Folks,
I have a problem. I cannot open any folders on my XP desktop including MY Computer and Windows Explorer. From Start I cannot open the Control Panel. Because I was having troubles with an IE trojan I switched to Mozilla Firefox several months ago. I have had Ad-Aware, Spybot, and Trend Micro PC-cillin installed for several month and used them when I thought I had problems. I ran all three of these programs this evening and found no problems. I used the instructions posted on this Web site to run Ad-Aware and Spybot. About a week ago I lost access to all folders. I had to run HijackThis from the command prompt after a DOS CD. Here are the results:

Logfile of HijackThis v1.99.1
Scan saved at 9:43:35 PM, on 4/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cmd.exe
C:\Programs\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mviag.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersin\Internet Settings,ProxyServer =

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: (no name) - {EF03455F-852E-1172-33A0-55AC7653ED04} - C:\WINDOWS\system32\crco32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [1FC.tmp] C:\DOCUME~1\FRANKE~1\LOCALS~1\Temp\1FC.tmp.exe 0 28129
O4 - HKLM\..\Run: [1FF.tmp] C:\DOCUME~1\FRANKE~1\LOCALS~1\Temp\1FF.tmp.exe 0 28129
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/166d52a3eb3907a4ef06/...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093617938812
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D5F1695-2E39-474F-9B20-0242285C06C2}: NameServer = 132.194.10.19,132.194.10.3
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crxq32.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


Here is the log from Spybot:


--- Search result list ---
SpywareStormer: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\InetCtls.Inet

SpywareStormer: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\InetCtls.Inet.1

SpywareStormer: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}

Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, nothing done)


BFast: Tracking cookie (Firefox: default) (Cookie, nothing done)


BFast: Tracking cookie (Firefox: default) (Cookie, nothing done)


Bluemountain: Tracking cookie (Firefox: default) (Cookie, nothing done)


Bluemountain: Tracking cookie (Firefox: default) (Cookie, nothing done)


Bluemountain: Tracking cookie (Firefox: default) (Cookie, nothing done)


ClickAgents: Tracking cookie (Firefox: default) (Cookie, nothing done)


ClickAgents: Tracking cookie (Firefox: default) (Cookie, nothing done)


Commission Junction: Tracking cookie (Firefox: default) (Cookie, nothing done)


Commission Junction: Tracking cookie (Firefox: default) (Cookie, nothing done)


DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


Aornum: Tracking cookie (Firefox: default) (Cookie, nothing done)


Aornum: Tracking cookie (Firefox: default) (Cookie, nothing done)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


ValueClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitsLink: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitsLink: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitsLink: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitsLink: Tracking cookie (Firefox: default) (Cookie, nothing done)


CoreMetrics: Tracking cookie (Firefox: default) (Cookie, nothing done)


WebTrends live: Tracking cookie (Firefox: default) (Cookie, nothing done)


WebTrends live: Tracking cookie (Firefox: default) (Cookie, nothing done)


WebTrends live: Tracking cookie (Firefox: default) (Cookie, nothing done)


WebTrends live: Tracking cookie (Firefox: default) (Cookie, nothing done)


WebTrends live: Tracking cookie (Firefox: default) (Cookie, nothing done)


WebTrends live: Tracking cookie (Firefox: default) (Cookie, nothing done)


WebTrends live: Tracking cookie (Firefox: default) (Cookie, nothing done)


WebTrends live: Tracking cookie (Firefox: default) (Cookie, nothing done)


WebTrends live: Tracking cookie (Firefox: default) (Cookie, nothing done)


Common Dialogs: History (273 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: Activity: COM+.log (Backup file, nothing done)
C:\WINDOWS\COM+.log

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: Activity: imsins.log (Backup file, nothing done)
C:\WINDOWS\imsins.log

Log: Activity: OEWABLog.txt (Backup file, nothing done)
C:\WINDOWS\OEWABLog.txt

Log: Activity: ntbtlog.txt (Backup file, nothing done)
C:\WINDOWS\ntbtlog.txt

Log: Install: comsetup.log (Backup file, nothing done)
C:\WINDOWS\comsetup.log

Log: Install: Directx.log (Backup file, nothing done)
C:\WINDOWS\Directx.log

Log: Install: ocgen.log (Backup file, nothing done)
C:\WINDOWS\ocgen.log

Log: Install: setupact.log (Backup file, nothing done)
C:\WINDOWS\setupact.log

Log: Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: Install: setuperr.log (Backup file, nothing done)
C:\WINDOWS\setuperr.log

Log: Install: setuplog.txt (Backup file, nothing done)
C:\WINDOWS\setuplog.txt

Log: Install: svcpack.log (Backup file, nothing done)
C:\WINDOWS\svcpack.log

Log: Install: wmsetup.log (Backup file, nothing done)
C:\WINDOWS\wmsetup.log

Log: Install: DtcInstall.log (Backup file, nothing done)
C:\WINDOWS\DtcInstall.log

Log: Shutdown: System32\wbem\logs\mofcomp.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\mofcomp.log

Log: Shutdown: System32\wbem\logs\setup.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\setup.log

Log: Shutdown: System32\wbem\logs\wbemcore.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemcore.log

Log: Shutdown: System32\wbem\logs\wbemess.lo_ (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.lo_

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\wbemprox.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemprox.log

Log: Shutdown: System32\wbem\logs\wbemsnmp.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemsnmp.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\winmgmt.log

Log: Shutdown: System32\wbem\logs\wmiadap.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiadap.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Cookie: Cookie (15) (Cookie, nothing done)


Cache: Cache (3164) (Cache, nothing done)


Cookie: Cookie (968) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 ß2 (build: 20041211) ---

2004-05-12 blindman.exe (1.0.0.0)
2004-12-11 SpyBotSD.exe (1.4.0.0)
2004-05-12 TeaTimer.exe (1.3.0.12)
2004-04-27 unins000.exe (51.13.0.0)
2004-05-12 Update.exe (1.3.0.0)
2004-11-29 advcheck.dll (1.0.1.0)
2004-05-12 borlndmm.dll (7.0.4.453)
2004-05-12 delphimm.dll (7.0.4.453)
2004-10-20 SDHelper.dll (1.3.0.12)
2004-05-12 Tools.dll (2.0.0.0)
2004-05-12 UnzDll.dll (1.73.1.1)
2004-05-12 ZipDll.dll (1.73.2.0)
2005-04-07 Includes\Beta.sbi (*)
2005-02-16 Includes\Beta.uti (*)
2005-03-03 Includes\Cookies.sbi (*)
2005-04-07 Includes\Dialer.sbi (*)
2005-04-07 Includes\Hijackers.sbi (*)
2005-03-22 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2005-04-07 Includes\Malware.sbi (*)
2005-03-17 Includes\PUPS.sbi (*)
2005-03-17 Includes\Revision.sbi (*)
2005-02-09 Includes\Security.sbi (*)
2005-04-07 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-04-07 Includes\Trojans.sbi (*)



--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB886903)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security update for Microsoft Data Access Components
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX / DX9 / SP1: DirectX 9 Hotfix - KB839643
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB889293
/ Windows Media Player: Windows Media Player Hotfix [See KB837272 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See wm828026 for more information]
/ Windows Media Player: Windows Media Update 817787
/ Windows Media Player: Windows Media Update 819639
/ Windows Media Player: Windows Media Update 828026
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB885884
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Windows XP Hotfix - KB893066
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)


--- Startup entries list ---
Located: HK_LM:Run, 1FC.tmp
command: C:\DOCUME~1\FRANKE~1\LOCALS~1\Temp\1FC.tmp.exe 0 28129
file:

Located: HK_LM:Run, 1FF.tmp
command: C:\DOCUME~1\FRANKE~1\LOCALS~1\Temp\1FF.tmp.exe 0 28129
file:

Located: HK_LM:Run, AtiPTA
command: atiptaxx.exe
file: C:\WINDOWS\system32\atiptaxx.exe
size: 192512
MD5: 06f44e470a0e581c82f874af31c21f8b

Located: HK_LM:Run, dvd43
command: C:\Program Files\dvd43\dvd43_tray.exe
file: C:\Program Files\dvd43\dvd43_tray.exe
size: 784896
MD5: 9d76a446bb27bf51a7ddd32213cd6b4d

Located: HK_LM:Run, IntelliType
command: "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
file: C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
size: 94208
MD5: b5eca5948d7f8eaa00333231f33ea31a

Located: HK_LM:Run, KernelFaultCheck
command: %systemroot%\system32\dumprep 0 -k
file: C:\WINDOWS\system32\dumprep.exe
size: 10752
MD5: 13922eb54890c77005268882629a31fe

Located: HK_LM:Run, masqform.exe
command: C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
file:

Located: HK_LM:Run, pccguide.exe
command: "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
file: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
size: 815166
MD5: c8edffafd3f00fc5b116e6e0f0aa3c39

Located: HK_LM:Run, PinnacleDriverCheck
command: C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
file: C:\WINDOWS\System32\PSDrvCheck.exe
size: 406016
MD5: 39d31d333c39caa9a13b738804b43284

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 98304
MD5: 76a3a30b58405c2c6d833895253a51a9

Located: HK_LM:Run, RoxioAudioCentral
command: "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
file:

Located: HK_LM:Run, RoxioDragToDisc
command: "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
file: C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
size: 1470464
MD5: 8c57857a286a24e5ce40fb863fbdd172

Located: HK_LM:Run, RoxioEngineUtility
command: "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
file:

Located: HK_LM:Run, Share-to-Web Namespace Daemon
command: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
file: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
size: 57344
MD5: d4f5faa2fd2dc5923c82ee5808beed7c

Located: HK_LM:Run, SunJavaUpdateSched
command: C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
file: C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
size: 32881
MD5: d7b9be63c406103ee1405fe473ac0697

Located: HK_LM:Run, tgcmd
command: "C:\Program Files\Support.com\bin\tgcmd.exe" /server
file: C:\Program Files\Support.com\bin\tgcmd.exe
size: 1544192
MD5: b8ce229eb356ac23926e3fe89b4669b0

Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 151597
MD5: a05da809ac0d86d916d09e3a908d3a06

Located: HK_CU:Run, ATI Launchpad
command: "C:\Program Files\ATI Multimedia\main\launchpd.exe"
file: C:\Program Files\ATI Multimedia\main\launchpd.exe
size: 77824
MD5: 960f335324bbe86a883a290721ae1443

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1038336
MD5: 58f7e6434d285f4c98ad3621e0bd8c8d

Located: Startup (common), Adobe Gamma Loader.exe.lnk
command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
size: 113664
MD5: c2ff17734176cd15221c10044ef0ba1a

Located: Startup (common), Adobe Gamma Loader.lnk
command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
size: 113664
MD5: c2ff17734176cd15221c10044ef0ba1a

Located: Startup (common), Billminder.lnk
command: C:\QUICKENW\BILLMIND.EXE
file: C:\QUICKENW\BILLMIND.EXE
size: 36864
MD5: ea454202f9276a4f6283aa8b2954d852

Located: Startup (common), eFax.com Tray Menu.lnk
command: C:\Program Files\Common Files\efax\HotTray.exe
file: C:\Program Files\Common Files\efax\HotTray.exe
size: 23040
MD5: 26295edaffc7ff553649836a304e5e0e

Located: Startup (common), Live Menu.lnk
command: C:\Program Files\Common Files\efax\Dllcmd32.exe
file: C:\Program Files\Common Files\efax\Dllcmd32.exe
size: 18432
MD5: 657ee914db428cdf473ec98808d7b27c

Located: Startup (common), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office10\OSA.EXE
file: C:\Program Files\Microsoft Office\Office10\OSA.EXE
size: 83360
MD5: 5bc65464354a9fd3beaa28e18839734a

Located: Startup (common), Quicken Startup.lnk
command: C:\QUICKENW\QWDLLS.EXE
file: C:\QUICKENW\QWDLLS.EXE
size: 36864
MD5: f5c99b3b20e0f4b0356e6accd785eed9

Located: Startup (common), WinZip Quick Pick.lnk
command: C:\Program Files\WinZip\WZQKPICK.EXE
file: C:\Program Files\WinZip\WZQKPICK.EXE
size: 118784
MD5: 67b2e7b6ae3b400d832f0456068ea83d

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 5/15/2003 12:47:54 AM
Date (last access): 4/25/2005 3:21:44 PM
Date (last write): 5/15/2003 12:47:54 AM
Filesize: 50376
Attributes: archive
MD5: 0C0E1B2BCAED8DF401BE94D538BCB412
CRC32: 1D771322
Version: 6.0.0.878

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll<br>googletoolbar*.dll<br>(* = number)<br>googletoolbar_en_*.**-big.dll<br>Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: c:\windows\
Long name: GoogleToolbar2.dll
Short name: GOOGLE~1.DLL
Date (created): 12/16/2004 9:40:26 AM
Date (last access): 4/25/2005 3:03:22 PM
Date (last write): 12/2/2004 2:59:32 PM
Filesize: 720896
Attributes: readonly archive
MD5: D4E9B7B696E8C40A0E5CB76621A03EE4
CRC32: 019AF69C
Version: 2.0.114.9

{EF03455F-852E-1172-33A0-55AC7653ED04} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: crco32.dll
Short name:
Date (created): 3/7/2005 5:11:58 AM
Date (last access): 4/25/2005 3:03:22 PM
Date (last write): 3/7/2005 5:11:58 AM
Filesize: 79166
Attributes: hidden sysfile archive
MD5: DD70E58138477AAD9BF567C2EBDBBAF3
CRC32: 21E86DAB



--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

Yahoo! Backgammon (Yahoo! Backgammon)
DPF name: Yahoo! Backgammon
CLSID name:
Installer:
Codebase: http://download.games.yahoo.com/games/clients/y/at0_x.cab

{01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class)
DPF name:
CLSID name: Support.com Configuration Class
Installer: C:\WINDOWS\Downloaded Program Files\tgctlcm.inf
Codebase: http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: tgctlcm.dll
Short name:
Date (created): 2/20/2002 3:14:50 AM
Date (last access): 4/25/2005 2:49:22 PM
Date (last write): 2/20/2002 3:14:50 AM
Filesize: 200704
Attributes: archive
MD5: BA653CCE1544A8224B5134B68D1AA5BE
CRC32: D781FF6D
Version: 5.5.318.0

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object)
DPF name:
CLSID name: QuickTime Object
Installer: C:\WINDOWS\Downloaded Program Files\QTPlugin.inf
Codebase: http://www.apple.com/qtactivex/qtplugin.cab
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\QuickTime\
Long name: QTPlugin.ocx
Short name:
Date (created): 8/29/2004 9:21:14 AM
Date (last access): 4/25/2005 3:26:16 PM
Date (last write): 8/29/2004 9:21:16 AM
Filesize: 360504
Attributes: archive
MD5: F88CD154B9627646E9DDA1679155E4E3
CRC32: 5B04FF79
Version: 6.5.1.17

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://download.macromedia.com/pub/shockwa...director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Unknown
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 1/28/2003 12:38:54 PM
Date (last access): 4/25/2005 3:03:22 PM
Date (last write): 1/9/2002 3:28:02 AM
Filesize: 32768
Attributes: archive
MD5: 92FA0AE21D3A08B65D291724AA7D0E43
CRC32: 7B63A9DB
Version: 8.5.1.102

{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class)
DPF name:
CLSID name: YInstStarter Class
Installer: C:\WINDOWS\Downloaded Program Files\yinst.inf
Codebase: http://download.yahoo.com/dl/installs/yinst.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: yinsthelper.dll
Short name: YINSTH~1.DLL
Date (created): 7/11/2001 5:55:28 PM
Date (last access): 4/25/2005 2:49:22 PM
Date (last write): 7/11/2001 5:55:28 PM
Filesize: 81920
Attributes: archive
MD5: F18F29A87DD4F311ED377B54E850DBEF
CRC32: 9C5F5456
Version: 2001.7.11.1

{33564D57-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\wmv9dmo.inf
Codebase: http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
description: Microsoft WMV Video Codec
classification: Legitimate
known filename: WMV9DMO.CAB
info link:
info source: Patrick M. Kolla

{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine)
DPF name:
CLSID name: Office Update Installation Engine
Installer: C:\WINDOWS\Downloaded Program Files\opuc.inf
Codebase: http://office.microsoft.com/officeupdate/content/opuc.cab
Path: C:\WINDOWS\
Long name: opuc.dll
Short name:
Date (created): 8/27/2003 5:10:30 AM
Date (last access): 4/25/2005 2:50:54 PM
Date (last write): 8/27/2003 5:10:30 AM
Filesize: 314368
Attributes: archive
MD5: 1E32EC4A8A17B19926B49EA5F6B79A76
CRC32: E98FC293
Version: 11.0.5626.0

{41F17733-B041-4099-A042-B518BB6A408C} ()
DPF name:
CLSID name:
Installer:
Codebase: http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

{56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class)
DPF name:
CLSID name: RdxIE Class
Installer:
Codebase: http://207.188.7.150/166d52a3eb3907a4ef06/...ip/RdxIE601.cab
description: Netster
classification: Confirmed as malware
known filename:
info link:
info source:
Path: C:\WINDOWS\Downloaded Program Files\
Long name: RdxIE.dll
Short name:
Date (created): 12/6/2002 4:17:14 PM
Date (last access): 4/25/2005 2:49:22 PM
Date (last write): 12/6/2002 4:17:14 PM
Filesize: 520328
Attributes: archive
MD5: 012201D36BE9DDBAA3F06A907F7D61B2
CRC32: CC72A495
Version: 6.0.0.9

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://v5.windowsupdate.microsoft.com/v5co...b?1093617938812
Path: C:\WINDOWS\system32\
Long name: wuweb.dll
Short name:
Date (created): 8/3/2004 1:59:06 PM
Date (last access): 4/25/2005 3:03:22 PM
Date (last write): 8/3/2004 1:59:18 PM
Filesize: 120288
Attributes: archive
MD5: A26DA1E6345613306E646F9EAD26855F
CRC32: EA955411
Version: 5.4.3790.2182

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_04
Installer: C:\WINDOWS\Downloaded Program Files\jinstall-1_4_2_04.inf
Codebase: http://java.sun.com/products/plugin/autodl...indows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\j2re1.4.2_04\bin\
Long name: NPJPI142_04.dll
Short name: NPJPI1~1.DLL
Date (created): 2/22/2068 11:44:46 PM
Date (last access): 1/24/2005 10:24:24 PM
Date (last write): 2/22/2004 11:44:42 PM
Filesize: 65650
Attributes: archive
MD5: 2BCA54CB6A12A5EFBF922C0C1856F30D
CRC32: 3D4A4E94
Version: 1.4.2.40

{8EDAD21C-3584-4E66-A8AB-EB0E5584767D} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\activate.inf
Codebase: http://toolbar.google.com/data/GoogleActivate.cab

{9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\iuctl.inf
Codebase: http://v4.windowsupdate.microsoft.com/CAB/...7868.2067939815
description: Windows Update
classification: Legitimate
known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
info link:
info source: Patrick M. Kolla

{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_04
Installer:
Codebase: http://java.sun.com/products/plugin/autodl...indows-i586.cab
Path: C:\Program Files\Java\j2re1.4.2_04\bin\
Long name: NPJPI142_04.dll
Short name: NPJPI1~1.DLL
Date (created): 2/22/2068 11:44:46 PM
Date (last access): 4/25/2005 3:37:50 PM
Date (last write): 2/22/2004 11:44:42 PM
Filesize: 65650
Attributes: archive
MD5: 2BCA54CB6A12A5EFBF922C0C1856F30D
CRC32: 3D4A4E94
Version: 1.4.2.40

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\macromed\flash\
Long name: flash.ocx
Short name:
Date (created): 12/8/2003 3:01:58 PM
Date (last access): 4/21/2005 11:07:20 AM
Date (last write): 7/17/2004 11:41:30 AM
Filesize: 832872
Attributes: archive
MD5: 1240074B72B4F6F2D6AEE92DB1D29AED
CRC32: 1587660D
Version: 6.0.79.0



--- Process list ---
PID: 0 ( 0) [System]
PID: 644 ( 4) \SystemRoot\System32\smss.exe
PID: 740 ( 644) \??\C:\WINDOWS\system32\winlogon.exe
PID: 784 ( 740) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 796 ( 740) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 992 ( 784) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1176 ( 784) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1536 ( 784) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: 7435B108B935E42EA92CA94F59C8E717
PID: 1716 ( 784) C:\WINDOWS\System32\drivers\CDAC11BA.EXE
size: 52736
MD5: 2C8DD508D8736394D931F38EB4016FB2
PID: 2004 (1860) C:\WINDOWS\Explorer.EXE
size: 1032192
MD5: A0732187050030AE399B241436565E64
PID: 256 ( 784) C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
size: 864338
MD5: 474A016A35549B212A58F062CD0FF006
PID: 316 ( 784) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 432 ( 784) C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
size: 286792
MD5: 41D260FBD4E5D9525D458C7B21C3065F
PID: 460 ( 784) C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
size: 188484
MD5: 5F975641C10E9A58DAE9B0E723364AE9
PID: 636 ( 784) C:\WINDOWS\System32\MsPMSPSv.exe
size: 53248
MD5: 668056D5C3C11AB7D266819A96B964E8
PID: 708 (2004) C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
size: 57344
MD5: D4F5FAA2FD2DC5923C82EE5808BEED7C
PID: 720 (2004) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 151597
MD5: A05DA809AC0D86D916D09E3A908D3A06
PID: 800 (2004) C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
size: 94208
MD5: B5ECA5948D7F8EAA00333231F33EA31A
PID: 124 (2004) C:\WINDOWS\system32\atiptaxx.exe
size: 192512
MD5: 06F44E470A0E581C82F874AF31C21F8B
PID: 924 (2004) C:\Program Files\Support.com\bin\tgcmd.exe
size: 1544192
MD5: B8CE229EB356AC23926E3FE89B4669B0
PID: 988 (2004) C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
size: 32881
MD5: D7B9BE63C406103EE1405FE473AC0697
PID: 1040 (2004) C:\Program Files\QuickTime\qttask.exe
size: 98304
MD5: 76A3A30B58405C2C6D833895253A51A9
PID: 1132 (2004) C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
size: 815166
MD5: C8EDFFAFD3F00FC5B116E6E0F0AA3C39
PID: 1140 (2004) C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
size: 1470464
MD5: 8C57857A286A24E5CE40FB863FBDD172
PID: 1164 (2004) C:\Program Files\dvd43\dvd43_tray.exe
size: 784896
MD5: 9D76A446BB27BF51A7DDD32213CD6B4D
PID: 1228 (2004) C:\Program Files\ATI Multimedia\main\launchpd.exe
size: 77824
MD5: 960F335324BBE86A883A290721AE1443
PID: 1236 (2004) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1038336
MD5: 58F7E6434D285F4C98AD3621E0BD8C8D
PID: 1360 (2004) C:\Program Files\Common Files\efax\HotTray.exe
size: 23040
MD5: 26295EDAFFC7FF553649836A304E5E0E
PID: 1352 (2004) C:\Program Files\Common Files\efax\Dllcmd32.exe
size: 18432
MD5: 657EE914DB428CDF473EC98808D7B27C
PID: 1380 (2004) C:\QUICKENW\QWDLLS.EXE
size: 36864
MD5: F5C99B3B20E0F4B0356E6ACCD785EED9
PID: 1408 (2004) C:\Program Files\WinZip\WZQKPICK.EXE
size: 118784
MD5: 67B2E7B6AE3B400D832F0456068EA83D
PID: 1800 ( 992) C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
size: 65536
MD5: E508B0095D4871A6DB4AB32B878501EE
PID: 2256 ( 784) C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
size: 585789
MD5: FB55153CDA34073AF9B3137893BC1E67
PID: 3836 (3828) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4442624
MD5: 8893DEA8D1B395BE17401B8B9C0ED8BE
PID: 4 ( 0) System
PID: 716 ( 644) csrss.exe
PID: 1084 ( 784) svchost.exe
PID: 1220 ( 784) svchost.exe
PID: 1368 ( 784) svchost.exe
PID: 2820 ( 784) alg.exe


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 4/25/2005 3:37:50 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
res://C:\WINDOWS\system32\mviag.dll/sp.html#28129
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1D5F1695-2E39-474F-9B20-0242285C06C2}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1D5F1695-2E39-474F-9B20-0242285C06C2}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9A0FBB63-F4A6-4661-A1F8-6C53CD339557}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9A0FBB63-F4A6-4661-A1F8-6C53CD339557}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A3A69CC3-6796-46F2-B6EA-F5D3C31AADF2}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A3A69CC3-6796-46F2-B6EA-F5D3C31AADF2}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1189D677-A10E-4BC8-913B-0BF332DD750D}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1189D677-A10E-4BC8-913B-0BF332DD750D}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FF2447C0-F3F2-4CE4-83F9-B245BA978B93}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FF2447C0-F3F2-4CE4-83F9-B245BA978B93}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9567C113-E90F-45C7-A978-CA6BB937FF87}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9567C113-E90F-45C7-A978-CA6BB937FF87}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace



--- System Services ---
Service (registry key): 11Fßä#·ºÄÖ`I
Display name: Network Security Service (NSS)
Object name: LocalSystem
Image path: C:\WINDOWS\crxq32.exe /s
Start: 2
Type: 32
Error Control: 0

Service (registry key): .NET CLR Data
Start: 0
Type: 0
Error Control: 0

Service (registry key): .NET CLR Networking
Start: 0
Type: 0
Error Control: 0

Service (registry key): .NETFramework
Start: 0
Type: 0
Error Control: 0

Service (registry key): 61883
Display name: 61883 Unit Device
Image path: System32\DRIVERS\61883.sys
Image size: 48128
Image MD5: 86D7B1E70661D754685B9AC6D749AAE5
Start: 3
Type: 1
Error Control: 1

Service (registry key): Abiosdsk
Start: 4
Type: 1
Error Control: 0

Service (registry key): abp480n5
Start: 4
Type: 1
Error Control: 1

Service (registry key): ac97intc
Display name: Intel® 82801 Audio Driver Install Service (WDM)
Image path: system32\drivers\ac97intc.sys
Image size: 96256
Image MD5: 0F2D66D5F08EBE2F77BB904288DCF6F0
Start: 3
Type: 1
Error Control: 1

Service (registry key): ACPI
Display name: Microsoft ACPI Driver
Image path: system32\DRIVERS\ACPI.sys
Image size: 187776
Image MD5: A10C7534F7223F4A73A948967D00E69B
Start: 0
Type: 1
Error Control: 1

Service (registry key): ACPIEC
Start: 4
Type: 1
Error Control: 1

Service (registry key): adpu160m
Start: 4
Type: 1
Error Control: 1

Service (registry key): aec
Display name: Microsoft Kernel Acoustic Echo Canceller
Image path: system32\drivers\aec.sys
Image size: 142464
Image MD5: 841F385C6CFAF66B58FBD898722BB4F0
Start: 3
Type: 1
Error Control: 1

Service (registry key): AFD
Display name: AFD Networking Support Environment
Description: AFD Networking Support Environment
Image path: \SystemRoot\System32\drivers\afd.sys
Start: 1
Type: 1
Error Control: 1

Service (registry key): agp440
Display name: Intel AGP Bus Filter
Image path: System32\DRIVERS\agp440.sys
Image size: 42368
Image MD5: 2C428FA0C3E3A01ED93C9B2A27D8D4BB
Start: 0
Type: 1
Error Control: 1

Service (registry key): Aha154x
Start: 4
Type: 1
Error Control: 1

Service (registry key): aic78u2
Start: 4
Type: 1
Error Control: 1

S

Hi fedlin,

Download http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'.

Run Spybot-S&D. Go to the Mode menu, and make sure "Advanced Mode" is selected. On the left hand side, choose Tools -> Resident and uncheck "Resident TeaTimer" and OK any prompts. Restart your computer. After the fixes are done, you can turn it back on.

1. Download AboutBuster
   
   Unzip it to your desktop but don't run it yet we'll do that later on down in this list in SAFE MODE.
   
2. Print out these instructions so you have them handy as some of the steps need to be done in safe mode and you may not be able to go online. We need IE to remain closed throughout the process.
   
3. Make sure your PC is configured to show hidden files.How do I show hidden files?
   
4. Click "Start", "Run...", type "services.msc" and click on "OK". Search for Network Security Service. Change the startup type to "Disabled".
   
5. Restart your computer in Safe Mode. How do I Safe Boot my computer?
   
6. Scan with Hijack This and put check the following:
   
   R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mviag.dll/sp.html#28129
   
   R1 - HKCU\Software\Microsoft\Windows\CurrentVersin\Internet Settings,ProxyServer =
   
   
   R3 - Default URLSearchHook is missing
   
   O2 - BHO: (no name) - {EF03455F-852E-1172-33A0-55AC7653ED04} - C:\WINDOWS\system32\crco32.dll
   
   O4 - HKLM\..\Run: [1FC.tmp] C:\DOCUME~1\FRANKE~1\LOCALS~1\Temp\1FC.tmp.exe 0 28129
   O4 - HKLM\..\Run: [1FF.tmp] C:\DOCUME~1\FRANKE~1\LOCALS~1\Temp\1FF.tmp.exe 0 28129
   
   O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/166d52a3eb3907a4ef06/...ip/RdxIE601.cab
   
   O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crxq32.exe (file missing)
   Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".
   
   Folders and files with a tilde (~), means that there is a file/folder that starts with the six characters in front of the tilde, note that there may be spaces in the name. If there are more than one, please report them back and do not delete!
   
   Delete the following files in red (it could be that they are deleted already):
   
   C:\WINDOWS\system32\mviag.dll
   C:\WINDOWS\system32\crco32.dll
   All Files in C:\Documents And Settings\FRANKE~1\Local Settings\Temp
   C:\WINDOWS\crxq32.exe
   
7. Double click on the AboutBuster tool you downloaded earlier. Follow the instruction prompts to use the program and let it do two scans (it will ask). When finished, press the "Save log" button. I will want a copy of that log after all steps are completed here.
   
8. Scan with Adaware and let it remove any bad files found.
   
9. Clean out temporary and tif files. Go to "Start" -> "Run" and type in the box: "cleanmgr". Let it scan your system for files to remove. Make sure these 3 are checked and then press "Ok" to remove:
   
   Temporary Files
   Temporary Internet Files
   Recycle Bin
   
10. Restart in normal mode.
    
11. NOTE: Two possibly three or four files may have been deleted from your computer by the hijacker and may need to be replaced.
    
    Control.exe
    Shell.dll
    SDHelper.dll (if you are using Spybot Search & Destroy)
    Hosts file (no extension)
    
    If control.exe, shell.dll or SDHelper is missing
    Go here: http://spywareinfo.com/~merijn/winfiles.html and download the needed file.
    
    For a missing Hosts file:
    Download Hoster
    Press "Restore Original Hosts" and press "OK"
    Exit Program.
    Note: if you were using a custom Hosts file you will need to replace any of those entries yourself!
    
    If you have Spybot S&D installed and SDHelper.dll is missing, replace it here:
    http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
    
12. Additional: Check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in Internet Explorer as recommended.
    
    ActiveX controls and plug-ins:
    • Download signed ActiveX controls (Prompt)
    • Download unsigned ActiveX controls (Disable)
    • Initialize and script ActiveX controls not marked as safe (Disable)
    • Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
    • Script ActiveX controls marked safe for scripting (Prompt)
    
    Do an online scan at the following site. Let it remove any infected files found.
    Trend Micro (PC-Cillin) - Free On-line Scan

When you are all done, post the new HijackThis log and the AboutBuster log here for review.

I have completed all of the instructions given me. I can now get to all of my folders! Thank you!!!! My HijackThis and AboutBuster Logs are below but first I have several questions as follows:

I have both XP and PC-Cillin firwalls active. From what I understand I need to turn one off. Which one do you recommend that I leave active on my machine?

One of the steps you gave me was to change the startuptype of Network Security Services to "Disable." Should I keep it that way?

I have Spybot, Adaware, and PC-cillin anti-spyware. How often do you recomend that I run them? Should I also download and run Microsoft's Anti-Spyware Beta?

Thanks Again,
fedlin


Logfile of HijackThis v1.99.1
Scan saved at 12:09:21 PM, on 4/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programs\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mviag.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: (no name) - {EF03455F-852E-1172-33A0-55AC7653ED04} - C:\WINDOWS\system32\crco32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [1FC.tmp] C:\DOCUME~1\FRANKE~1\LOCALS~1\Temp\1FC.tmp.exe 0 28129
O4 - HKLM\..\Run: [1FF.tmp] C:\DOCUME~1\FRANKE~1\LOCALS~1\Temp\1FF.tmp.exe 0 28129
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/166d52a3eb3907a4ef06/...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093617938812
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D5F1695-2E39-474F-9B20-0242285C06C2}: NameServer = 132.194.10.19,132.194.10.3
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


About Buster Log

Scanned at: 12:54:13 PM on: 4/27/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25


Removed Data Streams:
C:\WINDOWS\SchedLgU.Txt:eqdml


Removed 8 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 25


Removed Data Streams:
C:\WINDOWS\SchedLgU.Txt:eqdml


Attempted Clean Of Temp folder.
Pages Reset... Done!

Hi fedlin,

I recommend running the firewall from Trend Micro. Windows Firewall only filters incoming, and not6 outgoing data streams.

Yep. As a matter of fact it's gone now. Network Security Services was the reinfector in this infection and got killed off by About:Buster.

Well... It's a difficult one. There is not one perfect anti spyware solution, they all complement each other. Unfortunately they also hinder each other. I myself have never run MSAS, but from what I read it is good. So if you want to download it and install it. You will not be the first log I've seen it running with the others.

You're running from Safe Mode, please post a log from Normal Mode. Safe Mode doesn't load everything, and what I can't see, I can't fix.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mviag.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =


R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {EF03455F-852E-1172-33A0-55AC7653ED04} - C:\WINDOWS\system32\crco32.dll

O4 - HKLM\..\Run: [1FC.tmp] C:\DOCUME~1\FRANKE~1\LOCALS~1\Temp\1FC.tmp.exe 0 28129
O4 - HKLM\..\Run: [1FF.tmp] C:\DOCUME~1\FRANKE~1\LOCALS~1\Temp\1FF.tmp.exe 0 28129

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/166d52a3eb3907a4ef06/...ip/RdxIE601.cab

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?
At the end if the fix you can return the files to hidden status if you want.

Folders and files with a tilde (~), means that there is a file/folder that starts with the six characters in front of the tilde, note that there may be spaces in the name. If there are more than one, please report them back and do not delete!

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\system32\mviag.dll
C:\WINDOWS\system32\crco32.dll
All files in C:\Documents And Settings\FRANKE~1\Local Settings\Temp

Restart your computer and post a new log in this thread.

Sorry for taking so long but I have been extreemely busy. I ran HijackThis again and could find any of the boxes you asked to check so I did not fix anything. Am I not understanding something here? Here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 1:46:23 PM, on 5/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093617938812
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D5F1695-2E39-474F-9B20-0242285C06C2}: NameServer = 132.194.10.19,132.194.10.3
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

I have many files with a ~ and I am not sure what you are asking for. Are you loking for files like this:
SCO_01~2.XLS (6 characters before the ~) ( I have several copies of this file.
SOCOPR~2.XLS ( I have several copies of this file.
SAMPLE~1.DOC
DESKto~1
OPEFO~1
TRASH.~MBX
SHARED~mbx
----------

I did print Screens on all my ~ files/folders and put them in Word files but I don't see a way to insert them here. I hope that you are looking for a subset which I can type. I could send the Word via e-mail if I had an e-mail address. My e-mail address is:

Removed email address! Spammers do lurk here to harvest them.

I did not find:
C:\Windows\system32\mviag.dll or
C:\Windows\system32\crco32.dll

I don't have folders or files in C:\Documents and Settings\FRANK E~1\Local Settings\Temp (~1)???? but I do have a number of file folders a a large number of files in:
C:\Documents And Settings\FRANK E~\Local Settings\Temp.

I do not know how to copy a list of just the file names from a Windows Explorer search so again I did Print Screens and put in a Word file. Is there a way to copy just the file names and not the files from a Windows Explorer search? If you want me to type in all of the folder and file names I can do that.

Thanks,
fedlin

Hi fedlin,

Things can change awfully fast in just a few days! Bet you saw that too! This log is clean. Do you still have any problems?