Geeks to Go

Recovery Console NOT Installed - Combo.Fix Warns [RESOLVED]


  • This topic is locked

#1
scottportraits

    Member

  • 152 posts
Feb 18, 2008

Hi Malware Techs,

Just got through scrubbing down and restoring my system from a trojan that got in through a bad e-mail I should never have opened. Did ALL the scans and used all the online products you require .... and this one symptom remains after all that. Have logs from the many scans and fixes, including SUPER Anti-Spyware, AVG A/V, Kaspersky Online scan, A-Squared Online Trojan scan, Combo.fix, SDFix, Dr Web CureIt, Spybot S&D, Symantec Security Check, and Panda.

One last symptom remains, probably damage in the 'settings' for my e-mail server. I use Mozilla's mail server 'Thunderbird' with my safe-mail.net account. Been using it for years. Now a quirky problem has arisen which is baffling me.

Opening any e-mail that is already in the inbox displays it the way HTML source code usually displays when you click that menu option in any browser. My Thunderbird settings are View > Character Encoding > Auto-detect OFF; radio button on Western (ISO-8859-1). I'm pretty sure this is how it always was.

Going to Tools > Options > Display tab shows nothing irregular....nor do any of the settings in 'Options', or account settings.

All I know is that it worked fine until I downloaded a batch of new mail and maybe clicked open a junk or spam item, now long deleted. It started after that. I ran my updated AVG virus scanner specifically on C:\Program Files\Thunderbird and came up with nothing. I can run more scans, which I'll do, but I wonder if there is a quick fix or any useful advice I might garner from a GTG posting. Any advice would be nice.

P.S. - I tried uninstalling Thunderbird, then reinstalling it again after a reboot. Same problem exists, so I think it must be damage lurking in the 'settings' from the trojan attack.

How can I fix this, and scan the whole system for any other damage which I've yet to discover? I've done all the scans, several times over, even in safe mode. Now it is a repair-damage issue, since the bugs are mainly removed.

Only other symptom is that I get low IDs in gaming, and the TCP port is being rejected no matter how I configure it.

So here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:54 AM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

--
End of file - 7611 bytes

And here's the ComboFix log:

ComboFix 08-02-18.1 - Owner 2008-02-18 9:53:27.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.478 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-18 09:49 . 2008-02-18 09:49 24,295 --a------ C:\MGtools.php
2008-02-18 06:09 . 2008-02-18 06:09 <DIR> d-------- C:\SAV32CLI
2008-02-18 04:34 . 2008-02-18 04:34 54,526,464 --a------ C:\1EF.tmp
2008-02-17 14:10 . 2008-02-17 14:10 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-17 14:00 . 2008-02-18 06:02 1,309,729 --a------ C:\SDFix.exe
2008-02-16 20:06 . 2008-02-16 20:06 <DIR> d-------- C:\Documents and Settings\Owner\DoctorWeb
2008-02-16 19:08 . 2008-02-18 05:34 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-16 19:08 . 2008-02-18 05:32 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-16 19:08 . 2008-02-18 05:32 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-16 19:08 . 2008-02-18 05:32 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-16 11:08 . 2008-02-16 11:08 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-16 11:08 . 2008-02-16 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-16 10:46 . 2008-02-16 10:49 54,526,464 --a------ C:\107.tmp
2008-02-13 21:08 . 2008-02-13 21:08 <DIR> d-------- C:\Program Files\Easy Video Joiner
2008-02-13 20:52 . 2008-02-13 20:52 <DIR> d-------- C:\Program Files\Pegasys Inc
2008-02-13 00:41 . 2008-02-13 00:41 <DIR> d-------- C:\Program Files\WinPcap
2008-02-13 00:40 . 2008-02-13 00:42 <DIR> d-------- C:\Program Files\WM Recorder
2008-02-13 00:40 . 2008-02-13 00:40 286,720 --a------ C:\WINDOWS\iun506.exe
2008-02-11 21:32 . 2008-02-18 08:46 9,662 --a------ C:\WINDOWS\EPISME00.SWB
2008-02-11 02:14 . 2008-02-11 02:14 <DIR> d-------- C:\Program Files\The Herbal Pharmacy
2008-02-11 02:14 . 1996-12-03 16:07 403,216 --a------ C:\WINDOWS\system32\msrepl35.dll
2008-02-11 02:14 . 1997-07-01 05:01 331,032 --a------ C:\WINDOWS\system32\Threed20.ocx
2008-02-11 02:14 . 1997-07-19 19:00 129,808 --a------ C:\WINDOWS\system32\Comdlg32.ocx
2008-02-11 02:14 . 1996-08-21 03:00 78,848 --a------ C:\WINDOWS\system32\Msoutl32.ocx
2008-02-11 02:14 . 1997-02-27 20:40 78,608 --a------ C:\WINDOWS\system32\Vb5db.dll
2008-02-11 02:14 . 1996-12-05 03:00 77,824 --a------ C:\WINDOWS\system32\Odbctl32.dll
2008-02-09 15:41 . 2005-10-20 23:32 614,400 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-02-09 15:14 . 2008-02-09 15:14 32 --ahs---- C:\WINDOWS\system32\{08026524-ADCF-41C1-955E-179AA9A443A5}.dat
2008-02-09 15:14 . 2008-02-09 15:14 32 --ahs---- C:\WINDOWS\{62956119-A394-4A40-B338-82024785660E}.dat
2008-02-09 15:13 . 2008-02-09 15:13 32 --ahs---- C:\WINDOWS\system32\{0BCDEC34-D9BE-4016-9B4C-A27AE8FF98DD}.dat
2008-02-09 15:13 . 2008-02-09 15:13 32 --ahs---- C:\WINDOWS\{0781DBA9-8D92-49E0-B1BC-B7250E2CE403}.dat
2008-02-09 15:12 . 2006-08-25 10:45 617,472 --a------ C:\WINDOWS\system32\COMCTL32.NU7
2008-02-09 15:12 . 2002-08-14 09:03 34,578 --a------ C:\WINDOWS\system32\drivers\NPDRIVER.SYS
2008-02-09 15:12 . 2002-08-14 09:03 31,744 --a------ C:\WINDOWS\system32\S32STAT.DLL
2008-02-09 15:12 . 2008-02-09 15:12 32 --ahs---- C:\WINDOWS\system32\{D0469130-AC30-4782-8CB7-80FB402B36CD}.dat
2008-02-09 15:12 . 2008-02-09 15:12 32 --ahs---- C:\WINDOWS\{AEEF3303-6814-431A-8543-A9C5F57F1C7A}.dat
2008-02-09 15:10 . 2002-08-14 18:03 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-02-09 15:10 . 2002-08-14 18:03 17,005 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-02-09 15:10 . 2002-08-14 18:03 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL
2008-02-09 15:10 . 2002-08-14 18:03 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE
2008-02-09 15:10 . 2008-02-09 15:10 32 --ahs---- C:\WINDOWS\system32\{1BE23CE5-13B0-4346-A7FC-48656F24ED7F}.dat
2008-02-09 15:10 . 2008-02-09 15:10 32 --ahs---- C:\WINDOWS\{BEF60247-EAF0-4A0A-B211-F2764F2DC675}.dat
2008-02-09 15:09 . 2008-02-09 15:12 <DIR> d-------- C:\Program Files\Symantec
2008-02-09 15:09 . 2008-02-09 15:32 <DIR> d-------- C:\Program Files\Norton SystemWorks
2008-02-09 15:09 . 2008-02-09 15:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2008-02-09 15:09 . 2008-02-09 15:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-09 15:09 . 2002-08-29 16:14 123,619 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-02-09 15:09 . 2002-08-29 16:14 83,672 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-09 15:09 . 2002-08-29 16:14 73,224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-09 15:09 . 2008-02-09 15:09 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-02-09 15:09 . 2008-02-09 15:09 14 --a------ C:\WINDOWS\system32\SR2.dat
2008-02-09 15:08 . 2008-02-09 15:31 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-09 15:08 . 1998-06-26 03:00 89,600 --a------ C:\WINDOWS\system32\MSCAL.OCX
2008-02-09 00:24 . 2008-02-09 00:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Thunderbird
2008-02-09 00:10 . 2002-04-11 23:21 13,335 --a------ C:\WINDOWS\system32\drivers\usbcm.sys
2008-02-08 21:52 . 2008-02-08 21:52 <DIR> d-------- C:\WINDOWS\Sun
2008-02-08 15:45 . 2008-02-08 15:45 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-08 03:52 . 2008-02-08 03:52 <DIR> d-------- C:\Program Files\Fisher
2008-02-08 03:06 . 2008-02-08 03:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Riverdeep Interactive Learning Limited
2008-02-08 01:46 . 2008-02-08 01:46 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SoundSpectrum
2008-02-08 01:22 . 2007-06-30 00:05 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-02-08 01:22 . 2007-09-25 02:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-08 01:21 . 2008-02-08 01:22 <DIR> d-------- C:\Program Files\Java
2008-02-08 01:20 . 2008-02-08 01:20 <DIR> d-------- C:\Program Files\GSpot
2008-02-08 01:19 . 2008-02-08 01:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-08 01:13 . 2008-02-08 01:13 60,416 --a------ C:\WINDOWS\ALCFDRTM.VER
2008-02-08 01:13 . 2008-02-08 01:13 60,416 --a------ C:\WINDOWS\ALCFDRTM.EXE
2008-02-08 01:12 . 2004-06-18 12:15 7,506,432 --------- C:\WINDOWS\system32\RTLCPL.exe
2008-02-08 01:12 . 2004-02-24 05:08 400,384 --------- C:\WINDOWS\system32\drivers\alcxsens.sys
2008-02-08 01:12 . 2004-02-09 09:18 155,648 --------- C:\WINDOWS\system32\RtlCPAPI.dll
2008-02-08 01:12 . 2002-02-05 07:54 141,016 --------- C:\WINDOWS\system32\alsndmgr.wav
2008-02-08 01:12 . 2004-08-02 11:10 1,048 --------- C:\WINDOWS\system32\drivers\alcxinit.dat
2008-02-08 01:12 . 2004-06-28 05:01 176 --------- C:\WINDOWS\system32\drivers\alcxhweq.dat
2008-02-08 01:06 . 2008-02-08 01:06 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-02-08 01:06 . 2008-02-08 01:06 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-02-08 01:05 . 2008-02-08 01:13 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-02-08 00:59 . 2004-06-18 12:32 15,684,608 --------- C:\WINDOWS\system32\alsndmgr.cpl
2008-02-08 00:59 . 2007-03-23 18:19 9,715,200 --a------ C:\WINDOWS\RTLCPL.exe
2008-02-08 00:59 . 2005-05-03 19:43 69,632 --a------ C:\WINDOWS\Alcmtr.exe
2008-02-08 00:59 . 2004-06-18 12:31 67,584 --------- C:\WINDOWS\soundman.exe
2008-02-07 22:00 . 2008-02-08 01:53 <DIR> d-------- C:\Program Files\Web Publish
2008-02-07 22:00 . 2004-01-20 06:08 970,752 --a------ C:\WINDOWS\system32\cdintf210.dll
2008-02-07 21:58 . 2008-02-08 03:07 <DIR> d-------- C:\Program Files\PrintMaster 16
2008-02-07 21:58 . 2008-02-07 21:58 <DIR> d-------- C:\Program Files\Common Files\Broderbund
2008-02-07 21:58 . 2008-02-07 21:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Broderbund Software
2008-02-07 20:17 . 2008-02-13 21:06 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-02-07 19:46 . 2008-02-07 19:46 <DIR> d-------- C:\WINDOWS\Drivers
2008-02-07 19:16 . 2008-02-07 19:16 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS
2008-02-07 19:16 . 2008-02-07 19:16 <DIR> d-------- C:\Program Files\Nero
2008-02-07 19:16 . 2008-02-07 19:16 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-02-07 19:16 . 2008-02-07 19:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2008-02-07 18:59 . 2008-02-07 18:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DivX
2008-02-07 17:52 . 2008-02-07 17:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-02-07 17:29 . 2008-02-08 17:55 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-07 17:16 . 2008-02-18 05:36 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-07 17:07 . 2008-02-07 17:07 <DIR> d-------- C:\WINDOWS\ShellNew
2008-02-07 17:07 . 2008-02-07 17:07 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-07 17:07 . 2008-02-07 17:07 376 --a------ C:\WINDOWS\ODBC.INI
2008-02-07 16:52 . 1998-02-07 00:37 299,520 --a------ C:\WINDOWS\uninst.exe
2008-02-07 16:51 . 2008-02-07 16:51 <DIR> d-------- C:\Program Files\ArcSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 20:50 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-02-07 20:50 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-02-07 20:50 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-07 19:37 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-02-07 17:02 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-04 21:58 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-04 21:58 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-04 21:58 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-01-04 21:58 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-01-04 21:58 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-22 23:13 1591808]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 22:40 2577632]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-07 13:15 579072]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 07:00 98304]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 22:20 866584]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 17:08 16380416 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-07 13:15 219136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 22:05:35 360448]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 15:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 14:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-12 01:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-09-08 14:06 94208 C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2002-08-20 01:22 50880 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
--a------ 2002-08-20 01:23 34504 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix]
--a------ 2004-08-04 14:00 388608 C:\WINDOWS\system32\kmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 14:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
--a------ 2002-08-14 18:21 94208 C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2005-09-07 17:33 862720 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 14:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMBooster.Net]
C:\Program Files\RAMBooster.Net\RAMBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2005-05-31 04:04 1415824 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 04:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinMem]
--a------ 2007-04-03 15:04 507392 C:\Program Files\WinCleaner Memory Optimizer\WinMemOpt.exe

R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2002-08-14 18:11]
S3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2002-08-14 09:03]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 14:33:52 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-16 05:38:51 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-02-18 14:55:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 09:55:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-18 9:56:00
ComboFix2.txt 2008-02-17 18:58:42
.
2008-02-13 21:24:35 --- E O F ---

Hope there is info in here that identifies the glitch and suggests a quick, easy fix. I feel okay about touching registry objects, which is the last part (and the part I don't try to fix myself). So walk me through it and I will be most appreciative. Or suggest another 'Fix' app to try.....whatever,

Thanks folks, you're the BEST !!

-scottportraits

Edited by scottportraits, 19 February 2008 - 07:01 PM.
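The helpers in this thread work by reading two log formats by eye: HijackThis "Oxx - ..." entries and the ComboFix "Files Created" list. The script below is an added example (mine, not code from any post or from the HijackThis/ComboFix tools) that parses both formats as they appear above and prints the entries a helper would look at first: services with no recorded publisher, Winlogon Notify DLLs, autostarts with no absolute path or with a binary outside Windows/Program Files, and hidden+system or GUID-named .dat files. The trusted-directory list, the per-section rules and the sample lines are assumptions for the example; the "Updater" line is a hypothetical autostart constructed to show an out-of-place binary, the others mirror lines from the posted logs. Every hint is a reason to look, not a verdict: in the log above, for instance, the hidden GUID-named .dat files carry the same timestamps as the Norton SystemWorks install that precedes them.

```python
"""Triage helper for the two log formats posted in this thread (added example,
not code from any post or from HijackThis/ComboFix). Hints are reasons to
look, not malware verdicts."""
import re
from dataclasses import dataclass

# Assumption: on 32-bit XP, autostart binaries and services normally live here.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# HijackThis line: "<section> - <body>", e.g. "O23 - Service: ..."
HJT_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First path in an HJT body: quoted, or unquoted and ending at the first
# exe/dll/sys/cpl/ocx extension that is followed by whitespace or end of line.
PATH_RE = re.compile(
    r'"(?P<q>[a-z]:\\[^"]+)"|(?P<u>[a-z]:\\.+?\.(?:exe|dll|sys|cpl|ocx))(?=\s|$)',
    re.IGNORECASE,
)
# ComboFix "Files Created" line:
# "2008-02-09 15:14 . 2008-02-09 15:14  32 --ahs---- C:\WINDOWS\{...}.dat"
CF_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)
GUID_DAT_RE = re.compile(r"\\\{[0-9a-f-]{36}\}\.dat$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    source: str  # "hjt" or "combofix"
    reason: str
    line: str


def extract_path(body):
    """First Windows path in an HJT body, or None when the entry has none."""
    m = PATH_RE.search(body)
    return (m.group("q") or m.group("u")) if m else None


def is_trusted(path):
    return path.lower().startswith(TRUSTED_DIRS)


def triage_hjt(line):
    """Review hints for one HijackThis line (empty when nothing stands out)."""
    m = HJT_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    hints = []
    if section == "O23" and "Unknown owner" in body:
        hints.append("service binary has no publisher recorded")
    if section == "O20":
        hints.append("Winlogon Notify DLL (loaded at logon; common persistence point)")
    if section in ("O2", "O3", "O4", "O20", "O23"):
        path = extract_path(body)
        if path is None:
            if section in ("O4", "O23"):
                hints.append("no absolute path; binary is resolved via the search path")
        elif not is_trusted(path):
            hints.append("runs from outside Windows/Program Files: " + path)
    return [Finding("hjt", r, line.strip()) for r in hints]


def triage_combofix(line):
    """Review hints for one ComboFix 'Files Created' line."""
    m = CF_RE.match(line.strip())
    if not m:
        return []
    attrs, path, size = m.group("attrs"), m.group("path"), m.group("size")
    hints = []
    if "h" in attrs and "s" in attrs:
        hints.append("hidden+system attributes set")
    if GUID_DAT_RE.search(path):
        hints.append("GUID-named .dat file")
    if size != "<DIR>" and path.lower().endswith((".exe", ".dll", ".sys")) and not is_trusted(path):
        hints.append("executable outside Windows/Program Files")
    return [Finding("combofix", r, line.strip()) for r in hints]


def triage_log(text):
    """Run both parsers over every line; lines in neither format are ignored."""
    findings = []
    for line in text.splitlines():
        findings.extend(triage_hjt(line))
        findings.extend(triage_combofix(line))
    return findings


# Constructed sample in the format of the logs above; the "Updater" entry is a
# hypothetical autostart added to show an out-of-place binary.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\Owner\Local Settings\Temp\updater.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
2008-02-09 15:14 . 2008-02-09 15:14 32 --ahs---- C:\WINDOWS\{62956119-A394-4A40-B338-82024785660E}.dat
2008-02-17 14:00 . 2008-02-18 06:02 1,309,729 --a------ C:\SDFix.exe
2008-02-18 06:09 . 2008-02-18 06:09 <DIR> d-------- C:\SAV32CLI
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.source}] {f.reason}\n    {f.line}")
```

Run it as-is to see the seven hints the sample produces, or replace SAMPLE_LOG with the text of a pasted log. The ComboFix parser only understands the nine-character attribute column of the "Files Created" section; the shorter "Find3M Report" format and the HijackThis "Running processes" block pass through unflagged, so a bare filename such as RTHDCPL.EXE is best checked by hand against the process list.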



#2
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

You shouldn't have run ComboFix yourself; it is a dangerous tool unless you know what you are doing.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under 'Select a target to scan', select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3
scottportraits

    Member

  • Topic Starter
  • 152 posts
Feb 23, 2008 2pm est

Hello R-112,

Sorry, didn't know Combo.Fix was perilous to run if you're uninformed, like me. Actually, I ran it several times during this malware incident and last year's December malware incident. Also ran other fixers like SDFix, Dr Web CureIt, and SmithFraud. I notice these apps, once on your HD, come up in scans as 'threats' - possibly because they have process.exe files in them.

I ran Kaspersky's online scan a few days ago, myself, and here is the log from then. I am running it now, with newer definitions, and will post that log asap.
I also ran Deckard's a few days ago, so here is that log, too.....but I will run it again after the new Kaspersky scan is finalized, so the following post will have up to the moment results.
I have AVG A/V installed on my system and it runs automatically each day. The logs show nothing from these scans. Super Anti-Spyware, Spybot S&D, Lavasoft Ad-aware, and A-Squared online trojan scanner keep coming up clean, as have the Kaspersky scans.

But when I try to run Symantec's Online Security Check, for viruses, it rejects my browser, IE7, and I've set the options to run scripts. It should work, but doesn't. Also, Panda's online scanner catches two 'Hacker Tools/Rootkits', then freezes on one of my printer/scanner TWAIN files, an ICC profile file (which I don't use); it sits stuck for a while, then I get booted.
So I am unable to run Symantec's or Panda's online scans without being stopped.

Like I say, AVG A/V, Kaspersky online, A-squared online, SUPER Anti-spyware Free, Spybot S&D, all have been coming up clean.

So here are yesterday's Kaspersky scan and Deckard's scan, with new updated ones to follow in an hour:

Kaspersky
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics
Total number of scanned objects 90790
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 01:59:05

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-02072008-141607.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\97mno13e.default\GoogleToolbarData\searchhistory.xml Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\97mno13e.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{2F3E5309-E7F2-4CFB-AD86-C66BE682FC43} Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\97mno13e.default\XUL.mfl Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\a2cache_55628558.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_258.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF5A97.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFBD14.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010003.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP55\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{42933DCB-9B19-40B1-8D46-DF8535A095FC}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\RECYCLER\NPROTECT\00000361.windo Object is locked skipped
D:\RECYCLER\NPROTECT\00000362.windo Object is locked skipped
D:\RECYCLER\NPROTECT\00000363.windo Object is locked skipped
D:\RECYCLER\NPROTECT\00000367.servi Object is locked skipped
D:\RECYCLER\NPROTECT\00000368.secur Object is locked skipped
D:\RECYCLER\NPROTECT\00000369.runti Object is locked skipped
D:\RECYCLER\NPROTECT\00000370.runti Object is locked skipped
D:\RECYCLER\NPROTECT\00000371.messa Object is locked skipped
D:\RECYCLER\NPROTECT\00000372.manag Object is locked skipped
D:\RECYCLER\NPROTECT\00000374.enter Object is locked skipped
D:\RECYCLER\NPROTECT\00000375.enter Object is locked skipped
D:\RECYCLER\NPROTECT\00000376.drawi Object is locked skipped
D:\RECYCLER\NPROTECT\00000377.drawi Object is locked skipped
D:\RECYCLER\NPROTECT\00000378.drawi Object is locked skipped
D:\RECYCLER\NPROTECT\00000379.direc Object is locked skipped
D:\RECYCLER\NPROTECT\00000380.desig Object is locked skipped
D:\RECYCLER\NPROTECT\00000381.desig Object is locked skipped
D:\RECYCLER\NPROTECT\00000383.confi Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.

And here is Deckard's scan log from yesterday:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-02-22 18:28:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
17: 2008-02-22 23:28:54 UTC - RP17 - Deckard's System Scanner Restore Point
16: 2008-02-22 06:38:00 UTC - RP16 - Software Distribution Service 3.0
15: 2008-02-22 01:06:50 UTC - RP15 - System Checkpoint
14: 2008-02-21 00:10:23 UTC - RP14 - System Checkpoint
13: 2008-02-19 23:58:18 UTC - RP13 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-02-18 14:52:41 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:30:31 PM, on 2/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\eMule\emule.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

--
End of file - 7489 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 GhPciScan (GhostPciScanner) - c:\program files\norton systemworks\norton ghost\ghpciscan.sys <Not Verified; Symantec Corporation; Symantec Ghost PCI Scanner>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; NetGroup - Politecnico di Torino; Remote Packet Capture Daemon>
S3 Speed Disk service - c:\progra~1\norton~1\speedd~1\nopdb.exe <Not Verified; Symantec Corporation; Norton Speed Disk>
S4 GhostStartService - c:\program files\norton systemworks\norton ghost\ghoststartservice.exe <Not Verified; Symantec Corporation; Norton Ghost Start Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-22 18:30:00 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-02-22 18:18:23 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-02-16 00:38:51 482 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job


-- Files created between 2008-01-22 and 2008-02-22 -----------------------------

2008-02-18 12:06:28 1914 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-18 10:02:38 0 d-------- C:\Program Files\Trend Micro
2008-02-18 06:09:30 0 d-------- C:\SAV32CLI
2008-02-17 14:10:10 0 d-------- C:\WINDOWS\ERUNT
2008-02-17 14:00:56 1309729 --a------ C:\SDFix.exe
2008-02-16 20:06:16 0 d-------- C:\Documents and Settings\Owner\DoctorWeb
2008-02-16 19:52:28 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-16 19:52:28 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-16 19:52:28 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-16 19:52:28 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-16 19:08:12 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-16 11:08:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-16 11:08:05 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-13 21:08:51 0 d-------- C:\Program Files\Easy Video Joiner
2008-02-13 20:52:27 0 d-------- C:\Program Files\Pegasys Inc
2008-02-13 00:41:13 0 d-------- C:\Program Files\WinPcap
2008-02-13 00:40:58 286720 --a------ C:\WINDOWS\iun506.exe <Not Verified; Indigo Rose Corporation; Setup Factory 5.0 Uninstaller>
2008-02-13 00:40:57 0 d-------- C:\Program Files\WM Recorder
2008-02-11 02:14:55 77824 --a------ C:\WINDOWS\system32\Odbctl32.dll <Not Verified; Microsoft Corporation; Microsoft Open Database Connectivity>
2008-02-11 02:14:55 403216 --a------ C:\WINDOWS\system32\msrepl35.dll <Not Verified; Microsoft Corporation; Microsoft® Access>
2008-02-11 02:14:54 0 d-------- C:\Program Files\The Herbal Pharmacy
2008-02-09 15:41:30 614400 --a------ C:\WINDOWS\system32\msvcr80.dll <Not Verified; Microsoft Corporation; Microsoft® Visual Studio® .NET>
2008-02-09 15:14:16 32 --ahs---- C:\WINDOWS\system32\{08026524-ADCF-41C1-955E-179AA9A443A5}.dat
2008-02-09 15:14:16 32 --ahs---- C:\WINDOWS\{62956119-A394-4A40-B338-82024785660E}.dat
2008-02-09 15:13:46 32 --ahs---- C:\WINDOWS\system32\{0BCDEC34-D9BE-4016-9B4C-A27AE8FF98DD}.dat
2008-02-09 15:13:46 32 --ahs---- C:\WINDOWS\{0781DBA9-8D92-49E0-B1BC-B7250E2CE403}.dat
2008-02-09 15:12:56 32 --ahs---- C:\WINDOWS\system32\{D0469130-AC30-4782-8CB7-80FB402B36CD}.dat
2008-02-09 15:12:56 32 --ahs---- C:\WINDOWS\{AEEF3303-6814-431A-8543-A9C5F57F1C7A}.dat
2008-02-09 15:12:30 34578 --a------ C:\WINDOWS\system32\drivers\NPDRIVER.SYS <Not Verified; Symantec Corporation; Norton Utilities>
2008-02-09 15:12:22 31744 --a------ C:\WINDOWS\system32\S32STAT.DLL <Not Verified; Symantec Corporation; SYMSTAT>
2008-02-09 15:11:51 32 --ahs---- C:\WINDOWS\system32\{CBD6D914-7D67-4390-82F7-E0F2BBEF5D04}.dat
2008-02-09 15:11:51 32 --ahs---- C:\WINDOWS\system32\{77D5722C-9153-4890-BE9F-EE2FCD2AB331}.dat
2008-02-09 15:11:51 32 --ahs---- C:\WINDOWS\system32\{07759808-7B9C-4D58-8E2E-29F2A451036D}.dat
2008-02-09 15:11:51 32 --ahs---- C:\WINDOWS\{E8B62386-2994-4446-96C8-488775EBBF20}.dat
2008-02-09 15:11:51 32 --ahs---- C:\WINDOWS\{AD953506-9405-4C22-A731-49FD45C43A7E}.dat
2008-02-09 15:11:51 32 --ahs---- C:\WINDOWS\{5206AADC-31ED-4D5A-B3A5-A81A62E7BAA7}.dat
2008-02-09 15:11:48 24848 --a------ C:\WINDOWS\system32\msjter35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-02-09 15:11:48 123664 --a------ C:\WINDOWS\system32\Msjint35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-02-09 15:11:47 252176 --a------ C:\WINDOWS\system32\msrd2x35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-02-09 15:11:46 368912 --a------ C:\WINDOWS\system32\vbar332.dll <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Applications>
2008-02-09 15:11:46 1046288 --a------ C:\WINDOWS\system32\msjet35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-02-09 15:11:45 182784 --a------ C:\WINDOWS\system32\ddao35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-02-09 15:11:43 13792 --a------ C:\WINDOWS\system32\drivers\qdfsdrv.sys <Not Verified; Symantec Corporation; Norton CleanSweep>
2008-02-09 15:11:33 94208 --a------ C:\WINDOWS\system32\qdcsinet.dll <Not Verified; Symantec Corporation; Norton CleanSweep>
2008-02-09 15:11:33 86016 --a------ C:\WINDOWS\system32\apitrap.dll <Not Verified; Symantec Corporation; Norton CleanSweep>
2008-02-09 15:10:51 45056 --a------ C:\WINDOWS\system32\WNASPI32.DLL <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-02-09 15:10:51 17005 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-02-09 15:10:51 4672 --a------ C:\WINDOWS\system\WOWPOST.EXE <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-02-09 15:10:51 5600 --a------ C:\WINDOWS\system\WINASPI.DLL <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-02-09 15:10:03 32 --ahs---- C:\WINDOWS\system32\{1BE23CE5-13B0-4346-A7FC-48656F24ED7F}.dat
2008-02-09 15:10:03 32 --ahs---- C:\WINDOWS\{BEF60247-EAF0-4A0A-B211-F2764F2DC675}.dat
2008-02-09 15:09:55 14 --a------ C:\WINDOWS\system32\SR2.dat
2008-02-09 15:09:27 0 d-------- C:\Program Files\Norton SystemWorks
2008-02-09 15:09:18 0 d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2008-02-09 15:09:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-09 15:09:01 0 d-------- C:\Program Files\Symantec
2008-02-09 15:08:34 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-09 00:24:47 0 d-------- C:\Documents and Settings\Owner\Application Data\Thunderbird
2008-02-08 21:52:48 0 d-------- C:\WINDOWS\Sun
2008-02-08 21:52:47 0 d-------- C:\Documents and Settings\Owner\Application Data\Sun
2008-02-08 18:18:05 0 dr-h----- C:\$VAULT$.AVG
2008-02-08 17:56:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-02-08 15:45:55 0 d-------- C:\Program Files\MSXML 4.0
2008-02-08 03:52:32 0 d-------- C:\Program Files\Fisher
2008-02-08 03:06:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Riverdeep Interactive Learning Limited
2008-02-08 01:46:02 0 d-------- C:\Documents and Settings\Owner\Application Data\SoundSpectrum
2008-02-08 01:22:30 520192 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-02-08 01:21:47 0 d-------- C:\Program Files\Java
2008-02-08 01:20:32 0 d-------- C:\Program Files\GSpot
2008-02-08 01:19:22 0 d-------- C:\Program Files\Common Files\Java
2008-02-08 01:12:29 1048 -----n--- C:\WINDOWS\system32\drivers\alcxinit.dat
2008-02-08 01:12:29 176 -----n--- C:\WINDOWS\system32\drivers\alcxhweq.dat
2008-02-08 01:05:56 0 d-------- C:\WINDOWS\system32\Lang
2008-02-07 22:00:55 0 d-------- C:\Program Files\Web Publish
2008-02-07 22:00:51 970752 --a------ C:\WINDOWS\system32\cdintf210.dll <Not Verified; Amyuni Technologies http://www.amyuni.com; Amyuni Common Driver Interface>
2008-02-07 21:58:14 0 d-------- C:\Program Files\Common Files\Broderbund
2008-02-07 21:58:08 0 d-------- C:\Program Files\PrintMaster 16
2008-02-07 21:58:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Broderbund Software
2008-02-07 19:46:08 0 d-------- C:\WINDOWS\Drivers
2008-02-07 19:16:54 0 d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2008-02-07 19:16:00 0 d-------- C:\WINDOWS\system32\IOSUBSYS
2008-02-07 19:16:00 0 d-------- C:\Program Files\Nero
2008-02-07 19:16:00 0 d-------- C:\Program Files\Common Files\Ahead
2008-02-07 18:59:43 0 d-------- C:\Documents and Settings\Owner\Application Data\DivX
2008-02-07 17:52:48 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-02-07 17:29:14 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-07 17:16:01 0 d-------- C:\Program Files\Windows Defender
2008-02-07 17:07:23 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-02-07 17:07:01 0 d-------- C:\WINDOWS\ShellNew
2008-02-07 16:52:01 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2008-02-07 16:51:33 77312 --a------ C:\WINDOWS\system32\TWAIN_32.DLL <Not Verified; Twain Working Group; Twain_32 Source Manager>
2008-02-07 16:51:33 212480 --a------ C:\WINDOWS\system32\pcdlib32.dll <Not Verified; Eastman Kodak; Kodak Photo CD Access Developer Toolkit>
2008-02-07 16:51:33 0 d-------- C:\My Documents
2008-02-07 16:51:05 0 d-------- C:\Program Files\ArcSoft
2008-02-07 16:48:35 96768 --a------ C:\WINDOWS\SlantAdj.dll
2008-02-07 16:48:35 3136 --a------ C:\WINDOWS\Ade001.bin
2008-02-07 16:48:35 73216 --a------ C:\WINDOWS\ADE.DLL <Not Verified; SEIKO EPSON CORPORATION; >
2008-02-07 16:47:58 0 d-------- C:\EPSON
2008-02-07 16:34:34 0 d-------- C:\Documents and Settings\Owner\Application Data\Leadertech
2008-02-07 16:33:14 483328 --a------ C:\WINDOWS\system32\PICSDK.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-02-07 16:33:14 45056 --a------ C:\WINDOWS\system32\EpPicPrt.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-02-07 16:33:14 66532 --a------ C:\WINDOWS\system32\EPPICPrinterDB.dat
2008-02-07 16:33:14 1140 --a------ C:\WINDOWS\system32\EPPICPresetData_PT.dat
2008-02-07 16:33:14 1130 --a------ C:\WINDOWS\system32\EPPICPresetData_FR.dat
2008-02-07 16:33:14 1137 --a------ C:\WINDOWS\system32\EPPICPresetData_ES.dat
2008-02-07 16:33:14 1104 --a------ C:\WINDOWS\system32\EPPICPresetData_EN.dat
2008-02-07 16:33:14 1130 --a------ C:\WINDOWS\system32\EPPICPresetData_CF.dat
2008-02-07 16:33:14 1140 --a------ C:\WINDOWS\system32\EPPICPresetData_BP.dat
2008-02-07 16:33:14 4943 --a------ C:\WINDOWS\system32\EPPICPattern6.dat
2008-02-07 16:33:14 15670 --a------ C:\WINDOWS\system32\EPPICPattern5.dat
2008-02-07 16:33:14 10673 --a------ C:\WINDOWS\system32\EPPICPattern4.dat
2008-02-07 16:33:14 21021 --a------ C:\WINDOWS\system32\EPPICPattern3.dat
2008-02-07 16:33:14 13280 --a------ C:\WINDOWS\system32\EPPICPattern2.dat
2008-02-07 16:33:14 29114 --a------ C:\WINDOWS\system32\EPPICPattern1.dat
2008-02-07 16:33:14 45056 --a------ C:\WINDOWS\system32\EpPicMgr.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-02-07 16:31:21 0 d-------- C:\Program Files\EPSON
2008-02-07 16:29:33 3654 --a------ C:\WINDOWS\system32\drivers\Sonyhcp.dll
2008-02-07 16:29:33 0 d-------- C:\Drivers
2008-02-07 16:27:42 0 d-------- C:\Program Files\HD Tune
2008-02-07 16:26:52 0 d-------- C:\Program Files\CONEXANT
2008-02-07 15:58:38 0 d-------- C:\Program Files\MSXML 6.0
2008-02-07 15:55:01 0 d-------- C:\Program Files\FairStars Audio Converter
2008-02-07 15:54:15 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-02-07 15:54:15 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-07 15:54:15 0 d-------- C:\Program Files\Xvid
2008-02-07 15:53:55 0 d-------- C:\Program Files\WinCleaner Memory Optimizer
2008-02-07 15:52:49 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-02-07 15:52:49 0 d-------- C:\Documents and Settings\Owner\Application Data\Vso
2008-02-07 15:52:49 47360 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-02-07 15:52:47 217127 --a------ C:\WINDOWS\system32\drv43260.dll <Not Verified; RealNetworks, Inc.; RealVideo 9 (32-bit)>
2008-02-07 15:52:47 208935 --a------ C:\WINDOWS\system32\drv33260.dll <Not Verified; RealNetworks, Inc.; RealVideo 8 (32-bit)>
2008-02-07 15:52:47 176165 --a------ C:\WINDOWS\system32\drv23260.dll <Not Verified; RealNetworks, Inc.; RealVideo G2 (32-bit)>
2008-02-07 15:52:45 0 d-------- C:\Program Files\VSO
2008-02-07 15:52:27 0 d-------- C:\Program Files\Vodei
2008-02-07 15:50:37 0 d-------- C:\Program Files\SoundSpectrum
2008-02-07 15:50:12 5120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-02-07 15:50:11 0 d-------- C:\Program Files\ffdshow
2008-02-07 15:49:20 0 d-------- C:\Program Files\eMule
2008-02-07 15:46:21 0 d-------- C:\Program Files\Lavasoft
2008-02-07 15:46:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-07 15:40:40 0 d-------- C:\Program Files\SiSoftware
2008-02-07 15:34:42 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-02-07 15:31:47 0 d-------- C:\Program Files\MSBuild
2008-02-07 15:28:13 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-02-07 15:27:44 0 d-------- C:\Program Files\Reference Assemblies
2008-02-07 15:25:49 0 d-------- C:\Program Files\Windows Media Connect 2
2008-02-07 15:24:50 0 d-------- C:\WINDOWS\system32\LogFiles
2008-02-07 15:24:50 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-07 15:19:56 0 d-------- C:\WINDOWS\RegisteredPackages
2008-02-07 15:18:21 0 d-------- C:\WINDOWS\system32\URTTemp
2008-02-07 14:46:19 0 d-------- C:\Program Files\DivX
2008-02-07 14:45:30 0 d-------- C:\Program Files\Advanced Font Viewer
2008-02-07 14:42:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-02-07 14:37:49 0 d-------- C:\WINDOWS\system32\RTCOM
2008-02-07 14:37:23 0 d-------- C:\Program Files\Realtek
2008-02-07 14:37:15 520192 --a------ C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-02-07 14:37:15 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-02-07 14:37:01 0 d-------- C:\Program Files\Realtek Sound Manager
2008-02-07 14:37:01 0 d-------- C:\Program Files\AvRack
2008-02-07 14:31:31 0 d-------- C:\WINDOWS\network diagnostic
2008-02-07 14:26:55 0 d-------- C:\Program Files\YourWare Solutions
2008-02-07 14:20:24 0 d-------- C:\Program Files\IrfanView
2008-02-07 14:17:38 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-02-07 14:09:21 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-07 14:09:17 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2008-02-07 14:04:58 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2008-02-07 14:04:58 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-02-07 13:51:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-07 13:47:34 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-02-07 13:47:33 0 d-------- C:\Program Files\SpywareBlaster
2008-02-07 13:44:48 0 d-------- C:\Program Files\SpywareGuard
2008-02-07 13:41:16 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-07 13:41:08 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-07 13:41:08 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-07 13:37:49 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-02-07 13:26:26 0 d-------- C:\WINDOWS\pss
2008-02-07 13:12:11 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-02-07 13:11:58 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-07 13:11:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-07 13:11:37 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-07 12:53:34 0 d-------- C:\WINDOWS\system32\PreInstall
2008-02-07 12:53:30 0 d--h----- C:\WINDOWS\$hf_mig$
2008-02-07 12:51:20 0 d--hs---- C:\Documents and Settings\Owner\UserData
2008-02-07 12:50:42 626204 -----n--- C:\WINDOWS\system32\drivers\alcxwdm.sys <Not Verified; Realtek Semiconductor Corp.; Windows ® WDM driver for Realtek AC'97 Audio>
2008-02-07 12:50:10 0 d-------- C:\Program Files\Realtek AC97
2008-02-07 12:50:07 208896 -----n--- C:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Update Application for Realtek AC'97>
2008-02-07 12:50:07 139264 -----n--- C:\WINDOWS\alcrmv.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Removing Tool>
2008-02-07 12:46:59 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-02-07 12:46:04 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-02-07 12:45:47 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-07 12:45:07 0 d-------- C:\Program Files\Common Files\InstallShield
2008-02-07 12:44:45 0 d-------- C:\ATI
2008-02-07 12:44:01 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2008-02-07 12:44:01 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2008-02-07 12:43:54 0 d-------- C:\Program Files\Sygate
2008-02-07 12:43:34 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-07 12:40:36 0 d-------- C:\WINDOWS\system32\NtmsData
2008-02-07 12:27:41 262144 --a------ C:\Documents and Settings\All Users\ntuser.dat
2008-02-07 12:27:34 2 --a------ C:\REQUEST_OEMRESET_ENDUSER
2008-02-07 12:22:57 0 d--hs---- C:\System Volume Information
2008-02-07 12:15:35 60 --a------ C:\WINDOWS\system32\SYSDRV.DAT
2008-02-07 12:11:34 0 d-------- C:\WINDOWS\SMINST
2008-02-07 12:02:46 0 d-------- C:\WINDOWS\I386
2008-02-07 11:59:59 0 d-------- C:\WINDOWS\CACHE


-- Find3M Report ---------------------------------------------------------------

2008-02-19 05:16:40 0 d-------- C:\Program Files\Messenger
2008-02-19 02:12:39 0 d-------- C:\Program Files\Windows NT
2008-02-19 02:12:35 0 d-------- C:\Program Files\Movie Maker
2008-02-19 01:58:29 0 d-------- C:\Program Files\Online Services
2008-02-07 15:53:13 34 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.log
2008-02-07 15:52:49 1144 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.inf
2008-02-07 15:52:49 7887 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.cat
2008-01-04 16:58:50 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 16:57:22 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-01-04 16:57:22 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-01-04 16:57:12 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-04 16:57:10 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-04 16:57:10 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-04 16:57:10 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-04 16:56:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [10/15/2004 10:40 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [02/07/2008 01:15 PM]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [01/27/2005 07:00 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 10:20 PM]
"RTHDCPL"="RTHDCPL.EXE" [07/05/2007 05:08 PM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 07:43 PM C:\WINDOWS\Alcmtr.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [03/22/2006 11:13 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:00 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 03:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 02:39 PM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix]
C:\WINDOWS\system32\kmd.exe /c C:\ComboFix(2)\Combobatch.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMBooster.Net]
C:\Program Files\RAMBooster.Net\RAMBooster.exe -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinMem]
C:\Program Files\WinCleaner Memory Optimizer\WinMemOpt.exe




-- End of Deckard's System Scanner: finished at 2008-02-22 18:42:17 ------------


So stay tuned for 'up to the minute' logs which are coming in after the scans run thru. Should be about an hour or so.

Thanks for the assistance, and sorry about running combo.Fix with no real knowledge of what I am doing.

-yours truly,

-scottportraits

#4
scottportraits
Member, Topic Starter, 152 posts

Feb 23, 3:45pm EST

Okay -

Here are the latest up-to-date scan logs, starting with the two Deckard logs, and then the new Kaspersky scan. Sorry to do it this goofy way. Notice that an infection is found in the Kaspersky scan; it is new to me, and I can't access it in C:\System Volume Information, at least not directly through explorer.exe.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 23, 2008 3:24:01 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/02/2008
Kaspersky Anti-Virus database records: 577001
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 90594
Number of viruses found: 1
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 01:25:09

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-02072008-141607.log Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\97mno13e.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\97mno13e.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\97mno13e.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\97mno13e.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\97mno13e.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\97mno13e.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{115E355A-985E-47C8-8737-851D8A366B3C} Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\97mno13e.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\97mno13e.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\97mno13e.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\97mno13e.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\97mno13e.default\XUL.mfl Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008022320080224\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_258.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF29CE.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF5FAB.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP17\change.log Object is locked skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000093.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000093.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000093.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000108.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D70A9638-0290-44A5-A101-7639EF4A0EF5}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\Software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\System Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\RECYCLER\NPROTECT\00000361.windo Object is locked skipped
D:\RECYCLER\NPROTECT\00000362.windo Object is locked skipped
D:\RECYCLER\NPROTECT\00000363.windo Object is locked skipped
D:\RECYCLER\NPROTECT\00000367.servi Object is locked skipped
D:\RECYCLER\NPROTECT\00000368.secur Object is locked skipped
D:\RECYCLER\NPROTECT\00000369.runti Object is locked skipped
D:\RECYCLER\NPROTECT\00000370.runti Object is locked skipped
D:\RECYCLER\NPROTECT\00000371.messa Object is locked skipped
D:\RECYCLER\NPROTECT\00000372.manag Object is locked skipped
D:\RECYCLER\NPROTECT\00000374.enter Object is locked skipped
D:\RECYCLER\NPROTECT\00000375.enter Object is locked skipped
D:\RECYCLER\NPROTECT\00000376.drawi Object is locked skipped
D:\RECYCLER\NPROTECT\00000377.drawi Object is locked skipped
D:\RECYCLER\NPROTECT\00000378.drawi Object is locked skipped
D:\RECYCLER\NPROTECT\00000379.direc Object is locked skipped
D:\RECYCLER\NPROTECT\00000380.desig Object is locked skipped
D:\RECYCLER\NPROTECT\00000381.desig Object is locked skipped
D:\RECYCLER\NPROTECT\00000383.confi Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP17\change.log Object is locked skipped

Scan process completed.

_________________________________________________________________________

Here are Deckard's two scans:


Deckard's System Scanner v20071014.68
Run by Owner on 2008-02-23 15:26:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:10 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

--
End of file - 7356 bytes

-- Files created between 2008-01-23 and 2008-02-23 -----------------------------

2008-02-23 00:43:11 0 d-------- C:\WINDOWS\LastGood
2008-02-18 12:06:28 1914 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-18 10:02:38 0 d-------- C:\Program Files\Trend Micro
2008-02-18 06:09:30 0 d-------- C:\SAV32CLI
2008-02-17 14:10:10 0 d-------- C:\WINDOWS\ERUNT
2008-02-17 14:00:56 1309729 --a------ C:\SDFix.exe
2008-02-16 20:06:16 0 d-------- C:\Documents and Settings\Owner\DoctorWeb
2008-02-16 19:52:28 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-16 19:52:28 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-16 19:52:28 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-16 19:52:28 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-16 19:08:12 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-16 11:08:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-16 11:08:05 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-13 21:08:51 0 d-------- C:\Program Files\Easy Video Joiner
2008-02-13 20:52:27 0 d-------- C:\Program Files\Pegasys Inc
2008-02-13 00:41:13 0 d-------- C:\Program Files\WinPcap
2008-02-13 00:40:58 286720 --a------ C:\WINDOWS\iun506.exe <Not Verified; Indigo Rose Corporation; Setup Factory 5.0 Uninstaller>
2008-02-13 00:40:57 0 d-------- C:\Program Files\WM Recorder
2008-02-11 02:14:55 77824 --a------ C:\WINDOWS\system32\Odbctl32.dll <Not Verified; Microsoft Corporation; Microsoft Open Database Connectivity>
2008-02-11 02:14:55 403216 --a------ C:\WINDOWS\system32\msrepl35.dll <Not Verified; Microsoft Corporation; Microsoft® Access>
2008-02-11 02:14:54 0 d-------- C:\Program Files\The Herbal Pharmacy
2008-02-09 15:41:30 614400 --a------ C:\WINDOWS\system32\msvcr80.dll <Not Verified; Microsoft Corporation; Microsoft® Visual Studio® .NET>
2008-02-09 15:14:16 32 --ahs---- C:\WINDOWS\system32\{08026524-ADCF-41C1-955E-179AA9A443A5}.dat
2008-02-09 15:14:16 32 --ahs---- C:\WINDOWS\{62956119-A394-4A40-B338-82024785660E}.dat
2008-02-09 15:13:46 32 --ahs---- C:\WINDOWS\system32\{0BCDEC34-D9BE-4016-9B4C-A27AE8FF98DD}.dat
2008-02-09 15:13:46 32 --ahs---- C:\WINDOWS\{0781DBA9-8D92-49E0-B1BC-B7250E2CE403}.dat
2008-02-09 15:12:56 32 --ahs---- C:\WINDOWS\system32\{D0469130-AC30-4782-8CB7-80FB402B36CD}.dat
2008-02-09 15:12:56 32 --ahs---- C:\WINDOWS\{AEEF3303-6814-431A-8543-A9C5F57F1C7A}.dat
2008-02-09 15:12:30 34578 --a------ C:\WINDOWS\system32\drivers\NPDRIVER.SYS <Not Verified; Symantec Corporation; Norton Utilities>
2008-02-09 15:12:22 31744 --a------ C:\WINDOWS\system32\S32STAT.DLL <Not Verified; Symantec Corporation; SYMSTAT>
2008-02-09 15:11:51 32 --ahs---- C:\WINDOWS\system32\{CBD6D914-7D67-4390-82F7-E0F2BBEF5D04}.dat
2008-02-09 15:11:51 32 --ahs---- C:\WINDOWS\system32\{77D5722C-9153-4890-BE9F-EE2FCD2AB331}.dat
2008-02-09 15:11:51 32 --ahs---- C:\WINDOWS\system32\{07759808-7B9C-4D58-8E2E-29F2A451036D}.dat
2008-02-09 15:11:51 32 --ahs---- C:\WINDOWS\{E8B62386-2994-4446-96C8-488775EBBF20}.dat
2008-02-09 15:11:51 32 --ahs---- C:\WINDOWS\{AD953506-9405-4C22-A731-49FD45C43A7E}.dat
2008-02-09 15:11:51 32 --ahs---- C:\WINDOWS\{5206AADC-31ED-4D5A-B3A5-A81A62E7BAA7}.dat
2008-02-09 15:11:48 24848 --a------ C:\WINDOWS\system32\msjter35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-02-09 15:11:48 123664 --a------ C:\WINDOWS\system32\Msjint35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-02-09 15:11:47 252176 --a------ C:\WINDOWS\system32\msrd2x35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-02-09 15:11:46 368912 --a------ C:\WINDOWS\system32\vbar332.dll <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Applications>
2008-02-09 15:11:46 1046288 --a------ C:\WINDOWS\system32\msjet35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-02-09 15:11:45 182784 --a------ C:\WINDOWS\system32\ddao35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-02-09 15:11:43 13792 --a------ C:\WINDOWS\system32\drivers\qdfsdrv.sys <Not Verified; Symantec Corporation; Norton CleanSweep>
2008-02-09 15:11:33 94208 --a------ C:\WINDOWS\system32\qdcsinet.dll <Not Verified; Symantec Corporation; Norton CleanSweep>
2008-02-09 15:11:33 86016 --a------ C:\WINDOWS\system32\apitrap.dll <Not Verified; Symantec Corporation; Norton CleanSweep>
2008-02-09 15:10:51 45056 --a------ C:\WINDOWS\system32\WNASPI32.DLL <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-02-09 15:10:51 17005 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-02-09 15:10:51 4672 --a------ C:\WINDOWS\system\WOWPOST.EXE <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-02-09 15:10:51 5600 --a------ C:\WINDOWS\system\WINASPI.DLL <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-02-09 15:10:03 32 --ahs---- C:\WINDOWS\system32\{1BE23CE5-13B0-4346-A7FC-48656F24ED7F}.dat
2008-02-09 15:10:03 32 --ahs---- C:\WINDOWS\{BEF60247-EAF0-4A0A-B211-F2764F2DC675}.dat
2008-02-09 15:09:55 14 --a------ C:\WINDOWS\system32\SR2.dat
2008-02-09 15:09:27 0 d-------- C:\Program Files\Norton SystemWorks
2008-02-09 15:09:18 0 d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2008-02-09 15:09:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-09 15:09:01 0 d-------- C:\Program Files\Symantec
2008-02-09 15:08:34 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-09 00:24:47 0 d-------- C:\Documents and Settings\Owner\Application Data\Thunderbird
2008-02-08 21:52:48 0 d-------- C:\WINDOWS\Sun
2008-02-08 21:52:47 0 d-------- C:\Documents and Settings\Owner\Application Data\Sun
2008-02-08 18:18:05 0 dr-h----- C:\$VAULT$.AVG
2008-02-08 17:56:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-02-08 15:45:55 0 d-------- C:\Program Files\MSXML 4.0
2008-02-08 03:52:32 0 d-------- C:\Program Files\Fisher
2008-02-08 03:06:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Riverdeep Interactive Learning Limited
2008-02-08 01:46:02 0 d-------- C:\Documents and Settings\Owner\Application Data\SoundSpectrum
2008-02-08 01:22:30 520192 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-02-08 01:21:47 0 d-------- C:\Program Files\Java
2008-02-08 01:20:32 0 d-------- C:\Program Files\GSpot
2008-02-08 01:19:22 0 d-------- C:\Program Files\Common Files\Java
2008-02-08 01:12:29 1048 -----n--- C:\WINDOWS\system32\drivers\alcxinit.dat
2008-02-08 01:12:29 176 -----n--- C:\WINDOWS\system32\drivers\alcxhweq.dat
2008-02-08 01:05:56 0 d-------- C:\WINDOWS\system32\Lang
2008-02-07 22:00:55 0 d-------- C:\Program Files\Web Publish
2008-02-07 22:00:51 970752 --a------ C:\WINDOWS\system32\cdintf210.dll <Not Verified; Amyuni Technologies
http://www.amyuni.com; Amyuni Common Driver Interface>
2008-02-07 21:58:14 0 d-------- C:\Program Files\Common Files\Broderbund
2008-02-07 21:58:08 0 d-------- C:\Program Files\PrintMaster 16
2008-02-07 21:58:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Broderbund Software
2008-02-07 19:46:08 0 d-------- C:\WINDOWS\Drivers
2008-02-07 19:16:54 0 d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2008-02-07 19:16:00 0 d-------- C:\WINDOWS\system32\IOSUBSYS
2008-02-07 19:16:00 0 d-------- C:\Program Files\Nero
2008-02-07 19:16:00 0 d-------- C:\Program Files\Common Files\Ahead
2008-02-07 18:59:43 0 d-------- C:\Documents and Settings\Owner\Application Data\DivX
2008-02-07 17:52:48 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-02-07 17:29:14 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-07 17:16:01 0 d-------- C:\Program Files\Windows Defender
2008-02-07 17:07:23 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-02-07 17:07:01 0 d-------- C:\WINDOWS\ShellNew
2008-02-07 16:52:01 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2008-02-07 16:51:33 77312 --a------ C:\WINDOWS\system32\TWAIN_32.DLL <Not Verified; Twain Working Group; Twain_32 Source Manager>
2008-02-07 16:51:33 212480 --a------ C:\WINDOWS\system32\pcdlib32.dll <Not Verified; Eastman Kodak; Kodak Photo CD Access Developer Toolkit>
2008-02-07 16:51:33 0 d-------- C:\My Documents
2008-02-07 16:51:05 0 d-------- C:\Program Files\ArcSoft
2008-02-07 16:48:35 96768 --a------ C:\WINDOWS\SlantAdj.dll
2008-02-07 16:48:35 3136 --a------ C:\WINDOWS\Ade001.bin
2008-02-07 16:48:35 73216 --a------ C:\WINDOWS\ADE.DLL <Not Verified; SEIKO EPSON CORPORATION; >
2008-02-07 16:47:58 0 d-------- C:\EPSON
2008-02-07 16:34:34 0 d-------- C:\Documents and Settings\Owner\Application Data\Leadertech
2008-02-07 16:33:14 483328 --a------ C:\WINDOWS\system32\PICSDK.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-02-07 16:33:14 45056 --a------ C:\WINDOWS\system32\EpPicPrt.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-02-07 16:33:14 66532 --a------ C:\WINDOWS\system32\EPPICPrinterDB.dat
2008-02-07 16:33:14 1140 --a------ C:\WINDOWS\system32\EPPICPresetData_PT.dat
2008-02-07 16:33:14 1130 --a------ C:\WINDOWS\system32\EPPICPresetData_FR.dat
2008-02-07 16:33:14 1137 --a------ C:\WINDOWS\system32\EPPICPresetData_ES.dat
2008-02-07 16:33:14 1104 --a------ C:\WINDOWS\system32\EPPICPresetData_EN.dat
2008-02-07 16:33:14 1130 --a------ C:\WINDOWS\system32\EPPICPresetData_CF.dat
2008-02-07 16:33:14 1140 --a------ C:\WINDOWS\system32\EPPICPresetData_BP.dat
2008-02-07 16:33:14 4943 --a------ C:\WINDOWS\system32\EPPICPattern6.dat
2008-02-07 16:33:14 15670 --a------ C:\WINDOWS\system32\EPPICPattern5.dat
2008-02-07 16:33:14 10673 --a------ C:\WINDOWS\system32\EPPICPattern4.dat
2008-02-07 16:33:14 21021 --a------ C:\WINDOWS\system32\EPPICPattern3.dat
2008-02-07 16:33:14 13280 --a------ C:\WINDOWS\system32\EPPICPattern2.dat
2008-02-07 16:33:14 29114 --a------ C:\WINDOWS\system32\EPPICPattern1.dat
2008-02-07 16:33:14 45056 --a------ C:\WINDOWS\system32\EpPicMgr.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-02-07 16:31:21 0 d-------- C:\Program Files\EPSON
2008-02-07 16:29:33 3654 --a------ C:\WINDOWS\system32\drivers\Sonyhcp.dll
2008-02-07 16:29:33 0 d-------- C:\Drivers
2008-02-07 16:27:42 0 d-------- C:\Program Files\HD Tune
2008-02-07 16:26:52 0 d-------- C:\Program Files\CONEXANT
2008-02-07 15:58:38 0 d-------- C:\Program Files\MSXML 6.0
2008-02-07 15:55:01 0 d-------- C:\Program Files\FairStars Audio Converter
2008-02-07 15:54:15 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-02-07 15:54:15 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-07 15:54:15 0 d-------- C:\Program Files\Xvid
2008-02-07 15:53:55 0 d-------- C:\Program Files\WinCleaner Memory Optimizer
2008-02-07 15:52:49 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-02-07 15:52:49 0 d-------- C:\Documents and Settings\Owner\Application Data\Vso
2008-02-07 15:52:49 47360 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-02-07 15:52:47 217127 --a------ C:\WINDOWS\system32\drv43260.dll <Not Verified; RealNetworks, Inc.; RealVideo 9 (32-bit)>
2008-02-07 15:52:47 208935 --a------ C:\WINDOWS\system32\drv33260.dll <Not Verified; RealNetworks, Inc.; RealVideo 8 (32-bit)>
2008-02-07 15:52:47 176165 --a------ C:\WINDOWS\system32\drv23260.dll <Not Verified; RealNetworks, Inc.; RealVideo G2 (32-bit)>
2008-02-07 15:52:45 0 d-------- C:\Program Files\VSO
2008-02-07 15:52:27 0 d-------- C:\Program Files\Vodei
2008-02-07 15:50:37 0 d-------- C:\Program Files\SoundSpectrum
2008-02-07 15:50:12 5120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-02-07 15:50:11 0 d-------- C:\Program Files\ffdshow
2008-02-07 15:49:20 0 d-------- C:\Program Files\eMule
2008-02-07 15:46:21 0 d-------- C:\Program Files\Lavasoft
2008-02-07 15:46:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-07 15:40:40 0 d-------- C:\Program Files\SiSoftware
2008-02-07 15:34:42 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-02-07 15:31:47 0 d-------- C:\Program Files\MSBuild
2008-02-07 15:28:13 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-02-07 15:27:44 0 d-------- C:\Program Files\Reference Assemblies
2008-02-07 15:25:49 0 d-------- C:\Program Files\Windows Media Connect 2
2008-02-07 15:24:50 0 d-------- C:\WINDOWS\system32\LogFiles
2008-02-07 15:24:50 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-07 15:19:56 0 d-------- C:\WINDOWS\RegisteredPackages
2008-02-07 15:18:21 0 d-------- C:\WINDOWS\system32\URTTemp
2008-02-07 14:46:19 0 d-------- C:\Program Files\DivX
2008-02-07 14:45:30 0 d-------- C:\Program Files\Advanced Font Viewer
2008-02-07 14:42:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-02-07 14:37:49 0 d-------- C:\WINDOWS\system32\RTCOM
2008-02-07 14:37:23 0 d-------- C:\Program Files\Realtek
2008-02-07 14:37:15 520192 --a------ C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-02-07 14:37:15 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-02-07 14:37:01 0 d-------- C:\Program Files\Realtek Sound Manager
2008-02-07 14:37:01 0 d-------- C:\Program Files\AvRack
2008-02-07 14:31:31 0 d-------- C:\WINDOWS\network diagnostic
2008-02-07 14:26:55 0 d-------- C:\Program Files\YourWare Solutions
2008-02-07 14:20:24 0 d-------- C:\Program Files\IrfanView
2008-02-07 14:17:38 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-02-07 14:09:21 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-07 14:09:17 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2008-02-07 14:04:58 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2008-02-07 14:04:58 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-02-07 13:51:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-07 13:47:34 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-02-07 13:47:33 0 d-------- C:\Program Files\SpywareBlaster
2008-02-07 13:44:48 0 d-------- C:\Program Files\SpywareGuard
2008-02-07 13:41:16 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-07 13:41:08 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-07 13:41:08 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-07 13:37:49 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-02-07 13:26:26 0 d-------- C:\WINDOWS\pss
2008-02-07 13:12:11 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-02-07 13:11:58 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-07 13:11:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-07 13:11:37 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-07 12:53:34 0 d-------- C:\WINDOWS\system32\PreInstall
2008-02-07 12:53:30 0 d--h----- C:\WINDOWS\$hf_mig$
2008-02-07 12:51:20 0 d--hs---- C:\Documents and Settings\Owner\UserData
2008-02-07 12:50:42 626204 -----n--- C:\WINDOWS\system32\drivers\alcxwdm.sys <Not Verified; Realtek Semiconductor Corp.; Windows ® WDM driver for Realtek AC'97 Audio>
2008-02-07 12:50:10 0 d-------- C:\Program Files\Realtek AC97
2008-02-07 12:50:07 208896 -----n--- C:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Update Application for Realtek AC'97>
2008-02-07 12:50:07 139264 -----n--- C:\WINDOWS\alcrmv.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Removing Tool>
2008-02-07 12:46:59 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-02-07 12:46:04 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-02-07 12:45:47 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-07 12:45:07 0 d-------- C:\Program Files\Common Files\InstallShield
2008-02-07 12:44:45 0 d-------- C:\ATI
2008-02-07 12:44:01 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2008-02-07 12:44:01 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2008-02-07 12:43:54 0 d-------- C:\Program Files\Sygate
2008-02-07 12:43:34 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-07 12:40:36 0 d-------- C:\WINDOWS\system32\NtmsData
2008-02-07 12:27:41 262144 --a------ C:\Documents and Settings\All Users\ntuser.dat
2008-02-07 12:27:34 2 --a------ C:\REQUEST_OEMRESET_ENDUSER
2008-02-07 12:22:57 0 d--hs---- C:\System Volume Information
2008-02-07 12:15:35 60 --a------ C:\WINDOWS\system32\SYSDRV.DAT
2008-02-07 12:11:34 0 d-------- C:\WINDOWS\SMINST
2008-02-07 12:02:46 0 d-------- C:\WINDOWS\I386
2008-02-07 11:59:59 0 d-------- C:\WINDOWS\CACHE


-- Find3M Report ---------------------------------------------------------------

2008-02-19 05:16:40 0 d-------- C:\Program Files\Messenger
2008-02-19 02:12:39 0 d-------- C:\Program Files\Windows NT
2008-02-19 02:12:35 0 d-------- C:\Program Files\Movie Maker
2008-02-19 01:58:29 0 d-------- C:\Program Files\Online Services
2008-02-07 15:53:13 34 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.log
2008-02-07 15:52:49 1144 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.inf
2008-02-07 15:52:49 7887 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.cat
2008-01-04 16:58:50 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 16:57:22 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-01-04 16:57:22 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-01-04 16:57:12 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-04 16:57:10 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-04 16:57:10 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-04 16:57:10 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-04 16:56:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [10/15/2004 10:40 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [02/07/2008 01:15 PM]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [01/27/2005 07:00 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 10:20 PM]
"RTHDCPL"="RTHDCPL.EXE" [07/05/2007 05:08 PM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 07:43 PM C:\WINDOWS\Alcmtr.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [03/22/2006 11:13 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:00 PM]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 10:05:35 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2/7/2008 5:29:21 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 03:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 02:39 PM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix]
C:\WINDOWS\system32\kmd.exe /c C:\ComboFix(2)\Combobatch.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMBooster.Net]
C:\Program Files\RAMBooster.Net\RAMBooster.exe -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinMem]
C:\Program Files\WinCleaner Memory Optimizer\WinMemOpt.exe




-- End of Deckard's System Scanner: finished at 2008-02-23 15:30:29 ------------


__________________________________________________________________________


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® D CPU 3.20GHz
Percentage of Memory in Use: 56%
Physical Memory (total/avail): 893.59 MiB / 387.46 MiB
Pagefile Memory (total/avail): 5021.65 MiB / 4566.19 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1912.47 MiB

C: is Fixed (NTFS) - 74.53 GiB total, 42.78 GiB free.
D: is Fixed (NTFS) - 74.53 GiB total, 25.97 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - WDC WD800BB-00JHA0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - D:

\\.\PHYSICALDRIVE0 - WDC WD800BB-22JHC0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:

\\.\PHYSICALDRIVE3 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE5 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE2 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Sygate Personal Firewall v4.6 (Sygate Technologies, Inc.)
AV: AVG 7.5.516 v7.5.516 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-602CF81D51
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\YOUR-602CF81D51
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0604
ProgramFiles=C:\Program Files
PROMPT=$P$G
SAN_DIR=C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=YOUR-602CF81D51
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS
__COMPAT_LAYER=DisableNXShowUI


-- User Profiles ---------------------------------------------------------------

Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> MsiExec.exe /I{58DD5143-4417-4F43-A7DD-5B8B29CEDBEA}
--> MsiExec.exe /I{6975E810-C92F-45F0-0BFD-187B312F10E8}
--> MsiExec.exe /I{C8D79874-7F2B-4346-99F1-DAA8AABF9DCA}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ArcSoft PhotoImpression 3.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\PhotoImpression\Uninst.isu"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Compresor WinRAR --> C:\Program Files\WinRAR\uninstall.exe
ConvertXtoDVD 2.2.3.258h --> "C:\Program Files\VSO\ConvertXtoDVD\unins000.exe"
Copy Utility --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\EPSON\Copy Utility\Uninst.isu"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Easy Video Joiner 5.21 --> "C:\Program Files\Easy Video Joiner\unins000.exe"
eMule --> "C:\Program Files\eMule\Uninstall.exe"
EPSON C88 User's Guide --> C:\Program Files\epson\guide\c88_e\uninstall.exe
EPSON Photo Print --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\EPSON\Photo Print\Uninst.isu"
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Smart Panel --> C:\Program Files\EPSON\Smart Panel\SPUninst.exe
EPSON TWAIN 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A3EABC0-CA06-11D4-BF77-00104B130C19}\setup.exe" UNINSTALL
EPSON Web-To-Page --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\Setup.exe" -l0x9 -anything
FairStars Audio Converter 1.46 --> "C:\Program Files\FairStars Audio Converter\unins000.exe"
ffdshow [rev 529] [2006-11-13] --> "C:\Program Files\ffdshow\unins000.exe"
G-Force --> C:\Program Files\SoundSpectrum\G-Force\Uninstall.exe
GSpot Codec Information Appliance --> C:\Program Files\GSpot\Uninstall.exe
HD Tune 2.53 --> "C:\Program Files\HD Tune\unins000.exe"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner&

#5 scottportraits (Topic Starter, Member, 152 posts)

Hmmm,

Don't know why the log got cut, but here's the Deckard Extra log in its entirety: (I hope)

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® D CPU 3.20GHz
Percentage of Memory in Use: 56%
Physical Memory (total/avail): 893.59 MiB / 387.46 MiB
Pagefile Memory (total/avail): 5021.65 MiB / 4566.19 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1912.47 MiB

C: is Fixed (NTFS) - 74.53 GiB total, 42.78 GiB free.
D: is Fixed (NTFS) - 74.53 GiB total, 25.97 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - WDC WD800BB-00JHA0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - D:

\\.\PHYSICALDRIVE0 - WDC WD800BB-22JHC0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:

\\.\PHYSICALDRIVE3 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE5 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE2 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Sygate Personal Firewall v4.6 (Sygate Technologies, Inc.)
AV: AVG 7.5.516 v7.5.516 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-602CF81D51
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\YOUR-602CF81D51
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0604
ProgramFiles=C:\Program Files
PROMPT=$P$G
SAN_DIR=C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=YOUR-602CF81D51
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS
__COMPAT_LAYER=DisableNXShowUI


-- User Profiles ---------------------------------------------------------------

Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> MsiExec.exe /I{58DD5143-4417-4F43-A7DD-5B8B29CEDBEA}
--> MsiExec.exe /I{6975E810-C92F-45F0-0BFD-187B312F10E8}
--> MsiExec.exe /I{C8D79874-7F2B-4346-99F1-DAA8AABF9DCA}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ArcSoft PhotoImpression 3.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\PhotoImpression\Uninst.isu"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Compresor WinRAR --> C:\Program Files\WinRAR\uninstall.exe
ConvertXtoDVD 2.2.3.258h --> "C:\Program Files\VSO\ConvertXtoDVD\unins000.exe"
Copy Utility --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\EPSON\Copy Utility\Uninst.isu"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Easy Video Joiner 5.21 --> "C:\Program Files\Easy Video Joiner\unins000.exe"
eMule --> "C:\Program Files\eMule\Uninstall.exe"
EPSON C88 User's Guide --> C:\Program Files\epson\guide\c88_e\uninstall.exe
EPSON Photo Print --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\EPSON\Photo Print\Uninst.isu"
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Smart Panel --> C:\Program Files\EPSON\Smart Panel\SPUninst.exe
EPSON TWAIN 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A3EABC0-CA06-11D4-BF77-00104B130C19}\setup.exe" UNINSTALL
EPSON Web-To-Page --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\Setup.exe" -l0x9 -anything
FairStars Audio Converter 1.46 --> "C:\Program Files\FairStars Audio Converter\unins000.exe"
ffdshow [rev 529] [2006-11-13] --> "C:\Program Files\ffdshow\unins000.exe"
G-Force --> C:\Program Files\SoundSpectrum\G-Force\Uninstall.exe
GSpot Codec Information Appliance --> C:\Program Files\GSpot\Uninstall.exe
HD Tune 2.53 --> "C:\Program Files\HD Tune\unins000.exe"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero 7 Ultra Edition --> MsiExec.exe /I{4781569D-5404-1F26-4B2B-6DF444441031}
Norton SystemWorks 2003 --> MsiExec.exe /I{43C3D832-AC96-463A-2003-1B8D1BFA2523}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PF1250-1650 Guide --> C:\WINDOWS\uninst.exe -f"C:\Program Files\EPSON\PF1250-1650\DeIsL1.isu"
PrintMaster 16 --> MsiExec.exe /I{78A974B6-F864-41AE-9F5A-0AAF7D40E884}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
ScanToWeb --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\Setup.exe" ADDREMOVEDLG
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
SiSoftware Sandra Lite XI.SP1a (Win64/32/CE) --> "C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a\unins000.exe"
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IPDRSLSM5K.inf
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Sygate Personal Firewall --> MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289}
The Font Thing --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Fisher\The Font Thing\DeIsL1.isu" -c"C:\Program Files\Fisher\The Font Thing\_ISREG32.DLL"
The Herbal Pharmacy --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\The Herbal Pharmacy\Uninst.isu"
TMPGEnc Plus 2.5 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C489B6E0-56CB-4B0F-B2E6-FF4C3D9FAE4F}
USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C8F7C1E5-0150-11D6-A96C-00D05908F85D}\Setup.exe" -l0x9
Vodei Multimedia Processor 2.10 --> C:\Program Files\Vodei\uninst.exe
WinCleaner Memory Optimizer Version 5.2 --> "C:\Program Files\WinCleaner Memory Optimizer\unins000.exe"
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WinPcap 3.01 alpha --> "C:\Program Files\WinPcap\Uninstall.exe" "C:\Program Files\WinPcap\install.log"
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WM Recorder 9.1 --> C:\WINDOWS\iun506.exe C:\Program Files\WM Recorder\irunin.ini
XML Paper Specification Shared Components Pack 1.0 -->
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type65 / Warning
Event Submitted/Written: 02/22/2008 05:33:17 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type59 / Warning
Event Submitted/Written: 02/21/2008 11:38:08 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type58 / Error
Event Submitted/Written: 02/20/2008 03:03:14 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application Joiner.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type57 / Error
Event Submitted/Written: 02/19/2008 05:36:52 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type55 / Error
Event Submitted/Written: 02/19/2008 02:05:49 AM
Event ID/Source: 5000 / MPSampleSubmission
Event Description:
EventType mptelemetry, P1 80072ee2, P2 endsearch, P3 search, P4 1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type643 / Warning
Event Submitted/Written: 02/22/2008 06:31:12 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%YOUR-602CF81D5127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %YOUR-602CF81D5127 can't undo changes that you allow.

For more information please see the following:
%YOUR-602CF81D51275

Scan ID: {94F8224B-D965-4398-A72E-4B3AED7627B7}

User: YOUR-602CF81D51\Owner

Name: %YOUR-602CF81D51271

ID: %YOUR-602CF81D51272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %YOUR-602CF81D51276

Alert Type: %YOUR-602CF81D51278

Detection Type: 1.1.1593.02

Event Record #/Type642 / Warning
Event Submitted/Written: 02/22/2008 06:31:12 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%YOUR-602CF81D5127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %YOUR-602CF81D5127 can't undo changes that you allow.

For more information please see the following:
%YOUR-602CF81D51275

Scan ID: {C95BCCD8-34BF-4EA4-916A-394F33ADF387}

User: YOUR-602CF81D51\Owner

Name: %YOUR-602CF81D51271

ID: %YOUR-602CF81D51272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %YOUR-602CF81D51276

Alert Type: %YOUR-602CF81D51278

Detection Type: 1.1.1593.02

Event Record #/Type641 / Warning
Event Submitted/Written: 02/22/2008 06:31:12 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%YOUR-602CF81D5127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %YOUR-602CF81D5127 can't undo changes that you allow.

For more information please see the following:
%YOUR-602CF81D51275

Scan ID: {F8085217-2ADA-4575-AB98-A50BBD90B786}

User: YOUR-602CF81D51\Owner

Name: %YOUR-602CF81D51271

ID: %YOUR-602CF81D51272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %YOUR-602CF81D51276

Alert Type: %YOUR-602CF81D51278

Detection Type: 1.1.1593.02

Event Record #/Type640 / Warning
Event Submitted/Written: 02/22/2008 06:31:09 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%YOUR-602CF81D5127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %YOUR-602CF81D5127 can't undo changes that you allow.

For more information please see the following:
%YOUR-602CF81D51275

Scan ID: {C484494C-0771-4706-B5B2-04B1D0DB211F}

User: YOUR-602CF81D51\Owner

Name: %YOUR-602CF81D51271

ID: %YOUR-602CF81D51272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %YOUR-602CF81D51276

Alert Type: %YOUR-602CF81D51278

Detection Type: 1.1.1593.02

Event Record #/Type639 / Warning
Event Submitted/Written: 02/22/2008 06:31:09 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%YOUR-602CF81D5127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %YOUR-602CF81D5127 can't undo changes that you allow.

For more information please see the following:
%YOUR-602CF81D51275

Scan ID: {AF5499A4-B5D2-4394-9364-87953CECC327}

User: YOUR-602CF81D51\Owner

Name: %YOUR-602CF81D51271

ID: %YOUR-602CF81D51272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %YOUR-602CF81D51276

Alert Type: %YOUR-602CF81D51278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-02-22 18:42:17 ------------



Hope this info is useful....there's a lot of it. From here on you are the pilot and navigator, and I'll just follow whatever you say to do.

-scottportraits
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean, are you having any visible problems ?
  • 0

#7
scottportraits

scottportraits

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 152 posts
Sunday Feb 24 6pm est

R-112,

Yes, there are some visible problems. My 'Thunderbird' e-mail server is not displaying the e-mails in normal mode, but like HTML source code. Also, the IE7 browser is being rejected at the Symantec Security Check virus scan - can't get it to run. And Panda's online scanner runs for a while, finds two 'hacker tools/rootkits', then gets stuck on an Epson\SCANDRV\r.icm file for a while, then I get bumped or booted off the site, and the browser closes.
I am also getting low IDs for gaming.

As said in the first post : "Opening any e-mail that is already in the inbox displays it as an HTML source code usually displays, when you click that menu option in any browser. My Thunderbird settings are View > Character Encoding > Auto-detect OFF; radio button on Western (ISO-8859-1). I'm pretty sure this is how it always was."

I tried uninstalling Thunderbird, then re-installing it upon reboot, but the problem carries over, like it is embedded in the 'settings'.

That, and the Combo.Fix warning that the "Recovery Console NOT Installed on this Machine" are the main glitches. Sari, in an earlier post, assures me that someone can walk me through the process of restructuring the Recovery Console, with no full XP install disk. This article :

http://www.pnelsonco...eryConsole.html

has some solutions, but they require a floppy driver (I have none), or a full install disk. We'll need to get i386 files from somewhere, I think........

Let me tinker around here and see if there are any more tell-tale signs of damage.....I'll get back to you in a few hours....

-scottportraits

Edited by scottportraits, 24 February 2008 - 05:12 PM.

  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Those aren't malware-related problems; you would be better off posting in another part of the forum, maybe in the Browser section.

Few things to do

Now let's uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will do the following:
  • Delete ComboFix and its associated files and folders.
  • Delete VundoFix backups, if present
  • Delete the C:\Deckard folder, if present
  • Delete the C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0
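An added example, not part of Rorschach112's post or of the MVPS project: a Python audit of a Windows HOSTS file that separates sinkhole entries of the kind the MVPS file adds (names pointed at 127.0.0.1 or 0.0.0.0) from entries that send a name to some other address, which is the pattern worth reviewing because malware also edits HOSTS. The sample HOSTS text and its .test domains are constructed placeholders.

```python
"""Audit a Windows HOSTS file: count sinkhole entries and flag redirects.

Added example (not part of the forum post). SAMPLE_HOSTS below is
constructed for illustration; the .test names are placeholders.
"""
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Addresses that make a blocked name resolve to the local machine, which is
# how a blocklist-style HOSTS file stops ad and malware sites from loading.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from HOSTS text, ignoring comments."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # malformed line, skip it
        try:
            ip = str(ip_address(parts[0]))
        except ValueError:
            continue                           # first field is not an IP
        for name in parts[1:]:                 # one IP may map several names
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Split entries into benign sinkholes and redirects that need review.

    An entry that points a name at anything other than the local machine
    silently redirects that site; malware has used this to send security
    vendor domains elsewhere, so such entries deserve a second look.
    """
    result: Dict[str, List[Tuple[str, str]]] = {"sinkhole": [], "redirect": []}
    for ip, name in parse_hosts(text):
        bucket = "sinkhole" if ip in SINKHOLE_ADDRESSES else "redirect"
        result[bucket].append((ip, name))
    return result


# Constructed sample: the standard localhost line, two blocklist-style
# entries, and one entry that sends a vendor update site to a remote host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 ad.example-tracker.test   # blocklist-style entry
0.0.0.0 banners.example-ads.test
203.0.113.9 update.example-antivirus.test
"""

if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['sinkhole'])} sinkhole entries")
    for ip, name in report["redirect"]:
        print(f"REVIEW: {name} -> {ip}")
```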

#9
scottportraits

scottportraits

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 152 posts
Sun Feb 24 6.15pm est

Run > Combofix /u brings me this screen : "Combofix NOT as valid Win32 Application".

I will start uninstalling and reinstalling Java right now.

Thanks, and the 'Recovery Console' post I originally put under Operating System posts was sent here for malware check. Should I re-post it under XP Home OS ??

-scottportraits
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Just delete ComboFix.exe and the folder C:\ComboFix then

Thanks, and the 'Recovery Console' post I originally put under Operating System posts was sent here for malware check. Should I re-post it under XP Home OS ??

Not sure what you mean here. You shouldn't be installing the recovery console, there is no need to, if that is what you were asking



Let me know if you have any more questions
  • 0



#11
scottportraits

scottportraits

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 152 posts
Sun Feb 24 6.30 pm est

Just uninstalled Java and rebooted. Now, at Java's site, I am being denied the download of JDK or any SE Java....the window says contact customer support.....

...Main one I'm trying to download is "Java Runtime Enviro 6 - Update 4, First Customer Ship"....but NONE of them are being allowed. It says the transaction cannot be 'approved'......

Now I have no Java to run applets and scripts....

...navigated around, think this might be a better link for new Java downloads for Windows:

http://java.com/en/d...dows_manual.jsp

....still in the woods here....

-S

Edited by scottportraits, 24 February 2008 - 06:17 PM.

  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Use this link for the java

http://www.majorgeek...ment_d4648.html

Let me know how that goes and the other steps
  • 0

#13
scottportraits

scottportraits

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 152 posts
Sun Feb 24, 2006 8:20pm est

Okay, here's the latest scoop.

Java finally downloaded successfully from this link, which is the best one:

http://java.com/en/d...dows_manual.jsp

...and the app is called J2SE Runtime Enviro 5.0 Update 14 on my 'add/remove' programs list. The saved downloaded file is named "jre-6u3_Windows_i586_p_iftw.exe" . I felt it best to get the download from the official site, "Sun Micro", rather than MajorGeeks, because whenever I've downloaded stuff from MG's like combo.fix, SDFix, Dr Web CureIt, Vundo, etc etc they always show up in virus scans. Probably because of the process.exe files, but whatever....

Next, I have Windows Updater scheduled to check for updates daily. I went to MS's official update site and found my system checks out as 'up to date'. So I am pretty much always current with those Windows security (and other) updates.

I have both SpywareBlaster and SpywareGuard installed, and am informed there is no conflict here. Along with Spybot S&D, and occasional manual runs through SUPER Anti-Spyware Free Ed. I feel I am well protected from spyware. Spybot is NOT set to run in real-time with 'teatimer' for IE7, because I use Mozilla Firefox mostly. SpywareGuard is set to launch upon start-up, that is, it is on my run menu.

I installed IE-SPYAD for those times I do use MS's IE7 browser. I also replaced my current 'Hosts' file, and replaced it with the MVPS host's file & IP Address. I do hope this helps me prevent further annoyances from infections.

In the Tools > Internet Options > Security tab I reset all choices to default level, and for 'Internet Zones' to 'custom'.....with Unsigned ActiveX's being enabled (from default 'disabled') to 'prompt'. The 'not marked as safe' unsigned scripts choice is disabled. I am warned that this is considered unsafe by XP....but proceed as you have instructed anyway.

I will read Klein's article and compare what I read with what I do and have.

I already use Firefox with the 'No-Script' add-on installed. As I mentioned earlier, way earlier, the trojan got in through a bad e-mail I mistakenly opened. My browsers, security apps & settings, and habits are pretty secure....so that e-mail is how I got zapped this time around. It was from another EBay bidder who lost the auction I won - and sent a bogus offer for a better deal, outside of EBay. I should never have opened that e-mail or allowed its contents to run in my 'Thunderbird' e-mail service.

Which brings us around to the main flaw (damage from malware) in my PC cafeteria: namely, that my Mozilla Thunderbird mail server is displaying downloaded e-mails as HTML source codes, sort of. I went into this in previous posts, so please scroll up to those places to get the specifics. That and my combo.fix warning that "This Machine's Recovery Console Is NOT Installed" are the two chief problems besetting my system.

The other peripheral woes include IE7 will not allow Symantec's Online Security Check to run, and the online Panda scan gets stuck and I get booted. Finally, I am getting LOW ID ratings for online gaming, like the TCP port is unreachable......yet all Network Connections settings are cool and nothing has changed in any settings since the Trojan attack.

So that's where we are today, maybe tomorrow would be a better day to do all this, today has been a b______. I would like to have a usable Recovery Console. I also need my e-mail service, Thunderbird to work for me after that scum-bag sent me a complimentary trojan for winning the item he wanted.

Beware of deals outside of EBay, and the e-mails inviting it. That's how I got hit this round.

Thanks again, maybe Monday is a better day....what do you think ???

-scottportraits

Edited by scottportraits, 24 February 2008 - 07:45 PM.

  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
I am not sure about the Thunderbird problem, you will have to post elsewhere about that


For Recovery Console do this

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.




Download the file & save it as it's originally named, next to ComboFix.exe.





Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.



Let me know if you have any more questions
  • 0

#15
scottportraits

scottportraits

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 152 posts
9:23pm est

Okay, that process went fairly smoothly. Here is the log from that run, kind of short :

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

So I believe the recovery console IS NOW properly installed. Should I reboot ? After rebooting, or whatever, is there a way to test the recovery console? I do have a dinky eMachines System Recovery disk.....but no XP Home full install CD. I also have no floppy disk driver, so is there a way to create a CD-ROM disk that can act like an emergency boot-up floppy ?

Thanx R-112, you got me this far.....

-scottportraits
  • 0
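An added example, not from the thread and not ComboFix's own code: a small Python check that parses boot.ini text of the kind shown in the CF_RC.txt log above and reports whether the default Windows entry and a Recovery Console (/cmdcons) entry are listed. It only confirms the boot menu entry exists, not that the console boots; SAMPLE_BOOT_INI reproduces the posted log.

```python
"""Check boot.ini for a Windows Recovery Console entry.

Added example, not part of the thread or of ComboFix; SAMPLE_BOOT_INI
reproduces the entries from the CF_RC.txt log posted above.
"""
from typing import Dict, List, Optional


def parse_boot_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI-style boot.ini text into {section: {target: value}}.

    Lines before the first [section] header (such as the installer file
    name echoed at the top of CF_RC.txt) and ';' comments are ignored.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def boot_label(value: str) -> str:
    """Extract the quoted menu label from an [operating systems] value."""
    if value.startswith('"') and value.count('"') >= 2:
        return value[1:value.index('"', 1)]
    return value


def check_boot_ini(text: str) -> Dict[str, object]:
    """Report whether the default OS entry and the Recovery Console are listed."""
    sections = parse_boot_ini(text)
    os_entries = sections.get("operating systems", {})
    default = sections.get("boot loader", {}).get("default")
    # A Recovery Console entry carries the /cmdcons switch ...
    console = [t for t, v in os_entries.items() if "/cmdcons" in v.lower().split()]
    # ... and boots from BOOTSECT.DAT in the CMDCONS folder the KB310994
    # package creates; anything else claiming /cmdcons is worth a look.
    console_ok = any(t.upper().endswith("\\CMDCONS\\BOOTSECT.DAT") for t in console)
    return {
        "default_present": default is not None and default in os_entries,
        "recovery_console": console_ok,
        "labels": [boot_label(v) for v in os_entries.values()],
    }


# Reproduces the CF_RC.txt log posted in the thread (the first line is the
# installer file name ComboFix echoes; the parser skips it).
SAMPLE_BOOT_INI = r"""
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""

if __name__ == "__main__":
    report = check_boot_ini(SAMPLE_BOOT_INI)
    for key, value in report.items():
        print(f"{key}: {value}")
```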
