Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Lost Control Panel and Admin access. Link now on desktop [RESOLVED]

Started by GoodDoctor , Mar 19 2008 03:51 PM

  • This topic is locked This topic is locked

#1
GoodDoctor
Posted 19 March 2008 - 03:51 PM

GoodDoctor

    Member

  • Member
  • PipPip
  • 18 posts
Hello, I will truly appreciate anyone's time in helping me.

I picked up what I assume is malware. I began receiving pop ups for antispyware programs and have an internet link to a website for antispyware now on my desktop. I also realized I can not get to my control panel. I have read about this on doing internet searches and it seems to be pretty common.

I used symantec antivirus which deleted the problem as well as using superantispyware which also deleted "infections." I still can not use my control panel and I have an error message that says I need to contact my administrator.

I went through all the steps prior to posting this as directed,

1) The computer will not allow the ATF-cleaner to run.

2) I am not allowed to do a system restore.

3) I downloaded the AVG anti-spyware but I am not allowed to update it as directed. No Reports were generated by the scan.

4) I already had superantispyware and I have the results from it.

5) Panda soft recognized spyware but it apparently does not work on spyware.

6) I did the windows update. Seems to have worked.

I will post my results here and hope I am doing this correctly as I am not great with computers.

Hope I approached this correctly and I appologize in advance if I have not. Thank you for your help.

1998 Grolier Multimedia Encyclopedia
Ad-Aware 2007
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Photoshop Elements
ArcSoft PhotoImpression 3.0
AVG Anti-Spyware 7.5
Canon Digital Camera USB WIA Driver
Canon PhotoRecord
Canon Utilities PhotoStitch 3.1
Canon Utilities RAW Image Converter
Canon Utilities RemoteCapture 2.1
Canon Utilities ZoomBrowser EX
CCWare version 2.5
Creative MediaSource 5
Creative Software AutoUpdate
Creative System Information
DATA BECKER Complete Calendar Kit
Dell Printer Software Uninstall
Dentrix 9.0
Dentrix Practice Assistant
Diskeeper Server Standard Edition
Do More - Home
Documents To Go
DYMO Label Software
Easy CD Creator 5 Basic
EPSON Printer Software
EPSON Scan Server
GTW V.92 Voicemodem
HelpSpot
HijackThis 2.0.2
Ink Monitor
Intel® PRO Ethernet Adapter and Software
Intel® PROSet II
Intellisync Lite
Lernout & Hauspie TruVoice American English TTS Engine
Linksys EasyLink Advisor 1.5 (1044)
LiveReg (Symantec Corporation)
LiveUpdate 2.0 (Symantec Corporation)
Logitech Desktop Messenger
Logitech iTouch Software
Logitech MouseWare 9.79
Logitech Resource Center
Macromedia Flash Player
Microsoft .NET Framework 1.1
Microsoft Bookshelf 1996-97
Microsoft Bookshelf 1998 (Remove ONLY)
Microsoft Creative Writer 2
Microsoft Encarta 97 Encyclopedia
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Office Outlook 2003
Microsoft Office XP Standard for Students and Teachers
Microsoft Picture It! Photo 2002
Microsoft Web Publishing Wizard 1.52
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
MonacoEZcolor 2.1
MUSICMATCH® Jukebox
Network Play System (Patching)
NIS eTrans 2.1
NVIDIA Drivers
NVIDIA Windows 2000/XP Display Drivers
Panda ActiveScan
Panda ActiveScan Pro
PC-Doctor for Windows
PhoneTools
PS/2 Millennium Keyboard
QuickBooks Basic 2005
QuickTime
QuickTime for Windows (32-bit)
Really Wild Animals Swinging Safari
Shadow Copy Client
Shockwave
SilverFast TWAIN
Sound Blaster Audigy
Sound Blaster Audigy
SUPERAntiSpyware Free Edition
Symantec AntiVirus
The Print Shop
The Sims
Update for Windows XP (KB898461)
Viewpoint Media Player (Remove Only)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
World Atlas 6.0 Version 6.0.2
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Toolbar

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:25:28 PM, on 3/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINNT\system32\Rundll32.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://DELL2800:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\mgmrwmrv.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI05E6~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1205963362166
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1205963542947
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoft...5/asproinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = FLINNDENTAL.local
O17 - HKLM\Software\..\Telephony: DomainName = FLINNDENTAL.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = FLINNDENTAL.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = FLINNDENTAL.local
O20 - AppInit_DLLs: C:\WINNT\system32\sol718.txt
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9807 bytes




Incident Status Location

Adware:adware/startpage.aco Not disinfected c:\winnt\system32\ntnut32.exe
Spyware:spyware/fastsearchweb Not disinfected c:\winnt\system32\shdocpe.dll
Adware:adware/123mania Not disinfected c:\winnt\system32\SIPSPI32.dll
Adware:adware/tubby Not disinfected c:\winnt\system32\WER8274.DLL
Adware:adware/ncase Not disinfected c:\winnt\didduid.ini
Adware:adware/topconvert Not disinfected c:\winnt\updatetc.exe
Adware:adware/portalscan Not disinfected c:\program files\stc
Adware:adware/surfassistant Not disinfected Windows Registry
Adware:adware/powerstrip Not disinfected Windows Registry
Adware:adware/adlogix Not disinfected Windows Registry
Spyware:spyware/searchcentrix Not disinfected Windows Registry
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@atdmt[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@com[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@did-it[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@go[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\administrator\Cookies\administrator@go[2].txt
Possible Virus. Not disinfected C:\Documents and Settings\Default User\Local Settings\Temp\AolCoach.cab[.\Data\Player\AolNySEV.exe]
Possible Virus. Not disinfected C:\Documents and Settings\kzimmermAN\Local Settings\Temp\AolCoach.cab[.\Data\Player\AolNySEV.exe]
Possible Virus. Not disinfected C:\Documents and Settings\mflinn\Local Settings\Temp\AolCoach.cab[.\Data\Player\AolNySEV.exe]
Possible Virus. Not disinfected C:\Documents and Settings\op\Local Settings\Temp\AolCoach.cab[.\Data\Player\AolNySEV.exe]
Possible Virus. Not disinfected C:\WINNT\system32\config\systemprofile\Local Settings\Temp\AolCoach.cab[.\Data\Player\AolNySEV.exe]
  • 0

Advertisements

#2
RatHat
Posted 19 March 2008 - 09:05 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

Next, I would like to make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next post, please include:
  • The MBAM report
  • The contents of Combofix.txt
  • The contents of Kaspersky.txt

Regards,
RatHat
  • 0

#3
GoodDoctor
Posted 20 March 2008 - 11:58 AM

GoodDoctor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Thank you very much for helping me through this process. I truly appreciate it.

I am having problems completing all the tasks however. I completed everything successfully up to the point of Combofix. I will post the results of the mbam log.

I downloaded combofix and it opened the window and said it was scanning, process usually takes 10 min..... and so on. I waited about an hour and it just never changed so I closed the window. My computer then froze completely and would not shut down so I had to unplug it and restart the computer. I redownloaded it and saved it to my desktop since the first time I just ran it. This time when I tried to run it the screen changed to an error message explaining some stuff and at the bottom and it said "begin physical dump of memory" and proceded to start to what I assume is dump physical memory. At this point I panicked, tried to stop it and the only way I could was to again unplug the computer.

I turned it back on and everything seems fine and there was a microsoft windows message that said, the system has recovererd from a serious error.

I hope I am not a complete idiot and causing more problems.

I then tried to run the Kaspersky Webscanner and it tried to update and it said, "update failed-no further actions can be taken."

I am beginning to get very nervous about what is on my computer and what should I be doing to protect my documents as well as my personal information?

Thank you again for your time and patients.

Hijack log completed after all of the above actions:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31, on 2008-03-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINNT\system32\Rundll32.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://DELL2800:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\mgmrwmrv.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI05E6~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1205963362166
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1205963542947
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoft...5/asproinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = FLINNDENTAL.local
O17 - HKLM\Software\..\Telephony: DomainName = FLINNDENTAL.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = FLINNDENTAL.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = FLINNDENTAL.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9051 bytes


Mbam Log

Malwarebytes' Anti-Malware 1.09
Database version: 511

Scan type: Quick Scan
Objects scanned: 44298
Time elapsed: 13 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 42

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{d27987b8-7244-4de0-ae10-39b826b492f1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\180solutions (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\stc (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\FLEOK (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\180solutions\sais.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\stc\csv5p070.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt\Ssmgr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\avifile32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\avisynthex32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\aviwrap32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\browserad.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\cdsm32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\changeurl_30.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\msa64chk.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\msapasrc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\mspphe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\ntnut.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\saiemod.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\salm.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\shdocpl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\updatetc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\voiceip.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\winsb.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\system32\MSIXU.DLL (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\system32\MSNSA32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\system32\ntnut32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\system32\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\system32\SIPSPI32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\system32\WER8274.DLL (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\2020search.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\apphelp32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\asferror32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\asycfilt32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\athprxy32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\ati2dvaa32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\ati2dvag32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\audiosrv32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\autodisc32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\system32\BSZIP.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\winfrun32.bin (Malware.Trace) -> Quarantined and deleted successfully.
  • 0

#4
RatHat
Posted 20 March 2008 - 12:50 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
OK, well that looks like it got rid of a fair bit, even if Combofix was unsuccessful.

Lets run another scan now to see what else is hiding in there:


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in you root drive, usually C:\Deckard\System Scanner\

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Check the radio button under Rootkit Search for Yes
  • Under Additional Scans check the following:
    • Reg - ControlSets
    • Reg - Disabled MS Config Items
    • Reg - File Associations
    • Reg - Safeboot Options
    • Reg - Security Settings
    • File - Additional Folder Scans
    • File - Lop Check
    • File - Purity Scan
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

If the log is too large to post, please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

Regards,
RatHat
  • 0

#5
GoodDoctor
Posted 20 March 2008 - 01:34 PM

GoodDoctor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Thank you again for your help! I really do appreciate this!

I ran both. One question, while otscan was running, Symantec popped up and said it quarantined a trojan. Was this supposed to happen?

Here are the attachments.

Thank you



Attached File  deckard_extra_text.txt   24.33KB   205 downloads

Attached File  OTScanIt.Txt   289.33KB   107 downloads

Attached File  deckard_scans.txt   21.7KB   131 downloads
  • 0

#6
RatHat
Posted 20 March 2008 - 02:06 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Symantec probable caught something else running, not to worry.


Start OTScanIt.exe Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YN -> C:\WINNT\system32\mgmrwmrv.exe -> %SystemRoot%\system32\mgmrwmrv.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YN ->  -> 
YN -> C:\WINNT\system32\mgmrwmrv.exe -> %SystemRoot%\system32\mgmrwmrv.exe
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YN ->  -> 
YN -> C:\WINNT\system32\mgmrwmrv.exe -> %SystemRoot%\system32\mgmrwmrv.exe
< Winlogon settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YN ->  -> 
YN -> C:\WINNT\system32\mgmrwmrv.exe -> %SystemRoot%\system32\mgmrwmrv.exe
< Winlogon settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YN ->  -> 
YN -> C:\WINNT\system32\mgmrwmrv.exe -> %SystemRoot%\system32\mgmrwmrv.exe
< Winlogon settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YN ->  -> 
YN -> C:\WINNT\system32\mgmrwmrv.exe -> %SystemRoot%\system32\mgmrwmrv.exe
< Winlogon settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKEY_USERS\S-1-5-21-1003354511-1553193839-1052874480-500] > -> HKEY_USERS\S-1-5-21-1003354511-1553193839-1052874480-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YN ->  -> 
YN -> C:\WINNT\system32\mgmrwmrv.exe -> %SystemRoot%\system32\mgmrwmrv.exe
< Winlogon settings [HKEY_USERS\S-1-5-21-1003354511-1553193839-1052874480-500] > -> HKEY_USERS\S-1-5-21-1003354511-1553193839-1052874480-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoWelcomeScreen -> 1
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoControlPanel -> 1
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\DisablePersonalDirChange -> 1
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr -> 1
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-1003354511-1553193839-1052874480-500] > -> HKEY_USERS\S-1-5-21-1003354511-1553193839-1052874480-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_USERS\S-1-5-21-1003354511-1553193839-1052874480-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\DisablePersonalDirChange -> 1
YN -> HKEY_USERS\S-1-5-21-1003354511-1553193839-1052874480-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr -> 1
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}[HKEY_LOCAL_MACHINE] -> http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab[CKAVWebScan Object]
[Files/Folders - Created Within 90 days]
NY -> ComboFix -> %SystemDrive%\ComboFix
NY -> ComboFix[1] -> %SystemDrive%\ComboFix[1]
NY -> QooBox -> %SystemDrive%\QooBox
NY -> .ico -> %SystemRoot%\System32\.ico
NY -> 1 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp
NY -> zip.exe -> %SystemRoot%\System32\zip.exe
NY -> 3 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe
NY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\ComboFix.exe:Zone.Identifier
[Extra Files]
C:\Program Files\PartyGaming
Purity
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

Let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)


Regards,
RatHat
  • 0

#7
GoodDoctor
Posted 20 March 2008 - 02:11 PM

GoodDoctor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Thanks again,

I will have to continue this tomorrow.

Truly appreciate the help!
  • 0

#8
RatHat
Posted 20 March 2008 - 02:22 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
OK, no problem, I'll be here.

Have a good Easter!
  • 0

#9
GoodDoctor
Posted 24 March 2008 - 12:19 PM

GoodDoctor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Hello again,

I ran the fix and it appears to have worked as far as my control panel goes as it is now back of my computer. The only thing that did not go as directed is after the fix, it just asked to reboot and did not pop up a notepad log.

I opened up the otscan folder on my desktop and there is a log in the moved files folder, is this what I need to post?

As far as the DrWeb scan, the initial express scan did not find anything. After the express scan I followed directions and unchecked the "heuristic analysis" button but I could not find the "select drives" button at the main window. I went ahead and started another express scan and It did find something. It had a logo next to it so i clicked on it and selected the move button. I have posted the results.

GTDownLS_125.ocx;C:\WINNT\system32;Adware.Gdown;Incurable.Moved.;


As I said, the control panel is back and my computer is seemingly fine however I do still have a big message on my desktop with a link saying "warning, spyware threat on you computer" and so on and has a link on it.

Thank you so much again.
  • 0

#10
RatHat
Posted 24 March 2008 - 12:26 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Could you run DSS for me again, this time it will only give you the main.txt, so post that for me.

Also please run OTScanIt again, this time without any of the additional scans, and I will be able to tell from that if it deleted everything.

Regards,
Rathat
  • 0

Advertisements

#11
GoodDoctor
Posted 24 March 2008 - 12:52 PM

GoodDoctor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Thank you,

DSS results,

Deckard's System Scanner v20071014.68
Run by administrator on 2008-03-24 13:47:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:47, on 2008-03-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINNT\system32\mobsync.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINNT\system32\Rundll32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://DELL2800:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI05E6~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1205963362166
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1205963542947
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoft...5/asproinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = FLINNDENTAL.local
O17 - HKLM\Software\..\Telephony: DomainName = FLINNDENTAL.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = FLINNDENTAL.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = FLINNDENTAL.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9353 bytes

-- Files created between 2008-02-24 and 2008-03-24 -----------------------------

2008-03-24 11:09:03 0 d-------- C:\Documents and Settings\administrator\DoctorWeb
2008-03-20 12:34:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-20 12:34:19 0 d-------- C:\WINNT\system32\Kaspersky Lab
2008-03-20 10:20:31 98816 --a------ C:\WINNT\system32\sed.exe
2008-03-20 10:20:31 80412 --a------ C:\WINNT\system32\grep.exe
2008-03-20 10:20:31 73728 --a------ C:\WINNT\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-20 10:01:42 0 d-------- C:\Documents and Settings\administrator\Application Data\Malwarebytes
2008-03-20 10:01:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-20 10:01:34 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-19 16:25:06 0 d-------- C:\Program Files\Trend Micro
2008-03-19 16:11:27 0 d-------- C:\WINNT\system32\PreInstall
2008-03-19 16:11:24 0 d--h----- C:\WINNT\$hf_mig$
2008-03-19 15:52:50 0 d-------- C:\WINNT\system32\SoftwareDistribution
2008-03-19 14:51:53 69632 --a------ C:\WINNT\system32\asprouni.exe <Not Verified; Panda Software; Panda Software ASPRODesinstalador>
2008-03-19 14:51:11 0 d-------- C:\WINNT\system32\ASPRO
2008-03-19 13:44:12 0 d-------- C:\WINNT\system32\ActiveScan
2008-03-19 11:01:30 0 d-------- C:\Documents and Settings\administrator\Application Data\Grisoft
2008-03-19 11:01:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-18 16:34:32 0 d--h----- C:\WINNT\system32\GroupPolicy
2008-02-26 20:26:47 262144 --a------ C:\Documents and Settings\Administrator.CONSULT\NTUSER.DAT
2008-02-26 20:26:47 262144 --a------ C:\Documents and Settings\__sbs_netsetup__\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-03-24 11:29:05 0 d-------- C:\Program Files\Symantec AntiVirus
2008-03-19 15:01:19 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-19 15:01:13 0 d-------- C:\Program Files\Messenger
2008-03-19 15:01:10 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-19 15:01:10 0 d-------- C:\Program Files\Linksys EasyLink Advisor
2008-03-19 14:23:06 0 d-------- C:\Program Files\PhoneTools
2008-03-18 08:33:14 0 d-------- C:\Documents and Settings\administrator\Application Data\SUPERAntiSpyware.com
2008-03-18 08:32:35 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-22 09:47:12 0 d--h----- C:\Documents and Settings\administrator\Application Data\GTek
2008-01-16 16:39:27 99160 --a------ C:\Documents and Settings\administrator\Application Data\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GWMDMMSG"="GWMDMMSG.exe" [2002-03-06 09:08 C:\WINNT\GWMDMMSG.exe]
"CapFax"="C:\Program Files\PhoneTools\CapFax.EXE" [2001-11-07 13:25]
"nwiz"="nwiz.exe" [2002-05-03 09:06 C:\WINNT\system32\nwiz.exe]
"NvMediaCenter"="C:\WINNT\System32\NvMcTray.dll" [2005-04-01 15:16]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 13:50 C:\WINNT\system32\SK9910DM.EXE]
"Synchronization Manager"="C:\WINNT\system32\mobsync.exe" [2004-08-03 23:56]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 15:44]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 14:18]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2003-12-01 10:38]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 03:50 C:\WINNT\LOGI_MWX.EXE]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-01 09:01]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-01 09:01]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 10:51]
"P17Helper"="P17.dll" [2005-05-03 05:38 C:\WINNT\system32\P17.dll]
"UpdReg"="C:\WINNT\UpdReg.EXE" [2000-05-11 01:00]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 08:59]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:06]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 08:59]
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" [2005-12-12 09:36]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 11:01]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-10-25 14:24:27]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-11-15 04:31:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

*Newly Created Service* - NMSCFG



-- End of Deckard's System Scanner: finished at 2008-03-24 13:47:59 ------------












Results from OT Scan

[code=auto:0]OTScanIt logfile created on: 2008-03-24 13:49:25
OTScanIt by OldTimer - Version 1.0.6.0 Folder = C:\Documents and Settings\administrator\Desktop\OTScanIt
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

511.30 Mb Total Physical Memory | 147.39 Mb Available Physical Memory | 28.83% Memory free
1.22 Gb Paging File | 0.65 Gb Available in Paging File | 53.05% Paging File free
Paging file location(s): C:\pagefile.sys 1500 3536;

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 26.90 Gb Free Space | 72.17% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive L: | 87.89 Gb Total Space | 60.24 Gb Free Space | 68.54% Space Free | Partition Type: NTFS
Drive Q: | 87.89 Gb Total Space | 60.24 Gb Free Space | 68.54% Space Free | Partition Type: NTFS
Drive S: | 87.89 Gb Total Space | 60.24 Gb Free Space | 68.54% Space Free | Partition Type: NTFS
Drive Z: | 87.89 Gb Total Space | 60.24 Gb Free Space | 68.54% Space Free | Partition Type: NTFS

Computer Name: CONSULT01
Current User Name: administrator
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
ccsetmgr.exe -> %CommonProgramFiles%\Symantec Shared\ccSetMgr.exe -> Symantec Corporation [Ver = 2.2.0.577 | Size = 242808 bytes | Modified Date = 2004-02-29 15:44:54 | Attr = ]
ccevtmgr.exe -> %CommonProgramFiles%\Symantec Shared\ccEvtMgr.exe -> Symantec Corporation [Ver = 2.2.0.577 | Size = 255096 bytes | Modified Date = 2004-02-29 15:44:48 | Attr = ]
aawservice.exe -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft AB [Ver = 7, 0, 2, 5 | Size = 587096 bytes | Modified Date = 2007-10-29 13:27:04 | Attr = ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 2007-05-30 06:31:10 | Attr = ]
ctsvccda.exe -> %SystemRoot%\system32\CTSVCCDA.EXE -> Creative Technology Ltd [Ver = 1.0.1.0 | Size = 44032 bytes | Modified Date = 1999-12-12 19:01:00 | Attr = ]
defwatch.exe -> %ProgramFiles%\Symantec AntiVirus\DefWatch.exe -> Symantec Corporation [Ver = 9.0.0.338 | Size = 29928 bytes | Modified Date = 2004-03-12 14:17:10 | Attr = ]
dkservice.exe -> %ProgramFiles%\Executive Software\Diskeeper\DkService.exe -> Executive Software International, Inc. [Ver = 8.0.459.0 | Size = 426105 bytes | Modified Date = 2003-08-22 01:27:42 | Attr = ]
sagent2.exe -> %CommonProgramFiles%\EPSON\EBAPI\SAgent2.exe -> SEIKO EPSON CORPORATION [Ver = 2, 1, 0, 0 | Size = 90112 bytes | Modified Date = 2001-08-09 02:01:00 | Attr = ]
nmssvc.exe -> %SystemRoot%\system32\NMSSvc.Exe -> Intel Corporation [Ver = 2.2.9.0 | Size = 1118208 bytes | Modified Date = 2002-05-03 11:36:24 | Attr = ]
nvsvc32.exe -> %SystemRoot%\system32\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.13.10.2942 | Size = 61440 bytes | Modified Date = 2002-05-03 09:06:00 | Attr = ]
savroam.exe -> %ProgramFiles%\Symantec AntiVirus\SavRoam.exe -> symantec [Ver = 1.5.0.0 | Size = 169192 bytes | Modified Date = 2004-03-12 14:18:06 | Attr = ]
rtvscan.exe -> %ProgramFiles%\Symantec AntiVirus\Rtvscan.exe -> Symantec Corporation [Ver = 9.0.0.338 | Size = 1221864 bytes | Modified Date = 2004-03-12 14:17:46 | Attr = ]
gwmdmmsg.exe -> %SystemRoot%\GWMDMMSG.exe -> GTW [Ver = 3.3.24 01/30/2002 15:24:37 | Size = 101611 bytes | Modified Date = 2002-03-06 09:08:36 | Attr = ]
capfax.exe -> %ProgramFiles%\PhoneTools\capFax.exe -> BVRP Software [Ver = 1.01 | Size = 20480 bytes | Modified Date = 2001-11-07 13:25:54 | Attr = ]
sk9910dm.exe -> %SystemRoot%\system32\SK9910DM.EXE -> Silitek Corporation [Ver = 1, 0, 9, 0 | Size = 66048 bytes | Modified Date = 2001-01-03 13:50:56 | Attr = ]
ccapp.exe -> %CommonProgramFiles%\Symantec Shared\ccApp.exe -> Symantec Corporation [Ver = 2.2.0.577 | Size = 66680 bytes | Modified Date = 2004-02-29 15:44:46 | Attr = ]
vptray.exe -> %ProgramFiles%\Symantec AntiVirus\VPTray.exe -> Symantec Corporation [Ver = 9.0.0.338 | Size = 124128 bytes | Modified Date = 2004-03-12 14:18:32 | Attr = ]
itouch.exe -> %ProgramFiles%\Logitech\iTouch\iTouch.exe -> Logitech Inc. [Ver = 2.20.243 | Size = 892928 bytes | Modified Date = 2003-12-01 10:38:16 | Attr = ]
mmtask.exe -> %ProgramFiles%\MusicMatch\MusicMatch Jukebox\mmtask.exe -> TODO: <Company name> [Ver = 1.0.0.1 | Size = 53248 bytes | Modified Date = 2003-10-01 09:01:12 | Attr = ]
mm_tray.exe -> %ProgramFiles%\MusicMatch\MusicMatch Jukebox\mm_tray.exe -> MUSICMATCH, Inc. [Ver = 8.00.0126 | Size = 114688 bytes | Modified Date = 2003-10-01 09:01:12 | Attr = ]
ctsysvol.exe -> %ProgramFiles%\Creative\SBAudigy\Surround Mixer\CTSysVol.exe -> Creative Technology Ltd [Ver = 1.4.8.0 | Size = 57344 bytes | Modified Date = 2005-10-31 10:51:52 | Attr = ]
em_exec.exe -> %ProgramFiles%\Logitech\MouseWare\system\EM_EXEC.EXE -> Logitech Inc. [Ver = 9.79.019 | Size = 37888 bytes | Modified Date = 2003-11-14 08:50:00 | Attr = ]
searchprotection.exe -> %ProgramFiles%\Yahoo!\Search Protection\SearchProtection.exe -> Yahoo! Inc. [Ver = 2007, 6, 8, 1 | Size = 224248 bytes | Modified Date = 2007-06-08 08:59:38 | Attr = ]
avgas.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 2007-06-11 03:25:42 | Attr = ]
yahoomessenger.exe -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe -> Yahoo! Inc. [Ver = 8,1,0,421 | Size = 4670704 bytes | Modified Date = 2007-08-30 17:43:18 | Attr = ]
ctcmsgou.exe -> %ProgramFiles%\Creative\MediaSource5\Go\CTCMSGoU.exe -> Creative Technology Ltd [Ver = 5.0.3.0 | Size = 143360 bytes | Modified Date = 2005-12-12 09:36:36 | Attr = ]
linksysagent.exe -> %ProgramFiles%\Linksys EasyLink Advisor\LinksysAgent.exe -> Linksys, a Division of Cisco Systems, Inc. [Ver = 2, 1, 3, 162 | Size = 392832 bytes | Modified Date = 2006-10-30 11:01:16 | Attr = ]
superantispyware.exe -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 4, 0, 0, 1154 | Size = 1481968 bytes | Modified Date = 2008-02-29 16:03:46 | Attr = ]
qbupdate.exe -> %CommonProgramFiles%\Intuit\QuickBooks\QBUpdate\qbupdate.exe -> Intuit, Inc. [Ver = 15.0 R7 | Size = 806912 bytes | Modified Date = 2005-11-15 04:31:34 | Attr = ]
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.6.0 | Size = 311808 bytes | Modified Date = 2008-03-19 18:01:26 | Attr = ]

[Win32 Services - Non-Microsoft Only]
(aawservice) Ad-Aware 2007 Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft AB [Ver = 7, 0, 2, 5 | Size = 587096 bytes | Modified Date = 2007-10-29 13:27:04 | Attr = ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 2007-05-30 06:31:10 | Attr = ]
(ccEvtMgr) Symantec Event Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccEvtMgr.exe -> Symantec Corporation [Ver = 2.2.0.577 | Size = 255096 bytes | Modified Date = 2004-02-29 15:44:48 | Attr = ]
(ccPwdSvc) Symantec Password Validation [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\ccPwdSvc.exe -> Symantec Corporation [Ver = 2.2.0.577 | Size = 87160 bytes | Modified Date = 2004-02-29 15:44:52 | Attr = ]
(ccSetMgr) Symantec Settings Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccSetMgr.exe -> Symantec Corporation [Ver = 2.2.0.577 | Size = 242808 bytes | Modified Date = 2004-02-29 15:44:54 | Attr = ]
(Creative Service for CDROM Access) Creative Service for CDROM Access [Win32_Own | Auto | Running] -> %SystemRoot%\system32\CTSVCCDA.EXE -> Creative Technology Ltd [Ver = 1.0.1.0 | Size = 44032 bytes | Modified Date = 1999-12-12 19:01:00 | Attr = ]
(DefWatch) Symantec AntiVirus Definition Watcher [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec AntiVirus\DefWatch.exe -> Symantec Corporation [Ver = 9.0.0.338 | Size = 29928 bytes | Modified Date = 2004-03-12 14:17:10 | Attr = ]
(Diskeeper) Diskeeper [Win32_Own | Auto | Running] -> %ProgramFiles%\Executive Software\Diskeeper\DkService.exe -> Executive Software International, Inc. [Ver = 8.0.459.0 | Size = 426105 bytes | Modified Date = 2003-08-22 01:27:42 | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 2004-08-03 23:56:50 | Attr = ]
(EPSONStatusAgent2) EPSON Printer Status Agent2 [Win32_Own | Auto | Running] -> %CommonProgramFiles%\EPSON\EBAPI\SAgent2.exe -> SEIKO EPSON CORPORATION [Ver = 2, 1, 0, 0 | Size = 90112 bytes | Modified Date = 2001-08-09 02:01:00 | Attr = ]
(NMSSvc) Intel(R) NMS [Win32_Own | Auto | Running] -> %SystemRoot%\system32\NMSSvc.Exe -> Intel Corporation [Ver = 2.2.9.0 | Size = 1118208 bytes | Modified Date = 2002-05-03 11:36:24 | Attr = ]
(NVSvc) NVIDIA Driver Helper Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.13.10.2942 | Size = 61440 bytes | Modified Date = 2002-05-03 09:06:00 | Attr = ]
(PictureTaker) PictureTaker [Win32_Own | On_Demand | Stopped] -> %SystemDrive%\fixit\pt\PCTKRNT.SYS -> File not found
(SavRoam) SavRoam [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec AntiVirus\SavRoam.exe -> symantec [Ver = 1.5.0.0 | Size = 169192 bytes | Modified Date = 2004-03-12 14:18:06 | Attr = ]
(SNDSrvc) Symantec Network Drivers Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\SNDSrvc.exe -> Symantec Corporation [Ver = 5.3.0.46 | Size = 193760 bytes | Modified Date = 2004-03-11 13:58:32 | Attr = ]
(Symantec AntiVirus) Symantec AntiVirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec AntiVirus\Rtvscan.exe -> Symantec Corporation [Ver = 9.0.0.338 | Size = 1221864 bytes | Modified Date = 2004-03-12 14:17:46 | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
!AVG Anti-Spyware -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 2007-06-11 03:25:42 | Attr = ]
CapFax -> %ProgramFiles%\PhoneTools\capFax.exe -> BVRP Software [Ver = 1.01 | Size = 20480 bytes | Modified Date = 2001-11-07 13:25:54 | Attr = ]
ccApp -> %CommonProgramFiles%\Symantec Shared\ccApp.exe -> Symantec Corporation [Ver = 2.2.0.577 | Size = 66680 bytes | Modified Date = 2004-02-29 15:44:46 | Attr = ]
CTSysVol -> %ProgramFiles%\Creative\SBAudigy\Surround Mixer\CTSysVol.exe -> Creative Technology Ltd [Ver = 1.4.8.0 | Size = 57344 bytes | Modified Date = 2005-10-31 10:51:52 | Attr = ]
GWMDMMSG -> %SystemRoot%\GWMDMMSG.exe -> GTW [Ver = 3.3.24 01/30/2002 15:24:37 | Size = 101611 bytes | Modified Date = 2002-03-06 09:08:36 | Attr = ]
Hot Key Kbd 9910 Daemon -> %SystemRoot%\system32\SK9910DM.EXE -> Silitek Corporation [Ver = 1, 0, 9, 0 | Size = 66048 bytes | Modified Date = 2001-01-03 13:50:56 | Attr = ]
Logitech Utility -> %SystemRoot%\LOGI_MWX.EXE -> Logitech Inc. [Ver = 9.79.016 | Size = 19968 bytes | Modified Date = 2003-11-07 03:50:00 | Attr = ]
mmtask -> %ProgramFiles%\MusicMatch\MusicMatch Jukebox\mmtask.exe -> TODO: <Company name> [Ver = 1.0.0.1 | Size = 53248 bytes | Modified Date = 2003-10-01 09:01:12 | Attr = ]
MMTray -> %ProgramFiles%\MusicMatch\MusicMatch Jukebox\mm_tray.exe -> MUSICMATCH, Inc. [Ver = 8.00.0126 | Size = 114688 bytes | Modified Date = 2003-10-01 09:01:12 | Attr = ]
NvMediaCenter -> %SystemRoot%\system32\nvmctray.dll -> NVIDIA Corporation [Ver = 6.14.10.7189 | Size = 86016 bytes | Modified Date = 2005-04-01 15:16:00 | Attr = ]
nwiz -> %SystemRoot%\system32\nwiz.exe -> NVIDIA Corporation [Ver = 6.13.10.2942 | Size = 364544 bytes | Modified Date = 2002-05-03 09:06:00 | Attr = ]
P17Helper -> %SystemRoot%\system32\P17.dll -> [Ver = 1.0.1.41 | Size = 64512 bytes | Modified Date = 2005-05-03 05:38:42 | Attr = R ]
UpdReg -> %SystemRoot%\Updreg.EXE -> Creative Technology Ltd. [Ver = 1.0.2 | Size = 90112 bytes | Modified Date = 2000-05-11 01:00:00 | Attr = ]
vptray -> %ProgramFiles%\Symantec AntiVirus\VPTray.exe -> Symantec Corporation [Ver = 9.0.0.338 | Size = 124128 bytes | Modified Date = 2004-03-12 14:18:32 | Attr = ]
YSearchProtection -> %ProgramFiles%\Yahoo!\Search Protection\SearchProtection.exe -> Yahoo! Inc. [Ver = 2007, 6, 8, 1 | Size = 224248 bytes | Modified Date = 2007-06-08 08:59:38 | Attr = ]
zBrowser Launcher -> %ProgramFiles%\Logitech\iTouch\iTouch.exe -> Logitech Inc. [Ver = 2.20.243 | Size = 892928 bytes | Modified Date = 2003-12-01 10:38:16 | Attr = ]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL-> Installed = 1 ->
MAPI-> Installed = 1 ->
MSFS-> Installed = 1 ->
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Creative MediaSource Go -> %ProgramFiles%\Creative\MediaSource5\Go\CTCMSGoU.exe -> Creative Technology Ltd [Ver = 5.0.3.0 | Size = 143360 bytes | Modified Date = 2005-12-12 09:36:36 | Attr = ]
EasyLinkAdvisor -> %ProgramFiles%\Linksys EasyLink Advisor\LinksysAgent.exe -> Linksys, a Division of Cisco Systems, Inc. [Ver = 2, 1, 3, 162 | Size = 392832 bytes | Modified Date = 2006-10-30 11:01:16 | Attr = ]
Microsoft Works Update Detection -> %ProgramFiles%\Microsoft Works\WkDetect.exe -> File not found
SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 4, 0, 0, 1154 | Size = 1481968 bytes | Modified Date = 2008-02-29 16:03:46 | Attr = ]
Yahoo! Pager -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe -> Yahoo! Inc. [Ver = 8,1,0,421 | Size = 4670704 bytes | Modified Date = 2007-08-30 17:43:18 | Attr = ]
YSearchProtection -> %ProgramFiles%\Yahoo!\Search Protection\SearchProtection.exe -> Yahoo! Inc. [Ver = 2007, 6, 8, 1 | Size = 224248 bytes | Modified Date = 2007-06-08 08:59:38 | Attr = ]
< administrator Startup Folder > -> C:\Documents and Settings\administrator\Start Menu\Programs\Startup ->
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersProfile%\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk -> %ProgramFiles%\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe -> Logitech [Ver = 1.4.19 | Size = 169472 bytes | Modified Date = 2007-10-25 14:24:27 | Attr = ]
%AllUsersProfile%\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk -> %CommonProgramFiles%\Intuit\QuickBooks\QBUpdate\qbupdate.exe -> Intuit, Inc. [Ver = 15.0 R7 | Size = 806912 bytes | Modified Date = 2005-11-15 04:31:34 | Attr = ]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 2007-05-30 06:29:58 | Attr = ]
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 2006-12-20 12:55:48 | Attr = ]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 2007-04-19 12:41:36 | Attr = ]
NavLogon -> %SystemRoot%\system32\NavLogon.dll -> Symantec Corporation [Ver = 9.0.0.338 | Size = 83176 bytes | Modified Date = 2004-03-12 14:17:24 | Attr = ]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DisableTaskMgr -> 1 ->
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\CDRAutoRun -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\disableregistrytools -> 0 ->
< HOSTS File > (3526 bytes) -> C:\WINNT\System32\drivers\etc\Hosts ->
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_LOCAL_MACHINE\: Main\\Local Page -> C:\windows\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\Local Page -> C:\windows\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\Start Page -> http://www.yahoo.com/ ->
HKEY_CURRENT_USER\: SearchURL\\ -> http://home.microsoft.com/access/autosearch.asp?p=%s[yaho] ->
HKEY_CURRENT_USER\: URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2007, 9, 5, 1 | Size = 816400 bytes | Modified Date = 2007-09-05 15:48:58 | Attr = ]
HKEY_CURRENT_USER\: ProxyEnable -> 1 ->
HKEY_CURRENT_USER\: ProxyOverride -> <local> ->
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{02478D38-C3F9-4efb-9B51-7695ECA05670} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [&Yahoo! Toolbar Helper] -> Yahoo! Inc. [Ver = 2007, 9, 5, 1 | Size = 816400 bytes | Modified Date = 2007-09-05 15:48:58 | Attr = ]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [AcroIEHlprObj Class] -> [Ver = 1, 0, 0, 1 | Size = 37808 bytes | Modified Date = 2001-03-02 11:02:04 | Attr = ]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! IE Services Button] -> Yahoo! Inc. [Ver = 2006, 10, 31, 3 | Size = 198136 bytes | Modified Date = 2006-10-31 14:33:52 | Attr = ]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2007, 9, 5, 1 | Size = 816400 bytes | Modified Date = 2007-09-05 15:48:58 | Attr = ]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2007, 9, 5, 1 | Size = 816400 bytes | Modified Date = 2007-09-05 15:48:58 | Attr = ]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}:{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! Services] -> Yahoo! Inc. [Ver = 2006, 10, 31, 3 | Size = 198136 bytes | Modified Date = 2006-10-31 14:33:52 | Attr = ]
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [] -> File not found
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! IE Services Button] -> Yahoo! Inc. [Ver = 2006, 10, 31, 3 | Size = 198136 bytes | Modified Date = 2006-10-31 14:33:52 | Attr = ]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
Extension\.spop -> %ProgramFiles%\Internet Explorer\PLUGINS\NPDocBox.dll [] -> InterTrust Technologies Corporation, Inc. [Ver = 1.0.30.95 | Size = 225280 bytes | Modified Date = 2001-01-30 12:56:24 | Attr = ]
< User Agent Post Platform [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform ->
SV1 -> ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{0251077E-7643-40F9-A9D0-6E8059DA39E7} -> () ->
{516995C7-DC69-45E4-B367-5BEC3646E9E8} -> (1394 Net Adapter) ->
{BA7BD43B-1CD4-4A61-9E6F-D89C98A5A7BA} -> (1394 Net Adapter) ->
{E66592AE-0714-4CE1-B0EA-2ABC30CC2406} -> (Intel(R) PRO/100 Network Connection) ->
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value does not exist or could not be read.] -> File not found
msdaipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value does not exist or could not be read.] -> File not found
vnd.ms.radio:{3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\msdxm.ocx[AsyncPProt Class] -> [Ver = | Size = 844314 bytes | Modified Date = 2004-08-03 21:51:04 | Attr = ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}[HKEY_LOCAL_MACHINE] -> http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab[Reg Error: Key does not exist or could not be opened.] ->
{6414512B-B978-451D-A0D8-FCFDF33E833C}[HKEY_LOCAL_MACHINE] -> http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205963362166[WUWebControl Class] ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}[HKEY_LOCAL_MACHINE] -> http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205963542947[MUWebControl Class] ->
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}[HKEY_LOCAL_MACHINE] -> http://acs.pandasoftware.com/activescan/as5free/asinst.cab[ActiveScan Installer Class] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] ->
{D6376DD2-C2BD-49B2-A1B1-138F869633F3}[HKEY_LOCAL_MACHINE] -> http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab[ASPRO Installer Class] ->
Microsoft XML Parser for Java[HKEY_LOCAL_MACHINE] -> file://C:\WINNT\Java\classes\xmldso.cab[Reg Error: Key does not exist or could not be opened.] ->



[Files/Folders - Created Within 30 days]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Created Date = 2008-03-18 08:32:31 | Attr = HS]
Deckard -> %SystemDrive%\Deckard -> [Folder | Created Date = 2008-03-20 14:06:21 | Attr = ]
AvgAsCln.sys -> %SystemRoot%\System32\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 2008-03-19 11:01:15 | Attr = ]
ActiveScan -> %SystemRoot%\System32\ActiveScan -> [Folder | Created Date = 2008-03-19 13:44:12 | Attr = ]
ASPRO -> %SystemRoot%\System32\ASPRO -> [Folder | Created Date = 2008-03-19 14:51:11 | Attr = ]
asprouni.exe -> %SystemRoot%\System32\asprouni.exe -> Panda Software [Ver = 1, 0, 0, 1 | Size = 69632 bytes | Created Date = 2008-03-19 14:51:53 | Attr = ]
asuninst.exe -> %SystemRoot%\System32\asuninst.exe -> Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Created Date = 2008-03-19 13:44:44 | Attr = ]
fdsv.exe -> %SystemRoot%\System32\fdsv.exe -> Smallfrogs Studio [Ver = 1.0.0.10 | Size = 73728 bytes | Created Date = 2008-03-20 10:20:31 | Attr = ]
grep.exe -> %SystemRoot%\System32\grep.exe -> [Ver = | Size = 80412 bytes | Created Date = 2008-03-20 10:20:31 | Attr = ]
GroupPolicy -> %SystemRoot%\System32\GroupPolicy -> [Folder | Created Date = 2008-03-18 16:34:32 | Attr = H ]
Help.ico -> %SystemRoot%\System32\Help.ico -> [Ver = | Size = 1406 bytes | Created Date = 2008-03-19 13:44:16 | Attr = ]
Helppro.ico -> %SystemRoot%\System32\Helppro.ico -> [Ver = | Size = 1406 bytes | Created Date = 2008-03-19 14:51:17 | Attr = ]
Kaspersky Lab -> %SystemRoot%\System32\Kaspersky Lab -> [Folder | Created Date = 2008-03-20 12:34:19 | Attr = ]
pavas.ico -> %SystemRoot%\System32\pavas.ico -> [Ver = | Size = 30590 bytes | Created Date = 2008-03-19 13:44:15 | Attr = ]
pavaspro.ico -> %SystemRoot%\System32\pavaspro.ico -> [Ver = | Size = 30590 bytes | Created Date = 2008-03-19 14:51:14 | Attr = ]
PreInstall -> %SystemRoot%\System32\PreInstall -> [Folder | Created Date = 2008-03-19 16:11:27 | Attr = ]
sed.exe -> %SystemRoot%\System32\sed.exe -> [Ver = | Size = 98816 bytes | Created Date = 2008-03-20 10:20:31 | Attr = ]
SoftwareDistribution -> %SystemRoot%\System32\SoftwareDistribution -> [Folder | Created Date = 2008-03-19 15:52:50 | Attr = ]
swreg.exe -> %SystemRoot%\System32\swreg.exe -> SteelWerX [Ver = 3.0.0.0 | Size = 161792 bytes | Created Date = 2008-03-20 10:20:31 | Attr = ]
swsc.exe -> %SystemRoot%\System32\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Created Date = 2008-03-20 10:20:31 | Attr = ]
swxcacls.exe -> %SystemRoot%\System32\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 2008-03-2
  • 0

#12
RatHat
Posted 24 March 2008 - 01:50 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Well you are looking clean, but could you attach the OTScanIt log for me so I can go through it properly as it has been cut off.

Thanks,
RatHat
  • 0

#13
GoodDoctor
Posted 24 March 2008 - 02:03 PM

GoodDoctor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
I truly can't thank you enough. Very impressive!

I will paste the results here.

The last couple things,

How do I get the link and message off my desktop? Should I delete all the programs I downloaded onto my desktop through this process?

What do you recommend I run on my computer to avoid this problem in the future?

Your help and advice is truly appreciated!

OTScanIt logfile created on: 2008-03-24 13:49:25
OTScanIt by OldTimer - Version 1.0.6.0	 Folder = C:\Documents and Settings\administrator\Desktop\OTScanIt
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd
 
511.30 Mb Total Physical Memory | 147.39 Mb Available Physical Memory | 28.83% Memory free
1.22 Gb Paging File | 0.65 Gb Available in Paging File | 53.05% Paging File free
Paging file location(s): C:\pagefile.sys 1500 3536;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 26.90 Gb Free Space | 72.17% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive L: | 87.89 Gb Total Space | 60.24 Gb Free Space | 68.54% Space Free | Partition Type: NTFS
Drive Q: | 87.89 Gb Total Space | 60.24 Gb Free Space | 68.54% Space Free | Partition Type: NTFS
Drive S: | 87.89 Gb Total Space | 60.24 Gb Free Space | 68.54% Space Free | Partition Type: NTFS
Drive Z: | 87.89 Gb Total Space | 60.24 Gb Free Space | 68.54% Space Free | Partition Type: NTFS

Computer Name: CONSULT01
Current User Name: administrator
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
ccsetmgr.exe -> %CommonProgramFiles%\Symantec Shared\ccSetMgr.exe -> Symantec Corporation [Ver = 2.2.0.577 | Size = 242808 bytes | Modified Date = 2004-02-29 15:44:54 | Attr =	]
ccevtmgr.exe -> %CommonProgramFiles%\Symantec Shared\ccEvtMgr.exe -> Symantec Corporation [Ver = 2.2.0.577 | Size = 255096 bytes | Modified Date = 2004-02-29 15:44:48 | Attr =	]
aawservice.exe -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft AB [Ver = 7, 0, 2, 5 | Size = 587096 bytes | Modified Date = 2007-10-29 13:27:04 | Attr =	]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 2007-05-30 06:31:10 | Attr =	]
ctsvccda.exe -> %SystemRoot%\system32\CTSVCCDA.EXE -> Creative Technology Ltd [Ver = 1.0.1.0 | Size = 44032 bytes | Modified Date = 1999-12-12 19:01:00 | Attr =	]
defwatch.exe -> %ProgramFiles%\Symantec AntiVirus\DefWatch.exe -> Symantec Corporation [Ver = 9.0.0.338 | Size = 29928 bytes | Modified Date = 2004-03-12 14:17:10 | Attr =	]
dkservice.exe -> %ProgramFiles%\Executive Software\Diskeeper\DkService.exe -> Executive Software International, Inc. [Ver = 8.0.459.0 | Size = 426105 bytes | Modified Date = 2003-08-22 01:27:42 | Attr =	]
sagent2.exe -> %CommonProgramFiles%\EPSON\EBAPI\SAgent2.exe -> SEIKO EPSON CORPORATION [Ver = 2, 1, 0, 0 | Size = 90112 bytes | Modified Date = 2001-08-09 02:01:00 | Attr =	]
nmssvc.exe -> %SystemRoot%\system32\NMSSvc.Exe -> Intel Corporation [Ver = 2.2.9.0 | Size = 1118208 bytes | Modified Date = 2002-05-03 11:36:24 | Attr =	]
nvsvc32.exe -> %SystemRoot%\system32\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.13.10.2942 | Size = 61440 bytes | Modified Date = 2002-05-03 09:06:00 | Attr =	]
savroam.exe -> %ProgramFiles%\Symantec AntiVirus\SavRoam.exe -> symantec [Ver = 1.5.0.0 | Size = 169192 bytes | Modified Date = 2004-03-12 14:18:06 | Attr =	]
rtvscan.exe -> %ProgramFiles%\Symantec AntiVirus\Rtvscan.exe -> Symantec Corporation [Ver = 9.0.0.338 | Size = 1221864 bytes | Modified Date = 2004-03-12 14:17:46 | Attr =	]
gwmdmmsg.exe -> %SystemRoot%\GWMDMMSG.exe -> GTW [Ver =  3.3.24 01/30/2002 15:24:37 | Size = 101611 bytes | Modified Date = 2002-03-06 09:08:36 | Attr =	]
capfax.exe -> %ProgramFiles%\PhoneTools\capFax.exe -> BVRP Software [Ver = 1.01 | Size = 20480 bytes | Modified Date = 2001-11-07 13:25:54 | Attr =	]
sk9910dm.exe -> %SystemRoot%\system32\SK9910DM.EXE -> Silitek Corporation [Ver = 1, 0, 9, 0 | Size = 66048 bytes | Modified Date = 2001-01-03 13:50:56 | Attr =	]
ccapp.exe -> %CommonProgramFiles%\Symantec Shared\ccApp.exe -> Symantec Corporation [Ver = 2.2.0.577 | Size = 66680 bytes | Modified Date = 2004-02-29 15:44:46 | Attr =	]
vptray.exe -> %ProgramFiles%\Symantec AntiVirus\VPTray.exe -> Symantec Corporation [Ver = 9.0.0.338 | Size = 124128 bytes | Modified Date = 2004-03-12 14:18:32 | Attr =	]
itouch.exe -> %ProgramFiles%\Logitech\iTouch\iTouch.exe -> Logitech Inc. [Ver = 2.20.243 | Size = 892928 bytes | Modified Date = 2003-12-01 10:38:16 | Attr =	]
mmtask.exe -> %ProgramFiles%\MusicMatch\MusicMatch Jukebox\mmtask.exe -> TODO: <Company name> [Ver = 1.0.0.1 | Size = 53248 bytes | Modified Date = 2003-10-01 09:01:12 | Attr =	]
mm_tray.exe -> %ProgramFiles%\MusicMatch\MusicMatch Jukebox\mm_tray.exe -> MUSICMATCH, Inc. [Ver = 8.00.0126 | Size = 114688 bytes | Modified Date = 2003-10-01 09:01:12 | Attr =	]
ctsysvol.exe -> %ProgramFiles%\Creative\SBAudigy\Surround Mixer\CTSysVol.exe -> Creative Technology Ltd [Ver = 1.4.8.0 | Size = 57344 bytes | Modified Date = 2005-10-31 10:51:52 | Attr =	]
em_exec.exe -> %ProgramFiles%\Logitech\MouseWare\system\EM_EXEC.EXE -> Logitech Inc. [Ver = 9.79.019 | Size = 37888 bytes | Modified Date = 2003-11-14 08:50:00 | Attr =	]
searchprotection.exe -> %ProgramFiles%\Yahoo!\Search Protection\SearchProtection.exe -> Yahoo! Inc. [Ver = 2007, 6, 8, 1 | Size = 224248 bytes | Modified Date = 2007-06-08 08:59:38 | Attr =	]
avgas.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 2007-06-11 03:25:42 | Attr =	]
yahoomessenger.exe -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe -> Yahoo! Inc. [Ver = 8,1,0,421 | Size = 4670704 bytes | Modified Date = 2007-08-30 17:43:18 | Attr =	]
ctcmsgou.exe -> %ProgramFiles%\Creative\MediaSource5\Go\CTCMSGoU.exe -> Creative Technology Ltd [Ver = 5.0.3.0 | Size = 143360 bytes | Modified Date = 2005-12-12 09:36:36 | Attr =	]
linksysagent.exe -> %ProgramFiles%\Linksys EasyLink Advisor\LinksysAgent.exe -> Linksys, a Division of Cisco Systems, Inc. [Ver = 2, 1, 3, 162 | Size = 392832 bytes | Modified Date = 2006-10-30 11:01:16 | Attr =	]
superantispyware.exe -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 4, 0, 0, 1154 | Size = 1481968 bytes | Modified Date = 2008-02-29 16:03:46 | Attr =	]
qbupdate.exe -> %CommonProgramFiles%\Intuit\QuickBooks\QBUpdate\qbupdate.exe -> Intuit, Inc. [Ver = 15.0 R7 | Size = 806912 bytes | Modified Date = 2005-11-15 04:31:34 | Attr =	]
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.6.0 | Size = 311808 bytes | Modified Date = 2008-03-19 18:01:26 | Attr =	]

[Win32 Services - Non-Microsoft Only]
(aawservice) Ad-Aware 2007 Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft AB [Ver = 7, 0, 2, 5 | Size = 587096 bytes | Modified Date = 2007-10-29 13:27:04 | Attr =	]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 2007-05-30 06:31:10 | Attr =	]
(ccEvtMgr) Symantec Event Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccEvtMgr.exe -> Symantec Corporation [Ver = 2.2.0.577 | Size = 255096 bytes | Modified Date = 2004-02-29 15:44:48 | Attr =	]
(ccPwdSvc) Symantec Password Validation [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\ccPwdSvc.exe -> Symantec Corporation [Ver = 2.2.0.577 | Size = 87160 bytes | Modified Date = 2004-02-29 15:44:52 | Attr =	]
(ccSetMgr) Symantec Settings Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccSetMgr.exe -> Symantec Corporation [Ver = 2.2.0.577 | Size = 242808 bytes | Modified Date = 2004-02-29 15:44:54 | Attr =	]
(Creative Service for CDROM Access) Creative Service for CDROM Access [Win32_Own | Auto | Running] -> %SystemRoot%\system32\CTSVCCDA.EXE -> Creative Technology Ltd [Ver = 1.0.1.0 | Size = 44032 bytes | Modified Date = 1999-12-12 19:01:00 | Attr =	]
(DefWatch) Symantec AntiVirus Definition Watcher [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec AntiVirus\DefWatch.exe -> Symantec Corporation [Ver = 9.0.0.338 | Size = 29928 bytes | Modified Date = 2004-03-12 14:17:10 | Attr =	]
(Diskeeper) Diskeeper [Win32_Own | Auto | Running] -> %ProgramFiles%\Executive Software\Diskeeper\DkService.exe -> Executive Software International, Inc. [Ver = 8.0.459.0 | Size = 426105 bytes | Modified Date = 2003-08-22 01:27:42 | Attr =	]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 2004-08-03 23:56:50 | Attr =	]
(EPSONStatusAgent2) EPSON Printer Status Agent2 [Win32_Own | Auto | Running] -> %CommonProgramFiles%\EPSON\EBAPI\SAgent2.exe -> SEIKO EPSON CORPORATION [Ver = 2, 1, 0, 0 | Size = 90112 bytes | Modified Date = 2001-08-09 02:01:00 | Attr =	]
(NMSSvc) Intel(R) NMS [Win32_Own | Auto | Running] -> %SystemRoot%\system32\NMSSvc.Exe -> Intel Corporation [Ver = 2.2.9.0 | Size = 1118208 bytes | Modified Date = 2002-05-03 11:36:24 | Attr =	]
(NVSvc) NVIDIA Driver Helper Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.13.10.2942 | Size = 61440 bytes | Modified Date = 2002-05-03 09:06:00 | Attr =	]
(PictureTaker) PictureTaker [Win32_Own | On_Demand | Stopped] -> %SystemDrive%\fixit\pt\PCTKRNT.SYS -> File not found
(SavRoam) SavRoam [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec AntiVirus\SavRoam.exe -> symantec [Ver = 1.5.0.0 | Size = 169192 bytes | Modified Date = 2004-03-12 14:18:06 | Attr =	]
(SNDSrvc) Symantec Network Drivers Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\SNDSrvc.exe -> Symantec Corporation [Ver = 5.3.0.46 | Size = 193760 bytes | Modified Date = 2004-03-11 13:58:32 | Attr =	]
(Symantec AntiVirus) Symantec AntiVirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec AntiVirus\Rtvscan.exe -> Symantec Corporation [Ver = 9.0.0.338 | Size = 1221864 bytes | Modified Date = 2004-03-12 14:17:46 | Attr =	]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
!AVG Anti-Spyware -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 2007-06-11 03:25:42 | Attr =	]
CapFax -> %ProgramFiles%\PhoneTools\capFax.exe -> BVRP Software [Ver = 1.01 | Size = 20480 bytes | Modified Date = 2001-11-07 13:25:54 | Attr =	]
ccApp -> %CommonProgramFiles%\Symantec Shared\ccApp.exe -> Symantec Corporation [Ver = 2.2.0.577 | Size = 66680 bytes | Modified Date = 2004-02-29 15:44:46 | Attr =	]
CTSysVol -> %ProgramFiles%\Creative\SBAudigy\Surround Mixer\CTSysVol.exe -> Creative Technology Ltd [Ver = 1.4.8.0 | Size = 57344 bytes | Modified Date = 2005-10-31 10:51:52 | Attr =	]
GWMDMMSG -> %SystemRoot%\GWMDMMSG.exe -> GTW [Ver =  3.3.24 01/30/2002 15:24:37 | Size = 101611 bytes | Modified Date = 2002-03-06 09:08:36 | Attr =	]
Hot Key Kbd 9910 Daemon -> %SystemRoot%\system32\SK9910DM.EXE -> Silitek Corporation [Ver = 1, 0, 9, 0 | Size = 66048 bytes | Modified Date = 2001-01-03 13:50:56 | Attr =	]
Logitech Utility -> %SystemRoot%\LOGI_MWX.EXE -> Logitech Inc. [Ver = 9.79.016 | Size = 19968 bytes | Modified Date = 2003-11-07 03:50:00 | Attr =	]
mmtask -> %ProgramFiles%\MusicMatch\MusicMatch Jukebox\mmtask.exe -> TODO: <Company name> [Ver = 1.0.0.1 | Size = 53248 bytes | Modified Date = 2003-10-01 09:01:12 | Attr =	]
MMTray -> %ProgramFiles%\MusicMatch\MusicMatch Jukebox\mm_tray.exe -> MUSICMATCH, Inc. [Ver = 8.00.0126 | Size = 114688 bytes | Modified Date = 2003-10-01 09:01:12 | Attr =	]
NvMediaCenter -> %SystemRoot%\system32\nvmctray.dll -> NVIDIA Corporation [Ver = 6.14.10.7189 | Size = 86016 bytes | Modified Date = 2005-04-01 15:16:00 | Attr =	]
nwiz -> %SystemRoot%\system32\nwiz.exe -> NVIDIA Corporation [Ver = 6.13.10.2942 | Size = 364544 bytes | Modified Date = 2002-05-03 09:06:00 | Attr =	]
P17Helper -> %SystemRoot%\system32\P17.dll ->  [Ver = 1.0.1.41 | Size = 64512 bytes | Modified Date = 2005-05-03 05:38:42 | Attr = R  ]
UpdReg -> %SystemRoot%\Updreg.EXE -> Creative Technology Ltd. [Ver = 1.0.2 | Size = 90112 bytes | Modified Date = 2000-05-11 01:00:00 | Attr =	]
vptray -> %ProgramFiles%\Symantec AntiVirus\VPTray.exe -> Symantec Corporation [Ver = 9.0.0.338 | Size = 124128 bytes | Modified Date = 2004-03-12 14:18:32 | Attr =	]
YSearchProtection -> %ProgramFiles%\Yahoo!\Search Protection\SearchProtection.exe -> Yahoo! Inc. [Ver = 2007, 6, 8, 1 | Size = 224248 bytes | Modified Date = 2007-06-08 08:59:38 | Attr =	]
zBrowser Launcher -> %ProgramFiles%\Logitech\iTouch\iTouch.exe -> Logitech Inc. [Ver = 2.20.243 | Size = 892928 bytes | Modified Date = 2003-12-01 10:38:16 | Attr =	]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 
IMAIL-> Installed = 1 -> 
MAPI-> Installed = 1 -> 
MSFS-> Installed = 1 -> 
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
Creative MediaSource Go -> %ProgramFiles%\Creative\MediaSource5\Go\CTCMSGoU.exe -> Creative Technology Ltd [Ver = 5.0.3.0 | Size = 143360 bytes | Modified Date = 2005-12-12 09:36:36 | Attr =	]
EasyLinkAdvisor -> %ProgramFiles%\Linksys EasyLink Advisor\LinksysAgent.exe -> Linksys, a Division of Cisco Systems, Inc. [Ver = 2, 1, 3, 162 | Size = 392832 bytes | Modified Date = 2006-10-30 11:01:16 | Attr =	]
Microsoft Works Update Detection -> %ProgramFiles%\Microsoft Works\WkDetect.exe -> File not found
SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 4, 0, 0, 1154 | Size = 1481968 bytes | Modified Date = 2008-02-29 16:03:46 | Attr =	]
Yahoo! Pager -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe -> Yahoo! Inc. [Ver = 8,1,0,421 | Size = 4670704 bytes | Modified Date = 2007-08-30 17:43:18 | Attr =	]
YSearchProtection -> %ProgramFiles%\Yahoo!\Search Protection\SearchProtection.exe -> Yahoo! Inc. [Ver = 2007, 6, 8, 1 | Size = 224248 bytes | Modified Date = 2007-06-08 08:59:38 | Attr =	]
< administrator Startup Folder > -> C:\Documents and Settings\administrator\Start Menu\Programs\Startup -> 
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
%AllUsersProfile%\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk -> %ProgramFiles%\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe -> Logitech [Ver = 1.4.19 | Size = 169472 bytes | Modified Date = 2007-10-25 14:24:27 | Attr =	]
%AllUsersProfile%\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk -> %CommonProgramFiles%\Intuit\QuickBooks\QBUpdate\qbupdate.exe -> Intuit, Inc. [Ver = 15.0 R7 | Size = 806912 bytes | Modified Date = 2005-11-15 04:31:34 | Attr =	]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 2007-05-30 06:29:58 | Attr =	]
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 2006-12-20 12:55:48 | Attr =	]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 2007-04-19 12:41:36 | Attr =	]
NavLogon -> %SystemRoot%\system32\NavLogon.dll -> Symantec Corporation [Ver = 9.0.0.338 | Size = 83176 bytes | Modified Date = 2004-03-12 14:17:24 | Attr =	]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DisableTaskMgr -> 1 -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\CDRAutoRun -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\disableregistrytools -> 0 -> 
< HOSTS File > (3526 bytes) -> C:\WINNT\System32\drivers\etc\Hosts -> 
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_LOCAL_MACHINE\: Main\\Local Page -> C:\windows\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home -> 
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\Local Page -> C:\windows\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\Start Page -> http://www.yahoo.com/ -> 
HKEY_CURRENT_USER\: SearchURL\\ -> http://home.microsoft.com/access/autosearch.asp?p=%s[yaho] -> 
HKEY_CURRENT_USER\: URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2007, 9, 5, 1 | Size = 816400 bytes | Modified Date = 2007-09-05 15:48:58 | Attr =	]
HKEY_CURRENT_USER\: ProxyEnable -> 1 -> 
HKEY_CURRENT_USER\: ProxyOverride -> <local> -> 
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{02478D38-C3F9-4efb-9B51-7695ECA05670} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [&Yahoo! Toolbar Helper] -> Yahoo! Inc. [Ver = 2007, 9, 5, 1 | Size = 816400 bytes | Modified Date = 2007-09-05 15:48:58 | Attr =	]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [AcroIEHlprObj Class] ->  [Ver = 1, 0, 0, 1 | Size = 37808 bytes | Modified Date = 2001-03-02 11:02:04 | Attr =	]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! IE Services Button] -> Yahoo! Inc. [Ver = 2006, 10, 31, 3 | Size = 198136 bytes | Modified Date = 2006-10-31 14:33:52 | Attr =	]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2007, 9, 5, 1 | Size = 816400 bytes | Modified Date = 2007-09-05 15:48:58 | Attr =	]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2007, 9, 5, 1 | Size = 816400 bytes | Modified Date = 2007-09-05 15:48:58 | Attr =	]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}:{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! Services] -> Yahoo! Inc. [Ver = 2006, 10, 31, 3 | Size = 198136 bytes | Modified Date = 2006-10-31 14:33:52 | Attr =	]
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [] -> File not found
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! IE Services Button] -> Yahoo! Inc. [Ver = 2006, 10, 31, 3 | Size = 198136 bytes | Modified Date = 2006-10-31 14:33:52 | Attr =	]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
Extension\.spop -> %ProgramFiles%\Internet Explorer\PLUGINS\NPDocBox.dll [] -> InterTrust Technologies Corporation, Inc. [Ver = 1.0.30.95 | Size = 225280 bytes | Modified Date = 2001-01-30 12:56:24 | Attr =	]
< User Agent Post Platform [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform -> 
SV1 ->  -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{0251077E-7643-40F9-A9D0-6E8059DA39E7} ->	() -> 
{516995C7-DC69-45E4-B367-5BEC3646E9E8} ->	(1394 Net Adapter) -> 
{BA7BD43B-1CD4-4A61-9E6F-D89C98A5A7BA} ->	(1394 Net Adapter) -> 
{E66592AE-0714-4CE1-B0EA-2ABC30CC2406} ->	(Intel(R) PRO/100 Network Connection) -> 
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
ipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value  does not exist or could not be read.] -> File not found
msdaipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value  does not exist or could not be read.] -> File not found
vnd.ms.radio:{3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\msdxm.ocx[AsyncPProt Class] ->  [Ver =  | Size = 844314 bytes | Modified Date = 2004-08-03 21:51:04 | Attr =	]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}[HKEY_LOCAL_MACHINE] -> http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab[Reg Error: Key does not exist or could not be opened.] -> 
{6414512B-B978-451D-A0D8-FCFDF33E833C}[HKEY_LOCAL_MACHINE] -> http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205963362166[WUWebControl Class] -> 
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}[HKEY_LOCAL_MACHINE] -> http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205963542947[MUWebControl Class] -> 
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}[HKEY_LOCAL_MACHINE] -> http://acs.pandasoftware.com/activescan/as5free/asinst.cab[ActiveScan Installer Class] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] -> 
{D6376DD2-C2BD-49B2-A1B1-138F869633F3}[HKEY_LOCAL_MACHINE] -> http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab[ASPRO Installer Class] -> 
Microsoft XML Parser for Java[HKEY_LOCAL_MACHINE] -> file://C:\WINNT\Java\classes\xmldso.cab[Reg Error: Key does not exist or could not be opened.] -> 



[Files/Folders - Created Within 30 days]
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Created Date = 2008-03-18 08:32:31 | Attr =  HS]
Deckard -> %SystemDrive%\Deckard ->  [Folder | Created Date = 2008-03-20 14:06:21 | Attr =	]
AvgAsCln.sys -> %SystemRoot%\System32\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 2008-03-19 11:01:15 | Attr =	]
ActiveScan -> %SystemRoot%\System32\ActiveScan ->  [Folder | Created Date = 2008-03-19 13:44:12 | Attr =	]
ASPRO -> %SystemRoot%\System32\ASPRO ->  [Folder | Created Date = 2008-03-19 14:51:11 | Attr =	]
asprouni.exe -> %SystemRoot%\System32\asprouni.exe -> Panda Software [Ver = 1, 0, 0, 1 | Size = 69632 bytes | Created Date = 2008-03-19 14:51:53 | Attr =	]
asuninst.exe -> %SystemRoot%\System32\asuninst.exe -> Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Created Date = 2008-03-19 13:44:44 | Attr =	]
fdsv.exe -> %SystemRoot%\System32\fdsv.exe -> Smallfrogs Studio [Ver = 1.0.0.10 | Size = 73728 bytes | Created Date = 2008-03-20 10:20:31 | Attr =	]
grep.exe -> %SystemRoot%\System32\grep.exe ->  [Ver =  | Size = 80412 bytes | Created Date = 2008-03-20 10:20:31 | Attr =	]
GroupPolicy -> %SystemRoot%\System32\GroupPolicy ->  [Folder | Created Date = 2008-03-18 16:34:32 | Attr =  H ]
Help.ico -> %SystemRoot%\System32\Help.ico ->  [Ver =  | Size = 1406 bytes | Created Date = 2008-03-19 13:44:16 | Attr =	]
Helppro.ico -> %SystemRoot%\System32\Helppro.ico ->  [Ver =  | Size = 1406 bytes | Created Date = 2008-03-19 14:51:17 | Attr =	]
Kaspersky Lab -> %SystemRoot%\System32\Kaspersky Lab ->  [Folder | Created Date = 2008-03-20 12:34:19 | Attr =	]
pavas.ico -> %SystemRoot%\System32\pavas.ico ->  [Ver =  | Size = 30590 bytes | Created Date = 2008-03-19 13:44:15 | Attr =	]
pavaspro.ico -> %SystemRoot%\System32\pavaspro.ico ->  [Ver =  | Size = 30590 bytes | Created Date = 2008-03-19 14:51:14 | Attr =	]
PreInstall -> %SystemRoot%\System32\PreInstall ->  [Folder | Created Date = 2008-03-19 16:11:27 | Attr =	]
sed.exe -> %SystemRoot%\System32\sed.exe ->  [Ver =  | Size = 98816 bytes | Created Date = 2008-03-20 10:20:31 | Attr =	]
SoftwareDistribution -> %SystemRoot%\System32\SoftwareDistribution ->  [Folder | Created Date = 2008-03-19 15:52:50 | Attr =	]
swreg.exe -> %SystemRoot%\System32\swreg.exe -> SteelWerX [Ver = 3.0.0.0 | Size = 161792 bytes | Created Date = 2008-03-20 10:20:31 | Attr =	]
swsc.exe -> %SystemRoot%\System32\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Created Date = 2008-03-20 10:20:31 | Attr =	]
swxcacls.exe -> %SystemRoot%\System32\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 2008-03-20 10:20:30 | Attr =	]
Uninstall.ico -> %SystemRoot%\System32\Uninstall.ico ->  [Ver =  | Size = 2550 bytes | Created Date = 2008-03-19 13:44:16 | Attr =	]
Uninstallpro.ico -> %SystemRoot%\System32\Uninstallpro.ico ->  [Ver =  | Size = 2550 bytes | Created Date = 2008-03-19 14:51:17 | Attr =	]
VFind.exe -> %SystemRoot%\System32\VFind.exe ->  [Ver =  | Size = 49152 bytes | Created Date = 2008-03-20 10:20:31 | Attr =	]
ZPORT4AS.dll -> %SystemRoot%\System32\ZPORT4AS.dll ->  [Ver =  | Size = 11776 bytes | Created Date = 2008-03-19 13:44:44 | Attr =	]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Created Date = 2008-03-19 16:11:24 | Attr =  H ]
$MSI31Uninstall_KB893803v2$ -> %SystemRoot%\$MSI31Uninstall_KB893803v2$ ->  [Folder | Created Date = 2008-03-19 16:10:39 | Attr =  H ]
default.htm -> %SystemRoot%\default.htm ->  [Ver =  | Size = 1913 bytes | Created Date = 2008-03-18 08:08:26 | Attr =	]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Created Date = 2008-03-20 10:29:07 | Attr =	]
Nircmd.exe -> %SystemRoot%\Nircmd.exe -> NirSoft [Ver = 2.05 | Size = 28160 bytes | Created Date = 2008-03-20 10:20:31 | Attr =	]
pav.sig -> %SystemRoot%\pav.sig ->  [Ver =  | Size = 81019630 bytes | Created Date = 2008-03-19 15:00:21 | Attr =	]

[Files/Folders - Modified Within 30 days]
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Modified Date = 2008-03-18 08:49:37 | Attr =  HS]
Deckard -> %SystemDrive%\Deckard ->  [Folder | Modified Date = 2008-03-20 14:06:21 | Attr =	]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 2008-03-24 10:50:29 | Attr = R  ]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 2008-03-20 14:06:38 | Attr =  HS]
WINNT -> %SystemRoot% ->  [Folder | Modified Date = 2008-03-24 10:50:29 | Attr =	]
ActiveScan -> %SystemRoot%\System32\ActiveScan ->  [Folder | Modified Date = 2008-03-19 15:01:09 | Attr =	]
ASPRO -> %SystemRoot%\System32\ASPRO ->  [Folder | Modified Date = 2008-03-19 15:01:07 | Attr =	]
CatRoot2 -> %SystemRoot%\System32\CatRoot2 ->  [Folder | Modified Date = 2008-03-24 13:47:34 | Attr =	]
config -> %SystemRoot%\System32\config ->  [Folder | Modified Date = 2008-03-19 14:29:54 | Attr =	]
dllcache -> %SystemRoot%\System32\dllcache ->  [Folder | Modified Date = 2008-03-19 16:17:42 | Attr = RHS]
drivers -> %SystemRoot%\System32\drivers ->  [Folder | Modified Date = 2008-03-19 14:33:08 | Attr =	]
GroupPolicy -> %SystemRoot%\System32\GroupPolicy ->  [Folder | Modified Date = 2008-03-18 16:34:33 | Attr =  H ]
Help.ico -> %SystemRoot%\System32\Help.ico ->  [Ver =  | Size = 1406 bytes | Modified Date = 2008-03-19 15:44:40 | Attr =	]
Helppro.ico -> %SystemRoot%\System32\Helppro.ico ->  [Ver =  | Size = 1406 bytes | Modified Date = 2008-03-19 15:27:18 | Attr =	]
Kaspersky Lab -> %SystemRoot%\System32\Kaspersky Lab ->  [Folder | Modified Date = 2008-03-20 12:34:19 | Attr =	]
pavas.ico -> %SystemRoot%\System32\pavas.ico ->  [Ver =  | Size = 30590 bytes | Modified Date = 2008-03-19 15:44:40 | Attr =	]
pavaspro.ico -> %SystemRoot%\System32\pavaspro.ico ->  [Ver =  | Size = 30590 bytes | Modified Date = 2008-03-19 15:27:17 | Attr =	]
PreInstall -> %SystemRoot%\System32\PreInstall ->  [Folder | Modified Date = 2008-03-19 16:11:27 | Attr =	]
Restore -> %SystemRoot%\System32\Restore ->  [Folder | Modified Date = 2008-03-20 14:06:38 | Attr =	]
SoftwareDistribution -> %SystemRoot%\System32\SoftwareDistribution ->  [Folder | Modified Date = 2008-03-19 15:52:50 | Attr =	]
Uninstall.ico -> %SystemRoot%\System32\Uninstall.ico ->  [Ver =  | Size = 2550 bytes | Modified Date = 2008-03-19 15:44:41 | Attr =	]
Uninstallpro.ico -> %SystemRoot%\System32\Uninstallpro.ico ->  [Ver =  | Size = 2550 bytes | Modified Date = 2008-03-19 15:27:18 | Attr =	]
wbem -> %SystemRoot%\System32\wbem ->  [Folder | Modified Date = 2008-03-19 14:35:43 | Attr =	]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl ->  [Ver =  | Size = 1158 bytes | Modified Date = 2008-03-24 08:21:11 | Attr =	]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 2008-03-19 16:11:24 | Attr =  H ]
$MSI31Uninstall_KB893803v2$ -> %SystemRoot%\$MSI31Uninstall_KB893803v2$ ->  [Folder | Modified Date = 2008-03-19 16:10:39 | Attr =  H ]
AppPatch -> %SystemRoot%\AppPatch ->  [Folder | Modified Date = 2008-03-19 15:01:23 | Attr =	]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 2008-03-24 11:28:48 | Attr =   S]
default.htm -> %SystemRoot%\default.htm ->  [Ver =  | Size = 1913 bytes | Modified Date = 2008-03-18 08:46:11 | Attr =	]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 2008-03-20 14:08:23 | Attr =   S]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Modified Date = 2008-03-20 14:06:43 | Attr =	]
Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 2008-03-19 15:52:56 | Attr =	]
imsins.BAK -> %SystemRoot%\imsins.BAK ->  [Ver =  | Size = 1374 bytes | Modified Date = 2008-03-19 16:11:18 | Attr =	]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 2008-03-20 12:34:19 | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 2008-03-18 08:33:18 | Attr =  HS]
iTouch.ini -> %SystemRoot%\iTouch.ini ->  [Ver =  | Size = 51 bytes | Modified Date = 2008-03-24 11:29:40 | Attr =	]
java -> %SystemRoot%\java ->  [Folder | Modified Date = 2008-03-04 14:09:10 | Attr =	]
MEMORY.DMP -> %SystemRoot%\MEMORY.DMP ->  [Ver =  | Size = 536231936 bytes | Modified Date = 2008-03-20 11:21:45 | Attr =	]
Minidump -> %SystemRoot%\Minidump ->  [Folder | Modified Date = 2008-03-20 11:22:20 | Attr =	]
pav.sig -> %SystemRoot%\pav.sig ->  [Ver =  | Size = 81019630 bytes | Modified Date = 2008-03-19 15:00:25 | Attr =	]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 2008-03-24 13:48:09 | Attr =	]
Registration -> %SystemRoot%\Registration ->  [Folder | Modified Date = 2008-03-19 14:29:14 | Attr =	]
security -> %SystemRoot%\security ->  [Folder | Modified Date = 2008-03-24 11:27:33 | Attr =	]
SoftwareDistribution -> %SystemRoot%\SoftwareDistribution ->  [Folder | Modified Date = 2008-03-19 15:53:27 | Attr =	]
system32 -> %SystemRoot%\system32 ->  [Folder | Modified Date = 2008-03-24 11:26:28 | Attr =	]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 2008-03-24 11:29:44 | Attr =	]
win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 1019 bytes | Modified Date = 2008-03-19 15:00:33 | Attr =	]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 2008-03-24 11:28:53 | Attr =  H ]
Symantec NetDetect.job -> %SystemRoot%\tasks\Symantec NetDetect.job ->  [Ver =  | Size = 412 bytes | Modified Date = 2008-03-24 11:29:57 | Attr =	]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver =  | Size = 6858 bytes | Modified Date = 2008-03-24 11:30:31 | Attr =	]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver =  | Size = 6858 bytes | Modified Date = 2008-03-24 11:30:31 | Attr =	]
data.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data\data.dat ->  [Ver =  | Size = 1798 bytes | Modified Date = 2003-05-14 09:09:15 | Attr =	]
opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data\opa11.dat ->  [Ver =  | Size = 8206 bytes | Modified Date = 2007-10-24 11:58:54 | Attr =	]
CalMRU.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works\CalMRU.dat ->  [Ver =  | Size = 1804 bytes | Modified Date = 2004-03-25 11:56:16 | Attr =	]
wkcalcat.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works\wkcalcat.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2002-12-18 21:06:14 | Attr =	]
wklntnts.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works\wklntnts.dat ->  [Ver =  | Size = 1106008 bytes | Modified Date = 2008-03-14 15:21:14 | Attr =	]
wklntsk.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works\wklntsk.dat ->  [Ver =  | Size = 1106008 bytes | Modified Date = 2008-03-14 15:21:14 | Attr =	]
applnch.exe -> C:\Documents and Settings\administrator\Local Settings\Temp\applnch.exe -> Microsoft Corporation [Ver = 5.2.2893.0 (bobcatsr1(bobld).050429-1656) | Size = 378176 bytes | Modified Date = 2005-04-29 16:57:20 | Attr =	]
SSUPDATE.EXE -> C:\Documents and Settings\administrator\Local Settings\Temp\SSUPDATE.EXE -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1030 | Size = 146672 bytes | Modified Date = 2008-02-29 16:03:44 | Attr =	]
5 C:\Documents and Settings\administrator\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\administrator\Local Settings\Temp\*.tmp -> 
ExchangePerflog_8484fa31467b96074910dfdb.dat -> C:\Documents and Settings\administrator\Local Settings\Temp\ExchangePerflog_8484fa31467b96074910dfdb.dat ->  [Ver =  | Size = 1396 bytes | Modified Date = 2008-03-24 11:30:02 | Attr =	]
Perflib_Perfdata_d8c.dat -> C:\Documents and Settings\administrator\Local Settings\Temp\Perflib_Perfdata_d8c.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2008-03-24 11:30:53 | Attr =	]
5 C:\Documents and Settings\administrator\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\administrator\Local Settings\Temp\*.tmp -> 

< End of report >

  • 0

#14
RatHat
Posted 24 March 2008 - 03:05 PM

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Start OTScanIt.exe Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Non-Microsoft Only]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DisableTaskMgr -> 1
[Files/Folders - Modified Within 30 days]
NY -> 5 C:\Documents and Settings\administrator\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\administrator\Local Settings\Temp\*.tmp
NY -> 5 C:\Documents and Settings\administrator\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\administrator\Local Settings\Temp\*.tmp

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTScanIt scan.

Let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now please delete any versions of Combofix from your computer, then download a new version from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Regards,
RatHat
  • 0

#15
GoodDoctor
Posted 24 March 2008 - 03:23 PM

GoodDoctor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Hello,

The last time I tried combofix, was when it shut off and went to the screen where is said it was dumping memory and I unplugged the computer. Was this because I did something wrong or because of the virus?

When I disable my malware/antivirus programs, do I just disable active scanning or do I completely disable the programs and how do I do this. Sorry for the lack of knowledge.

thanks
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP