5th January 2008
#1
Member
Profile:
Join Date: Jan 2008
Posts: 31
Computer Experience: Experienced
Annoying virus...
Running Windows XP SP1. I just got some virus named ntos.exe that came in on a free game I downloaded... Bloody stupid thing... Anyway, short and simple: I got annoyed, ran Windows repair with a legal copy of Windows XP and let it do its thing. Booted into a CD GUI (aka Winternals) and manually edited ntos.exe out of my registry. The original entry was located in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ under UserInit. I then deleted ntos.exe from my system32 folder and booted into safe mode, then cleared any entries left in the registry...
Ended up running the repair more than three times... Anyway, long story short, my IE is slow as sin when I boot up and my svchost.exe is running high memory and CPU. I end task on it and my IE goes kind of back to normal...
My normal boot-up time has almost doubled. Before, it took around 3 seconds after the onboard virus scan did its thing to start up the Windows GUI; now it takes around 20 seconds to 1 minute. I don't normally ask for help, but man, I don't want to format, so please someone help me out here.
I'm going to reboot, then I'll edit my post with a HijackThis log... Sorry, it was too big to post as a single post... I made a reply to this post with the rest of the log...
Got some more info on the svchost.exe process that's giving me the hard time. This is what I got from it while it was running at 99 percent CPU:
==================================================
Process Name : svchost.exe
ProcessID : 1568
Priority : Normal
Product Name : Microsoft® Windows® Operating System
Version : 5.1.2600.0 (xpclient.010817-1148)
Description : Generic Host Process for Win32 Services
Company : Microsoft Corporation
Window Title :
File Size : 12,800
File Created Date : 3/31/2003 12:00:00 PM
File Modified Date : 3/31/2003 12:00:00 PM
Filename : C:\WINDOWS\System32\svchost.exe
Base Address : 0x01000000
Created On : 1/4/2008 5:08:41 PM
Visible Windows : 0
Hidden Windows : 0
User Name :
Mem Usage : 7516 K
Mem Usage Peak : 7516 K
Page Faults : 1905
Pagefile Usage : 6476 K
Pagefile Peak Usage : 6476 K
File Attributes : A
==================================================
==================================================
Module Name : svchost.exe
Base Address : 0x01000000
Module Size : 0x00006000
Version : 5.1.2600.0 (xpclient.010817-1148)
Description : Generic Host Process for Win32 Services
Company : Microsoft Corporation
Product Name : Microsoft® Windows® Operating System
Modified Date : 3/31/2003 4:00:00 AM
File Size : 12,800
Filename : C:\WINDOWS\System32\svchost.exe
File Attributes : A
==================================================
==================================================
Module Name : ntdll.dll
Base Address : 0x77F50000
Module Size : 0x000A7000
Version : 5.1.2600.1106 (xpsp1.020828-1920)
Description : NT Layer DLL
Company : Microsoft Corporation
Product Name : Microsoft® Windows® Operating System
Modified Date : 3/31/2003 4:00:00 AM
File Size : 668,672
Filename : C:\WINDOWS\System32\ntdll.dll
File Attributes : A
==================================================
==================================================
Module Name : kernel32.dll
Base Address : 0x77E60000
Module Size : 0x000E6000
Version : 5.1.2600.1106 (xpsp1.020828-1920)
Description : Windows NT BASE API Client DLL
Company : Microsoft Corporation
Product Name : Microsoft® Windows® Operating System
Modified Date : 3/31/2003 4:00:00 AM
File Size : 930,304
Filename : C:\WINDOWS\system32\kernel32.dll
File Attributes : A
==================================================
==================================================
Module Name : ADVAPI32.dll
Base Address : 0x77DD0000
Module Size : 0x0008D000
Version : 5.1.2600.1106 (xpsp1.020828-1920)
Description : Advanced Windows 32 Base API
Company : Microsoft Corporation
Product Name : Microsoft® Windows® Operating System
Modified Date : 3/31/2003 4:00:00 AM
File Size : 558,080
Filename : C:\WINDOWS\system32\ADVAPI32.dll
File Attributes : A
==================================================
==================================================
Module Name : RPCRT4.dll
Base Address : 0x78000000
Module Size : 0x00086000
Version : 5.1.2600.1106 (xpsp1.020828-1920)
Description : Remote Procedure Call Runtime
Company : Microsoft Corporation
Product Name : Microsoft® Windows® Operating System
Modified Date : 3/31/2003 4:00:00 AM
File Size : 530,432
Filename : C:\WINDOWS\system32\RPCRT4.dll
File Attributes : A
==================================================
==================================================
Module Name : dnsrslvr.dll
Base Address : 0x76770000
Module Size : 0x0000D000
Version : 5.1.2600.0 (xpclient.010817-1148)
Description : DNS Caching Resolver Service
Company : Microsoft Corporation
Product Name : Microsoft® Windows® Operating System
Modified Date : 3/31/2003 4:00:00 AM
File Size : 44,032
Filename : c:\windows\system32\dnsrslvr.dll
File Attributes : A
==================================================
==================================================
Module Name : msvcrt.dll
Base Address : 0x77C10000
Module Size : 0x00053000
Version : 7.0.2600.1106 (xpsp1.020828-1920)
Description : Windows NT CRT DLL
Company : Microsoft Corporation
Product Name : Microsoft® Windows® Operating System
Modified Date : 3/31/2003 4:00:00 AM
File Size : 323,072
Filename : C:\WINDOWS\system32\msvcrt.dll
File Attributes : A
==================================================
==================================================
Module Name : USER32.dll
Base Address : 0x77D40000
Module Size : 0x0008C000
Version : 5.1.2600.1106 (xpsp1.020828-1920)
Description : Windows XP USER API Client DLL
Company : Microsoft Corporation
Product Name : Microsoft® Windows® Operating System
Modified Date : 3/31/2003 4:00:00 AM
File Size : 560,128
Filename : C:\WINDOWS\system32\USER32.dll
File Attributes : A
==================================================
==================================================
Module Name : GDI32.dll
Base Address : 0x77C70000
Module Size : 0x00040000
Version : 5.1.2600.1106 (xpsp1.020828-1920)
Description : GDI Client DLL
Company : Microsoft Corporation
Product Name : Microsoft® Windows® Operating System
Modified Date : 3/31/2003 4:00:00 AM
File Size : 250,368
Filename : C:\WINDOWS\system32\GDI32.dll
File Attributes : A
==================================================
==================================================
Module Name : DNSAPI.dll
Base Address : 0x76F20000
Module Size : 0x00025000
Version : 5.1.2600.1106 (xpsp1.020828-1920)
Description : DNS Client API DLL
Company : Microsoft Corporation
Product Name : Microsoft® Windows® Operating System
Modified Date : 3/31/2003 4:00:00 AM
File Size : 139,264
Filename : C:\WINDOWS\System32\DNSAPI.dll
File Attributes : A
==================================================
==================================================
Module Name : WS2_32.dll
Base Address : 0x71AB0000
Module Size : 0x00015000
Version : 5.1.2600.0 (xpclient.010817-1148)
Description : Windows Socket 2.0 32-Bit DLL
Company : Microsoft Corporation
Product Name : Microsoft® Windows® Operating System
Modified Date : 3/31/2003 4:00:00 AM
File Size : 75,264
Filename : C:\WINDOWS\System32\WS2_32.dll
File Attributes : A
==================================================
==================================================
Module Name : WS2HELP.dll
Base Address : 0x71AA0000
Module Size : 0x00008000
Version : 5.1.2600.0 (xpclient.010817-1148)
Description : Windows Socket 2.0 Helper for Windows NT
Company : Microsoft Corporation
Product Name : Microsoft® Windows® Operating System
Modified Date : 3/31/2003 4:00:00 AM
File Size : 18,944
Filename : C:\WINDOWS\System32\WS2HELP.dll
File Attributes : A
==================================================
==================================================
Module Name : iphlpapi.dll
Base Address : 0x76D60000
Module Size : 0x00017000
Version : 5.1.2600.2 (xpsp1.020828-1920)
Description : IP Helper API
Company : Microsoft Corporation
Product Name : Microsoft® Windows® Operating System
Modified Date : 3/31/2003 4:00:00 AM
File Size : 82,944
Filename : C:\WINDOWS\System32\iphlpapi.dll
File Attributes : A
==================================================
==================================================
Module Name : MSWSOCK.dll
Base Address : 0x71A50000
Module Size : 0x0003B000
Version : 5.1.2600.0 (xpclient.010817-1148)
Description : Microsoft Windows Sockets 2.0 Service Provider
Company : Microsoft Corporation
Product Name : Microsoft® Windows® Operating System
Modified Date : 3/31/2003 4:00:00 AM
File Size : 228,352
Filename : C:\WINDOWS\System32\MSWSOCK.dll
File Attributes : A
==================================================
==================================================
Module Name : wshtcpip.dll
Base Address : 0x71A90000
Module Size : 0x00008000
Version : 5.1.2600.0 (xpclient.010817-1148)
Description : Windows Sockets Helper DLL
Company : Microsoft Corporation
Product Name : Microsoft® Windows® Operating System
Modified Date : 3/31/2003 4:00:00 AM
File Size : 17,408
Filename : C:\WINDOWS\System32\wshtcpip.dll
File Attributes : A
==================================================
StartupList report, 1/4/2008, 4:40:47 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\ac19189\Desktop\Apps\Installs\Tools\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\ac19189\Desktop\Apps\Installs\Tools\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\ac19189\Start Menu\Programs\Startup]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Last edited by ac19189; 5th January 2008 at 08:52 .
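The post above describes the persistence mechanism by hand: a second executable appended to the Winlogon UserInit value, which Windows launches at every logon alongside the genuine userinit.exe. The script below is an added example, not code from this thread or from HijackThis, showing how a defender can audit that value automatically. It splits the comma-separated value, accepts only userinit.exe located in C:\WINDOWS\System32 (an assumed location, matching the "UserInit =" line in the StartupList report above; a userinit.exe anywhere else is flagged too), and reports everything else. It can also pull the value out of a pasted StartupList report, and on a Windows host it reads the live HKLM key. The sample report text and the infected value are constructed for the demonstration.

```python
"""Audit a Windows Winlogon UserInit value for appended executables.

Added example, not code from the thread. The value is treated the way the
StartupList report presents it: a comma-separated list that should contain
only the genuine userinit.exe in %SystemRoot%\\System32. Anything else in the
list is reported for the analyst to inspect.
"""
import ntpath
import re
import sys

# Assumed layout: the genuine userinit.exe lives in C:\WINDOWS\System32, which
# matches the "UserInit =" line in the report posted in the thread.
EXPECTED_DIR = r"c:\windows\system32"
EXPECTED_NAME = "userinit.exe"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def split_userinit(value):
    """Split the comma-separated UserInit value into non-empty, unquoted entries.

    Windows tolerates a trailing comma in this value, so empty fields are dropped.
    """
    entries = []
    for raw in value.split(","):
        item = raw.strip().strip('"')
        if item:
            entries.append(item)
    return entries


def is_expected_userinit(entry):
    """True only for userinit.exe located in %SystemRoot%\\System32.

    A file called userinit.exe in any other directory is not accepted, and
    %SystemRoot% is resolved to C:\\WINDOWS (an assumption; adjust if needed).
    """
    path = entry.lower()
    path = re.sub(r"%systemroot%", lambda m: r"c:\windows", path)
    path = ntpath.normpath(path)
    return (ntpath.dirname(path) == EXPECTED_DIR
            and ntpath.basename(path) == EXPECTED_NAME)


def audit_userinit(value):
    """Return (genuine_present, unexpected_entries) for a UserInit value."""
    genuine_present = False
    unexpected = []
    for entry in split_userinit(value):
        if is_expected_userinit(entry):
            genuine_present = True
        else:
            unexpected.append(entry)
    return genuine_present, unexpected


def userinit_from_report(report_text):
    """Pull the 'UserInit = ...' value out of a StartupList/HijackThis report."""
    match = re.search(r"^UserInit\s*=\s*(.*)$", report_text, re.MULTILINE)
    return match.group(1).strip() if match else None


def read_live_userinit():
    """Read HKLM UserInit on a Windows host; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, "UserInit")
    return value


if __name__ == "__main__":
    # Constructed sample report section, modelled on the one posted in the thread.
    CLEAN_REPORT = (
        "Checking Windows NT UserInit:\n"
        "[HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\n"
        "UserInit = C:\\WINDOWS\\SYSTEM32\\Userinit.exe,\n"
    )
    # Constructed value with a second executable appended, as the post describes.
    INFECTED_VALUE = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"

    for label, value in (("clean", userinit_from_report(CLEAN_REPORT)),
                         ("infected", INFECTED_VALUE),
                         ("live", read_live_userinit())):
        if value is None:
            continue
        genuine, extra = audit_userinit(value)
        print(f"{label}: genuine userinit.exe present={genuine}, unexpected={extra}")
```

The "genuine present" flag matters as much as the list of extras: a value that has lost userinit.exe altogether, or that points at a same-named file outside System32, also breaks the normal logon chain and deserves the same scrutiny as an appended entry.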
5th January 2008
#2
Member
Profile:
Join Date: Jan 2008
Posts: 31
Computer Experience: Experienced
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MessengerPlus3 = "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
Logitech Hardware Abstraction Layer = KHALMNPR.EXE
Kernel and Hardware Abstraction Layer = KHALMNPR.EXE
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray = C:\PROGRA~1\SYMANT~1\VPTray.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
Title = UnHackMe Rootkit Check
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SpybotSD TeaTimer = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
UnHackMe Monitor = C:\Program Files\UnHackMe\hackmon.exe
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
*No values found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
[ApprovedByRegRun2]
*No values found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
[@UnHackMe]
1 = C:\PROGRA~1\UnHackMe\UnHackMe.exe /p Partizan
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{306D6C21-C1B6-4629-986C-E59E1875B8AF}] *
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",HideIconsUser
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*No subkeys found*
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js : not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
*No BHO's found*
--------------------------------------------------
Enumerating Task Scheduler jobs:
*No jobs found*
--------------------------------------------------
Enumerating Download Program Files:
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
[{556DDE35-E955-11D0-A707-000000521957}]
CODEBASE = http://www.xblock.com/download/xclean_micro.exe
[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9d.ocx
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\mswsock.dll
Protocol #5: C:\WINDOWS\system32\mswsock.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Adobe LM Service: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (disabled)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Antivirus Filter Driver: \SystemRoot\system32\drivers\av5flt.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
ICatch VI PC CAMERA: System32\Drivers\SPCA561.SYS (manual start)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Creative AC3 Software Decoder: System32\drivers\ctac32k.sys (manual start)
Creative Audio Driver (WDM): system32\drivers\ctaud2k.sys (manual start)
Creative DVD-Audio Device Driver: System32\drivers\ctdvda2k.sys (manual start)
Creative SBLive! Gameport: System32\DRIVERS\ctljystk.sys (manual start)
Creative Proxy Driver: System32\drivers\ctprxy2k.sys (manual start)
Creative SoundFont Management Device Driver: System32\drivers\ctsfm2k.sys (manual start)
Symantec AntiVirus Definition Watcher: "C:\Program Files\Symantec AntiVirus\DefWatch.exe" (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
drvmcdb: system32\drivers\drvmcdb.sys (system)
dtscsi: \SystemRoot\System32\Drivers\dtscsi.sys (manual start)
E-mu Plug-in Architecture Driver: System32\drivers\emupia2k.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FreshIO: \??\C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Google Updater Service: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" (disabled)
Creative Hardware Abstract Layer Driver: System32\drivers\ha10kx2k.sys (manual start)
Creative P16V HAL Driver: System32\drivers\hap16v2k.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID UPS Battery Driver: System32\DRIVERS\HidBatt.sys (manual start)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe" (disabled)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Logitech SetPoint Keyboard Driver: System32\DRIVERS\L8042Kbd.sys (manual start)
SetPoint PS/2 Mouse Filter Driver: System32\DRIVERS\L8042mou.Sys (manual start)
Logitech PS/2 Mouse Filter Driver: System32\DRIVERS\L8042Pr2.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logitech Bluetooth Service: C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe (disabled)
Logitech SetPoint KMDF HID Filter Driver: System32\DRIVERS\LHidFilt.Sys (manual start)
Logitech HID/USB Mouse Filter Driver: System32\DRIVERS\LHidFlt2.sys (manual start)
SetPoint HID Mouse Filter Driver: System32\DRIVERS\LHidKE.Sys (manual start)
Logitech USB Receiver device driver: system32\drivers\LHidUsb.Sys (manual start)
SetPoint USB Receiver Device Driver: System32\Drivers\LHidUsbK.Sys (manual start)
Logitech Keyboard Class Filter Driver: System32\DRIVERS\LKbdFlt2.sys (manual start)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
LogMeIn Kernel Information Provider: \??\C:\Program Files\LogMeIn\x86\RaInfo.sys (autostart)
LogMeIn Maintenance Service: "C:\Program Files\LogMeIn\x86\RaMaint.exe" (disabled)
LMImirr: System32\DRIVERS\LMImirr.sys (manual start)
LogMeIn Remote File System Driver: \??\C:\WINDOWS\System32\drivers\LMIRfsDriver.sys (autostart)
Logitech SetPoint KMDF Mouse Filter Driver: System32\DRIVERS\LMouFilt.Sys (manual start)
Logitech Mouse Class Filter Driver: System32\DRIVERS\LMouFlt2.sys (manual start)
SetPoint Mouse Filter Driver: System32\DRIVERS\LMouKE.Sys (manual start)
LogMeIn: "C:\Program Files\LogMeIn\x86\LogMeIn.exe" (disabled)
TCP/IP Print Server: %SystemRoot%\System32\tcpsvcs.exe (disabled)
SetPoint USB Keyboard Filter: System32\Drivers\LUsbKbd.Sys (manual start)
Macromedia Licensing Service: "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe" (manual start)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (disabled)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
MSCSPTISRV: "C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe" (disabled)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080103.002\naveng.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080103.002\navex15.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Netgroup Packet Filter: system32\drivers\npf.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
nvatabus: System32\DRIVERS\nvatabus.sys (system)
Service for NVIDIA(R) nForce(TM) Audio Enumerator: system32\drivers\nvax.sys (manual start)
nVidia WDM Video Capture (universal): System32\DRIVERS\nvcap.sys (autostart)
NVIDIA nForce MCP Networking Adapter Driver: System32\DRIVERS\NVENET.sys (manual start)
Service for NVIDIA(R) nForce(TM) Audio: system32\drivers\nvapu.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
nVidia WDM A/V Crossbar: System32\DRIVERS\NVxbar.sys (autostart)
NVIDIA nForce AGP Bus Filter: System32\DRIVERS\nv_agp.sys (system)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (disabled)
Creative OS Services Driver: system32\drivers\ctoss2k.sys (manual start)
PACSPTISVR: "C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe" (disabled)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
Partizan: system32\drivers\Partizan.sys (system)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
PfModNT: \??\C:\WINDOWS\System32\drivers\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (disabled)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
LiveShare P2P Server: "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe" (disabled)
RoxMediaDB: "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe" (disabled)
RoxUpnpRenderer: "C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe" (disabled)
RoxUpnpServer: "C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe" (disabled)
Roxio Hard Drive Watcher: "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe" (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (disabled)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
RxFilter: system32\DRIVERS\RxFilter.sys (system)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRoam: "C:\Program Files\Symantec AntiVirus\SavRoam.exe" (manual start)
SAVRT: \??\C:\Program Files\Symantec AntiVirus\savrt.sys (system)
SAVRTPEL: \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (disabled)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (disabled)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Simple TCP/IP Services: %SystemRoot%\System32\tcpsvcs.exe (autostart)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Sygate Personal Firewall Pro: C:\Program Files\Sygate\SPF\smc.exe (disabled)
Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (manual start)
SNMP Service: %SystemRoot%\System32\snmp.exe (disabled)
SNMP Trap Service: %SystemRoot%\System32\snmptrap.exe (disabled)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
sptd: System32\Drivers\sptd.sys (system)
Sony SPTI Service: "C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe" (disabled)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Spy Sweeper File System Filer Driver: 0BB9: SYSTEM32\Drivers\SSFS0BB9.SYS (system)
Spy Sweeper Hookrack MiniDriver: SYSTEM32\Drivers\SSHRMD.SYS (system)
Spy Sweeper Interdiction Driver: SYSTEM32\Drivers\SSIDRV.SYS (system)
Webroot Spy Sweeper Keylogger Shield Keyboard Filter: System32\Drivers\sskbfd.sys (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{86904FB9-D29C-4376-A3F5-775B035A18CA} (manual start)
Symantec AntiVirus: "C:\Program Files\Symantec AntiVirus\Rtvscan.exe" (autostart)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (disabled)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Teefer for NT: SYSTEM32\Drivers\Teefer.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (disabled)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
User Privilege Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Virtual Disk Bus: System32\DRIVERS\vdiskbus.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Wdf01000: System32\DRIVERS\Wdf01000.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Webroot Spy Sweeper Engine: C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (autostart)
SyGate for NT, wg3n: \SystemRoot\SYSTEM32\Drivers\wg3n.sys (autostart)
SyGate for NT, wg4n: \SystemRoot\SYSTEM32\Drivers\wg4n.sys (autostart)
SyGate for NT, wg5n: \SystemRoot\SYSTEM32\Drivers\wg5n.sys (autostart)
SyGate for NT, wg6n: \SystemRoot\SYSTEM32\Drivers\wg6n.sys (autostart)
WinDriver6: system32\drivers\windrvr6.sys (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
wpsdrvnt: \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (system)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Washer AutoComplete: C:\WINDOWS\System32\wwSecure.exe (disabled)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
End of report, 37,504 bytes
Report generated in 0.187 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
5th January 2008
#3
Staff
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
Welcome to WindowsBBS, ac19189.
Thanks for the startup list, but that's not what we want to see at this time, if at all. Please read through this topic, then post a HijackThis log using the current version, as well as a main.txt log from Deckard's System Scanner.
Is there a reason why you have not applied any Windows updates since Service Pack 1? (Don't add any updates at this time until we verify the system is clean.)
6th January 2008
#4
Member
Join Date: Jan 2008
Posts: 31
Computer Experience: Experienced
Deckard's System Scanner v20071014.68
Run by ac19189 on 2008-01-05 19:20:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 2 Restore Point(s) --
2: 2008-01-06 03:20:13 UTC - RP12 - Deckard's System Scanner Restore Point
1: 2008-01-06 02:55:30 UTC - RP11 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as ac19189.exe) ---------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:15 PM, on 1/5/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\ac19189\Desktop\dss.exe
C:\DOCUME~1\ac19189\Desktop\ac19189.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/homepage.htm
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {9C398C0E-5E4C-42B6-86CF-52CB277E082F} - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
O9 - Extra 'Tools' menuitem: Spybot - {9C398C0E-5E4C-42B6-86CF-52CB277E082F} - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) -
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{97AA54B4-D10A-4133-A7E3-DD393E854238}: NameServer = 192.168.1.1,4.2.2.2
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 6127 bytes
-- File Associations -----------------------------------------------------------
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R3 emupia (E-mu Plug-in Architecture Driver) - c:\windows\system32\drivers\emupia2k.sys <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>
R3 vdiskbus (Virtual Disk Bus) - c:\windows\system32\drivers\vdiskbus.sys <Not Verified; Winternals; Virtual Disk>
S0 Partizan - c:\windows\system32\drivers\partizan.sys <Not Verified; Greatis Software; RegRun Security Suite>
S2 nvcap (nVidia WDM Video Capture (universal)) - c:\windows\system32\drivers\nvcap.sys
S3 AvFlt (Antivirus Filter Driver) - c:\windows\system32\drivers\av5flt.sys <Not Verified; Panda Software; Panda Antivirus>
S3 CA561 (ICatch VI PC CAMERA) - c:\windows\system32\drivers\spca561.sys <Not Verified; SP; Microsoft(R) Windows NT(R) Operating System>
S3 dtscsi - c:\windows\system32\drivers\dtscsi.sys (file missing)
S3 FreshIO - c:\program files\freshdevices\freshdiagnose\freshio.sys
S3 l8042pr2 (Logitech PS/2 Mouse Filter Driver) - c:\windows\system32\drivers\l8042pr2.sys <Not Verified; Logitech; MouseWare>
S3 LHidUsbK (SetPoint USB Receiver Device Driver) - c:\windows\system32\drivers\lhidusbk.sys <Not Verified; Logitech, Inc.; Logitech SetPoint(TM)>
S3 LUsbKbd (SetPoint USB Keyboard Filter) - c:\windows\system32\drivers\lusbkbd.sys <Not Verified; Logitech, Inc.; Logitech SetPoint(TM)>
S3 WinDriver6 - c:\windows\system32\drivers\windrvr6.sys <Not Verified; Jungo; WinDriver Device Driver>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
S4 PACSPTISVR - "c:\program files\common files\sony shared\avlib\pacsptisvr.exe" <Not Verified; ; PACSPTISVR Module>
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: nVidia WDM A/V Crossbar
Device ID: DISPLAY\NVXBAR\5&3A653080&0&CA000003&02&00
Manufacturer: nVidia
Name: nVidia WDM A/V Crossbar
PNP Device ID: DISPLAY\NVXBAR\5&3A653080&0&CA000003&02&00
Service:
Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: nVidia WDM Video Capture (universal)
Device ID: DISPLAY\NVCAP\5&3A653080&0&CA000002&02&00
Manufacturer: nVidia
Name: nVidia WDM Video Capture (universal)
PNP Device ID: DISPLAY\NVCAP\5&3A653080&0&CA000002&02&00
Service:
Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Description: SCSI/RAID Host Controller
Device ID: ACPI\PNPA000\4&7631C1C6&1
Manufacturer: Unknown Manufacturer
Name: SCSI/RAID Host Controller
PNP Device ID: ACPI\PNPA000\4&7631C1C6&1
Service: ack5o43c
-- Files created between 2007-12-05 and 2008-01-05 -----------------------------
2008-01-05 16:23:17 288 --a------ C:\WINDOWS\System32\DVCStateBkp-{00000001-00000000-00000007-00001102-00000002-80661102}.dat
2008-01-05 16:23:17 288 --a------ C:\WINDOWS\System32\DVCState-{00000001-00000000-00000007-00001102-00000002-80661102}.dat
2008-01-05 16:22:37 135696 --a------ C:\WINDOWS\System32\drivers\HAP16V2K.SYS <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:22:36 145504 --a------ C:\WINDOWS\System32\drivers\EMUPIA2K.SYS <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>
2008-01-05 16:22:36 136448 --a------ C:\WINDOWS\System32\drivers\CTSFM2K.SYS <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:22:36 6144 --a------ C:\WINDOWS\System32\drivers\CTPRXY2K.SYS <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:22:36 186068 --a------ C:\WINDOWS\System32\drivers\CTAC32K.SYS <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:22:34 270336 --a------ C:\WINDOWS\System32\SFMS32.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:22:34 49152 --a------ C:\WINDOWS\CTDCRES.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:22:33 36864 --a----c- C:\WINDOWS\System32\REGPLIB.EXE
2008-01-05 16:22:33 110592 --a------ C:\WINDOWS\System32\PIAPROXY.DLL <Not Verified; Creative Technology Ltd; E-mu PIA>
2008-01-05 16:22:33 131072 --a------ C:\WINDOWS\System32\OpenAL32.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-01-05 16:22:33 184320 --a----c- C:\WINDOWS\PSCONV.EXE
2008-01-05 16:22:33 49152 --a----c- C:\WINDOWS\MIDIDEF.EXE <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:22:32 49152 --a----c- C:\WINDOWS\System32\KILLAPPS.EXE
2008-01-05 16:22:32 20480 --a----c- C:\WINDOWS\System32\ENSDEF.EXE <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:22:32 77824 --a----c- C:\WINDOWS\System32\EAXAC3.DLL <Not Verified; Creative Labs; EAX-AC3 DLL>
2008-01-05 16:22:32 45056 --a----c- C:\WINDOWS\System32\CTSPKHLP.DLL <Not Verified; Creative Technology Ltd; CtSpkHlp Dynamic Link Library>
2008-01-05 16:22:32 110592 --a----c- C:\WINDOWS\System32\CTSCAL.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:22:32 94208 --a----c- C:\WINDOWS\DEVREG.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:22:31 655360 --a------ C:\WINDOWS\System32\CTSBLFX.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:22:31 155648 --a------ C:\WINDOWS\System32\CTOSUSER.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:22:31 28672 --a----c- C:\WINDOWS\System32\CTMMEP.DLL <Not Verified; Creative Technology Ltd; Ctmmep Dynamic Link Library>
2008-01-05 16:22:31 24576 --a----c- C:\WINDOWS\System32\CTHELPER.EXE <Not Verified; Creative Technology Ltd; CtHelper Application>
2008-01-05 16:22:31 36864 --a----c- C:\WINDOWS\System32\CTEMUPIA.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:22:30 110592 --a------ C:\WINDOWS\System32\CTDPROXY.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:22:30 139353 --a------ C:\WINDOWS\System32\CTDCIFCE.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:22:30 372736 --a------ C:\WINDOWS\System32\CTDC0001.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:22:29 356445 --a------ C:\WINDOWS\System32\CTDC0000.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:22:29 495616 --a----c- C:\WINDOWS\System32\CTAUDFX.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:22:29 106496 --a----c- C:\WINDOWS\System32\CTASIO.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:22:29 57344 --a----c- C:\WINDOWS\System32\CTAGENT.DLL <Not Verified; Creative Technology Ltd; ctagent>
2008-01-05 16:22:28 126976 --a------ C:\WINDOWS\System32\COMMONFX.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:22:28 53248 --a----c- C:\WINDOWS\System32\AC3API.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-01-05 16:04:13 0 d-------- C:\Program Files\DaemonTools_WhenUSave_Installer
2008-01-05 16:03:56 0 d-------- C:\Program Files\DAEMON Tools
2008-01-05 11:33:05 0 d-------- C:\New Folder
2008-01-05 08:04:38 11254 --a------ C:\WINDOWS\System32\locate.com
2008-01-05 08:03:14 0 d-------- C:\MGtools
2008-01-05 07:57:24 0 d-------- C:\Documents and Settings\ac19189\Application Data\Grisoft
2008-01-05 07:57:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-05 07:54:50 1238373 --a------ C:\MGtools.exe
2008-01-05 00:23:22 0 dr-h----- C:\Documents and Settings\ac19189\Recent
2008-01-05 00:20:23 0 d-------- C:\Program Files\CCleaner
2008-01-04 18:03:26 0 d-------- C:\Documents and Settings\ac19189\.housecall6.6
2008-01-04 16:20:04 25600 --a------ C:\WINDOWS\System32\Partizan.exe <Not Verified; Greatis Software; RegRun Security Suite>
2008-01-04 16:20:04 31138 --a------ C:\WINDOWS\System32\drivers\Partizan.sys <Not Verified; Greatis Software; RegRun Security Suite>
2008-01-04 16:02:29 0 d-------- C:\WINDOWS\System32\CatRoot2
2008-01-04 15:41:25 8944 --a------ C:\WINDOWS\System32\drivers\UnHackMeDrv.sys <Not Verified; Greatis Software, LLC.; UnHackme>
2008-01-04 02:55:43 0 d-------- C:\Documents and Settings\Administrator\Application Data\WinRAR
2008-01-04 01:19:27 0 d-------- C:\Program Files\Symantec
2008-01-04 01:19:12 0 d-------- C:\Program Files\Symantec AntiVirus
2008-01-04 01:19:12 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-04 00:38:24 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-04 00:33:41 0 d-------- C:\WINDOWS\Prefetch
2008-01-04 00:24:43 0 d-------- C:\Program Files\msn gaming zone
2008-01-04 00:20:31 0 --a------ C:\CONFIG.SYS
2008-01-04 00:20:31 0 --a------ C:\AUTOEXEC.BAT
2008-01-03 12:03:10 0 d-------- C:\WINDOWS\LastGood
2008-01-03 12:02:09 0 d-------- C:\Program Files\Common Files\Logishrd
2008-01-03 11:28:21 0 d-------- C:\WINDOWS\LastGood.Tmp
2008-01-03 11:14:36 0 d-------- C:\Documents and Settings\ac19189\Application Data\DAEMON Tools Pro
2008-01-03 11:14:30 0 d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-01-02 23:43:26 0 d-------- C:\Documents and Settings\Default User\Application Data\DivX
2008-01-02 23:41:57 0 d-------- C:\Program Files\Online Services
2008-01-01 20:11:58 0 d-------- C:\Program Files\Sort Text Lists Alphabetically Software
2007-12-31 18:22:00 0 d-------- C:\Program Files\CDex_150
2007-12-31 18:20:29 0 d-------- C:\Program Files\Rockstar Custom Tracks
2007-12-28 12:29:42 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-12-28 12:23:57 0 d-------- C:\Program Files\Security Task Manager
2007-12-26 09:50:45 0 d-------- C:\Program Files\Handbrake
2007-12-21 02:25:31 0 d-------- C:\Program Files\ImageShackToolbar
2007-12-19 08:54:03 0 d-------- C:\Program Files\Buildalot
2007-12-19 08:26:54 0 d-------- C:\Documents and Settings\All Users\Application Data\HipSoft
2007-12-18 10:04:12 0 d-------- C:\Program Files\Stun3 Demo
-- Find3M Report ---------------------------------------------------------------
2008-01-05 17:09:48 0 d-------- C:\Program Files\Google
2008-01-04 17:57:33 0 d-------- C:\Documents and Settings\ac19189\Application Data\Adobe
2008-01-04 01:19:12 0 d-------- C:\Program Files\Common Files
2008-01-04 01:10:09 0 d-------- C:\Program Files\MobMapUpdater
2008-01-04 01:08:41 0 d-------- C:\Program Files\BitTyrant
2008-01-04 00:50:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-04 00:18:03 23388 --a------ C:\WINDOWS\System32\emptyregdb.dat
2008-01-03 21:15:17 0 d-------- C:\Program Files\BPFTP Server
2008-01-03 21:15:17 0 d-------- C:\Documents and Settings\ac19189\Application Data\BitTyrant
2008-01-03 21:15:16 0 d-------- C:\Program Files\Cheat Engine
2008-01-03 13:35:12 0 d-------- C:\Program Files\TagRename
2008-01-03 13:14:46 164 --a------ C:\install.dat
2008-01-03 12:04:00 0 d-------- C:\Program Files\Common Files\Logitech
2008-01-03 12:02:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-03 00:10:52 0 d--h----- C:\Program Files\WindowsUpdate
2008-01-02 13:06:32 0 d-------- C:\Program Files\CheMax
2008-01-01 23:28:44 0 d-------- C:\Documents and Settings\ac19189\Application Data\BPFTP
2007-12-17 19:44:02 0 d-------- C:\Program Files\Codec Pack - All In 1
2007-12-17 19:42:46 737280 --a----c- C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-11-27 07:32:11 0 d--h----- C:\Documents and Settings\ac19189\Application Data\ijjigame
2007-11-26 21:44:56 0 d-------- C:\Program Files\DriftCity
2007-11-26 21:44:44 0 d-------- C:\Documents and Settings\ac19189\Application Data\NHN Corporation
2007-11-26 21:37:06 0 d-------- C:\Program Files\NHN USA
2007-11-24 22:12:03 0 d-------- C:\Program Files\BYOND2
2007-11-21 13:17:08 0 d-------- C:\Program Files\VentSrv
2007-11-19 12:44:38 0 d-------- C:\Program Files\Ventrilo
2007-11-17 10:49:12 0 d-------- C:\Program Files\PremiumSoft
2007-11-17 09:57:47 0 d-------- C:\Program Files\HeidiSQL
2007-11-16 21:48:14 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-11-16 19:50:48 0 d-------- C:\Program Files\Apache Group
2007-11-08 20:16:44 0 d-------- C:\Documents and Settings\ac19189\Application Data\BYOND
2007-11-05 17:54:38 0 d-------- C:\Program Files\Common Files\L&H
2007-11-05 17:54:15 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-11-05 17:53:53 0 d-------- C:\Program Files\Microsoft Works
2007-11-05 17:53:07 0 d-------- C:\Program Files\Microsoft.NET
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [08/09/2007 08:04 AM]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [09/21/2007 03:10 AM C:\WINDOWS\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [09/21/2007 03:10 AM C:\WINDOWS\KHALMNPR.Exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [02/04/2004 10:37 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06/09/2004 08:31 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [08/02/2004 07:36 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 01:25 AM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [09/14/2006 12:09 PM]
"CTHelper"="CTHELPER.EXE" [08/28/2003 12:45 AM C:\WINDOWS\system32\CTHELPER.EXE]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 03:46 PM]
"UnHackMe Monitor"="C:\Program Files\UnHackMe\hackmon.exe" [09/17/2007 03:37 PM]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [03/31/2003 04:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [01/05/2008 05:09 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [1/3/2008 12:02:57 PM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=0 (0x0)
"DisableLockWorkStation"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)
"NoSMHelp"=1 (0x1)
"NoUserNameInStartMenu"=1 (0x1)
"NoRecentDocsHistory"=0 (0x0)
"NoRecentDocsMenu"=00000000
"NoInstrumentation"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"NoBandCustomize"=0 (0x0)
"NoToolbarsCustomize"=0 (0x0)
"NoStartMenuNetworkPlaces"=0 (0x0)
"NoNetworkConnections"=0 (0x0)
"NoSMConfigurePrograms"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoAutoUpdate"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 10/02/2007 03:51 PM 75064 C:\WINDOWS\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Filseclab Messenger.lnk]
backup=C:\WINDOWS\pss\Filseclab Messenger.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\System32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Disc Detector]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileCacheBoost]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FUIClearHis]
C:\Program Files\FreshDevices\FreshUI\freshui.exe 0 1 2 4 5 8 10 12 13 14 17
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HijackThis startup scan]
"C:\Documents and Settings\ac19189\Desktop\Apps\Installs\Tools\HijackThis.exe" /startupscan
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
"C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
"C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
"C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"nwiz.exe" /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
"C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\program files\steam\steam.exe" -silent
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
"C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XFILTER]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPwdSvc"=3 (0x3)
"IDriverT"=3 (0x3)
"RoxWatch"=2 (0x2)
"RoxUpnpServer"=2 (0x2)
"RoxUPnPRenderer"=3 (0x3)
"RoxMediaDB"=3 (0x3)
"RoxLiveShare"=2 (0x2)
"wwSecSvc"=2 (0x2)
"SavRoam"=3 (0x3)
"SABSVC"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=3 (0x3)
"PREVXAgent"=2 (0x2)
"gusvc"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"PortReporter"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"SPTISRV"=3 (0x3)
"PACSPTISVR"=3 (0x3)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)
"mysql"=2 (0x2)
"Apache2.2"=2 (0x2)
"ose"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"SNDSrvc"=3 (0x3)
"WebrootSpySweeperService"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"DefWatch"=2 (0x2)
"aawservice"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"UpdReg"=C:\WINDOWS\UpdReg.EXE
-- End of Deckard's System Scanner: finished at 2008-01-05 19:24:34 ------------
I think that's what you wanted... lol...
6th January 2008
#5
Staff
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
It appears you have HijackThis.exe sitting on your desktop. Please move it to a folder of its own.
Scan again with Hijackthis and fix the following entries.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/homepage.htm << fix this unless it's a custom homepage you set
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
Close Hijackthis.
Copy the bolded command below, then click Start>Run and paste it in and hit enter.
"%userprofile%\desktop\dss.exe" /daft
The Deckard's file association repair tool will open. Click Scan, then select the box next to cpl in the list and click Finish.
Delete the following folder then empty the recycle bin.
C:\Program Files\DaemonTools_WhenUSave_Installer
If svchost is still running high CPU cycles, download Process Explorer from Sysinternals. Run the program and click View>Lower Pane View>DLLs.
If the lower pane is not showing, click View>Show Lower Pane.
Once the CPU column in the upper pane populates, you should be able to see the svchost process with high usage. Select it.
Once the lower pane populates with the dlls loaded under that process, click File>Save As
Save it to your desktop and post the contents of that log. Provided you don't change the name, it will be svchost.exe.txt
7th January 2008
#6
Member
Join Date: Jan 2008
Posts: 31
Computer Experience: Experienced
Process PID CPU Description Company Name
System Idle Process 0 98.46
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 1080 Windows NT Session Manager Microsoft Corporation
csrss.exe 1172 Client Server Runtime Process Microsoft Corporation
winlogon.exe 1196 Windows NT Logon Application Microsoft Corporation
services.exe 1240 1.54 Services and Controller app Microsoft Corporation
svchost.exe 1436 Generic Host Process for Win32 Services Microsoft Corporation
GoogleToolbarNotifier.exe 1448 GoogleToolbarNotifier Google Inc.
svchost.exe 1552 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1660 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1692 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1756 Spooler SubSystem App Microsoft Corporation
alg.exe 1896 Application Layer Gateway Service Microsoft Corporation
nvsvc32.exe 1940 NVIDIA Driver Helper Service, Version 56.56 NVIDIA Corporation
tcpsvcs.exe 1968 TCP /IP Services Application Microsoft Corporation
svchost.exe 1984 Generic Host Process for Win32 Services Microsoft Corporation
SpySweeper.exe 208 Spy Sweeper Engine Webroot Software, Inc.
lsass.exe 1252 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1024 Windows Explorer Microsoft Corporation
VPTray.exe 1156 Symantec AntiVirus Symantec Corporation
TeaTimer.exe 1324 System settings protector Safer Networking Limited
SetPoint.exe 1372 Logitech SetPoint Event Manager (UNICODE) Logitech, Inc.
KHALMNPR.exe 384 Logitech KHAL Main Process Logitech, Inc.
procexp.exe 920 Sysinternals Process Explorer Sysinternals
IEXPLORE.EXE 1368 Internet Explorer Microsoft Corporation
ctfmon.exe 1152 CTF Loader Microsoft Corporation
Process: svchost.exe Pid: 1660
Name Description Company Name Version
ADVAPI32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.1106
ctype.nls
DNSAPI.dll DNS Client API DLL Microsoft Corporation 5.01.2600.1106
dnsrslvr.dll DNS Caching Resolver Service Microsoft Corporation 5.01.2600.0000
GDI32.dll GDI Client DLL Microsoft Corporation 5.01.2600.1106
iphlpapi.dll IP Helper API Microsoft Corporation 5.01.2600.0002
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.01.2600.1106
locale.nls
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.1106
mswsock.dll Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation 5.01.2600.0000
ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.1106
RPCRT4.dll Remote Procedure Call Runtime Microsoft Corporation 5.01.2600.1106
sortkey.nls
sorttbls.nls
svchost.exe Generic Host Process for Win32 Services Microsoft Corporation 5.01.2600.0000
unicode.nls
USER32.dll Windows XP USER API Client DLL Microsoft Corporation 5.01.2600.1106
WS2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.01.2600.0000
WS2HELP.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.01.2600.0000
wshtcpip.dll Windows Sockets Helper DLL Microsoft Corporation 5.01.2600.0000
Removed what you told me to, and yes, that's a custom homepage. Also, as another note, every time I start IE ctfmon.exe tries to load itself into my startup. I find that kind of funny but meh.. I don't normally care because normally I don't have it bug me.. Maybe while you're at it you can tell me why my IE doesn't save my bloody settings ARG! It keeps going back to default in a way.. I set up my toolbars etc., remove links, move the address bar and whatnot onto one line, move the Google search bar with my nav buttons so I have two lines, lock it, and next thing I know it randomly resets itself to a semi-default setting; it never seems to save.. It doesn't save on reboot, and from time to time it will just reset itself when I close IE.
Last edited by ac19189; 7th January 2008 at 02:10 .
7th January 2008
#7
Staff
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
Never heard of IE initiating ctfmon. Here's some info regarding ctfmon.
The svchost process you selected appears to be the one responsible for starting and running the DNS Client service. Let's see if clearing the DNS cache will make any difference. Open a command window, type or paste the following, then hit enter.
ipconfig /flushdns
Check the Event Viewer for any DNS related errors.
Very odd behavior with the IE toolbar too. I'll see if I can dig up anything on it.
It doesn't appear that your machine is infected at this point, so I strongly recommend applying all critical Windows Updates till you're current.
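As an added example (not code from the thread or from Sysinternals) that automates the Process Explorer steps in post #5 and the DLL clue used in this reply: the PowerShell below maps each svchost.exe to the services it hosts and flags any process with a marker DLL such as dnsrslvr.dll loaded, which is how PID 1660 was recognised as the DNS Client host. It assumes PowerShell 5+ on a current Windows host, run elevated so module lists are readable; the marker-module list is a constructed one.

```powershell
# Added example, not code from the thread or from Sysinternals.
# Maps each svchost.exe to the services it hosts (what Process Explorer shows in its
# Services tab) and flags processes that have a marker DLL loaded, e.g. dnsrslvr.dll,
# the DNS Caching Resolver that identified PID 1660 above as the DNS Client host.
# Assumes PowerShell 5+ on a current Windows host, run elevated so module lists are
# readable. On XP the built-in equivalent for the service mapping is:
#   tasklist /svc /fi "imagename eq svchost.exe"

function Get-SvchostMap {
    [CmdletBinding()]
    param(
        # Module names that identify a service of interest (constructed list)
        [string[]]$MarkerModules = @('dnsrslvr.dll')
    )

    # Service -> PID mapping from the Service Control Manager, keyed by PID as a string
    $byPid = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        $key = [string]$proc.Id
        $hosted = @()
        if ($byPid -and $byPid.ContainsKey($key)) {
            $hosted = @($byPid[$key] | ForEach-Object { $_.Name })
        }

        # Module enumeration fails for protected processes or without elevation;
        # report that as an empty list rather than aborting the whole sweep
        $mods = @()
        try { $mods = @($proc.Modules | ForEach-Object { $_.ModuleName }) } catch { }
        # -contains is case-insensitive, so DNSRSLVR.DLL matches too
        $markers = @($mods | Where-Object { $MarkerModules -contains $_ })

        # CPU time can be unreadable for the same reason; show 0 rather than fail
        $cpu = if ($null -ne $proc.CPU) { [math]::Round($proc.CPU, 2) } else { 0 }

        [pscustomobject]@{
            PID        = $proc.Id
            CPUSeconds = $cpu
            Services   = ($hosted -join ', ')
            Markers    = ($markers -join ', ')
        }
    }
}

# Busiest host first, as the CPU column in Process Explorer's upper pane would show it.
# A DNS Client host that stays hot is the case where 'ipconfig /flushdns' and the
# DNS entries in Event Viewer are the next things to check.
Get-SvchostMap | Sort-Object CPUSeconds -Descending | Format-Table -AutoSize
```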
7th January 2008
#8
Member
Join Date: Jan 2008
Posts: 31
Computer Experience: Experienced
Ugh, I was hoping it would be a virus or something x.x I thought I set my page file to auto clear on reboot and DNS to auto clear when IE is closed or the system is rebooted, but I did the DNS flush and I'm going to reboot to see if it's fixed.. As for ctfmon, it's part of Office; I have disabled it now. Unregistered the DLLs hooked to the exe and removed the app that comes with Office that runs it... Stupid language bar.. XD Anyway I'll edit this post as soon as I'm done rebooting; I hope this will fix it..
Well I think it may have fixed it, kind of ironic... I'll need to keep my eye on it and see how it goes.. And if you can help with the IE toolbar thing it would be such a huge help; it's been going on for months now and I have looked all over the place for answers, I can't find a single thing...
Last edited by ac19189; 7th January 2008 at 03:56 .
7th January 2008
#9
Staff
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
Disable Spybot's TeaTimer then reboot to take effect. Set the toolbar to your liking, close and reboot. Re-enable TeaTimer.
Disabling TeaTimer:
Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.
7th January 2008
#10
Member
Join Date: Jan 2008
Posts: 31
Computer Experience: Experienced
...Why would TeaTimer affect the IE bars, if I may ask? I'm going to give it a shot but I just find that kind of weird...
8th January 2008
#11
Staff
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
TeaTimer might prevent the settings from 'sticking' while enabled. Once set, re-enable it and they should remain.
26th January 2008
#12
Member
Join Date: Jan 2008
Posts: 31
Computer Experience: Experienced
Well that didn't fix it, however I did find out something funny.
I'm running a program via 98 compatibility mode that opens up IE. And when I open IE via that program the default settings kick in and save, so I think that's what my trouble is. I could be wrong but I think that is the issue; I haven't been able to find much trouble any other place, however I think Windows Update does reset it too.. Meh, I'll keep playing with it I guess.