Stubborn Vundo Infection - can anyone help? [CLOSED]


This topic is locked.

#1 Charger1640 (Member, 15 posts)
I need help exorcising the demon Vundo from my computer. I've struggled for days with this. My Trend Micro gives me the warning but won't eliminate it. I've tried Norton, Spy Sweeper, and VundoFix without any luck (they don't detect it). Trend Micro says the bad file is pmnnm.dll.
If I add pmnnm.dll to VundoFix manually, it still comes back after reboot.

Thanks in advance if anyone can slay this demon....

Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:43 PM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
K:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\DOCUME~1\MARKHO~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.n...a...&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Horton Internet Productions
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PDUiP6600DMon] "C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.xara.com
O15 - Trusted Zone: *.xaraonline.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.aka...vex-2.0.4.4.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1138114010296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142794898406
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/...x/AVCheckUp.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - K:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 13517 bytes
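An added triage example for the problem described in this post (editor's code, not part of HijackThis, DSS or anything the poster or helper ran): it scans a saved HijackThis/DSS log and flags the entries that matter for a Vundo-style infection, namely O2 BHO registrations with no friendly name, BHO CLSIDs whose DLL is already gone, short all-letter DLL names dropped into system32, anything loaded from a Temp directory, AppInit_DLLs entries and services with no publisher. The sample lines are copied from the two logs in this thread; the heuristics are the editor's own, not Trend Micro's signatures, and a flagged line is a lead to verify, not an automatic delete. Worth noticing: the first log above, run as HijackThis.exe, contains no O2 section at all, while the later copy that DSS runs under a random name does list the BHOs including pmnnm.dll; that is consistent with the malware hiding from a process called HijackThis.exe, which is the reason DSS renames the tool.

```python
"""Triage a HijackThis / DSS log for BHO-style persistence.

Editor's example for this thread; it is not part of HijackThis or DSS and
the heuristics are the editor's, not Trend Micro's.  Run it over a saved
log and read the flagged lines before deciding on any fix.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\MARKHO~1\LOCALS~1\Temp\clclean.0001
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E6982B8-A831-49C0-BEF7-6ECDE935E70D} - C:\WINDOWS\system32\pmnnm.dll
O2 - BHO: (no name) - {36BB0C08-AD50-464A-ADCF-390DAA995231} - C:\WINDOWS\system32\jkkjg.dll (file missing)
O2 - BHO: {814924a1-b002-b849-2ba4-7ce90dab6e05} - {50e6bad0-9ec7-4ab2-948b-200b1a429418} - C:\WINDOWS\system32\krpeimxj.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
S3 ddxgb - c:\docume~1\markho~1\locals~1\temp\ddxgb.sys (file missing)
"""

# O2 line: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
# The generated DLL names in this log are 5-8 lowercase letters, no digits,
# dropped straight into system32.  Heuristic only; combined with the other
# checks rather than used on its own.
SYSTEM32_RANDOM_RE = re.compile(r"^c:\\windows\\system32\\[a-z]{5,8}\.dll$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
MISSING_RE = re.compile(r"\(file missing\)\s*$")


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def triage_line(line: str) -> list[str]:
    """Return the reasons one log line deserves a second look (empty if none)."""
    reasons: list[str] = []
    m = BHO_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        if name == "(no name)" or GUID_RE.match(name):
            reasons.append("BHO registered without a friendly name")
        if m.group("missing"):
            reasons.append("BHO CLSID still registered but its DLL is gone")
        if SYSTEM32_RANDOM_RE.match(path):
            reasons.append("random-looking DLL name in system32")
    if TEMP_RE.search(line):
        reasons.append("executable or driver loaded from a Temp directory")
    if line.startswith("O20 - AppInit_DLLs:"):
        reasons.append("AppInit_DLLs loads into every user32-linked process; verify the vendor")
    if line.startswith("O23 - ") and "Unknown owner" in line:
        reasons.append("service with no publisher information")
    if not m and MISSING_RE.search(line):
        reasons.append("registration points at a missing file")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Scan every line of a saved log and keep only the ones with findings."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

On the sample above the script flags pmnnm.dll (nameless BHO in system32), the two dead registrations for jkkjg.dll and krpeimxj.dll, the two Temp-directory entries, the AppInit_DLLs line and the ATI service with no owner; the Adobe and Google BHOs and the Symantec Run entry pass untouched. The Temp and "Unknown owner" hits are deliberately noisy: they are prompts to check a file's signer and origin, and on this machine several of them will turn out to be benign.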



#2 RatHat (Ex Malware Expert, 7,829 posts)
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK, firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If, however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

Next, I would like to make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found on your root drive, usually C:\Deckard\System Scanner\


Regards,
RatHat

#3 Charger1640 (Topic Starter, Member, 15 posts)
Hello RatHat,

Info you requested:


Deckard's System Scanner v20071014.68
Run by ******* on 2008-03-15 04:23:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as *******.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:57:49 AM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
K:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\DOCUME~1\MARKHO~1\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\*****\Desktop\gtg\dss.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
C:\PROGRA~1\TRENDM~1\HIJACK~1\*******.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.n...a...&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Internet Productions
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E6982B8-A831-49C0-BEF7-6ECDE935E70D} - C:\WINDOWS\system32\pmnnm.dll
O2 - BHO: (no name) - {36BB0C08-AD50-464A-ADCF-390DAA995231} - C:\WINDOWS\system32\jkkjg.dll (file missing)
O2 - BHO: {814924a1-b002-b849-2ba4-7ce90dab6e05} - {50e6bad0-9ec7-4ab2-948b-200b1a429418} - C:\WINDOWS\system32\krpeimxj.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PDUiP6600DMon] "C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.xara.com
O15 - Trusted Zone: *.xaraonline.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.aka...vex-2.0.4.4.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1138114010296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142794898406
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/...x/AVCheckUp.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - K:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 14698 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - NOTEPAD.EXE %1
.reg - regfile - shell\open\command - NOTEPAD.EXE %1
.scr - scrfile - shell\open\command - NOTEPAD.EXE %1
.vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NetworkX - c:\windows\system32\ckldrv.sys
R1 SSHDRV79 - c:\windows\system32\drivers\sshdrv79.sys <Not Verified; ; ProtectCD>
R1 SSHDRV85 - c:\windows\system32\drivers\sshdrv85.sys <Not Verified; ; ProtectCD>
R1 tmtdi (Trend Micro TDI Driver) - c:\windows\system32\drivers\tmtdi.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Component 1.0>
R2 tm_cfw (Common Firewall Driver) - c:\windows\system32\drivers\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Network Security Component 1.0>

S3 ddxgb - c:\docume~1\markho~1\locals~1\temp\ddxgb.sys (file missing)
S3 samhid - c:\windows\system32\drivers\samhid.sys
S3 Ser2pl (Prolific2 Serial port driver) - c:\windows\system32\drivers\ser2pl.sys <Not Verified; Prolific Technology Inc.; Prolific USB-to-Serial Bridge Cable>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AdobeActiveFileMonitor5.0 (Adobe Active File Monitor V5) - k:\program files\adobe\photoshop elements 5.0\photoshopelementsfileagent.exe
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 Crypkey License - crypserv.exe <Not Verified; Kenonic Controls Ltd.; CrypKey Software Licensing System>
R2 PcCtlCom (Trend Micro Central Control Component) - c:\progra~1\trendm~1\intern~1\pcctlcom.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
R2 ProtexisLicensing - c:\windows\system32\psiservice.exe <Not Verified; ; PSIService>
R2 Tmntsrv (Trend Micro Real-time Service) - c:\progra~1\trendm~1\intern~1\tmntsrv.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
R2 TmPfw (Trend Micro Personal Firewall) - c:\progra~1\trendm~1\intern~1\tmpfw.exe <Not Verified; Trend Micro Inc.; Trend Network Security Component 1.0>
R2 tmproxy (Trend Micro Proxy Service) - c:\progra~1\trendm~1\intern~1\tmproxy.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 1.0>
R3 Creative Labs Licensing Service - "c:\program files\common files\creative labs shared\service\creativelicensing.exe" <Not Verified; Creative Labs; Creative Labs Licensing Service>

S3 Imapi Helper - "c:\program files\alex feinman\iso recorder\imapihelper.exe" <Not Verified; Alex Feinman; ISO Recorder>
S3 nmraapache (Pure Networks Net2Go Service) - "c:\program files\pure networks\network magic\webserver\bin\nmraapache.exe" -k runservice <Not Verified; Pure Networks, Inc.; Pure Networks Net2Go Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Intel® 537EP V9x DF PCI Modem
Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&5855BE9&0&18F0
Manufacturer: Intel Corporation
Name: Intel® 537EP V9x DF PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&5855BE9&0&18F0
Service: Modem


-- Scheduled Tasks -------------------------------------------------------------

2008-03-13 23:18:22 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-03-10 21:12:59 634 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - ******.job


-- Files created between 2008-02-15 and 2008-03-15 -----------------------------

2008-03-13 15:34:41 0 d-------- C:\Program Files\Common Files\Authentium
2008-03-13 15:33:37 0 d-------- C:\Documents and Settings\******\Application Data\iolo
2008-03-13 15:33:37 0 d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-03-13 14:54:10 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-03-13 10:05:21 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-03-13 10:04:53 0 d-------- C:\Program Files\Webroot
2008-03-13 10:04:53 0 d-------- C:\Documents and Settings\*******\Application Data\Webroot
2008-03-13 10:04:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-13 10:02:47 164 --a------ C:\install.dat
2008-03-13 00:52:49 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-03-12 21:02:10 1878 --ahs---- C:\WINDOWS\system32\mnnmp.ini2
2008-03-12 21:02:01 290816 --a------ C:\WINDOWS\system32\pmnnm.dll
2008-03-12 20:55:08 0 d-------- C:\System32
2008-03-12 20:50:25 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-03-12 19:44:25 0 d-------- C:\VundoFix Backups
2008-03-10 21:07:30 0 d-------- C:\Documents and Settings\*******\Application Data\Symantec
2008-03-10 20:56:31 0 d-------- C:\Program Files\Windows Sidebar
2008-03-10 20:52:03 0 d-------- C:\Program Files\Norton Internet Security
2008-03-10 20:37:53 0 d-------- C:\Program Files\Symantec
2008-03-10 20:37:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-10 19:01:46 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-09 22:48:11 0 d-------- C:\WTablet
2008-03-09 22:42:14 0 d-------- C:\WINDOWS\system32\New Folder
2008-03-09 19:03:16 0 d-------- C:\WINDOWS\system32\iDlo01
2008-03-09 19:03:15 0 d-------- C:\Temp
2008-03-09 04:01:24 0 d-------- C:\Program Files\MSXML 6.0
2008-03-08 10:48:42 2516 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-03-08 10:48:42 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\E447EDAD8A.sys
2008-03-08 10:46:48 0 d-------- C:\Program Files\Common Files\Protexis
2008-03-08 10:39:31 0 d-------- C:\Program Files\Common Files\Corel
2008-02-28 07:16:41 0 d-------- C:\Documents and Settings\LocalService\Application Data\WTablet
2008-02-27 17:05:18 0 d-------- C:\Documents and Settings\*******\Application Data\WTablet
2008-02-27 17:03:10 0 d-------- C:\WINDOWS\system32\WTablet
2008-02-27 17:03:04 0 d-------- C:\Program Files\Tablet
2008-02-24 17:44:59 1682 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-24 17:44:59 168 -rahs---- C:\WINDOWS\system32\E447EDAD8A.sys
2008-02-24 17:41:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-02-24 09:24:57 0 d-------- C:\Documents and Settings\All Users\Application Data\MAGIX
2008-02-24 09:24:46 24576 --a------ C:\WINDOWS\system32\TTIC32.dll <Not Verified; PoINT Software & Systems GmbH; TTIC32>
2008-02-24 09:24:46 24576 --a------ C:\WINDOWS\system32\TTI32.dll <Not Verified; PoINT Software & Systems GmbH; TTI32>
2008-02-24 09:24:46 32768 --a------ C:\WINDOWS\system32\STRING32.dll <Not Verified; PoINT Software & Systems GmbH; STRING32>
2008-02-24 09:24:46 430080 --a------ C:\WINDOWS\system32\MXRestore.exe <Not Verified; MAGIX AG; MAGIX Restore>
2008-02-24 09:24:46 57344 --a------ C:\WINDOWS\system32\DLLTPO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLTPO32>
2008-02-24 09:24:46 188416 --a------ C:\WINDOWS\system32\DLLRES32.dll <Not Verified; PoINT Software & Systems GmbH; DLLRES32>
2008-02-24 09:24:46 40960 --a------ C:\WINDOWS\system32\DLLRD32.dll <Not Verified; PoINT Software & Systems GmbH; DLLRD32>
2008-02-24 09:24:46 65536 --a------ C:\WINDOWS\system32\DLLPTL32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPTL32>
2008-02-24 09:24:46 53248 --a------ C:\WINDOWS\system32\DLLPRJ32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPRJ32>
2008-02-24 09:24:45 49152 --a------ C:\WINDOWS\system32\DLLPRF32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPRF32>
2008-02-24 09:24:45 36864 --a------ C:\WINDOWS\system32\DLLPNT32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPNT32>
2008-02-24 09:24:45 32768 --a------ C:\WINDOWS\system32\DLLMSC32.dll <Not Verified; PoINT Software & Systems GmbH; DLLMSC32>
2008-02-24 09:24:45 24576 --a------ C:\WINDOWS\system32\DLLIX.dll <Not Verified; PoINT Software & Systems GmbH; DLLIX>
2008-02-24 09:24:45 32768 --a------ C:\WINDOWS\system32\DLLISO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLISO32>
2008-02-24 09:24:45 53248 --a------ C:\WINDOWS\system32\DLLIO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLIO32>
2008-02-24 09:24:45 45056 --a------ C:\WINDOWS\system32\DLLIMG32.dll <Not Verified; PoINT Software & Systems GmbH; DLLIMG32>
2008-02-24 09:24:45 151552 --a------ C:\WINDOWS\system32\DLLDRV32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDRV32>
2008-02-24 09:24:45 32768 --a------ C:\WINDOWS\system32\DLLDIR32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDIR32>
2008-02-24 09:24:45 163840 --a------ C:\WINDOWS\system32\DLLDEV32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDEV32>
2008-02-24 09:24:45 94208 --a------ C:\WINDOWS\system32\DLLCPY32.dll <Not Verified; PoINT Software & Systems GmbH; DLLCPY32>
2008-02-24 09:24:45 61440 --a------ C:\WINDOWS\system32\DLLCDF32.dll <Not Verified; PoINT Software & Systems GmbH; DLLCDF32>
2008-02-24 09:24:45 114688 --a------ C:\WINDOWS\system32\DLLCDA32.dll <Not Verified; PoINT Software & Systems GmbH; PoINT CDarchive for Windows>
2008-02-24 09:24:45 487424 --a------ C:\WINDOWS\system32\DLLAV32.dll <Not Verified; PoINT Software & Systems GmbH; PoINT CD/DVD Audio/Video SDK for Windows>
2008-02-24 09:24:44 0 d-------- C:\Program Files\Common Files\MAGIX Shared
2008-02-24 09:24:05 120200 --a------ C:\WINDOWS\system32\DLLDEV32i.dll <Not Verified; ; DLLDEV32i>
2008-02-24 09:24:05 0 d-------- C:\Program Files\MAGIX
2008-02-24 09:23:09 700416 --a------ C:\WINDOWS\system32\mgxoschk.dll <Not Verified; MAGIX AG; mgxoschk>
2008-02-24 09:23:09 0 d-------- C:\WINDOWS\system32\MAGIX
2008-02-23 12:43:30 0 d-------- C:\Program Files\iPod


-- Find3M Report ---------------------------------------------------------------

2008-03-15 04:13:36 0 d-------- C:\Documents and Settings\******\Application Data\Newsbin
2008-03-14 20:39:14 0 d-------- C:\Program Files\Trend Micro
2008-03-13 15:34:41 0 d-------- C:\Program Files\Common Files
2008-03-13 09:30:13 0 d-------- C:\Program Files\Creative
2008-03-13 00:06:14 0 d-------- C:\Program Files\Common Files\Real
2008-03-13 00:03:20 0 d-------- C:\Documents and Settings\*******\Application Data\Real
2008-03-08 10:48:44 0 d-------- C:\Documents and Settings\*******\Application Data\Corel
2008-03-01 01:32:57 0 d-------- C:\Program Files\Online Services
2008-03-01 01:27:50 0 d-------- C:\Program Files\Dell
2008-03-01 01:27:16 0 d-------- C:\Program Files\EA SPORTS
2008-03-01 01:25:18 0 d-------- C:\Program Files\Azureus
2008-02-29 16:02:38 0 d-------- C:\Program Files\Microsoft Works
2008-02-29 15:54:51 0 d-------- C:\Program Files\MasqueGames
2008-02-29 15:54:00 0 d-------- C:\Program Files\America's Army
2008-02-29 15:53:52 0 d-------- C:\Program Files\America's Army Server Manager
2008-02-27 17:26:26 0 d-------- C:\Documents and Settings\*******\Application Data\Apple Computer
2008-02-23 12:46:53 0 d-------- C:\Program Files\iTunes
2008-02-23 12:35:30 0 d-------- C:\Program Files\QuickTime
2008-02-14 22:03:38 0 d-------- C:\Program Files\Employee Scheduling
2008-02-10 08:42:16 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-09 16:21:37 0 d-------- C:\Program Files\D-Link Media Server
2008-02-08 15:55:14 0 d-------- C:\Documents and Settings\*******\Application Data\ZoomBrowser EX
2008-02-08 15:41:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-08 15:40:49 0 d-------- C:\Program Files\Canon
2008-02-08 15:35:54 0 d-------- C:\Program Files\Common Files\Canon
2008-02-08 10:13:19 0 d-------- C:\Program Files\Quicken
2008-02-08 10:10:27 0 d-------- C:\Program Files\TurboTax
2008-02-02 11:33:19 0 d-------- C:\Documents and Settings\*******\Application Data\Intuit
2008-02-02 11:25:32 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-02 08:34:02 0 d-------- C:\Documents and Settings\*******\Application Data\AKVIS LLC
2008-02-02 08:01:30 0 d-------- C:\Program Files\AKVIS
2008-02-01 22:36:49 0 d-------- C:\Documents and Settings\*******\Application Data\Azureus
2008-01-18 23:01:52 763 --a------ C:\WINDOWS\eReg.dat
2008-01-18 20:56:58 0 d-------- C:\Program Files\EA GAMES
2008-01-18 01:07:05 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-01-18 01:03:20 0 d-------- C:\Program Files\ATI Technologies
2008-01-17 22:00:28 0 d-------- C:\Program Files\Game Elements
2008-01-07 07:15:42 22288 --a------ C:\Documents and Settings\*******\Application Data\wklnhst.dat
2007-12-20 22:05:00 593920 --a------ C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E6982B8-A831-49C0-BEF7-6ECDE935E70D}]
03/12/2008 09:02 PM 290816 --a------ C:\WINDOWS\system32\pmnnm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36BB0C08-AD50-464A-ADCF-390DAA995231}]
C:\WINDOWS\system32\jkkjg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50e6bad0-9ec7-4ab2-948b-200b1a429418}]
C:\WINDOWS\system32\krpeimxj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
08/24/2007 11:51 PM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
03/10/2008 09:57 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [08/24/2007 11:51 PM 316784]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 04:01 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 11:05 PM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 10:12 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 06:19 PM]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [09/15/2005 11:47 AM]
"MBMon"="CTMBHA.DLL" [05/19/2005 10:54 AM C:\WINDOWS\system32\CTMBHA.DLL]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 12:44 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 12:44 PM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [08/30/2005 06:30 PM]
"BuildBU"="c:\dell\bldbubg.exe" [01/18/2006 11:47 AM]
"@"="" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [05/31/2005 06:33 AM]
"PDUiP6600DMon"="C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [05/25/2005 10:35 AM]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [11/01/2006 01:04 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 02:10 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/14/2008 11:01 AM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [08/25/2007 12:53 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [12/22/2004 07:40 PM C:\WINDOWS\MIDIDEF.EXE]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [12/02/2004 08:23 PM]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [04/11/2006 08:39 PM]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe" [12/20/2006 01:38 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 07:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/18/2007 05:54 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [1/27/2006 12:54:24 PM]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [1/24/2006 7:00:06 PM]
HotSync Manager.lnk - C:\Program Files\Handspring\Hotsync.exe [6/9/2004 2:16:08 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnnm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd6f1e0c-89d2-11da-8ac9-806d6172696f}]
AutoRun\command- E:\CDSTART.EXE

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-03-15 06:00:31 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 33%
Physical Memory (total/avail): 3070.07 MiB / 2048.9 MiB
Pagefile Memory (total/avail): 4445.85 MiB / 3699.26 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1922.86 MiB

C: is Fixed (NTFS) - 228.13 GiB total, 38.17 GiB free.
D: is CDROM (No Media)
E: is CDROM (CDFS)
F: is Removable (FAT)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Fixed (FAT32) - 232.83 GiB total, 22.89 GiB free.
L: is Fixed (FAT32) - 465.65 GiB total, 367.9 GiB free.

\\.\PHYSICALDRIVE0 - WDC WD2500JS-75NCB1 - 232.83 GiB - 3 partitions
\PARTITION0 - Unknown - 54.88 MiB
\PARTITION1 (bootable) - Installable File System - 228.13 GiB - C:
\PARTITION2 - Unknown - 4.64 GiB

\\.\PHYSICALDRIVE7 - Canon iP6600DStorage USB Device

\\.\PHYSICALDRIVE1 - TEAC USB HS-CF Card USB Device - 7.75 MiB - 1 partition
\PARTITION0 - 16-bit FAT - 7.75 MiB - F:

\\.\PHYSICALDRIVE3 - TEAC USB HS-MS Card USB Device

\\.\PHYSICALDRIVE4 - TEAC USB HS-SD Card USB Device

\\.\PHYSICALDRIVE2 - TEAC USB HS-xD/SM USB Device

\\.\PHYSICALDRIVE5 - WD 2500JB External USB Device - 232.88 GiB - 1 partition
\PARTITION0 - Unknown - 232.88 GiB - K:

\\.\PHYSICALDRIVE6 - WD 5000KS External USB Device - 465.76 GiB - 1 partition
\PARTITION0 - Unknown - 465.76 GiB - L:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Norton Internet Security v15.0.0.60 (Symantec Corporation)
FW: Trend Micro PC-cillin Internet Security (Firewall) v12 (Trend Micro, Inc.)
AV: Spy Sweeper with AntiVirus v5.5.7.124 (Webroot Software Inc) Disabled
AV: Norton Internet Security v15.0.0.60 (Symantec Corporation)
AV: Trend Micro PC-cillin Internet Security v12.7.1019 (Trend Micro, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America's Army\\System\\ArmyOps.exe"="C:\\Program Files\\America's Army\\System\\ArmyOps.exe:*:Enabled:ArmyOps"
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"="C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe:*:Enabled:Star Wars: Empire at War"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Ascaron Entertainment\\Sacred\\Sacred.exe"="C:\\Program Files\\Ascaron Entertainment\\Sacred\\Sacred.exe:*:Enabled:Sacred"
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"C:\\Program Files\\NewsBin\\nbpro.exe"="C:\\Program Files\\NewsBin\\nbpro.exe:*:Enabled:Newsbin"
"C:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\UPDATE.EXE"="C:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\UPDATE.EXE:*:Enabled:UPDATE"
"C:\\Program Files\\D-Link Media Server\\MediaServer.exe"="C:\\Program Files\\D-Link Media Server\\MediaServer.exe:*:Enabled:Media Server"
"C:\\Program Files\\D-Link Media Server\\MediaGUI.exe"="C:\\Program Files\\D-Link Media Server\\MediaGUI.exe:*:Enabled:D-Link_MediaServerGUI"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Disabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Disabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"="C:\\Program Files\\IncrediMail\\bin\\IMApp.exe:*:Disabled:IncrediMail"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"K:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"="K:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe:*:Disabled:Adobe Photoshop Elements Media Server"
"K:\\Program Files\\TurboTax\\Home & Business 2006\\32BIT\\ttax.exe"="K:\\Program Files\\TurboTax\\Home & Business 2006\\32BIT\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"K:\\Program Files\\TurboTax\\Home & Business 2006\\32BIT\\updatemgr.exe"="K:\\Program Files\\TurboTax\\Home & Business 2006\\32BIT\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"K:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"="K:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Pure Networks\\Network Magic\\nmsrvc.exe"="C:\\Program Files\\Pure Networks\\Network Magic\\nmsrvc.exe:LocalSubNet:Enabled:Pure Networks Network Magic Service"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\*******\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=D1DWM691
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\*******
LOGONSERVER=\\D1DWM691
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MARKHO~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\MARKHO~1\LOCALS~1\Temp
USERDOMAIN=D1DWM691
USERNAME=*******
USERPROFILE=C:\Documents and Settings\*******
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

******* (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBAudigy\Program\CTZapxx.EXE" ctsbmb.ini /U /N /S /W
--> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
--> C:\PROGRA~1\VERIZO~1\Uninstall.exe Verizon
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> K:\PROGRA~1\CALLOF~1\Uninstall\Unwise.exe /u K:\PROGRA~1\CALLOF~1\Uninstall\Install.log
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> MsiExec.exe /I{95D9B4D8-B091-4fab-80EA-313EB4B82FD6}
--> MsiExec.exe /I{C4CBAD7E-DF4A-4FEC-AC17-8BC709AFB844}
--> MsiExec.exe /I{EB997E90-5EB0-4eb5-90D0-90B1D2F0CA03}
--> MsiExec.exe /I{F543B12A-13F5-487E-9314-F7D25E1BBE3E}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{25EF00BF-F17B-11D6-88EA-000476CD2443}\Setup.exe" -l0x9 UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{25EF00C6-F17B-11D6-88EA-000476CD2443}\Setup.exe" -l0x9 UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{25EF00D1-F17B-11D6-88EA-000476CD2443}\Setup.exe" -l0x9 UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{25EF03DA-F17B-11D6-88EA-000476CD2443}\Setup.exe" -l0x9 UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32B4B536-4443-42F0-9676-98373BE9114F}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32B4B536-4443-42F0-9676-98373BE9114F}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34EBD418-B8E6-4E86-89C4-33B72CF5663F}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34EBD418-B8E6-4E86-89C4-33B72CF5663F}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{52338F65-A1C3-4CDC-B733-50051682B297}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{52338F65-A1C3-4CDC-B733-50051682B297}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{569A9538-86EC-44C3-8EE4-C68B165F2A75}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{569A9538-86EC-44C3-8EE4-C68B165F2A75}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B17E626-7885-4FC3-A66A-73548A4F01FD}\setup.exe" -l0x9
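An added example, not from the original thread and not part of DSS, HijackThis or The Avenger: a small Python triage script that reads a few lines excerpted from the DSS log above and flags the persistence points a Vundo-family DLL relies on. The rules are this example's own heuristics, and the function and rule names are assumptions made for it: a DLL listed under the LSA "Authentication Packages" value beside msv1_0 is loaded into lsass.exe at boot, which is why an in-use file like pmnnm.dll survives ordinary deletion and reappears after a reboot; a BHO registration whose DLL sits directly in system32, or for which the scanner recorded no date or size; a hidden, system-attribute .ini/.ini2 whose basename is the DLL name spelled backwards (mnnmp beside pmnnm); and a driver entry that points into a temp folder.

```python
"""Triage heuristics for a Deckard's System Scanner (DSS) log excerpt.

Added example; not code from the thread, from DSS or from The Avenger.
Rule names, the triage() function and the finding format are assumptions
made for this example.
"""
import re

# Lines excerpted from the DSS log posted above: the hidden-file listing,
# two driver entries, three BHO registrations and the LSA key.
SAMPLE_LOG = r"""
2008-03-12 21:02:10 1878 --ahs---- C:\WINDOWS\system32\mnnmp.ini2
2008-03-12 21:02:01 290816 --a------ C:\WINDOWS\system32\pmnnm.dll
S3 ddxgb - c:\docume~1\markho~1\locals~1\temp\ddxgb.sys (file missing)
S3 samhid - c:\windows\system32\drivers\samhid.sys
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E6982B8-A831-49C0-BEF7-6ECDE935E70D}]
03/12/2008 09:02 PM 290816 --a------ C:\WINDOWS\system32\pmnnm.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36BB0C08-AD50-464A-ADCF-390DAA995231}]
C:\WINDOWS\system32\jkkjg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
08/24/2007 11:51 PM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnnm.dll
"""

# "Files created" entries: date time size attributes path
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} +(\d+) +([-a-z]{9}) +(.+)$")
# Driver entries: start type, service name, optional description, " - ", .sys path
DRIVER_RE = re.compile(r"^[RS]\d +(\S+) .*?- (\S+\.sys)", re.IGNORECASE)
# BHO registry key header; the line after it names the DLL
BHO_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\\{[0-9A-Fa-f-]+\}\]$")
# BHO DLL with date and size recorded (the scanner could read the file)
DATED_BHO_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2} [AP]M \d+ [-a-z]{9} (.+)$")
# BHO DLL given as a bare path (no date or size recorded for it)
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
# LSA authentication packages; msv1_0 is the only default entry on XP
LSA_RE = re.compile(r'^"Authentication Packages"\s*=\s*(.+)$')


def triage(log_text):
    """Return a list of (rule, path) findings for the suspicious entries."""
    findings = []
    dll_stems = set()      # basenames (without extension) of listed DLLs
    hidden_ini = []        # (stem, path) of hidden+system .ini/.ini2 files
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]

    for i, line in enumerate(lines):
        m = FILE_RE.match(line)
        if m:
            _size, attrs, path = m.groups()
            stem, _, ext = path.rsplit("\\", 1)[-1].lower().rpartition(".")
            if ext == "dll":
                dll_stems.add(stem)
            elif ext.startswith("ini") and "h" in attrs and "s" in attrs:
                hidden_ini.append((stem, path))
            continue

        m = DRIVER_RE.match(line)
        if m:
            # A kernel driver pointed at a temp folder is never legitimate.
            if "\\temp\\" in m.group(2).lower():
                findings.append(("driver_in_temp", m.group(2)))
            continue

        if BHO_KEY_RE.match(line) and i + 1 < len(lines):
            target = lines[i + 1]
            if BARE_PATH_RE.match(target):
                findings.append(("bho_no_file_info", target))
            else:
                dm = DATED_BHO_RE.match(target)
                # Vendor BHOs live under Program Files; Vundo drops into system32.
                if dm and "\\system32\\" in dm.group(1).lower():
                    findings.append(("bho_in_system32", dm.group(1)))
            continue

        m = LSA_RE.match(line)
        if m:
            # Anything beside msv1_0 is loaded into lsass.exe at boot, which
            # keeps the DLL locked while Windows runs. (A path containing
            # spaces would not be split correctly by this simple tokenizer.)
            for package in m.group(1).split():
                if package.lower() != "msv1_0":
                    findings.append(("lsa_auth_package", package))

    # Vundo's hidden companion .ini/.ini2 is the DLL's name spelled backwards.
    for stem, path in hidden_ini:
        if stem[::-1] in dll_stems:
            findings.append(("reversed_companion", path))
    return findings


if __name__ == "__main__":
    for rule, path in triage(SAMPLE_LOG):
        print(f"{rule:20s} {path}")
```

Run against the excerpt, the script reports the temp-folder driver, the two Vundo BHO registrations (pmnnm.dll in system32, jkkjg.dll with no file details), the LSA entry for pmnnm.dll and the reversed-name companion mnnmp.ini2, and stays silent on the Symantec BHO under Program Files. The LSA finding is the one that explains the reboot behaviour in the original post: a file loaded by lsass.exe has to be removed before the system finishes booting, which is what a boot-time deletion tool is for.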
#4
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\mnnmp.ini2
C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\krpeimxj.dll

Drivers to delete:
ddxgb

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E6982B8-A831-49C0-BEF7-6ECDE935E70D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36BB0C08-AD50-464A-ADCF-390DAA995231}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{50e6bad0-9ec7-4ab2-948b-200b1a429418}

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include:
  • The contents of Avenger.txt
  • The MBAM log
  • The contents of Kaspersky.txt
  • A fresh DSS log, taken after completing all of the above

Regards,
RatHat
  • 0
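A helper can check the Avenger result mechanically rather than by eye. The Python script below is an added example, not code from The Avenger, Malwarebytes or this thread: it takes a deletion script in the format of the post above and the avenger.txt log that Avenger writes, both embedded here as constructed sample strings copied from the thread (one registry key is deliberately left out of the sample log to show the case where the log never mentions a requested item), and reports which requested items were confirmed deleted, which failed and why, and which were never reported. The section headings ("Files to delete:" and so on) and the log line formats are the ones visible on this page; the function names parse_script, parse_log and reconcile are this example's own.

```python
"""Reconcile an Avenger deletion script against the avenger.txt log it produces.

Added example for this thread; not code from The Avenger or from Geeks to Go.
Section headings and log line formats are those shown in the posts above.
"""
import re

# Constructed sample input: the script posted for this user (two of its three keys).
SCRIPT = r"""
Files to delete:
C:\WINDOWS\system32\mnnmp.ini2
C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\krpeimxj.dll

Drivers to delete:
ddxgb

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E6982B8-A831-49C0-BEF7-6ECDE935E70D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36BB0C08-AD50-464A-ADCF-390DAA995231}
"""

# Constructed sample input: avenger.txt lines as posted, with the second
# registry key deliberately omitted to exercise the "unreported" case.
LOG = r"""
File "C:\WINDOWS\system32\mnnmp.ini2" deleted successfully.
File "C:\WINDOWS\system32\pmnnm.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\krpeimxj.dll" not found!
Deletion of file "C:\WINDOWS\system32\krpeimxj.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "ddxgb" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E6982B8-A831-49C0-BEF7-6ECDE935E70D}" deleted successfully.
"""

# Script section heading -> the kind word Avenger uses in its log lines.
SECTION_KIND = {
    "files to delete": "file",
    "drivers to delete": "driver",
    "registry keys to delete": "registry key",
}


def parse_script(text):
    """Return the (kind, target) pairs the script asks Avenger to delete."""
    requested, kind = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):                      # section heading
            kind = SECTION_KIND.get(line[:-1].lower())
            continue
        if kind is not None:                        # entry under a known section
            requested.append((kind, line))
    return requested


OK_RE = re.compile(r'^(File|Driver|Registry key) "([^"]+)" deleted successfully\.$')
ERR_RE = re.compile(r'^Error: (file|driver|registry key) "([^"]+)" (.+)!$')
FAIL_RE = re.compile(r'^Deletion of (file|driver|registry key) "([^"]+)" failed!$')


def parse_log(text):
    """Return {(kind, target): outcome}; outcome is 'deleted', 'failed', or the
    reason Avenger gave on its 'Error:' line (for example 'not found')."""
    outcome = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := OK_RE.match(line):
            outcome[(m.group(1).lower(), m.group(2))] = "deleted"
        elif m := ERR_RE.match(line):
            outcome[(m.group(1), m.group(2))] = m.group(3)
        elif m := FAIL_RE.match(line):
            # keep the more specific reason if an Error: line came first
            outcome.setdefault((m.group(1), m.group(2)), "failed")
    return outcome


def reconcile(script_text, log_text):
    """Compare what the script requested with what the log confirms."""
    report = {"deleted": [], "failed": {}, "unreported": []}
    outcome = parse_log(log_text)
    for kind, target in parse_script(script_text):
        result = outcome.get((kind, target))
        if result == "deleted":
            report["deleted"].append(target)
        elif result is None:
            report["unreported"].append(target)     # log never mentions it: re-check
        else:
            report["failed"][target] = result
    return report


if __name__ == "__main__":
    for section, items in reconcile(SCRIPT, LOG).items():
        print(f"{section}: {items}")
```

An item listed under "failed" with the reason "not found" (as krpeimxj.dll was in this thread) usually means an earlier scanner or the malware's own renaming already removed that file; an "unreported" item is the one to look at again in the next HijackThis or DSS log, because nothing in avenger.txt confirms it was touched.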

#5
Charger1640

    Member

  • Topic Starter
  • Member
  • 15 posts
The info you requested:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\mnnmp.ini2" deleted successfully.
File "C:\WINDOWS\system32\pmnnm.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\krpeimxj.dll" not found!
Deletion of file "C:\WINDOWS\system32\krpeimxj.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "ddxgb" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E6982B8-A831-49C0-BEF7-6ECDE935E70D}" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36BB0C08-AD50-464A-ADCF-390DAA995231}" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{50e6bad0-9ec7-4ab2-948b-200b1a429418}" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.





Malwarebytes' Anti-Malware 1.08
Database version: 493

Scan type: Quick Scan
Objects scanned: 62244
Time elapsed: 25 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\iDlo01 (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BSZIP.DLL (Trojan.Agent) -> Quarantined and deleted successfully.



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 15, 2008 6:06:02 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/03/2008
Kaspersky Anti-Virus database records: 631660
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan Statistics:
Total number of scanned objects: 332836
Number of viruses found: 14
Number of infected objects: 29
Number of suspicious objects: 3
Duration of the scan process: 04:19:23

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Pure Networks\Network Magic\Log\logfile.nmsrvc_exe.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\submissions.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{0184FC47-83AA-4BBF-BAE0-FB55559E6519}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{6BF5296E-EA13-41DA-88AC-783650CC8AB5}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{C5A89E11-02DA-4D81-A061-FDA0546CC835}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{FC3BDA4B-614C-4ADF-9F74-7BEAFD87226F}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-03-15_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\1BA9AA72.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\9CC654FE.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mark Horton\Application Data\Symantec\NPMDataStore\CIMStore.xml Object is locked skipped
C:\Documents and Settings\Mark Horton\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mark Horton\Desktop\Downloaded Programs\incredimail_install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.d skipped
C:\Documents and Settings\Mark Horton\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/12 Oct 2004 12:38 from Postmaster:Undeliverable Mail.eml/[From [email protected]][Date Tue, 12 Oct 2004 08:37:00 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Mark Horton\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/12 Oct 2004 12:38 from Postmaster:Undeliverable Mail.eml/[From [email protected]][Date Tue, 12 Oct 2004 08:37:00 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Mark Horton\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/12 Oct 2004 12:38 from Postmaster:Undeliverable Mail.eml Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Mark Horton\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/20 Apr 2005 19:26 from Mail Delivery System:Mail delivery failed.eml/[From "Hip" <[email protected]>][Date Wed, 20 Apr 2005 12:26:23 -0800]/UNNAMED/Price_new_16_04_05.zip/19_04_2005.exe Infected: Email-Worm.Win32.Bagle.bn skipped
C:\Documents and Settings\Mark Horton\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/20 Apr 2005 19:26 from Mail Delivery System:Mail delivery failed.eml/[From "Hip" <[email protected]>][Date Wed, 20 Apr 2005 12:26:23 -0800]/UNNAMED/Price_new_16_04_05.zip Infected: Email-Worm.Win32.Bagle.bn skipped
C:\Documents and Settings\Mark Horton\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/20 Apr 2005 19:26 from Mail Delivery System:Mail delivery failed.eml/[From "Hip" <[email protected]>][Date Wed, 20 Apr 2005 12:26:23 -0800]/UNNAMED Infected: Email-Worm.Win32.Bagle.bn skipped
C:\Documents and Settings\Mark Horton\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/20 Apr 2005 19:26 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.Bagle.bn skipped
C:\Documents and Settings\Mark Horton\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/26 Apr 2005 11:06 from Mail Delivery System:Mail delivery failed.eml/[From "Hip" <[email protected]>][Date Tue, 26 Apr 2005 18:14:04 -0800]/UNNAMED/Be_not_jealous.zip/19_04_2005.exe Infected: Email-Worm.Win32.Bagle.bn skipped
C:\Documents and Settings\Mark Horton\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/26 Apr 2005 11:06 from Mail Delivery System:Mail delivery failed.eml/[From "Hip" <[email protected]>][Date Tue, 26 Apr 2005 18:14:04 -0800]/UNNAMED/Be_not_jealous.zip Infected: Email-Worm.Win32.Bagle.bn skipped
C:\Documents and Settings\Mark Horton\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/26 Apr 2005 11:06 from Mail Delivery System:Mail delivery failed.eml/[From "Hip" <[email protected]>][Date Tue, 26 Apr 2005 18:14:04 -0800]/UNNAMED Infected: Email-Worm.Win32.Bagle.bn skipped
C:\Documents and Settings\Mark Horton\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/26 Apr 2005 11:06 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.Bagle.bn skipped
C:\Documents and Settings\Mark Horton\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Mail MS Mail: infected - 8, suspicious - 3 skipped
C:\Documents and Settings\Mark Horton\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mark Horton\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mark Horton\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mark Horton\Local Settings\Temp\clclean.0001.dir.0000\~efe2.tmp Object is locked skipped
C:\Documents and Settings\Mark Horton\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Mark Horton\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mark Horton\My Documents\Personal Folders(1).pst/Personal Folders/old mail/16 Dec 2001 22:06 from [email protected]:eBay End of Auction.eml Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Mark Horton\My Documents\Personal Folders(1).pst/Personal Folders/old mail/11 Dec 2001 23:25 from Joe:Re:/Humor.MP3.scr Infected: Email-Worm.Win32.BadtransII skipped
C:\Documents and Settings\Mark Horton\My Documents\Personal Folders(1).pst Mail MS Mail: infected - 2 skipped
C:\Documents and Settings\Mark Horton\ntuser.dat Object is locked skipped
C:\Documents and Settings\Mark Horton\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.d skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\164.tmp/data0003 Infected: Trojan.Win32.Scapur.k skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\164.tmp NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\164.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\168.tmp Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\171.tmp Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3B2.tmp Infected: not-a-virus:AdWare.Win32.Insider.d skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\419.tmp Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\43C.tmp/data0003 Infected: Trojan.Win32.Scapur.k skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\43C.tmp NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\43C.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\47D.tmp Infected: Trojan-Downloader.Win32.Agent.kha skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\4E1.tmp Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\55B.tmp Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\5D6.tmp Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000064.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4D8BC61D-3706-43B6-973F-9DC786C74506}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\Software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
K:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\change.log Object is locked skipped

Scan process completed.



Deckard's System Scanner v20071014.68
Run by Mark ******* on 2008-03-15 18:13:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mark *******.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:16 PM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
K:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\DOCUME~1\MARKHO~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Mark *******\Desktop\gtg\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MARKHO~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.n...a...&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ******* Internet Productions
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PDUiP6600DMon] "C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.xara.com
O15 - Trusted Zone: *.xaraonline.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.aka...vex-2.0.4.4.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1138114010296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142794898406
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/...x/AVCheckUp.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - K:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 14449 bytes

-- Files created between 2008-02-15 and 2008-03-15 -----------------------------

2008-03-15 13:17:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-15 13:17:38 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-15 13:17:38 0 d-------- C:\WINDOWS\LastGood
2008-03-15 12:39:08 0 d-------- C:\Documents and Settings\Mark *******\Application Data\Malwarebytes
2008-03-15 12:38:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-15 12:38:41 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-13 15:34:41 0 d-------- C:\Program Files\Common Files\Authentium
2008-03-13 15:33:37 0 d-------- C:\Documents and Settings\Mark *******\Application Data\iolo
2008-03-13 15:33:37 0 d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-03-13 14:54:10 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-03-13 10:05:21 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-03-13 10:04:53 0 d-------- C:\Program Files\Webroot
2008-03-13 10:04:53 0 d-------- C:\Documents and Settings\Mark *******\Application Data\Webroot
2008-03-13 10:04:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-13 10:02:47 164 --a------ C:\install.dat
2008-03-13 00:52:49 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-03-12 20:55:08 0 d-------- C:\System32
2008-03-12 20:50:25 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-03-12 19:44:25 0 d-------- C:\VundoFix Backups
2008-03-10 21:07:30 0 d-------- C:\Documents and Settings\Mark *******\Application Data\Symantec
2008-03-10 20:56:31 0 d-------- C:\Program Files\Windows Sidebar
2008-03-10 20:52:03 0 d-------- C:\Program Files\Norton Internet Security
2008-03-10 20:37:53 0 d-------- C:\Program Files\Symantec
2008-03-10 20:37:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-10 19:01:46 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-09 22:48:11 0 d-------- C:\WTablet
2008-03-09 22:42:14 0 d-------- C:\WINDOWS\system32\New Folder
2008-03-09 19:03:15 0 d-------- C:\Temp
2008-03-09 04:01:24 0 d-------- C:\Program Files\MSXML 6.0
2008-03-08 10:48:42 2516 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-03-08 10:48:42 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\E447EDAD8A.sys
2008-03-08 10:46:48 0 d-------- C:\Program Files\Common Files\Protexis
2008-03-08 10:39:31 0 d-------- C:\Program Files\Common Files\Corel
2008-02-28 07:16:41 0 d-------- C:\Documents and Settings\LocalService\Application Data\WTablet
2008-02-27 17:05:18 0 d-------- C:\Documents and Settings\Mark *******\Application Data\WTablet
2008-02-27 17:03:10 0 d-------- C:\WINDOWS\system32\WTablet
2008-02-27 17:03:04 0 d-------- C:\Program Files\Tablet
2008-02-24 17:44:59 1682 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-24 17:44:59 168 -rahs---- C:\WINDOWS\system32\E447EDAD8A.sys
2008-02-24 17:41:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-02-24 09:24:57 0 d-------- C:\Documents and Settings\All Users\Application Data\MAGIX
2008-02-24 09:24:46 24576 --a------ C:\WINDOWS\system32\TTIC32.dll <Not Verified; PoINT Software & Systems GmbH; TTIC32>
2008-02-24 09:24:46 24576 --a------ C:\WINDOWS\system32\TTI32.dll <Not Verified; PoINT Software & Systems GmbH; TTI32>
2008-02-24 09:24:46 32768 --a------ C:\WINDOWS\system32\STRING32.dll <Not Verified; PoINT Software & Systems GmbH; STRING32>
2008-02-24 09:24:46 430080 --a------ C:\WINDOWS\system32\MXRestore.exe <Not Verified; MAGIX AG; MAGIX Restore>
2008-02-24 09:24:46 57344 --a------ C:\WINDOWS\system32\DLLTPO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLTPO32>
2008-02-24 09:24:46 188416 --a------ C:\WINDOWS\system32\DLLRES32.dll <Not Verified; PoINT Software & Systems GmbH; DLLRES32>
2008-02-24 09:24:46 40960 --a------ C:\WINDOWS\system32\DLLRD32.dll <Not Verified; PoINT Software & Systems GmbH; DLLRD32>
2008-02-24 09:24:46 65536 --a------ C:\WINDOWS\system32\DLLPTL32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPTL32>
2008-02-24 09:24:46 53248 --a------ C:\WINDOWS\system32\DLLPRJ32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPRJ32>
2008-02-24 09:24:45 49152 --a------ C:\WINDOWS\system32\DLLPRF32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPRF32>
2008-02-24 09:24:45 36864 --a------ C:\WINDOWS\system32\DLLPNT32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPNT32>
2008-02-24 09:24:45 32768 --a------ C:\WINDOWS\system32\DLLMSC32.dll <Not Verified; PoINT Software & Systems GmbH; DLLMSC32>
2008-02-24 09:24:45 24576 --a------ C:\WINDOWS\system32\DLLIX.dll <Not Verified; PoINT Software & Systems GmbH; DLLIX>
2008-02-24 09:24:45 32768 --a------ C:\WINDOWS\system32\DLLISO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLISO32>
2008-02-24 09:24:45 53248 --a------ C:\WINDOWS\system32\DLLIO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLIO32>
2008-02-24 09:24:45 45056 --a------ C:\WINDOWS\system32\DLLIMG32.dll <Not Verified; PoINT Software & Systems GmbH; DLLIMG32>
2008-02-24 09:24:45 151552 --a------ C:\WINDOWS\system32\DLLDRV32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDRV32>
2008-02-24 09:24:45 32768 --a------ C:\WINDOWS\system32\DLLDIR32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDIR32>
2008-02-24 09:24:45 163840 --a------ C:\WINDOWS\system32\DLLDEV32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDEV32>
2008-02-24 09:24:45 94208 --a------ C:\WINDOWS\system32\DLLCPY32.dll <Not Verified; PoINT Software & Systems GmbH; DLLCPY32>
2008-02-24 09:24:45 61440 --a------ C:\WINDOWS\system32\DLLCDF32.dll <Not Verified; PoINT Software & Systems GmbH; DLLCDF32>
2008-02-24 09:24:45 114688 --a------ C:\WINDOWS\system32\DLLCDA32.dll <Not Verified; PoINT Software & Systems GmbH; PoINT CDarchive for Windows>
2008-02-24 09:24:45 487424 --a------ C:\WINDOWS\system32\DLLAV32.dll <Not Verified; PoINT Software & Systems GmbH; PoINT CD/DVD Audio/Video SDK for Windows>
2008-02-24 09:24:44 0 d-------- C:\Program Files\Common Files\MAGIX Shared
2008-02-24 09:24:05 120200 --a------ C:\WINDOWS\system32\DLLDEV32i.dll <Not Verified; ; DLLDEV32i>
2008-02-24 09:24:05 0 d-------- C:\Program Files\MAGIX
2008-02-24 09:23:09 700416 --a------ C:\WINDOWS\system32\mgxoschk.dll <Not Verified; MAGIX AG; mgxoschk>
2008-02-24 09:23:09 0 d-------- C:\WINDOWS\system32\MAGIX
2008-02-23 12:43:30 0 d-------- C:\Program Files\iPod


-- Find3M Report ---------------------------------------------------------------

2008-03-15 16:00:55 0 d-------- C:\Documents and Settings\Mark *******\Application Data\Newsbin
2008-03-14 20:39:14 0 d-------- C:\Program Files\Trend Micro
2008-03-13 15:34:41 0 d-------- C:\Program Files\Common Files
2008-03-13 09:30:13 0 d-------- C:\Program Files\Creative
2008-03-13 00:06:14 0 d-------- C:\Program Files\Common Files\Real
2008-03-13 00:03:20 0 d-------- C:\Documents and Settings\Mark *******\Application Data\Real
2008-03-08 10:48:44 0 d-------- C:\Documents and Settings\Mark *******\Application Data\Corel
2008-03-01 01:32:57 0 d-------- C:\Program Files\Online Services
2008-03-01 01:27:50 0 d-------- C:\Program Files\Dell
2008-03-01 01:27:16 0 d-------- C:\Program Files\EA SPORTS
2008-03-01 01:25:18 0 d-------- C:\Program Files\Azureus
2008-02-29 16:02:38 0 d-------- C:\Program Files\Microsoft Works
2008-02-29 15:54:51 0 d-------- C:\Program Files\MasqueGames
2008-02-29 15:54:00 0 d-------- C:\Program Files\America's Army
2008-02-29 15:53:52 0 d-------- C:\Program Files\America's Army Server Manager
2008-02-27 17:26:26 0 d-------- C:\Documents and Settings\Mark *******\Application Data\Apple Computer
2008-02-23 12:46:53 0 d-------- C:\Program Files\iTunes
2008-02-23 12:35:30 0 d-------- C:\Program Files\QuickTime
2008-02-14 22:03:38 0 d-------- C:\Program Files\Employee Scheduling
2008-02-10 08:42:16 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-09 16:21:37 0 d-------- C:\Program Files\D-Link Media Server
2008-02-08 15:55:14 0 d-------- C:\Documents and Settings\Mark *******\Application Data\ZoomBrowser EX
2008-02-08 15:41:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-08 15:40:49 0 d-------- C:\Program Files\Canon
2008-02-08 15:35:54 0 d-------- C:\Program Files\Common Files\Canon
2008-02-08 10:13:19 0 d-------- C:\Program Files\Quicken
2008-02-08 10:10:27 0 d-------- C:\Program Files\TurboTax
2008-02-02 11:33:19 0 d-------- C:\Documents and Settings\Mark *******\Application Data\Intuit
2008-02-02 11:25:32 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-02 08:34:02 0 d-------- C:\Documents and Settings\Mark *******\Application Data\AKVIS LLC
2008-02-02 08:01:30 0 d-------- C:\Program Files\AKVIS
2008-02-01 22:36:49 0 d-------- C:\Documents and Settings\Mark *******\Application Data\Azureus
2008-01-18 23:01:52 763 --a------ C:\WINDOWS\eReg.dat
2008-01-18 20:56:58 0 d-------- C:\Program Files\EA GAMES
2008-01-18 01:07:05 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-01-18 01:03:20 0 d-------- C:\Program Files\ATI Technologies
2008-01-17 22:00:28 0 d-------- C:\Program Files\Game Elements
2008-01-07 07:15:42 22288 --a------ C:\Documents and Settings\Mark *******\Application Data\wklnhst.dat
2007-12-20 22:05:00 593920 --a------ C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
08/24/2007 11:51 PM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
03/10/2008 09:57 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [08/24/2007 11:51 PM 316784]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 04:01 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 11:05 PM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 10:12 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 06:19 PM]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [09/15/2005 11:47 AM]
"MBMon"="CTMBHA.DLL" [05/19/2005 10:54 AM C:\WINDOWS\system32\CTMBHA.DLL]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 12:44 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 12:44 PM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [08/30/2005 06:30 PM]
"BuildBU"="c:\dell\bldbubg.exe" [01/18/2006 11:47 AM]
"@"="" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [05/31/2005 06:33 AM]
"PDUiP6600DMon"="C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [05/25/2005 10:35 AM]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [11/01/2006 01:04 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 02:10 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/14/2008 11:01 AM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [08/25/2007 12:53 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [12/22/2004 07:40 PM C:\WINDOWS\MIDIDEF.EXE]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [12/02/2004 08:23 PM]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [04/11/2006 08:39 PM]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe" [12/20/2006 01:38 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 07:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/18/2007 05:54 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [1/27/2006 12:54:24 PM]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [1/24/2006 7:00:06 PM]
HotSync Manager.lnk - C:\Program Files\Handspring\Hotsync.exe [6/9/2004 2:16:08 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnnm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

#6
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to reconnect your machine to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double-click on combofix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

And let me know how your computer is behaving now.

Regards,
RatHat

#7
Charger1640
    Member
  • Topic Starter
  • Member
  • 15 posts
RatHat,

I did not proceed because I am unable to turn off Trend Micro PC-cillin real-time scanning, because I no longer have the password to make changes to it. Any advice?

Charger1640

#8
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
OK, let's try a different approach.

Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the box that says Include MD5
  • Check the radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Check the radio button under Rootkit Search for Yes
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Word Wrap is not checked. If it is, click on it to uncheck it.

If the log is too large to post, please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


#9
Charger1640
    Member
  • Topic Starter
  • Member
  • 15 posts
Your files attached:

Attached File: CatchMe2.txt (55.65KB, 80 downloads)
Attached File: OTScanIt2.Txt (301.59KB, 65 downloads)

#10
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
Start OTScanIt.exe. Copy/paste the information in the code box below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Processes - Non-Microsoft Only]
YN -> clclean.0001 -> %SystemDrive%\DOCUME~1\MARKHO~1\LOCALS~1\Temp\clclean.000
[Registry - Non-Microsoft Only]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B}[HKEY_LOCAL_MACHINE] -> http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.4.4.cab[DownloadManager Control]
YN -> {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B}[HKEY_LOCAL_MACHINE] -> http://launch.gamespyarcade.com/software/launch/alaunch.cab[Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Created Within 90 days]
NY -> E447EDAD8A.sys -> %SystemRoot%\System32\E447EDAD8A.sys
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> mnnmp.ini -> %SystemRoot%\System32\mnnmp.ini
NY -> unvckami.ini -> %SystemRoot%\System32\unvckami.ini
NY -> mgxoschk.ini -> %SystemRoot%\mgxoschk.ini
NY -> pskt.ini -> %SystemRoot%\pskt.ini
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
NY -> C:\Documents and Settings\Mark ******\Application Data\Newsbin\Newsbin.nbi:Version 8 bytes -> 
NY -> C:\Documents and Settings\Mark ******\Application Data\Newsbin\Newsbin.nbi.bak:Version 8 bytes -> 
[Extra Files]
C:\Documents and Settings\Mark Horton\Desktop\Downloaded Programs\incredimail_install.exe
C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe
Purity
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log.

Let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Regards,
RatHat
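
As an added triage example (not the thread's own code, and not part of OTScanIt, HijackThis or DSS), the Python script below checks for the two Vundo traits visible in these logs: the extra DLL on the LSA "Authentication Packages" value in the earlier registry dump, and the companion .ini whose name is the DLL name spelled backwards (pmnnm.dll and mnnmp.ini in the fix list above). The registry excerpt and system32 listing it runs on are constructed from names that appear in the thread.

```python
r"""Added triage example (not the thread's own code, nor part of OTScanIt,
HijackThis or DSS): flag two Vundo traits that are visible in this thread.

1. An extra DLL appended to the LSA "Authentication Packages" value. The
   registry dump in the thread shows
       "Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnnm.dll
   On Windows XP the stock value is msv1_0 alone; an added DLL is loaded into
   lsass.exe at every boot, which is why deleting the file alone does not hold.
2. A companion .ini whose base name is the DLL name spelled backwards
   (pmnnm.dll <-> mnnmp.ini, both named in the thread). Vundo variants of
   this era used that pairing, so the pair itself is a strong indicator.

All sample data below is constructed from names that appear in the thread.
"""
import re

# Stock LSA authentication package on Windows XP; anything else is suspect.
KNOWN_AUTH_PACKAGES = {"msv1_0"}

# Matches the value line as DSS prints it:  "Authentication Packages"= a b c
AUTH_PKG_RE = re.compile(r'"Authentication Packages"\s*=\s*(.+?)\s*$', re.IGNORECASE)


def parse_auth_packages(dump_text):
    """Return the whitespace-separated entries of the LSA value, or [] if absent."""
    for line in dump_text.splitlines():
        match = AUTH_PKG_RE.search(line)
        if match:
            return match.group(1).split()
    return []


def _base_name(entry):
    """'C:\\WINDOWS\\system32\\pmnnm.dll' -> 'pmnnm'; 'msv1_0' -> 'msv1_0'."""
    name = entry.replace("/", "\\").rsplit("\\", 1)[-1]
    return re.sub(r"\.dll$", "", name, flags=re.IGNORECASE).lower()


def unexpected_auth_packages(dump_text):
    """Entries of the LSA value that are not the stock msv1_0."""
    return [e for e in parse_auth_packages(dump_text)
            if _base_name(e) not in KNOWN_AUTH_PACKAGES]


def reversed_name_pairs(filenames):
    """(dll, ini) pairs where the .ini stem is the .dll stem reversed.

    A palindromic stem (abba.dll / abba.ini) is skipped: a config file that
    simply shares its DLL's name is normal and is not the Vundo pattern.
    """
    names = {n.lower() for n in filenames}
    pairs = []
    for name in sorted(names):
        if not name.endswith(".dll"):
            continue
        stem = name[:-4]
        twin = stem[::-1] + ".ini"
        if stem != stem[::-1] and twin in names:
            pairs.append((name, twin))
    return pairs


def triage(dump_text, filenames):
    """Human-readable findings for both checks; an empty list means nothing flagged."""
    findings = []
    for entry in unexpected_auth_packages(dump_text):
        findings.append("LSA Authentication Packages loads a non-stock entry: " + entry)
    for dll, ini in reversed_name_pairs(filenames):
        findings.append("Reversed-name companion pair (Vundo trait): %s <-> %s" % (dll, ini))
    return findings


# Constructed registry-dump excerpt in DSS format, built from lines in the thread.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnnm.dll
"""

# Constructed system32 listing: stock files, the Vundo pair from the thread,
# one .ini from the fix list with no reversed twin (unvckami.ini), and a
# legitimate same-name dll/ini pair that must not be flagged.
SAMPLE_SYSTEM32 = [
    "kernel32.dll", "msv1_0.dll", "CTMBHA.DLL", "TTIC32.dll",
    "pmnnm.dll", "mnnmp.ini", "unvckami.ini", "abba.dll", "abba.ini",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_DUMP, SAMPLE_SYSTEM32):
        print("[!]", finding)
```

The reversed-name check only catches the pair when both files are listed, so an orphaned .ini such as unvckami.ini is left for manual review.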

#11
Charger1640
    Member
  • Topic Starter
  • Member
  • 15 posts
Hi RatHat,

Computer is running fast now. I will post the logs you asked for shortly.

A few weird things are happening:

My Outlook Express keeps crashing with a runtime error for msimn.exe.
I believe this is one of the files we deleted early on.

When starting my employee scheduling program, a Windows box pops up to begin installing QuickBooks (already installed and not related to the other program). It goes away after cancelling it a few times.

I had some trials of Corel software that are now showing expired even though I should have a few more weeks of use. Re-installed, but they still show expired. Not a big concern if nothing can be done for this.

Thanks again for all your help.

Charger1640

#12
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
We haven't deleted msimn.exe or any files which would cause these errors. Let's have a look at the logs and see what they show.

Regards,
RatHat

#13
Charger1640
    Member
  • Topic Starter
  • Member
  • 15 posts
RatHat,

Logs you requested:

[Processes - Non-Microsoft Only]
Process clclean.0001 killed successfully.
[Registry - Non-Microsoft Only]
Starting removal of ActiveX control {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B}
C:\WINDOWS\Downloaded Program Files\DownloadManagerV2.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B}\ deleted successfully.
Starting removal of ActiveX control {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B}\ not found.
[Files/Folders - Created Within 90 days]
C:\WINDOWS\System32\E447EDAD8A.sys moved successfully.
C:\WINDOWS\System32\mnnmp.ini moved successfully.
C:\WINDOWS\System32\unvckami.ini moved successfully.
C:\WINDOWS\mgxoschk.ini moved successfully.
C:\WINDOWS\pskt.ini moved successfully.
[Extra Files]
< C:\Documents and Settings\Mark ******\Desktop\Downloaded Programs\incredimail_install.exe >
C:\Documents and Settings\Mark ******\Desktop\Downloaded Programs\incredimail_install.exe moved successfully.
< C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe >
C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe moved successfully.
< Purity >
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Mark ******\Local Settings\Temp\clclean.0001.dir.0001\~df394b.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mark ******\Local Settings\Temp\clclean.0001.dir.0001\~efe2.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mark ******\Local Settings\Temporary Internet Files\Content.IE5\U4EBZAHP\iframe[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mark ******\Local Settings\Temporary Internet Files\Content.IE5\0DG2EK6B\Stubborn-Vundo-Infection-can-anyone-help-t191113[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mark ******\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mark ******\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.5.2 fix logfile created on 03162008_075025


Deckard's System Scanner v20071014.68
Run by Mark ****** on 2008-03-16 17:26:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mark ******.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:18 PM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
K:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\DOCUME~1\MARKHO~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Mark ******\Desktop\gtg\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MARKHO~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.n...a...&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ****** Internet Productions
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PDUiP6600DMon] "C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.xara.com
O15 - Trusted Zone: *.xaraonline.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} - http://dlmanager.aka...vex-2.0.4.4.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1138114010296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142794898406
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/...x/AVCheckUp.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - K:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 14615 bytes

-- Files created between 2008-02-16 and 2008-03-16 -----------------------------

2008-03-16 08:58:04 168 -r-hs---- C:\WINDOWS\system32\E447EDAD8A.sys
2008-03-15 13:17:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-15 13:17:38 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-15 12:39:08 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Malwarebytes
2008-03-15 12:38:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-15 12:38:41 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-13 15:34:41 0 d-------- C:\Program Files\Common Files\Authentium
2008-03-13 15:33:37 0 d-------- C:\Documents and Settings\Mark ******\Application Data\iolo
2008-03-13 15:33:37 0 d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-03-13 14:54:10 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-03-13 10:05:21 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-03-13 10:04:53 0 d-------- C:\Program Files\Webroot
2008-03-13 10:04:53 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Webroot
2008-03-13 10:04:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-13 10:02:47 164 --a------ C:\install.dat
2008-03-13 00:52:49 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-03-12 20:55:08 0 d-------- C:\System32
2008-03-12 20:50:25 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-03-12 19:44:25 0 d-------- C:\VundoFix Backups
2008-03-10 21:07:30 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Symantec
2008-03-10 20:56:31 0 d-------- C:\Program Files\Windows Sidebar
2008-03-10 20:52:03 0 d-------- C:\Program Files\Norton Internet Security
2008-03-10 20:37:53 0 d-------- C:\Program Files\Symantec
2008-03-10 20:37:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-10 19:01:46 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-09 22:48:11 0 d-------- C:\WTablet
2008-03-09 22:42:14 0 d-------- C:\WINDOWS\system32\New Folder
2008-03-09 19:03:15 0 d-------- C:\Temp
2008-03-09 04:01:24 0 d-------- C:\Program Files\MSXML 6.0
2008-03-08 10:48:42 2516 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-03-08 10:48:42 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\E447EDAD8A.sys
2008-03-08 10:46:48 0 d-------- C:\Program Files\Common Files\Protexis
2008-03-08 10:39:31 0 d-------- C:\Program Files\Common Files\Corel
2008-02-28 07:16:41 0 d-------- C:\Documents and Settings\LocalService\Application Data\WTablet
2008-02-27 17:05:18 0 d-------- C:\Documents and Settings\Mark ******\Application Data\WTablet
2008-02-27 17:03:10 0 d-------- C:\WINDOWS\system32\WTablet
2008-02-27 17:03:04 0 d-------- C:\Program Files\Tablet
2008-02-24 17:44:59 1682 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-24 17:41:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-02-24 09:24:57 0 d-------- C:\Documents and Settings\All Users\Application Data\MAGIX
2008-02-24 09:24:46 24576 --a------ C:\WINDOWS\system32\TTIC32.dll <Not Verified; PoINT Software & Systems GmbH; TTIC32>
2008-02-24 09:24:46 24576 --a------ C:\WINDOWS\system32\TTI32.dll <Not Verified; PoINT Software & Systems GmbH; TTI32>
2008-02-24 09:24:46 32768 --a------ C:\WINDOWS\system32\STRING32.dll <Not Verified; PoINT Software & Systems GmbH; STRING32>
2008-02-24 09:24:46 430080 --a------ C:\WINDOWS\system32\MXRestore.exe <Not Verified; MAGIX AG; MAGIX Restore>
2008-02-24 09:24:46 57344 --a------ C:\WINDOWS\system32\DLLTPO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLTPO32>
2008-02-24 09:24:46 188416 --a------ C:\WINDOWS\system32\DLLRES32.dll <Not Verified; PoINT Software & Systems GmbH; DLLRES32>
2008-02-24 09:24:46 40960 --a------ C:\WINDOWS\system32\DLLRD32.dll <Not Verified; PoINT Software & Systems GmbH; DLLRD32>
2008-02-24 09:24:46 65536 --a------ C:\WINDOWS\system32\DLLPTL32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPTL32>
2008-02-24 09:24:46 53248 --a------ C:\WINDOWS\system32\DLLPRJ32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPRJ32>
2008-02-24 09:24:45 49152 --a------ C:\WINDOWS\system32\DLLPRF32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPRF32>
2008-02-24 09:24:45 36864 --a------ C:\WINDOWS\system32\DLLPNT32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPNT32>
2008-02-24 09:24:45 32768 --a------ C:\WINDOWS\system32\DLLMSC32.dll <Not Verified; PoINT Software & Systems GmbH; DLLMSC32>
2008-02-24 09:24:45 24576 --a------ C:\WINDOWS\system32\DLLIX.dll <Not Verified; PoINT Software & Systems GmbH; DLLIX>
2008-02-24 09:24:45 32768 --a------ C:\WINDOWS\system32\DLLISO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLISO32>
2008-02-24 09:24:45 53248 --a------ C:\WINDOWS\system32\DLLIO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLIO32>
2008-02-24 09:24:45 45056 --a------ C:\WINDOWS\system32\DLLIMG32.dll <Not Verified; PoINT Software & Systems GmbH; DLLIMG32>
2008-02-24 09:24:45 151552 --a------ C:\WINDOWS\system32\DLLDRV32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDRV32>
2008-02-24 09:24:45 32768 --a------ C:\WINDOWS\system32\DLLDIR32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDIR32>
2008-02-24 09:24:45 163840 --a------ C:\WINDOWS\system32\DLLDEV32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDEV32>
2008-02-24 09:24:45 94208 --a------ C:\WINDOWS\system32\DLLCPY32.dll <Not Verified; PoINT Software & Systems GmbH; DLLCPY32>
2008-02-24 09:24:45 61440 --a------ C:\WINDOWS\system32\DLLCDF32.dll <Not Verified; PoINT Software & Systems GmbH; DLLCDF32>
2008-02-24 09:24:45 114688 --a------ C:\WINDOWS\system32\DLLCDA32.dll <Not Verified; PoINT Software & Systems GmbH; PoINT CDarchive for Windows>
2008-02-24 09:24:45 487424 --a------ C:\WINDOWS\system32\DLLAV32.dll <Not Verified; PoINT Software & Systems GmbH; PoINT CD/DVD Audio/Video SDK for Windows>
2008-02-24 09:24:44 0 d-------- C:\Program Files\Common Files\MAGIX Shared
2008-02-24 09:24:05 120200 --a------ C:\WINDOWS\system32\DLLDEV32i.dll <Not Verified; ; DLLDEV32i>
2008-02-24 09:24:05 0 d-------- C:\Program Files\MAGIX
2008-02-24 09:23:09 700416 --a------ C:\WINDOWS\system32\mgxoschk.dll <Not Verified; MAGIX AG; mgxoschk>
2008-02-24 09:23:09 0 d-------- C:\WINDOWS\system32\MAGIX
2008-02-23 12:43:30 0 d-------- C:\Program Files\iPod


-- Find3M Report ---------------------------------------------------------------

2008-03-16 17:18:20 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Newsbin
2008-03-16 15:26:00 0 d-------- C:\Program Files\Employee Scheduling
2008-03-16 09:18:41 22370 --a------ C:\Documents and Settings\Mark ******\Application Data\wklnhst.dat
2008-03-14 20:39:14 0 d-------- C:\Program Files\Trend Micro
2008-03-13 15:34:41 0 d-------- C:\Program Files\Common Files
2008-03-13 09:30:13 0 d-------- C:\Program Files\Creative
2008-03-13 00:06:14 0 d-------- C:\Program Files\Common Files\Real
2008-03-13 00:03:20 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Real
2008-03-08 10:48:44 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Corel
2008-03-01 01:32:57 0 d-------- C:\Program Files\Online Services
2008-03-01 01:27:50 0 d-------- C:\Program Files\Dell
2008-03-01 01:27:16 0 d-------- C:\Program Files\EA SPORTS
2008-03-01 01:25:18 0 d-------- C:\Program Files\Azureus
2008-02-29 16:02:38 0 d-------- C:\Program Files\Microsoft Works
2008-02-29 15:54:51 0 d-------- C:\Program Files\MasqueGames
2008-02-29 15:54:00 0 d-------- C:\Program Files\America's Army
2008-02-29 15:53:52 0 d-------- C:\Program Files\America's Army Server Manager
2008-02-27 17:26:26 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Apple Computer
2008-02-23 12:46:53 0 d-------- C:\Program Files\iTunes
2008-02-23 12:35:30 0 d-------- C:\Program Files\QuickTime
2008-02-10 08:42:16 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-09 16:21:37 0 d-------- C:\Program Files\D-Link Media Server
2008-02-08 15:55:14 0 d-------- C:\Documents and Settings\Mark ******\Application Data\ZoomBrowser EX
2008-02-08 15:41:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-08 15:40:49 0 d-------- C:\Program Files\Canon
2008-02-08 15:35:54 0 d-------- C:\Program Files\Common Files\Canon
2008-02-08 10:13:19 0 d-------- C:\Program Files\Quicken
2008-02-08 10:10:27 0 d-------- C:\Program Files\TurboTax
2008-02-02 11:33:19 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Intuit
2008-02-02 11:25:32 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-02 08:34:02 0 d-------- C:\Documents and Settings\Mark ******\Application Data\AKVIS LLC
2008-02-02 08:01:30 0 d-------- C:\Program Files\AKVIS
2008-02-01 22:36:49 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Azureus
2008-01-18 23:01:52 763 --a------ C:\WINDOWS\eReg.dat
2008-01-18 20:56:58 0 d-------- C:\Program Files\EA GAMES
2008-01-18 01:07:05 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-01-18 01:03:20 0 d-------- C:\Program Files\ATI Technologies
2008-01-17 22:00:28 0 d-------- C:\Program Files\Game Elements
2007-12-20 22:05:00 593920 --a------ C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
08/24/2007 11:51 PM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
03/10/2008 09:57 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [08/24/2007 11:51 PM 316784]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 04:01 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 11:05 PM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 10:12 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 06:19 PM]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [09/15/2005 11:47 AM]
"MBMon"="CTMBHA.DLL" [05/19/2005 10:54 AM C:\WINDOWS\system32\CTMBHA.DLL]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 12:44 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 12:44 PM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [08/30/2005 06:30 PM]
"BuildBU"="c:\dell\bldbubg.exe" [01/18/2006 11:47 AM]
"@"="" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [05/31/2005 06:33 AM]
"PDUiP6600DMon"="C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [05/25/2005 10:35 AM]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [11/01/2006 01:04 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 02:10 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/14/2008 11:01 AM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [08/25/2007 12:53 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [12/22/2004 07:40 PM C:\WINDOWS\MIDIDEF.EXE]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [12/02/2004 08:23 PM]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [04/11/2006 08:39 PM]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe" [12/20/2006 01:38 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 07:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/18/2007 05:54 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [1/27/2006 12:54:24 PM]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [1/24/2006 7:00:06 PM]
HotSync Manager.lnk - C:\Program Files\Handspring\Hotsync.exe [6/9/2004 2:16:08 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnnm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-03-16 17:26:50 ------------
  • 0

#14
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please copy the entire contents of the codebox below into Notepad:
  • Open Notepad
  • Copy the contents of the codebox below using CTRL C

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6D,73,76,31,5F,30,00,00
  • Now return to Notepad and use CTRL V to paste the script
  • Verify that you have pasted the complete script
  • Save the Notepad file to your Desktop as FixReg.reg using Save as Type: All files
  • Locate FixReg.reg on your desktop
  • Double click to run, and when prompted Allow the file to merge with your registry
  • OK your way out.

After that, Reboot. And post me a fresh DSS log.

Regards,
RatHat
  • 0
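As an added example (not part of RatHat's post and not from any of the tools in this thread), a short Python script that shows what the fix above actually does: it reads the LSA "Authentication Packages" line as DSS prints it in its Registry Dump, flags any entry that is not the Windows XP default msv1_0 (the allow-list is an assumption for XP), and regenerates the REGEDIT4 hex(7) byte list so you can confirm that 6D,73,76,31,5F,30,00,00 decodes to exactly "msv1_0". The sample log lines are constructed from the dump above.

```python
"""Added example, not from the thread: inspect the LSA Authentication Packages
value from a DSS Registry Dump and rebuild the REGEDIT4 fix for it."""
import re

# Assumption: on Windows XP the only default LSA authentication package is msv1_0.
# Every DLL listed here is loaded by lsass.exe at boot, which is why a Vundo DLL
# registered in this value comes back after a reboot even when the file is deleted.
DEFAULT_AUTH_PACKAGES = ("msv1_0",)

# Constructed samples: the DSS line from the log above, plus a clean one to compare.
SAMPLE_INFECTED = '"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\pmnnm.dll'
SAMPLE_CLEAN = '"Authentication Packages"= msv1_0'


def parse_dss_auth_packages(line):
    """Return the package entries from a DSS registry-dump line.
    DSS prints the REG_MULTI_SZ entries space-separated after the '=' sign,
    so a path containing spaces would need manual inspection."""
    m = re.match(r'\s*"Authentication Packages"\s*=\s*(.*)$', line)
    if not m:
        raise ValueError("not an Authentication Packages line: %r" % line)
    return m.group(1).split()


def suspicious_auth_packages(packages, allowed=DEFAULT_AUTH_PACKAGES):
    """Entries not on the allow-list. Case-insensitive, ignores any directory
    part and a trailing .dll, so 'msv1_0', 'MSV1_0' and 'msv1_0.dll' are default."""
    allowed_lc = {a.lower() for a in allowed}
    flagged = []
    for entry in packages:
        name = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name.endswith(".dll"):
            name = name[:-4]
        if name not in allowed_lc:
            flagged.append(entry)
    return flagged


def reg_multi_sz_hex(values):
    """Encode strings as a REGEDIT4 hex(7) (REG_MULTI_SZ) byte list.
    REGEDIT4 files are ANSI: one byte per character, each string ends in a
    NUL, and one more NUL terminates the whole list."""
    data = b"".join(v.encode("ascii") + b"\x00" for v in values) + b"\x00"
    return ",".join("%02X" % b for b in data)


def decode_multi_sz_hex(hex_list):
    """Inverse of reg_multi_sz_hex: check what a posted .reg fix really sets."""
    data = bytes(int(h, 16) for h in hex_list.replace(" ", "").split(","))
    return [s.decode("ascii") for s in data.split(b"\x00") if s]


def build_fix_reg(values=DEFAULT_AUTH_PACKAGES):
    """Produce a REGEDIT4 file body that resets the value to exactly `values`."""
    return (
        "REGEDIT4\n\n"
        "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]\n"
        '"Authentication Packages"=hex(7):' + reg_multi_sz_hex(values) + "\n"
    )


if __name__ == "__main__":
    for line in (SAMPLE_INFECTED, SAMPLE_CLEAN):
        pkgs = parse_dss_auth_packages(line)
        print(line)
        print("  packages:", pkgs, "-> suspicious:", suspicious_auth_packages(pkgs) or "none")
    print(build_fix_reg())
```

Running it prints the flagged pmnnm.dll entry for the infected sample and a .reg body identical to the one in the codebox above.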

#15
Charger1640

Charger1640

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I have a question before I begin this. My computer downloaded three updates from Microsoft today - will this affect the registry edits that you gave me in the last post?

Thanks
  • 0
