSDOS.SYS
2007-04-03 14:26:57 0 -rahs---- C:\IO.SYS
2007-04-03 14:02:33 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Templates
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Start Menu
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\SendTo
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Recent
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\PrintHood
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\NetHood
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\My Documents
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Local Settings
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Cookies
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Application Data
2007-04-03 13:08:48 2359296 --ahs---- C:\Users\Joe\NTUSER.DAT
2007-04-03 13:08:48 0 d--h----- C:\Users\Joe\AppData

-- Find3M Report ---------------------------------------------------------------

2007-04-29 22:53:35 0 d-------- C:\Users\Joe\AppData\Roaming\ieSpell
2007-04-28 17:04:28 0 d-------- C:\Program Files\MSBuild
2007-04-17 23:46:37 0 d-------- C:\Users\Joe\AppData\Roaming\SUPERAntiSpyware.com
2007-04-12 08:10:36 0 d-------- C:\Program Files\Windows Defender
2007-04-12 07:49:56 0 d-------- C:\Program Files\Windows Mail
2007-04-10 14:30:44 0 d-------- C:\Users\Joe\AppData\Roaming\Adobe
2007-04-08 16:48:14 0 d-------- C:\Users\Joe\AppData\Roaming\ArcSoft
2007-04-08 13:37:45 0 d-------- C:\Users\Joe\AppData\Roaming\LimeWire
2007-04-06 14:06:49 0 d-------- C:\Users\Joe\AppData\Roaming\Macromedia
2007-04-06 11:56:06 0 d-------- C:\Users\Joe\AppData\Roaming\Talkback
2007-04-06 11:55:29 0 d-------- C:\Users\Joe\AppData\Roaming\Mozilla
2007-04-03 19:08:14 0 d-------- C:\Users\Joe\AppData\Roaming\Vso
2007-04-03 19:08:14 34 --a------ C:\Users\Joe\AppData\Roaming\pcouffin.log
2007-04-03 19:07:30 7824 --a------ C:\Users\Joe\AppData\Roaming\pcouffin.cat
2007-04-03 19:05:01 0 d-------- C:\Users\Joe\AppData\Roaming\yahoo!
2007-04-03 18:19:40 0 d-------- C:\Users\Joe\AppData\Roaming\ImgBurn
2007-04-03 15:32:37 0 d-------- C:\Users\Joe\AppData\Roaming\InstallShield
2007-04-03 14:57:49 262 --a------ C:\Users\Joe\AppData\Roaming\WinssCookie.txt
2007-04-03 13:09:26 0 d-------- C:\Users\Joe\AppData\Roaming\Identities

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
{36E77F70-0C24-4156-9E0C-356577F51A31} C:\Windows\system32\kjsdhdtj.dll
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll
{6C622D52-0612-414B-A063-105A614D396F} C:\Windows\system32\ddccyxv.dll [x]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"itype"="\"C:\\Program Files\\Microsoft IntelliType Pro\\itype.exe\""
"OneCareUI"="\"C:\\Program Files\\Microsoft Windows OneCare Live\\winssnotify.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"SD_Tips"="iexplore [url="http://www.spywaredetector.net/tips_vista.htm""]http://www.spywaredetector.net/tips_vista.htm"[/url]
"SystemTraySD"="C:\\Program Files\\SpywareDetector\\SDSystemTray.exe -AUTO"
"SDAutoLiveupdate"="C:\\Program Files\\SpywareDetector\\LiveUpdateSD.exe -AUTO"
"GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"ehTray.exe"="C:\\Windows\\ehome\\ehTray.exe"
"YSearchProtection"="C:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=dword:00000002
"ConsentPromptBehaviorUser"=dword:00000001
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000000
"EnableSecureUIAPaths"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"scforceoption"=dword:00000000
"FilterAdministratorToken"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI\Clipboard]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI\Clipboard\ExceptionFormats]
"CF_TEXT"=dword:00000001
"CF_BITMAP"=dword:00000002
"CF_OEMTEXT"=dword:00000007
"CF_DIB"=dword:00000008
"CF_PALETTE"=dword:00000009
"CF_UNICODETEXT"=dword:0000000d
"CF_DIBV5"=dword:00000011

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6C622D52-0612-414B-A063-105A614D396F}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="credssp.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Notification Packages REG_MULTI_SZ scecli\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0\0
Authentication Packages REG_MULTI_SZ msv1_0\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AppInfo
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\KeyIso
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\NTDS
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\OneCareMP
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\ProfSvc
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sacsvr
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SWPRV
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TabletInputService
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TBS
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TrustedInstaller
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\volmgr.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\volmgrx.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ nsi\0lltdsvc\0SSDPSRV\0upnphost\0SCardSvr\0w32time\0EventSystem\0RemoteRegistry\0WinHttpAutoProxySvc\0lanmanworkstation\0TBS\0SLUINotify\0THREADORDER\0fdrespub\0netprofm\0fdphost\0wcncsvc\0QWAVE\0Mcx2Svc\0WebClient\0\0
LocalSystemNetworkRestricted REG_MULTI_SZ hidserv\0UxSms\0WdiSystemHost\0Netman\0trkwks\0AudioEndpointBuilder\0WUDFSvc\0irmon\0sysmain\0IPBusEnum\0dot3svc\0PcaSvc\0EMDMgmt\0TabletInputService\0wlansvc\0WPDBusEnum\0\0
NetworkServiceNetworkRestricted REG_MULTI_SZ PolicyAgent\0\0
LocalServiceNoNetwork REG_MULTI_SZ PLA\0DPS\0BFE\0mpssvc\0ehstart\0\0
NetworkService REG_MULTI_SZ CryptSvc\0DHCP\0TermService\0KtmRm\0DNSCache\0NapAgent\0nlasvc\0WinRM\0WECSVC\0Tapisrv\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WerSvcGroup REG_MULTI_SZ wersvc\0\0
swprv REG_MULTI_SZ swprv\0\0
LocalServiceNetworkRestricted REG_MULTI_SZ DHCP\0eventlog\0AudioSrv\0LmHosts\0wscsvc\0p2pimsvc\0PNRPSvc\0p2psvc\0WPCSvc\0PnrpAutoReg\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
regsvc REG_MULTI_SZ RemoteRegistry\0\0
wcssvc REG_MULTI_SZ WcsPlugInService\0\0
DcomLaunch REG_MULTI_SZ PlugPlay\0DcomLaunch\0\0
wdisvc REG_MULTI_SZ WdiServiceHost\0\0
sdrsvc REG_MULTI_SZ sdrsvc\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
secsvcs REG_MULTI_SZ WinDefend\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WindowsMobile REG_MULTI_SZ wcescomm\0rapimgr\0\0
LocalServiceRestricted REG_MULTI_SZ WcesComm\0RapiMgr\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
AeLookupSvc
wercplsupport
CertPropSvc
SCPolicySvc
gpsvc
IKEEXT
LogonHours
PCAudit
iphlpsvc
AppInfo
msiscsi
MMCSS
ProfSvc
EapHost
SessionEnv
hkmsvc

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b6687acd-e21c-11db-99e3-806e6f6e6963}]
shell\AutoRun\command F:\autorun.exe

-- End of Deckard's System Scanner: finished at 2007-05-01 at 14:33:42 ---------

#8
joebd0

Posted 02 May 2007 - 07:53 AM

New Member

Topic Starter
Member
7 posts

Hey Sam I don't know how exacyly but I think it is gone, here is the log.

Deckard's System Scanner v20070426.43
Run by Joe on 2007-05-02 at 08:51:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Joe.exe) -------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:51:41 AM, on 5/2/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\SearchFilterHost.exe
D:\Users\Joe\Desktop\dss.exe
D:\Users\Joe\Desktop\HIJACK~1\Joe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36E77F70-0C24-4156-9E0C-356577F51A31} - C:\Windows\system32\kjsdhdtj.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6C622D52-0612-414B-A063-105A614D396F} - C:\Windows\system32\ddccyxv.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SD_Tips] iexplore http://www.spywarede.../tips_vista.htm
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

-- Files created between 2007-04-02 and 2007-05-02 -----------------------------

2007-05-01 19:08:12 0 d-------- C:\Program Files\PC MightyMax
2007-05-01 19:08:00 0 d-------- C:\Windows\Downloaded Installations
2007-05-01 16:14:19 0 d-------- C:\Windows\pss
2007-05-01 14:55:59 0 d-------- C:\VundoFix Backups
2007-04-29 22:52:54 0 d-------- C:\Program Files\ieSpell
2007-04-29 02:28:01 24576 --a------ C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2007-04-28 17:05:44 0 d-------- C:\Program Files\Microsoft Works
2007-04-28 17:00:00 0 d-------- C:\Program Files\Microsoft.NET
2007-04-28 16:41:50 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2007-04-28 16:39:36 0 d-------- C:\Users\All Users\Microsoft Help
2007-04-28 16:36:14 0 dr-h----- C:\MSOCache
2007-04-28 16:30:07 0 d-------- C:\Users\All Users\Office Genuine Advantage
2007-04-17 23:46:43 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2007-04-17 23:46:37 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-04-17 08:58:54 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2007-04-17 08:58:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-16 00:43:46 63 --a------ C:\Windows\system\SysSD.dll
2007-04-16 00:43:19 1011712 --a------ C:\Windows\system32\VchReg.dll <Not Verified; Max Secure Software; Voucher Registration>
2007-04-16 00:43:19 270336 --a------ C:\Windows\system32\CheckDll.dll <Not Verified; Max Secure Software; Spyware Detector>
2007-04-16 00:43:17 0 d-------- C:\Program Files\SpywareDetector
2007-04-15 20:31:12 0 d-------- C:\Program Files\Lavasoft
2007-04-15 14:54:33 0 d-------- C:\Users\Joe\.housecall6.6
2007-04-15 14:44:42 0 d-------- C:\Users\All Users\CA
2007-04-15 14:44:31 0 d-------- C:\Program Files\Common Files\Scanner
2007-04-15 13:57:45 996 --a------ C:\Windows\system32\BlockedCookies
2007-04-15 13:51:31 86016 --a------ C:\Windows\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2007-04-15 13:50:01 0 d-------- C:\Program Files\PrvDef4.0
2007-04-15 10:22:56 0 d-------- C:\Windows\BDOSCAN8
2007-04-10 14:06:39 0 dr------- C:\Users\Joe\Documents
2007-04-10 14:05:41 0 d-------- C:\Users\All Users\Adobe
2007-04-10 14:05:23 0 d-------- C:\Program Files\Common Files\Adobe
2007-04-06 11:58:35 1168 --a------ C:\Windows\mozver.dat
2007-04-06 11:55:36 0 --a------ C:\Windows\nsreg.dat
2007-04-05 16:02:18 0 d-------- C:\Windows\Sun
2007-04-03 19:08:13 0 d-------- C:\Users\Public\Application Data
2007-04-03 18:50:33 0 d-------- C:\Users\All Users\Yahoo! Companion
2007-04-03 18:49:56 0 d-------- C:\Windows\system32\Macromed
2007-04-03 18:49:09 0 d-------- C:\Users\All Users\yahoo!
2007-04-03 18:46:18 0 d-------- C:\Program Files\MSN Messenger
2007-04-03 18:44:14 0 d-------- C:\Program Files\Yahoo!
2007-04-03 18:35:54 2936832 --a------ C:\Windows\system32\MA2_6.scr
2007-04-03 18:16:09 0 d-------- C:\Program Files\Java
2007-04-03 18:15:53 0 d-------- C:\Program Files\Common Files\Java
2007-04-03 18:14:55 0 d-------- C:\Users\All Users\DVD Shrink
2007-04-03 18:14:54 0 d-------- C:\Users\Joe\Desktop
2007-04-03 18:14:51 0 d-------- C:\Program Files\DVD Shrink
2007-04-03 17:47:26 212480 --a------ C:\Windows\PCDLIB32.DLL <Not Verified; Eastman Kodak; Kodak Photo CD Access Developer Toolkit>
2007-04-03 17:47:26 0 d-------- C:\Program Files\ArcSoft
2007-04-03 17:46:37 0 d-------- C:\Users\All Users\EPSON
2007-04-03 17:43:52 495616 --a------ C:\Windows\system32\PICSDK2.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:43:52 73728 --a------ C:\Windows\system32\PICSDK.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:43:52 77824 --a------ C:\Windows\system32\PICEntry.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:43:51 45056 --a------ C:\Windows\system32\EpPicPrt.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:43:51 73220 --a------ C:\Windows\system32\EPPICPrinterDB.dat
2007-04-03 17:43:51 1140 --a------ C:\Windows\system32\EPPICPresetData_PT.dat
2007-04-03 17:43:51 1130 --a------ C:\Windows\system32\EPPICPresetData_FR.dat
2007-04-03 17:43:51 1137 --a------ C:\Windows\system32\EPPICPresetData_ES.dat
2007-04-03 17:43:51 1104 --a------ C:\Windows\system32\EPPICPresetData_EN.dat
2007-04-03 17:43:51 1130 --a------ C:\Windows\system32\EPPICPresetData_CF.dat
2007-04-03 17:43:51 1140 --a------ C:\Windows\system32\EPPICPresetData_BP.dat
2007-04-03 17:43:51 4943 --a------ C:\Windows\system32\EPPICPattern6.dat
2007-04-03 17:43:51 15670 --a------ C:\Windows\system32\EPPICPattern5.dat
2007-04-03 17:43:51 10673 --a------ C:\Windows\system32\EPPICPattern4.dat
2007-04-03 17:43:51 21021 --a------ C:\Windows\system32\EPPICPattern3.dat
2007-04-03 17:43:51 13280 --a------ C:\Windows\system32\EPPICPattern2.dat
2007-04-03 17:43:49 31053 --a------ C:\Windows\system32\EPPICPattern131.dat
2007-04-03 17:43:49 27417 --a------ C:\Windows\system32\EPPICPattern121.dat
2007-04-03 17:43:49 29114 --a------ C:\Windows\system32\EPPICPattern1.dat
2007-04-03 17:43:49 45056 --a------ C:\Windows\system32\EpPicMgr.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:42:43 0 d-------- C:\epson
2007-04-03 17:32:08 0 d-------- C:\Program Files\epson
2007-04-03 17:17:05 22768 --a------ C:\Windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2007-04-03 15:50:49 0 d-------- C:\Windows\Panther
2007-04-03 15:50:32 0 d--hs---- C:\Boot
2007-04-03 15:20:59 0 d-------- C:\Program Files\Avanquest update
2007-04-03 15:19:40 0 d-------- C:\Users\All Users\BVRP Software
2007-04-03 15:19:40 0 d-------- C:\Program Files\Motorola Phone Tools
2007-04-03 15:19:40 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-03 15:17:05 0 d-------- C:\Program Files\Common Files\InstallShield
2007-04-03 14:58:29 0 d------c- C:\Windows\system32\DRVSTORE
2007-04-03 14:58:15 0 d-------- C:\Program Files\MSXML 4.0
2007-04-03 14:55:54 0 d-------- C:\Windows\SoftwareDistribution
2007-04-03 14:54:11 0 d-------- C:\Windows\Debug
2007-04-03 14:51:47 0 d-------- C:\Windows\Prefetch
2007-04-03 14:51:33 0 d--hs---- C:\System Volume Information
2007-04-03 14:45:05 12 --a------ C:\Windows\bthservsdp.dat
2007-04-03 14:39:49 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2007-04-03 14:35:24 0 d-------- C:\Windows\PCHEALTH
2007-04-03 14:35:19 0 d--hs---- C:\Windows\Installer
2007-04-03 14:26:57 0 -rahs---- C:\MSDOS.SYS
2007-04-03 14:26:57 0 -rahs---- C:\IO.SYS
2007-04-03 14:02:33 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Templates
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Start Menu
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\SendTo
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Recent
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\PrintHood
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\NetHood
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\My Documents
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Local Settings
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Cookies
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Application Data
2007-04-03 13:08:48 2359296 --ahs---- C:\Users\Joe\NTUSER.DAT
2007-04-03 13:08:48 0 d--h----- C:\Users\Joe\AppData

-- Find3M Report ---------------------------------------------------------------

2007-04-29 22:53:35 0 d-------- C:\Users\Joe\AppData\Roaming\ieSpell
2007-04-28 17:04:28 0 d-------- C:\Program Files\MSBuild
2007-04-17 23:46:37 0 d-------- C:\Users\Joe\AppData\Roaming\SUPERAntiSpyware.com
2007-04-12 08:10:36 0 d-------- C:\Program Files\Windows Defender
2007-04-12 07:49:56 0 d-------- C:\Program Files\Windows Mail
2007-04-10 14:30:44 0 d-------- C:\Users\Joe\AppData\Roaming\Adobe
2007-04-08 16:48:14 0 d-------- C:\Users\Joe\AppData\Roaming\ArcSoft
2007-04-08 13:37:45 0 d-------- C:\Users\Joe\AppData\Roaming\LimeWire
2007-04-06 14:06:49 0 d-------- C:\Users\Joe\AppData\Roaming\Macromedia
2007-04-06 11:56:06 0 d-------- C:\Users\Joe\AppData\Roaming\Talkback
2007-04-06 11:55:29 0 d-------- C:\Users\Joe\AppData\Roaming\Mozilla
2007-04-03 19:08:14 0 d-------- C:\Users\Joe\AppData\Roaming\Vso
2007-04-03 19:08:14 34 --a------ C:\Users\Joe\AppData\Roaming\pcouffin.log
2007-04-03 19:07:30 7824 --a------ C:\Users\Joe\AppData\Roaming\pcouffin.cat
2007-04-03 19:05:01 0 d-------- C:\Users\Joe\AppData\Roaming\yahoo!
2007-04-03 18:19:40 0 d-------- C:\Users\Joe\AppData\Roaming\ImgBurn
2007-04-03 15:32:37 0 d-------- C:\Users\Joe\AppData\Roaming\InstallShield
2007-04-03 14:57:49 262 --a------ C:\Users\Joe\AppData\Roaming\WinssCookie.txt
2007-04-03 13:09:26 0 d-------- C:\Users\Joe\AppData\Roaming\Identities

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
{36E77F70-0C24-4156-9E0C-356577F51A31} C:\Windows\system32\kjsdhdtj.dll [x]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll
{6C622D52-0612-414B-A063-105A614D396F} C:\Windows\system32\ddccyxv.dll [x]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"SD_Tips"="iexplore [url="http://www.spywaredetector.net/tips_vista.htm""]http://www.spywaredetector.net/tips_vista.htm"[/url]
"OneCareUI"="\"C:\\Program Files\\Microsoft Windows OneCare Live\\winssnotify.exe\""
"itype"="\"C:\\Program Files\\Microsoft IntelliType Pro\\itype.exe\""
"GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"YSearchProtection"="C:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ehTray.exe"="C:\\Windows\\ehome\\ehTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=dword:00000002
"ConsentPromptBehaviorUser"=dword:00000001
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000000
"EnableSecureUIAPaths"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"scforceoption"=dword:00000000
"FilterAdministratorToken"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI\Clipboard]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI\Clipboard\ExceptionFormats]
"CF_TEXT"=dword:00000001
"CF_BITMAP"=dword:00000002
"CF_OEMTEXT"=dword:00000007
"CF_DIB"=dword:00000008
"CF_PALETTE"=dword:00000009
"CF_UNICODETEXT"=dword:0000000d
"CF_DIBV5"=dword:00000011

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6C622D52-0612-414B-A063-105A614D396F}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="credssp.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Notification Packages REG_MULTI_SZ scecli\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0\0
Authentication Packages REG_MULTI_SZ msv1_0\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AppInfo
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\KeyIso
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\NTDS
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\OneCareMP
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\ProfSvc
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sacsvr
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SWPRV
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TabletInputService
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TBS
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TrustedInstaller
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\volmgr.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\volmgrx.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDAutoLiveupdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SDAutoLiveupdate"
"hkey"="HKLM"
"command"="C:\\Program Files\\SpywareDetector\\LiveUpdateSD.exe -AUTO"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:00000005
"DAY"=dword:00000001
"HOUR"=dword:00000010
"MINUTE"=dword:0000000e
"SECOND"=dword:00000014

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SUPERAntiSpyware"
"hkey"="HKCU"
"command"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:00000005
"DAY"=dword:00000001
"HOUR"=dword:00000010
"MINUTE"=dword:0000000e
"SECOND"=dword:00000014

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTraySD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SystemTraySD"
"hkey"="HKLM"
"command"="C:\\Program Files\\SpywareDetector\\SDSystemTray.exe -AUTO"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:00000005
"DAY"=dword:00000001
"HOUR"=dword:00000010
"MINUTE"=dword:0000000e
"SECOND"=dword:00000014

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\AVG Anti-Spyware Guard]
"AVG Anti-Spyware Guard"=dword:00000002
"YEAR"=dword:000007d7
"MONTH"=dword:00000005
"DAY"=dword:00000001
"HOUR"=dword:00000010
"MINUTE"=dword:0000000e
"SECOND"=dword:00000014

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\SDService]
"SDService"=dword:00000002
"YEAR"=dword:000007d7
"MONTH"=dword:00000005
"DAY"=dword:00000001
"HOUR"=dword:00000010
"MINUTE"=dword:0000000e
"SECOND"=dword:00000013

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\VundoFixSvc]
"VundoFixSvc"=dword:00000003
"YEAR"=dword:000007d7
"MONTH"=dword:00000005
"DAY"=dword:00000001
"HOUR"=dword:00000010
"MINUTE"=dword:0000000e
"SECOND"=dword:00000013

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ nsi\0lltdsvc\0SSDPSRV\0upnphost\0SCardSvr\0w32time\0EventSystem\0RemoteRegistry\0WinHttpAutoProxySvc\0lanmanworkstation\0TBS\0SLUINotify\0THREADORDER\0fdrespub\0netprofm\0fdphost\0wcncsvc\0QWAVE\0Mcx2Svc\0WebClient\0\0
LocalSystemNetworkRestricted REG_MULTI_SZ hidserv\0UxSms\0WdiSystemHost\0Netman\0trkwks\0AudioEndpointBuilder\0WUDFSvc\0irmon\0sysmain\0IPBusEnum\0dot3svc\0PcaSvc\0EMDMgmt\0TabletInputService\0wlansvc\0WPDBusEnum\0\0
NetworkServiceNetworkRestricted REG_MULTI_SZ PolicyAgent\0\0
LocalServiceNoNetwork REG_MULTI_SZ PLA\0DPS\0BFE\0mpssvc\0ehstart\0\0
NetworkService REG_MULTI_SZ CryptSvc\0DHCP\0TermService\0KtmRm\0DNSCache\0NapAgent\0nlasvc\0WinRM\0WECSVC\0Tapisrv\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WerSvcGroup REG_MULTI_SZ wersvc\0\0
swprv REG_MULTI_SZ swprv\0\0
LocalServiceNetworkRestricted REG_MULTI_SZ DHCP\0eventlog\0AudioSrv\0LmHosts\0wscsvc\0p2pimsvc\0PNRPSvc\0p2psvc\0WPCSvc\0PnrpAutoReg\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
regsvc REG_MULTI_SZ RemoteRegistry\0\0
wcssvc REG_MULTI_SZ WcsPlugInService\0\0
DcomLaunch REG_MULTI_SZ PlugPlay\0DcomLaunch\0\0
wdisvc REG_MULTI_SZ WdiServiceHost\0\0
sdrsvc REG_MULTI_SZ sdrsvc\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
secsvcs REG_MULTI_SZ WinDefend\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WindowsMobile REG_MULTI_SZ wcescomm\0rapimgr\0\0
LocalServiceRestricted REG_MULTI_SZ WcesComm\0RapiMgr\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
AeLookupSvc
wercplsupport
CertPropSvc
SCPolicySvc
gpsvc
IKEEXT
LogonHours
PCAudit
iphlpsvc
AppInfo
msiscsi
MMCSS
ProfSvc
EapHost
SessionEnv
hkmsvc

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b6687acd-e21c-11db-99e3-806e6f6e6963}]
shell\AutoRun\command F:\autorun.exe

-- End of Deckard's System Scanner: finished at 2007-05-02 at 08:52:39 ---------

#9
Buckeye_Sam

Posted 02 May 2007 - 12:03 PM

Malware Expert

Member
10,019 posts

Indeed it is! :whistling:

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
RR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {36E77F70-0C24-4156-9E0C-356577F51A31} - C:\Windows\system32\kjsdhdtj.dll (file missing)
O2 - BHO: (no name) - {6C622D52-0612-414B-A063-105A614D396F} - C:\Windows\system32\ddccyxv.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Reboot and post a new hijackthis log.
Let me know how everything is working now.

#10
joebd0

Posted 02 May 2007 - 05:38 PM

New Member

Topic Starter
Member
7 posts

her it is

Deckard's System Scanner v20070426.43
Run by Joe on 2007-05-02 at 18:35:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Joe.exe) -------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:35:53 PM, on 5/2/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Users\Joe\Desktop\dss.exe
D:\Users\Joe\Desktop\HIJACK~1\Joe.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

-- Files created between 2007-04-02 and 2007-05-02 -----------------------------

2007-05-02 15:07:13 0 d-------- C:\Users\Joe\Contacts
2007-05-02 14:27:01 0 d-------- C:\Program Files\Microsoft Money 2007
2007-05-01 19:08:12 0 d-------- C:\Program Files\PC MightyMax
2007-05-01 19:08:00 0 d-------- C:\Windows\Downloaded Installations
2007-05-01 16:14:19 0 d-------- C:\Windows\pss
2007-05-01 14:55:59 0 d-------- C:\VundoFix Backups
2007-04-29 22:52:54 0 d-------- C:\Program Files\ieSpell
2007-04-29 02:28:01 24576 --a------ C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2007-04-28 17:05:44 0 d-------- C:\Program Files\Microsoft Works
2007-04-28 17:00:00 0 d-------- C:\Program Files\Microsoft.NET
2007-04-28 16:41:50 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2007-04-28 16:39:36 0 d-------- C:\Users\All Users\Microsoft Help
2007-04-28 16:36:14 0 dr-h----- C:\MSOCache
2007-04-28 16:30:07 0 d-------- C:\Users\All Users\Office Genuine Advantage
2007-04-17 23:46:43 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2007-04-17 23:46:37 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-04-17 08:58:54 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2007-04-17 08:58:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-16 00:43:46 63 --a------ C:\Windows\system\SysSD.dll
2007-04-16 00:43:19 1011712 --a------ C:\Windows\system32\VchReg.dll <Not Verified; Max Secure Software; Voucher Registration>
2007-04-16 00:43:19 270336 --a------ C:\Windows\system32\CheckDll.dll <Not Verified; Max Secure Software; Spyware Detector>
2007-04-16 00:43:17 0 d-------- C:\Program Files\SpywareDetector
2007-04-15 20:31:12 0 d-------- C:\Program Files\Lavasoft
2007-04-15 14:54:33 0 d-------- C:\Users\Joe\.housecall6.6
2007-04-15 14:44:42 0 d-------- C:\Users\All Users\CA
2007-04-15 14:44:31 0 d-------- C:\Program Files\Common Files\Scanner
2007-04-15 13:57:45 996 --a------ C:\Windows\system32\BlockedCookies
2007-04-15 13:51:31 86016 --a------ C:\Windows\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2007-04-15 13:50:01 0 d-------- C:\Program Files\PrvDef4.0
2007-04-15 10:22:56 0 d-------- C:\Windows\BDOSCAN8
2007-04-10 14:06:39 0 dr------- C:\Users\Joe\Documents
2007-04-10 14:05:41 0 d-------- C:\Users\All Users\Adobe
2007-04-10 14:05:23 0 d-------- C:\Program Files\Common Files\Adobe
2007-04-06 11:58:35 1168 --a------ C:\Windows\mozver.dat
2007-04-06 11:55:36 0 --a------ C:\Windows\nsreg.dat
2007-04-05 16:02:18 0 d-------- C:\Windows\Sun
2007-04-03 19:08:13 0 d-------- C:\Users\Public\Application Data
2007-04-03 18:50:33 0 d-------- C:\Users\All Users\Yahoo! Companion
2007-04-03 18:49:56 0 d-------- C:\Windows\system32\Macromed
2007-04-03 18:49:09 0 d-------- C:\Users\All Users\yahoo!
2007-04-03 18:46:18 0 d-------- C:\Program Files\MSN Messenger
2007-04-03 18:44:14 0 d-------- C:\Program Files\Yahoo!
2007-04-03 18:35:54 2936832 --a------ C:\Windows\system32\MA2_6.scr
2007-04-03 18:16:09 0 d-------- C:\Program Files\Java
2007-04-03 18:15:53 0 d-------- C:\Program Files\Common Files\Java
2007-04-03 18:14:55 0 d-------- C:\Users\All Users\DVD Shrink
2007-04-03 18:14:54 0 d-------- C:\Users\Joe\Desktop
2007-04-03 18:14:51 0 d-------- C:\Program Files\DVD Shrink
2007-04-03 17:47:26 212480 --a------ C:\Windows\PCDLIB32.DLL <Not Verified; Eastman Kodak; Kodak Photo CD Access Developer Toolkit>
2007-04-03 17:47:26 0 d-------- C:\Program Files\ArcSoft
2007-04-03 17:46:37 0 d-------- C:\Users\All Users\EPSON
2007-04-03 17:43:52 495616 --a------ C:\Windows\system32\PICSDK2.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:43:52 73728 --a------ C:\Windows\system32\PICSDK.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:43:52 77824 --a------ C:\Windows\system32\PICEntry.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:43:51 45056 --a------ C:\Windows\system32\EpPicPrt.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:43:51 73220 --a------ C:\Windows\system32\EPPICPrinterDB.dat
2007-04-03 17:43:51 1140 --a------ C:\Windows\system32\EPPICPresetData_PT.dat
2007-04-03 17:43:51 1130 --a------ C:\Windows\system32\EPPICPresetData_FR.dat
2007-04-03 17:43:51 1137 --a------ C:\Windows\system32\EPPICPresetData_ES.dat
2007-04-03 17:43:51 1104 --a------ C:\Windows\system32\EPPICPresetData_EN.dat
2007-04-03 17:43:51 1130 --a------ C:\Windows\system32\EPPICPresetData_CF.dat
2007-04-03 17:43:51 1140 --a------ C:\Windows\system32\EPPICPresetData_BP.dat
2007-04-03 17:43:51 4943 --a------ C:\Windows\system32\EPPICPattern6.dat
2007-04-03 17:43:51 15670 --a------ C:\Windows\system32\EPPICPattern5.dat
2007-04-03 17:43:51 10673 --a------ C:\Windows\system32\EPPICPattern4.dat
2007-04-03 17:43:51 21021 --a------ C:\Windows\system32\EPPICPattern3.dat
2007-04-03 17:43:51 13280 --a------ C:\Windows\system32\EPPICPattern2.dat
2007-04-03 17:43:49 31053 --a------ C:\Windows\system32\EPPICPattern131.dat
2007-04-03 17:43:49 27417 --a------ C:\Windows\system32\EPPICPattern121.dat
2007-04-03 17:43:49 29114 --a------ C:\Windows\system32\EPPICPattern1.dat
2007-04-03 17:43:49 45056 --a------ C:\Windows\system32\EpPicMgr.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2007-04-03 17:42:43 0 d-------- C:\epson
2007-04-03 17:32:08 0 d-------- C:\Program Files\epson
2007-04-03 17:17:05 22768 --a------ C:\Windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2007-04-03 15:50:49 0 d-------- C:\Windows\Panther
2007-04-03 15:50:32 0 d--hs---- C:\Boot
2007-04-03 15:20:59 0 d-------- C:\Program Files\Avanquest update
2007-04-03 15:19:40 0 d-------- C:\Users\All Users\BVRP Software
2007-04-03 15:19:40 0 d-------- C:\Program Files\Motorola Phone Tools
2007-04-03 15:19:40 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-03 15:17:05 0 d-------- C:\Program Files\Common Files\InstallShield
2007-04-03 14:58:29 0 d------c- C:\Windows\system32\DRVSTORE
2007-04-03 14:58:15 0 d-------- C:\Program Files\MSXML 4.0
2007-04-03 14:55:54 0 d-------- C:\Windows\SoftwareDistribution
2007-04-03 14:54:11 0 d-------- C:\Windows\Debug
2007-04-03 14:51:47 0 d-------- C:\Windows\Prefetch
2007-04-03 14:51:33 0 d--hs---- C:\System Volume Information
2007-04-03 14:45:05 12 --a------ C:\Windows\bthservsdp.dat
2007-04-03 14:39:49 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2007-04-03 14:35:24 0 d-------- C:\Windows\PCHEALTH
2007-04-03 14:35:19 0 d--hs---- C:\Windows\Installer
2007-04-03 14:26:57 0 -rahs---- C:\MSDOS.SYS
2007-04-03 14:26:57 0 -rahs---- C:\IO.SYS
2007-04-03 14:02:33 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Templates
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Start Menu
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\SendTo
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Recent
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\PrintHood
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\NetHood
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\My Documents
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Local Settings
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Cookies
2007-04-03 13:08:50 0 d--hs---- C:\Users\Joe\Application Data
2007-04-03 13:08:48 2359296 --ahs---- C:\Users\Joe\NTUSER.DAT
2007-04-03 13:08:48 0 d--h----- C:\Users\Joe\AppData

-- Find3M Report ---------------------------------------------------------------

2007-04-29 22:53:35 0 d-------- C:\Users\Joe\AppData\Roaming\ieSpell
2007-04-28 17:04:28 0 d-------- C:\Program Files\MSBuild
2007-04-17 23:46:37 0 d-------- C:\Users\Joe\AppData\Roaming\SUPERAntiSpyware.com
2007-04-12 08:10:36 0 d-------- C:\Program Files\Windows Defender
2007-04-12 07:49:56 0 d-------- C:\Program Files\Windows Mail
2007-04-10 14:30:44 0 d-------- C:\Users\Joe\AppData\Roaming\Adobe
2007-04-08 16:48:14 0 d-------- C:\Users\Joe\AppData\Roaming\ArcSoft
2007-04-08 13:37:45 0 d-------- C:\Users\Joe\AppData\Roaming\LimeWire
2007-04-06 14:06:49 0 d-------- C:\Users\Joe\AppData\Roaming\Macromedia
2007-04-06 11:56:06 0 d-------- C:\Users\Joe\AppData\Roaming\Talkback
2007-04-06 11:55:29 0 d-------- C:\Users\Joe\AppData\Roaming\Mozilla
2007-04-03 19:08:14 0 d-------- C:\Users\Joe\AppData\Roaming\Vso
2007-04-03 19:08:14 34 --a------ C:\Users\Joe\AppData\Roaming\pcouffin.log
2007-04-03 19:07:30 7824 --a------ C:\Users\Joe\AppData\Roaming\pcouffin.cat
2007-04-03 19:05:01 0 d-------- C:\Users\Joe\AppData\Roaming\yahoo!
2007-04-03 18:19:40 0 d-------- C:\Users\Joe\AppData\Roaming\ImgBurn
2007-04-03 15:32:37 0 d-------- C:\Users\Joe\AppData\Roaming\InstallShield
2007-04-03 14:57:49 262 --a------ C:\Users\Joe\AppData\Roaming\WinssCookie.txt
2007-04-03 13:09:26 0 d-------- C:\Users\Joe\AppData\Roaming\Identities

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"OneCareUI"="\"C:\\Program Files\\Microsoft Windows OneCare Live\\winssnotify.exe\""
"itype"="\"C:\\Program Files\\Microsoft IntelliType Pro\\itype.exe\""
"GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"YSearchProtection"="C:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ehTray.exe"="C:\\Windows\\ehome\\ehTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=dword:00000002
"ConsentPromptBehaviorUser"=dword:00000001
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000000
"EnableSecureUIAPaths"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"scforceoption"=dword:00000000
"FilterAdministratorToken"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI\Clipboard]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI\Clipboard\ExceptionFormats]
"CF_TEXT"=dword:00000001
"CF_BITMAP"=dword:00000002
"CF_OEMTEXT"=dword:00000007
"CF_DIB"=dword:00000008
"CF_PALETTE"=dword:00000009
"CF_UNICODETEXT"=dword:0000000d
"CF_DIBV5"=dword:00000011

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6C622D52-0612-414B-A063-105A614D396F}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="credssp.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Notification Packages REG_MULTI_SZ scecli\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0\0
Authentication Packages REG_MULTI_SZ msv1_0\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AppInfo
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\KeyIso
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\NTDS
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\OneCareMP
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\ProfSvc
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sacsvr
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SWPRV
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TabletInputService
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TBS
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TrustedInstaller
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\volmgr.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\volmgrx.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDAutoLiveupdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SDAutoLiveupdate"
"hkey"="HKLM"
"command"="C:\\Program Files\\SpywareDetector\\LiveUpdateSD.exe -AUTO"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:00000005
"DAY"=dword:00000001
"HOUR"=dword:00000010
"MINUTE"=dword:0000000e
"SECOND"=dword:00000014

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SUPERAntiSpyware"
"hkey"="HKCU"
"command"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:00000005
"DAY"=dword:00000001
"HOUR"=dword:00000010
"MINUTE"=dword:0000000e
"SECOND"=dword:00000014

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTraySD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SystemTraySD"
"hkey"="HKLM"
"command"="C:\\Program Files\\SpywareDetector\\SDSystemTray.exe -AUTO"
"inimapping"="0"
"YEAR"=dword:000007d7
"MONTH"=dword:00000005
"DAY"=dword:00000001
"HOUR"=dword:00000010
"MINUTE"=dword:0000000e
"SECOND"=dword:00000014

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\AVG Anti-Spyware Guard]
"AVG Anti-Spyware Guard"=dword:00000002
"YEAR"=dword:000007d7
"MONTH"=dword:00000005
"DAY"=dword:00000001
"HOUR"=dword:00000010
"MINUTE"=dword:0000000e
"SECOND"=dword:00000014

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\SDService]
"SDService"=dword:00000002
"YEAR"=dword:000007d7
"MONTH"=dword:00000005
"DAY"=dword:00000001
"HOUR"=dword:00000010
"MINUTE"=dword:0000000e
"SECOND"=dword:00000013

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\VundoFixSvc]
"VundoFixSvc"=dword:00000003
"YEAR"=dword:000007d7
"MONTH"=dword:00000005
"DAY"=dword:00000001
"HOUR"=dword:00000010
"MINUTE"=dword:0000000e
"SECOND"=dword:00000013

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ nsi\0lltdsvc\0SSDPSRV\0upnphost\0SCardSvr\0w32time\0EventSystem\0RemoteRegistry\0WinHttpAutoProxySvc\0lanmanworkstation\0TBS\0SLUINotify\0THREADORDER\0fdrespub\0netprofm\0fdphost\0wcncsvc\0QWAVE\0Mcx2Svc\0WebClient\0\0
LocalSystemNetworkRestricted REG_MULTI_SZ hidserv\0UxSms\0WdiSystemHost\0Netman\0trkwks\0AudioEndpointBuilder\0WUDFSvc\0irmon\0sysmain\0IPBusEnum\0dot3svc\0PcaSvc\0EMDMgmt\0TabletInputService\0wlansvc\0WPDBusEnum\0\0
NetworkServiceNetworkRestricted REG_MULTI_SZ PolicyAgent\0\0
LocalServiceNoNetwork REG_MULTI_SZ PLA\0DPS\0BFE\0mpssvc\0ehstart\0\0
NetworkService REG_MULTI_SZ CryptSvc\0DHCP\0TermService\0KtmRm\0DNSCache\0NapAgent\0nlasvc\0WinRM\0WECSVC\0Tapisrv\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WerSvcGroup REG_MULTI_SZ wersvc\0\0
swprv REG_MULTI_SZ swprv\0\0
LocalServiceNetworkRestricted REG_MULTI_SZ DHCP\0eventlog\0AudioSrv\0LmHosts\0wscsvc\0p2pimsvc\0PNRPSvc\0p2psvc\0WPCSvc\0PnrpAutoReg\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
regsvc REG_MULTI_SZ RemoteRegistry\0\0
wcssvc REG_MULTI_SZ WcsPlugInService\0\0
DcomLaunch REG_MULTI_SZ PlugPlay\0DcomLaunch\0\0
wdisvc REG_MULTI_SZ WdiServiceHost\0\0
sdrsvc REG_MULTI_SZ sdrsvc\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
secsvcs REG_MULTI_SZ WinDefend\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WindowsMobile REG_MULTI_SZ wcescomm\0rapimgr\0\0
LocalServiceRestricted REG_MULTI_SZ WcesComm\0RapiMgr\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
AeLookupSvc
wercplsupport
CertPropSvc
SCPolicySvc
gpsvc
IKEEXT
LogonHours
PCAudit
iphlpsvc
AppInfo
msiscsi
MMCSS
ProfSvc
EapHost
SessionEnv
hkmsvc

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b6687acd-e21c-11db-99e3-806e6f6e6963}]
shell\AutoRun\command F:\autorun.exe

-- End of Deckard's System Scanner: finished at 2007-05-02 at 18:36:31 ---------

#11
Buckeye_Sam

Posted 04 May 2007 - 07:59 AM

Malware Expert

Member
10,019 posts

Looks good to me! :whistling:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore

or

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
  - Change the Download signed ActiveX controls to Prompt
  - Change the Download unsigned ActiveX controls to Disable
  - Change the Initialize and script ActiveX controls not marked as safe to Disable
  - Change the Installation of desktop items to Prompt
  - Change the Launching programs and files in an IFRAME to Prompt
  - Change the Navigate sub-frames across different domains to Prompt
  - When all these settings have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.