Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mule_st_key (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\Welcome\Application Data\m (Trojan.Agent) -> Delete on reboot.
Files Infected:
C:\Documents and Settings\Welcome\Application Data\m\list.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Delete on reboot.
C:\Documents and Settings\Welcome\Application Data\m\flec006.exe (Trojan.Agent) -> Delete on reboot.
but nothing happened after reboot,
and eScan says
the system is infected with the Bagle virus and says that the following files are infected:
1. mkdlec.exe
2. soras.sys
3. flec006.exe
Every time I run it, I am unable to run any updates, download from Rapidshare, or run any downloaded programs; when the downloaded programs run, it says it is not a Win32 application. Please help me out.
This is the log file I got from Deckard's System Scanner on 2008-08-09 00:19:53.
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
13: 2008-08-08 18:49:56 UTC - RP231 - Deckard's System Scanner Restore Point
12: 2008-08-08 18:37:40 UTC - RP230 - Printer Driver Nitro PDF Driver 5 Installed
11: 2008-08-08 18:37:17 UTC - RP229 - Printer Driver Nitro PDF Driver 5 Installed
10: 2008-08-08 18:36:55 UTC - RP228 - Printer Driver Nitro PDF Driver 5 Installed
9: 2008-08-06 15:41:44 UTC - RP227 - System Checkpoint
-- First Restore Point --
1: 2008-08-03 09:10:41 UTC - RP219 - Printer Driver Nitro PDF Driver 5 Installed
Backed up registry hives.
Performed disk cleanup.
System Drive C: has 0.81 GiB (less than 15%) free.
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-09 00:24:00
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\eScan\Vista\avpmapp.exe
C:\Program Files\eScan\TRAYSSER.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
C:\Program Files\eScan\CONSCTL.EXE
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\DAP\DAP.exe
C:\Program Files\eScan\TRAYICOS.EXE
C:\Program Files\Common Files\MicroWorld\Agent\MWAGENT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Tally\tallylicserver.exe
C:\Tally\tally72.exe
C:\Documents and Settings\Welcome\Application Data\m\flec006.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\eScan\Vista\escanmon.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Welcome\My Documents\My Completed Downloads\dss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {61D176B3-4AE0-4521-9107-741BF4E34403} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\eScan\TRAYICOS.EXE /App
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\PROGRA~1\eScan\LAUNCH.EXE" /startup
O4 - HKLM\..\Run: [mwavscan_autoscan] "C:\PROGRA~1\eScan\mwavscan.com" /s /AUTORUNBOOT
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - (no file)
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://download.micr.../OGAControl.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.micr...heckControl.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://download.micr...helpcontrol.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://www.zapak.com...nx.1.0.0.60.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} () - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1211991369343
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} (CPlayFirstSandScriptControl Object) - http://www.zapak.com...pt.1.0.0.21.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{474274AF-BF53-407F-941A-A876A80E07FD}: NameServer = 61.1.96.69,61.1.96.71
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{FF87A27A-7802-49B4-A223-9638F62C7727}: NameServer = 61.1.96.69,61.1.96.71
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: eScan Monitor Service - MicroWorld Technologies Inc. - C:\Program Files\eScan\Vista\avpmapp.exe
O23 - Service: eScan Server-Updater (eScan-trayicos) - MicroWorld Technologies Inc. - C:\Program Files\eScan\TRAYSSER.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Tally License Server (NT) (Tally License Server) - Unknown owner - C:\Tally\tallylicserver.exe
O24 - Desktop Component 0: - http://l.yimg.com/us...ailcommonlib.js
--
End of file - 12065 bytes
-- File Associations -----------------------------------------------------------
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\notepad.exe" "%1"
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 srosa (Megadrv3) - c:\windows\system32\drivers\srosa.sys
R2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys <Not Verified; Macrovision Europe Ltd; Security Windows NT>
R3 ProcObsrves (Process Creation Monitor) - c:\program files\escan\procobsrves.sys <Not Verified; MicroWorld Technologies Inc.; eScan/eConceal>
S3 slnt (Silan SC92031 PCI Fast Ethernet Adapter) - c:\windows\system32\drivers\slnt.sys <Not Verified; Silan Micro-Electronics Inc.; Silan Micro-Electronics Inc.>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe <Not Verified; Macrovision; SafeCast Windows NT>
R2 eScan Monitor Service - c:\progra~1\escan\vista\avpmapp.exe <Not Verified; MicroWorld Technologies Inc.; eScan For Windows>
R2 eScan-trayicos (eScan Server-Updater) - c:\progra~1\escan\traysser.exe <Not Verified; MicroWorld Technologies Inc.; eScan for Windows>
R2 MWAgent - c:\program files\common files\microworld\agent\mwaser.exe <Not Verified; MicroWorld Technologies Inc.; eScan for Windows>
R2 Tally License Server (Tally License Server (NT)) - c:\tally\tallylicserver.exe -s
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: System Interrupt Controller
Device ID: PCI\VEN_1106&DEV_5364&SUBSYS_00000000&REV_00\3&2411E6FE&0&05
Manufacturer:
Name: System Interrupt Controller
PNP Device ID: PCI\VEN_1106&DEV_5364&SUBSYS_00000000&REV_00\3&2411E6FE&0&05
Service:
-- Scheduled Tasks -------------------------------------------------------------
2008-08-03 20:00:02 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-06-18 00:12:58 346 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1204915249.job
-- Files created between 2008-07-09 and 2008-08-09 -----------------------------
2008-08-08 23:36:41 0 d-------- C:\Program Files\Trend Micro
2008-08-08 22:50:56 0 d-------- C:\327882R2FWJFW
2008-08-08 22:49:31 0 d-------- C:\Combo-Fix
2008-08-08 22:45:56 68349 --a------ C:\WINDOWS\system32\mdelk.exe
2008-08-08 22:37:47 21312 --a------ C:\WINDOWS\choice.exe
2008-08-08 22:37:26 0 d-------- C:\ie-spyad
2008-08-08 22:24:15 0 dr-h----- C:\Documents and Settings\Welcome\Recent
2008-08-07 23:34:14 0 d-------- C:\Documents and Settings\Welcome\Application Data\Malwarebytes
2008-08-07 23:34:10 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-07 23:34:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-03 21:33:45 0 d-------- C:\Program Files\CDisplay
2008-08-03 14:45:16 0 d-------- C:\WINDOWS\LastGood.Tmp
2008-08-03 14:26:02 0 d-------- C:\PUB
2008-08-03 14:24:50 136730 --a------ C:\WINDOWS\winsbak2.reg
2008-08-03 14:24:50 14936 --a------ C:\WINDOWS\winsbak.reg
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\remoteservice\Templates
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\remoteservice\Start Menu
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\remoteservice\Favorites
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\remoteservice\Documents
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\remoteservice\Desktop
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\remoteservice\Application Data
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\LocalService\Templates
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\LocalService\Favorites
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\LocalService\Documents
2008-08-03 14:24:49 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-08-03 14:24:48 0 d-------- C:\Documents and Settings\NetworkService\Desktop
2008-08-03 14:24:47 0 d-------- C:\Program Files\Common Files\MicroWorld
2008-08-03 14:24:20 49152 --a------ C:\WINDOWS\killproc.exe <Not Verified; MicroWorld Technologies Inc.; eScan/MailScan/ X-Spam/eConceal>
2008-08-03 14:24:14 509952 --a------ C:\WINDOWS\system32\eInstall.exe <Not Verified; MicroWorld Technologies Inc.; eScan for Windows>
2008-08-03 14:24:13 155648 --a------ C:\WINDOWS\system32\mwnsp.dll <Not Verified; MicroWorld Technologies Inc.; MicroWorld Internet Traffic Scanner>
2008-08-03 14:24:13 1540096 --a------ C:\WINDOWS\system32\contfilt.dll <Not Verified; MicroWorld Technologies Inc.; eScan/WebScan for Windows>
2008-08-03 14:24:12 130560 --a------ C:\WINDOWS\system32\ZIPDLL.DLL <Not Verified; ; BCB/Delphi Zip>
2008-08-03 14:24:12 125440 --a------ C:\WINDOWS\system32\UNZDLL.DLL <Not Verified; ; BCB/Delphi UnZip>
2008-08-03 14:24:12 8464 --a------ C:\WINDOWS\system32\sporder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-08-03 14:24:12 425984 --a------ C:\WINDOWS\system32\mwtsp.dll <Not Verified; MicroWorld Technologies Inc.; MicroWorld Internet Traffic Scanner>
2008-08-03 14:24:12 32768 --a------ C:\WINDOWS\system32\esmxlog.dll
2008-08-03 14:24:12 8192 --a------ C:\WINDOWS\sporder.exe <Not Verified; Microsoft Corporation; Microsoft® Windows NT® Operating System>
2008-08-03 14:24:12 8464 --a------ C:\WINDOWS\sporder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-08-03 14:24:12 97280 --a------ C:\WINDOWS\inst_tspx.exe <Not Verified; MicroWorld Technologies Inc.; eScan/MailScan/eConceal/X-Spam>
2008-08-03 14:24:12 57344 --a------ C:\WINDOWS\inst_tsp.exe <Not Verified; MicroWorld Technologies Inc.; eScan/MailScan/eConceal/X-Spam>
2008-08-03 14:24:10 0 d-------- C:\WINDOWS\system32\FLCSS.EXE
2008-08-03 14:24:10 0 d-------- C:\WINDOWS\system32\ES_SETUP
2008-08-03 14:24:10 0 d-------- C:\Program Files\eScan
2008-08-03 14:24:10 0 d-------- C:\AVPDOS
2008-07-26 00:10:24 0 d-------- C:\Program Files\mIRC
2008-07-18 23:15:52 0 d-------- C:\Documents and Settings\Welcome\.housecall6.6
2008-07-16 00:39:27 0 d-------- C:\Documents and Settings\Welcome\Application Data\Nitro PDF
2008-07-16 00:37:45 0 d-------- C:\Program Files\Nitro PDF
2008-07-16 00:37:45 0 d-------- C:\Program Files\Common Files\Nitro PDF
2008-07-16 00:37:45 0 d-------- C:\Program Files\Common Files\BCL Technologies
2008-07-16 00:37:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Nitro PDF
2008-07-15 22:56:44 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-15 22:56:20 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>
2008-07-15 22:56:17 0 d-------- C:\Program Files\DAP
2008-07-15 21:46:11 0 d-------- C:\pdfedit2
2008-07-15 21:41:14 0 d-------- C:\pdfedit
2008-07-12 23:39:16 30720 --a------ C:\WINDOWS\system32\rrr.EXE <Not Verified; Microsoft Corporation; Microsoft® Win32 SDK>
2008-07-12 22:28:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-12 22:22:52 0 d-------- C:\temp
2008-07-12 21:31:58 0 d-------- C:\WINDOWS\system32\Adobe
2008-07-11 21:55:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-11 21:55:55 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
-- Find3M Report ---------------------------------------------------------------
2008-07-26 00:19:16 90876 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-07-05 23:07:24 0 d-------- C:\Program Files\Common Files\Ahead
2008-06-23 23:54:38 0 d-------- C:\Program Files\TheLearningPit
2008-06-19 23:37:22 0 d-------- C:\Program Files\Ahead
2008-06-19 22:40:52 1220 --a------ C:\WINDOWS\system32\yybdgMoq.ini2
2008-05-22 21:26:04 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-12 15:23:04 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61D176B3-4AE0-4521-9107-741BF4E34403}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [09/21/2006 04:36 PM C:\WINDOWS\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [02/06/2007 07:30 AM C:\WINDOWS\system32\S3Trayp.exe]
"HDAudDeck"="C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe" [05/11/2007 03:47 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 08:24 PM]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/02/2007 02:52 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/31/2008 11:13 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/24/2008 10:00 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/01/2007 03:57 PM]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [05/15/2007 03:55 PM]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [05/15/2007 03:55 PM]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [07/15/2008 10:56 PM]
"Nitro PDF Printer Monitor"="C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [07/10/2008 01:59 PM]
"eScan Updater"="C:\PROGRA~1\eScan\TRAYICOS.exe" [07/11/2008 04:35 PM]
"MailScan Dispatcher"="C:\PROGRA~1\eScan\LAUNCH.exe" [07/16/2008 04:10 PM]
"mwavscan_autoscan"="C:\PROGRA~1\eScan\mwavscan.com /s /AUTORUNBOOT" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:54 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 12:00 PM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [5/13/2008 11:54:58 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau C:\WINDOWS\system32\qoMgdbyy
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4ade6824-b6e7-11dc-8001-00e0206049c4}]
AutoRun\command- I:\
explore\Command- I:\RECYCLER\autorun.exe -ExploreCurDir
open\Command- I:\RECYCLER\autorun.exe -OpenCurDir
-- End of Deckard's System Scanner: finished at 2008-08-09 00:24:49 ------------