[popeil]

Programs run so far

ATF Cleaner
Malwarebytes' Anti-Malware
Hijack This

I'm getting what looks to be a fake "Dial Up Connection" dialogue box pop up. When this happens, a random .exe file shows up in task manager (ex. 7X1wxj7y.exe or v2BbfjPb.exe). When I kill this process it goes away for a while but comes back. If I leave the machine unattended for while it becomes unresponsive and I must use a hard reboot.

Also have mirar toolbar on Internet Explorer which I can't seem to get rid of.

Malwarebyotes log
Malwarebytes' Anti-Malware 1.24
Database version: 1057
Windows 5.1.2600 Service Pack 2

11:07:43 AM 8/16/2008
mbam-log-8-16-2008 (11-07-43).txt

Scan type: Quick Scan
Objects scanned: 62719
Time elapsed: 30 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 23
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ofpihdsr.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qoMfFWNE.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hvffbjfn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xxyabXQi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yxqhnp.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8a396018-6ffc-4069-affc-20cb3f97764e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{8a396018-6ffc-4069-affc-20cb3f97764e} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e772d811-3364-42a4-8638-4ef2030f30bd} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e772d811-3364-42a4-8638-4ef2030f30bd} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4c5ab1ec-0add-4825-aa2d-d046a4b35fac} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4c5ab1ec-0add-4825-aa2d-d046a4b35fac} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyabxqi (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6d54a7c0-c379-11d3-b377-0800460222f0} (Adware.Iwon) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RX ToolBar (Adware.RXToolbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1871ccc1 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm1b42ff5d (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{4c5ab1ec-0add-4825-aa2d-d046a4b35fac} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{ca0b9b71-c2af-11d3-b376-0800460222f0} (Adware.Iwon) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomffwne -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomffwne -> Delete on reboot.

Folders Infected:
C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\MyWay (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Program Files\MyWay\myBar (Adware.MyWay) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\qoMfFWNE.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ENWFfMoq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ENWFfMoq.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yxqhnp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ofpihdsr.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rsdhipfo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hvffbjfn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xxyabXQi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\n6oWXJbY.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\idcpmynt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ehdytpsh.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMffCTM.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\BSOLC5L7\cntr[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\BSOLC5L7\kb671231[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\I5M1LZYI\kb65666[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\I5M1LZYI\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\71KDYQM4\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\v2B6fjPb.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7X1wxj7y.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM1b42ff5d.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM1b42ff5d.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Hijack This log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:17 PM, on 8/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
D:\CleanUp\Ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\DIGStream\digstream.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Justin\Mozilla\firefox.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vwvortex.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: Mirar - {FDAF11B6-C509-4FAD-9027-01C3D1081BB2} - C:\WINDOWS\system32\winef75.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [CoolWallpaperSoftware] C:\Program Files\CoolWallpaper\cwm_tray.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BM1b42ff5d] Rundll32.exe "C:\WINDOWS\system32\hvffbjfn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1182021769125
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - D:\CleanUp\Ewido\security suite\ewidoctrl.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

--
End of file - 6374 bytes

Edited by Mike, 22 August 2008 - 12:08 PM.
Removed codeboxs for clarity

[Advertisements]

Hi there,

Sorry for the big delay,

Please re-name Hijack This to ABC.exe run it and post me it's log.

Also,

Please download OTViewIt by OldTimer.
Double click on OTViewIt.exe and select Scan in the upper right corner.
In a few minutes a notepad file will appear, please post the contents of that here in your next post.

Please do not post them in codeboxs, just normally

Edited by Mike, 22 August 2008 - 10:48 AM.

[Mike]

Hi there,

Sorry for the big delay,

Please re-name Hijack This to ABC.exe run it and post me it's log.

Also,

Please download OTViewIt by OldTimer.
Double click on OTViewIt.exe and select Scan in the upper right corner.
In a few minutes a notepad file will appear, please post the contents of that here in your next post.

Please do not post them in codeboxs, just normally

Edited by Mike, 22 August 2008 - 10:48 AM.

[popeil]

Hijack This Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:36 PM, on 8/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
D:\CleanUp\Ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\DIGStream\digstream.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
D:\Justin\Mozilla\firefox.exe
D:\Program Files\Hijack This\ABC.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vwvortex.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [CoolWallpaperSoftware] C:\Program Files\CoolWallpaper\cwm_tray.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1182021769125
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - D:\CleanUp\Ewido\security suite\ewidoctrl.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

--
End of file - 6307 bytes



OTViewIt Results

OTViewIt logfile created on: 8/22/2008 1:56:26 PM
OTViewIt by OldTimer - Version 1.0.0.5 Folder = D:\Justin\Mozilla\Download
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

254.53 Mb Total Physical Memory | 48.93 Mb Available Physical Memory | 19.22% Memory free
625.93 Mb Paging File | 424.08 Mb Available in Paging File | 67.75% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 15.60 Gb Total Space | 3.37 Gb Free Space | 21.59% Space Free | Partition Type: FAT32
Drive D: | 40.29 Gb Total Space | 26.27 Gb Free Space | 65.21% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 232.88 Gb Total Space | 209.34 Gb Free Space | 89.89% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VAIO
Current User Name: Justin
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

===== Processes - Non-Microsoft Only =====

[03/08/2002 03:33 AM | 0,030,0544 | ---- | M] (Lexmark International, Inc.) - C:\WINDOWS\system32\LEXBCES.EXE
[03/08/2002 03:30 AM | 0,016,9984 | ---- | M] (Lexmark International, Inc.) - C:\WINDOWS\system32\LEXPPS.EXE
[09/06/2007 01:28 PM | 0,011,0592 | ---- | M] (Apple, Inc.) - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[02/09/2003 09:07 PM | 0,005,2736 | ---- | M] (Macrovision) - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
[11/11/2004 07:53 PM | 0,001,6448 | ---- | M] (ewido networks) - D:\CleanUp\Ewido\security suite\ewidoctrl.exe
[02/04/2003 08:22 AM | 0,018,1312 | ---- | M] () - C:\WINDOWS\System32\ScsiAccess.EXE
[09/06/2001 08:18 PM | 0,012,1856 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
[09/06/2001 08:25 PM | 0,029,4982 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
[09/06/2001 08:20 PM | 0,023,5520 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
[05/18/2005 02:49 PM | 0,028,2624 | ---- | M] (Walt Disney Internet Group) - C:\Program Files\DIGStream\digstream.exe
[03/30/2008 10:36 AM | 0,026,7048 | ---- | M] (Apple Inc.) - D:\Program Files\iTunes\iTunesHelper.exe
[06/10/2008 04:27 AM | 0,014,4784 | ---- | M] (Sun Microsystems, Inc.) - C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
[03/30/2008 10:36 AM | 0,050,4104 | ---- | M] (Apple Inc.) - C:\Program Files\iPod\bin\iPodService.exe
[07/18/2008 08:43 PM | 0,030,7712 | ---- | M] (Mozilla Corporation) - D:\Justin\Mozilla\firefox.exe
[08/22/2008 01:52 PM | 0,139,7248 | ---- | M] (OldTimer Tools) - D:\Justin\Mozilla\Download\OTViewIt.exe

===== Win32 Services - Non-Microsoft Only =====

(Apple Mobile Device) Apple Mobile Device [Auto | Running]
[09/06/2007 01:28 PM | 0,011,0592 | ---- | M] (Apple, Inc.) - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

(C-DillaCdaC11BA) C-DillaCdaC11BA [Auto | Running]
[02/09/2003 09:07 PM | 0,005,2736 | ---- | M] (Macrovision) - C:\WINDOWS\System32\drivers\CDAC11BA.EXE

(dmadmin) Logical Disk Manager Administrative Service [On_Demand | Stopped]
[04/13/2008 08:12 PM | 0,022,4768 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\System32\dmadmin.exe

(ewido security suite control) ewido security suite control [Auto | Running]
[11/11/2004 07:53 PM | 0,001,6448 | ---- | M] (ewido networks) - D:\CleanUp\Ewido\security suite\ewidoctrl.exe

(Intuit Fuse Service) Intuit Fuse Service [On_Demand | Stopped]
[02/19/2005 07:06 PM | 0,006,9632 | ---- | M] (Intuit) - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe

(iPod Service) iPod Service [On_Demand | Running]
[03/30/2008 10:36 AM | 0,050,4104 | ---- | M] (Apple Inc.) - C:\Program Files\iPod\bin\iPodService.exe

(LexBceS) LexBce Server [Auto | Running]
[03/08/2002 03:33 AM | 0,030,0544 | ---- | M] (Lexmark International, Inc.) - C:\WINDOWS\system32\LEXBCES.EXE

(ScsiAccess) ScsiAccess [Auto | Running]
[02/04/2003 08:22 AM | 0,018,1312 | ---- | M] () - C:\WINDOWS\System32\ScsiAccess.EXE

(SPTISRV) Sony SPTI Service [On_Demand | Stopped]
[07/31/2001 08:39 PM | 0,006,5536 | ---- | M] (Sony Corporation) - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

(Tmntsrv) Trend NT Realtime Service [Auto | Running]
[09/06/2001 08:18 PM | 0,012,1856 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

===== Driver Services - Non-Microsoft Only =====

(ASPI32) ASPI32 [System | Running]
[09/10/1999 12:06 PM | 0,002,5244 | ---- | M] (Adaptec) - C:\WINDOWS\System32\drivers\ASPI32.SYS

(BCM42XX) Broadcom iLine10™ Network Adapter Driver [On_Demand | Stopped]
[08/17/2001 12:11 PM | 0,005,4271 | ---- | M] (Broadcom Corporation) - C:\WINDOWS\System32\DRIVERS\bcm42xx5.sys

(BCMModem) BCM V.90 56K Modem [On_Demand | Stopped]
[08/17/2001 01:28 PM | 0,087,1388 | ---- | M] (BCM) - C:\WINDOWS\System32\DRIVERS\BCMDM.sys

(CdaC15BA) CdaC15BA [Auto | Running]
[02/09/2003 09:07 PM | 0,001,1376 | ---- | M] () - C:\WINDOWS\System32\drivers\CdaC15BA.SYS

(dmboot) dmboot [Disabled | Stopped]
[04/13/2008 02:44 PM | 0,079,9744 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\System32\drivers\dmboot.sys

(DMICall) Sony DMI Call service [System | Running]
[12/05/2000 04:18 PM | 0,000,3952 | R--- | M] (Sony Corporation) - C:\WINDOWS\System32\DRIVERS\DMICall.sys

(dmio) dmio [Disabled | Stopped]
[04/13/2008 02:44 PM | 0,015,3344 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\System32\drivers\dmio.sys

(dmload) dmload [Disabled | Stopped]
[08/18/2001 05:00 AM | 0,000,5888 | ---- | M] (Microsoft Corp., Veritas Software.) - C:\WINDOWS\System32\drivers\dmload.sys

(GEARAspiWDM) GEARAspiWDM [On_Demand | Running]
[01/29/2008 12:01 PM | 0,001,6168 | ---- | M] (GEAR Software Inc.) - C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys

(genmcmn) Scroll Mouse Driver [On_Demand | Running]
[05/10/2005 06:28 PM | 0,001,0235 | ---- | M] ( ) - C:\WINDOWS\system32\DRIVERS\gmfiltr.sys

(genmcmnUSB) USB Scroll Mouse Driver [On_Demand | Stopped]
[03/04/2005 11:40 AM | 0,000,6991 | ---- | M] () - C:\WINDOWS\system32\DRIVERS\gflmouhid.sys

(i81x) i81x [On_Demand | Running]
[08/08/2001 06:13 AM | 0,015,8140 | R--- | M] (Intel® Corporation) - C:\WINDOWS\System32\DRIVERS\i81xnt5.sys

(iAimFP0) iAimFP0 [On_Demand | Stopped]
[08/08/2001 06:13 AM | 0,001,2479 | R--- | M] (Intel® Corporation) - C:\WINDOWS\System32\DRIVERS\wADV01nt.sys

(iAimFP1) iAimFP1 [On_Demand | Stopped]
[08/08/2001 06:13 AM | 0,001,2031 | R--- | M] (Intel® Corporation) - C:\WINDOWS\System32\DRIVERS\wADV02NT.sys

(iAimFP2) iAimFP2 [On_Demand | Stopped]
[08/08/2001 06:13 AM | 0,001,1679 | R--- | M] (Intel® Corporation) - C:\WINDOWS\System32\DRIVERS\wADV05NT.sys

(iAimFP3) iAimFP3 [On_Demand | Stopped]
[08/08/2001 06:13 AM | 0,001,1999 | R--- | M] (Intel® Corporation) - C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys

(iAimFP4) iAimFP4 [On_Demand | Stopped]
[08/08/2001 06:13 AM | 0,001,9359 | R--- | M] (Intel® Corporation) - C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys

(iAimTV0) iAimTV0 [On_Demand | Stopped]
[08/08/2001 06:13 AM | 0,002,9215 | R--- | M] (Intel® Corporation) - C:\WINDOWS\System32\DRIVERS\wATV01nt.sys

(iAimTV1) iAimTV1 [On_Demand | Stopped]
[08/08/2001 06:13 AM | 0,001,9199 | R--- | M] (Intel® Corporation) - C:\WINDOWS\System32\DRIVERS\wATV02NT.sys

(iAimTV2) iAimTV2 [On_Demand | Stopped]
File not found - C:\WINDOWS\System32\DRIVERS\wATV03nt.sys

(iAimTV3) iAimTV3 [On_Demand | Stopped]
[08/08/2001 06:13 AM | 0,003,3503 | R--- | M] (Intel® Corporation) - C:\WINDOWS\System32\DRIVERS\wATV04nt.sys

(iAimTV4) iAimTV4 [On_Demand | Running]
[08/08/2001 06:13 AM | 0,002,3519 | R--- | M] (Intel® Corporation) - C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys

(LMIInfo) LogMeIn Kernel Information Provider [Auto | Stopped]
File not found - C:\Program Files\LogMeIn\RaInfo.sys

(LMImirr) LMImirr [On_Demand | Running]
[12/15/2005 02:57 PM | 0,000,7400 | ---- | M] (3am Labs, Inc.) - C:\WINDOWS\system32\DRIVERS\LMImirr.sys

(ltmodem5) Lucent Modem Driver [On_Demand | Running]
[05/08/2001 05:57 PM | 0,046,7985 | ---- | M] (Windows ® 2000 DDK provider) - C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys

(mrtRate) mrtRate [Auto | Running]
[02/28/2001 10:42 AM | 0,003,4712 | ---- | M] (Marimba, Inc.) - C:\WINDOWS\System32\drivers\MrtRate.sys

(Ptilink) Direct Parallel Link Driver [On_Demand | Running]
[08/18/2001 05:00 AM | 0,001,7792 | ---- | M] (Parallel Technologies, Inc.) - C:\WINDOWS\System32\DRIVERS\ptilink.sys

(PxHelp20) PxHelp20 [Boot | Running]
[10/18/2006 03:00 AM | 0,003,6624 | ---- | M] (Sonic Solutions) - C:\WINDOWS\System32\DRIVERS\PxHelp20.sys

(rtl8139) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver [On_Demand | Running]
[08/04/2004 01:31 AM | 0,002,0992 | ---- | M] (Realtek Semiconductor Corporation) - C:\WINDOWS\System32\DRIVERS\RTL8139.SYS

(Secdrv) Secdrv [On_Demand | Stopped]
[11/13/2007 05:25 AM | 0,002,0480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) - C:\WINDOWS\System32\DRIVERS\secdrv.sys

(smwdm) smwdm [On_Demand | Running]
[07/25/2001 03:40 PM | 0,043,8200 | ---- | M] (Analog Devices, Inc.) - C:\WINDOWS\system32\drivers\smwdm.sys

(SonyFanC) FAN Control Device Service [System | Running]
[09/06/2001 04:21 PM | 0,006,8116 | ---- | M] (Sony Corporation) - C:\WINDOWS\System32\Drivers\SonyFanC.sys

(SONYPVU1) Sony USB Filter Driver (SONYPVU1) [On_Demand | Stopped]
[08/17/2001 01:56 PM | 0,000,7552 | ---- | M] (Sony Corporation) - C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS

(tmfilter) tmfilter [Auto | Running]
[08/01/2001 03:36 PM | 0,014,8192 | ---- | M] (TrendMicro) - C:\WINDOWS\System32\DRIVERS\tmxpflt.sys

(tmpreflt) tmpreflt [Auto | Running]
[08/01/2001 03:37 PM | 0,001,6064 | ---- | M] (TrendMicro) - C:\WINDOWS\System32\DRIVERS\tmpreflt.sys

(V7) V7 [Auto | Running]
[03/09/2000 11:24 AM | 0,000,7196 | ---- | M] (IBM Corporation) - C:\WINDOWS\System32\drivers\V7.SYS

(vsapint) vsapint [Auto | Running]
[07/21/2003 10:46 AM | 0,083,9408 | ---- | M] (Trend Micro Inc.) - C:\WINDOWS\System32\DRIVERS\vsapint.sys

===== Run Keys =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolWallpaperSoftware" = C:\Program Files\CoolWallpaper\cwm_tray.exe [02/02/2002 11:34 AM | 0,005,7344 | ---- | M] ()
"DIGStream" = C:\Program Files\DIGStream\digstream.exe [05/18/2005 02:49 PM | 0,028,2624 | ---- | M] (Walt Disney Internet Group)
"IgfxTray" = C:\WINDOWS\System32\igfxtray.exe [08/08/2001 12:25 AM | 0,014,3360 | ---- | M] (Intel Corporation)
"iTunesHelper" = "D:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM | 0,026,7048 | ---- | M] (Apple Inc.)
"LogMeIn GUI" = "C:\Program Files\LogMeIn\LogMeInSystray.exe" File not found
"Pop3trap.exe" = "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe" [09/06/2001 08:25 PM | 0,029,4982 | ---- | M] (Trend Micro Inc.)
"QAGENT" = C:\Program Files\QUICKENW\QAGENT.EXE [07/31/2001 04:41 PM | 0,009,4208 | ---- | M] ()
"QuickTime Task" = "D:\Program Files\QuickTime\QTTask.exe" -atboottime [03/28/2008 11:37 PM | 0,041,3696 | ---- | M] (Apple Inc.)
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM | 0,014,4784 | ---- | M] (Sun Microsystems, Inc.)
"WebTrapNT.exe" = "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe" [09/06/2001 08:20 PM | 0,023,5520 | ---- | M] (Trend Micro Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Value load does not exist or could not be read.
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed" = 1
"NoChange" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed" = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

===== Startup Folders =====

[All Users Startup Folder - C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

[Justin Startup Folder - C:\Documents and Settings\Justin\Start Menu\Programs\Startup]

===== BHO's =====

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
HKLM CLSID: (AcroIEHlprObj Class) - [04/16/2001 04:39 PM | 0,003,7808 | ---- | M] () C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
HKLM CLSID: (SSVHelper Class) - [06/10/2008 04:27 AM | 0,050,9328 | ---- | M] (Sun Microsystems, Inc.) C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

===== Toolbars =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{B1E741E7-1E77-40D4-9FD8-51949B9CCBD0}"
HKLM CLSID: (Pa&nicware Pop-Up Stopper Pro) - [03/08/2002 12:34 PM | 0,022,5280 | ---- | M] () C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{6A85D97D-665D-4825-8341-9501AD9F56A3}"
HKLM CLSID: (Reg Error: Key does not exist or could not be opened.) - File not found Reg Error: Key does not exist or could not be opened.

"{E6AE90A4-1B01-47F0-AA78-E6B122E145E9}"
HKLM CLSID: (Reg Error: Key does not exist or could not be opened.) - File not found Reg Error: Key does not exist or could not be opened.

===== Policies =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}" = 1
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}" = 1073741857
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}" = 32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername" = 0
"legalnoticecaption" =
"legalnoticetext" =
"shutdownwithoutlogon" = 1
"undockwithoutlogon" = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = FF 00 00 00 [binary data]

===== Desktop Components =====

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName" = "My Current Home Page"
"Source" = "About:Home"
"SubscribedURL" = "About:Home"

===== Shared Task Scheduler =====

===== AppInit_Dlls =====

===== Lsa Authentication Packages =====

===== Lsa Security Packages =====

===== Authorized Applications List =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = C:\WINDOWS\system32\sessmgr.exe [04/13/2008 08:12 PM | 0,014,1312 | ---- | M] (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [04/13/2008 02:53 PM | 0,055,8080 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = C:\WINDOWS\system32\sessmgr.exe [04/13/2008 08:12 PM | 0,014,1312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe" = C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe [09/06/2001 08:20 PM | 0,023,5520 | ---- | M] (Trend Micro Inc.)
"C:\Program Files\support.com\client\bin\tgcmd.exe" = C:\Program Files\support.com\client\bin\tgcmd.exe File not found
"C:\Program Files\Messenger\MSMSGS.EXE" = C:\Program Files\Messenger\MSMSGS.EXE [04/13/2008 08:12 PM | 0,169,5232 | -HS- | M] (Microsoft Corporation)
"C:\Program Files\WinMX\WinMX.exe" = C:\Program Files\WinMX\WinMX.exe [09/09/2002 09:39 PM | 0,074,5472 | ---- | M] (Frontcode Technologies)
"D:\Program Files\Kazaa\kazaa.exe" = D:\Program Files\Kazaa\kazaa.exe File not found
"C:\WINDOWS\System32\fxsclnt.exe" = C:\WINDOWS\System32\fxsclnt.exe File not found
"C:\WINDOWS\System32\mmc.exe" = C:\WINDOWS\System32\mmc.exe [04/13/2008 08:12 PM | 0,141,4656 | ---- | M] (Microsoft Corporation)
"C:\WINDOWS\System32\lexpps.exe" = C:\WINDOWS\System32\lexpps.exe [03/08/2002 03:30 AM | 0,016,9984 | ---- | M] (Lexmark International, Inc.)
"D:\Justin\Mozilla\firefox.exe" = D:\Justin\Mozilla\firefox.exe [07/18/2008 08:43 PM | 0,030,7712 | ---- | M] (Mozilla Corporation)
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" = C:\Program Files\Internet Explorer\IEXPLORE.EXE [06/23/2008 05:20 AM | 0,062,5664 | ---- | M] (Microsoft Corporation)
"C:\WINDOWS\System32\rundll32.exe" = C:\WINDOWS\System32\rundll32.exe [04/13/2008 08:12 PM | 0,003,3280 | ---- | M] (Microsoft Corporation)
"C:\WINDOWS\System32\dpvsetup.exe" = C:\WINDOWS\System32\dpvsetup.exe [04/13/2008 08:12 PM | 0,008,3456 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Windows Media Player\wmplayer.exe" = C:\Program Files\Windows Media Player\wmplayer.exe [05/09/2006 10:25 PM | 0,006,2976 | ---- | M] (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [04/13/2008 02:53 PM | 0,055,8080 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe [04/16/2008 10:37 PM | 0,766,0656 | ---- | M] (Mozilla Corporation)
"D:\Program Files\BitComet\BitComet.exe" = D:\Program Files\BitComet\BitComet.exe [02/08/2007 04:49 AM | 0,452,6144 | ---- | M] (www.BitComet.com)
"C:\Program Files\TurboTax\Basic 2006\32bit\ttax.exe" = C:\Program Files\TurboTax\Basic 2006\32bit\ttax.exe File not found
"C:\Program Files\TurboTax\Basic 2006\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Basic 2006\32bit\updatemgr.exe File not found
"C:\Program Files\Kodak\Kodak EasyShare software\BIN\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\BIN\EasyShare.exe File not found
"C:\Program Files\TurboTax\Basic 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Basic 2007\32bit\ttax.exe [02/05/2008 04:25 PM | 1,033,5520 | ---- | M] (Intuit, Inc.)
"C:\Program Files\TurboTax\Basic 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Basic 2007\32bit\updatemgr.exe [10/22/2007 06:56 PM | 0,359,7600 | ---- | M] (Intuit, Inc.)
"D:\Program Files\Skype\Skype.exe" = D:\Program Files\Skype\Skype.exe [01/29/2007 04:36 PM | 2,537,0152 | ---- | M] (Skype Technologies S.A.)
"D:\Program Files\iTunes\iTunes.exe" = D:\Program Files\iTunes\iTunes.exe [03/30/2008 10:36 AM | 2,063,8504 | ---- | M] (Apple Inc.)

===== HKLM Winlogon Settings =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell]
"explorer.exe" - [04/13/2008 08:12 PM | 0,103,3728 | ---- | M] (Microsoft Corporation) C:\WINDOWS\explorer.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit]
"C:\WINDOWS\system32\userinit.exe" - [04/13/2008 08:12 PM | 0,002,6112 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\userinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost]
"logonui.exe" - [04/13/2008 08:12 PM | 0,051,4560 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\logonui.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
"rundll32 shell32" - [04/13/2008 08:12 PM | 0,846,1312 | ---- | M] (Microsoft Corporation) C:\WINDOWS\System32\shell32.dll
"Control_RunDLL "sysdm.cpl"" - [04/13/2008 08:12 PM | 0,030,0544 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\sysdm.cpl

===== User's Winlogon Settings =====

===== Winlogon Notify Settings =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
"DllName" = C:\WINDOWS\system32\LMIinit.dll [12/15/2005 02:57 PM | 0,001,0472 | ---- | M] (3am Labs, Inc.)

===== Safeboot Options =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = cmd.exe

===== Disabled MsConfig Items =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]

===== DNS Name Servers =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{29A9585D-0084-40DB-BBE3-974646E6CBA5}]
Servers: | Description: 1394 Net Adapter

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{9AAF5E25-756A-4B17-9DAE-87167938F74E}]
Servers: | Description: Broadcom 4211 iLine10™ Network Adapter

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{D4570F51-F68C-441C-9776-0DDBDA81FCD2}]
Servers: | Description: Realtek RTL8139 Family PCI Fast Ethernet NIC



[Files/Folders - Created Within 30 days]
[08/19/2008 04:49 PM | -HSD | C] - C:\FOUND.009
[08/17/2008 03:01 PM | 0,001,7144 | ---- | M] (Malwarebytes Corporation) - C:\WINDOWS\System32\drivers\mbam.sys
[04/13/2008 12:36 PM | 0,014,4384 | ---- | M] (Windows ® Server 2003 DDK provider) - C:\WINDOWS\System32\drivers\hdaudbus.sys
[08/17/2008 03:01 PM | 0,003,8472 | ---- | M] (Malwarebytes Corporation) - C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[06/10/2008 01:21 AM | 0,013,5168 | ---- | M] (Sun Microsystems, Inc.) - C:\WINDOWS\System32\java.exe
[06/10/2008 01:21 AM | 0,013,5168 | ---- | M] (Sun Microsystems, Inc.) - C:\WINDOWS\System32\javaw.exe
[06/10/2008 02:32 AM | 0,013,9264 | ---- | M] (Sun Microsystems, Inc.) - C:\WINDOWS\System32\javaws.exe
[08/21/2008 08:13 PM | ---D | C] - C:\WINDOWS\System32\en
[08/18/2008 05:02 PM | 0,154,0111 | -HS- | M] () - C:\WINDOWS\System32\qrrgehwj.ini
[08/13/2008 08:12 PM | 0,002,9760 | ---- | M] () - C:\WINDOWS\System32\v2B6fjPb.exe
[09/17/2007 04:48 AM | 0,000,1261 | ---- | M] () - C:\WINDOWS\System32\pid.inf
[08/21/2008 08:13 PM | ---D | C] - C:\WINDOWS\System32\scripting
[08/21/2008 08:13 PM | 0,008,0898 | ---- | M] () - C:\WINDOWS\System32\7X1wxj7y.exe
[08/22/2008 01:48 PM | 0,005,4156 | -H-- | M] () - C:\WINDOWS\QTFont.qfn
[07/29/2008 04:43 PM | 0,000,1409 | ---- | M] () - C:\WINDOWS\QTFont.for
[08/21/2008 08:13 PM | ---D | C] - C:\WINDOWS\l2schemas
[2 C:\WINDOWS\*.tmp files]
[08/21/2008 08:45 PM | ---D | C] - C:\WINDOWS\Prefetch
[08/21/2008 07:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At44.job
[08/21/2008 08:10 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At45.job
[08/21/2008 09:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At46.job
[08/21/2008 10:25 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At47.job
[08/14/2008 11:16 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At48.job
[08/13/2008 08:13 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At1.job
[08/13/2008 08:13 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At2.job
[08/13/2008 08:13 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At3.job
[08/13/2008 08:13 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At4.job
[08/13/2008 08:13 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At5.job
[08/13/2008 08:13 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At6.job
[08/13/2008 08:13 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At7.job
[08/13/2008 08:13 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At8.job
[08/21/2008 08:00 AM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At9.job
[08/13/2008 08:13 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At10.job
[08/19/2008 10:00 AM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At11.job
[08/19/2008 11:00 AM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At12.job
[08/19/2008 12:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At13.job
[08/19/2008 01:01 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At14.job
[08/19/2008 02:01 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At15.job
[08/19/2008 03:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At16.job
[08/19/2008 04:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At17.job
[08/21/2008 05:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At18.job
[08/21/2008 06:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At19.job
[08/21/2008 07:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At20.job
[08/21/2008 08:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At21.job
[08/21/2008 09:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At22.job
[08/21/2008 10:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At23.job
[08/14/2008 11:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At24.job
[08/13/2008 08:28 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At25.job
[08/13/2008 08:28 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At26.job
[08/13/2008 08:28 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At27.job
[08/13/2008 08:28 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At28.job
[08/13/2008 08:28 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At29.job
[08/13/2008 08:28 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At30.job
[08/13/2008 08:28 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At31.job
[08/13/2008 08:28 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At32.job
[08/21/2008 08:38 AM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At33.job
[08/13/2008 08:28 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At34.job
[08/19/2008 10:33 AM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At35.job
[08/19/2008 11:33 AM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At36.job
[08/19/2008 12:52 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At37.job
[08/19/2008 01:46 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At38.job
[08/19/2008 04:50 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At39.job
[08/19/2008 04:50 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At40.job
[08/19/2008 04:50 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At41.job
[08/21/2008 05:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At42.job
[08/21/2008 06:14 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At43.job
[08/16/2008 10:10 AM | ---D | C] - C:\Documents and Settings\All Users\Application Data\Malwarebytes
[08/16/2008 10:11 AM | ---D | C] - C:\Documents and Settings\Justin\Application Data\Malwarebytes
[08/02/2008 05:01 PM | 0,001,4336 | ---- | M] () - C:\Documents and Settings\Justin\My Documents\gym comparo.xls
[08/16/2008 12:10 PM | 0,000,0685 | ---- | M] () - C:\Documents and Settings\Justin\Desktop\HijackThis.lnk
[08/20/2008 06:01 PM | 0,000,0672 | ---- | M] () - C:\Documents and Settings\Justin\Desktop\mbam.lnk
[08/21/2008 08:13 PM | ---D | C] - C:\Program Files\msn

[Files/Folders - Modified Within 30 days]
[08/21/2008 07:58 PM | 0,025,0048 | RHS- | M] () - C:\ntldr
[08/14/2008 08:32 PM | 0,000,0157 | -H-- | M] () - C:\PCEP-9992-9301-2124-2270.DAT
[08/19/2008 04:49 PM | -HSD | M] - C:\FOUND.009
[08/17/2008 03:01 PM | 0,001,7144 | ---- | M] (Malwarebytes Corporation) - C:\WINDOWS\System32\drivers\mbam.sys
[08/17/2008 03:01 PM | 0,003,8472 | ---- | M] (Malwarebytes Corporation) - C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[08/22/2008 01:48 PM | 0,000,2206 | ---- | M] () - C:\WINDOWS\System32\wpa.dbl
[08/21/2008 08:48 PM | 0,006,4200 | ---- | M] () - C:\WINDOWS\System32\perfc009.dat
[08/21/2008 08:48 PM | 0,040,7670 | ---- | M] () - C:\WINDOWS\System32\perfh009.dat
[08/21/2008 08:13 PM | ---D | M] - C:\WINDOWS\System32\en
[08/21/2008 08:44 PM | 0,013,8056 | ---- | M] () - C:\WINDOWS\System32\FNTCACHE.DAT
[08/21/2008 08:48 PM | 0,047,9748 | ---- | M] () - C:\WINDOWS\System32\PerfStringBackup.INI
[08/18/2008 05:02 PM | 0,154,0111 | -HS- | M] () - C:\WINDOWS\System32\qrrgehwj.ini
[08/13/2008 08:12 PM | 0,002,9760 | ---- | M] () - C:\WINDOWS\System32\v2B6fjPb.exe
[08/21/2008 08:13 PM | ---D | M] - C:\WINDOWS\System32\scripting
[08/21/2008 08:13 PM | 0,008,0898 | ---- | M] () - C:\WINDOWS\System32\7X1wxj7y.exe
[08/21/2008 08:47 PM | 0,000,1031 | ---- | M] () - C:\WINDOWS\win.ini
[08/22/2008 01:47 PM | 0,000,2048 | --S- | M] () - C:\WINDOWS\bootstat.dat
[08/22/2008 01:48 PM | 0,005,4156 | -H-- | M] () - C:\WINDOWS\QTFont.qfn
[07/29/2008 04:43 PM | 0,000,1409 | ---- | M] () - C:\WINDOWS\QTFont.for
[08/21/2008 08:13 PM | ---D | M] - C:\WINDOWS\l2schemas
[2 C:\WINDOWS\*.tmp files]
[08/21/2008 08:45 PM | ---D | M] - C:\WINDOWS\Prefetch
[08/21/2008 08:35 PM | 0,000,2675 | ---- | M] () - C:\WINDOWS\imsins.BAK
[08/22/2008 01:47 PM | 0,000,0006 | -H-- | M] () - C:\WINDOWS\tasks\SA.DAT
[08/21/2008 07:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At44.job
[08/21/2008 08:10 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At45.job
[08/21/2008 09:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At46.job
[08/21/2008 10:25 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At47.job
[08/14/2008 11:16 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At48.job
[08/15/2008 05:28 PM | 0,000,0284 | ---- | M] () - C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[08/13/2008 08:13 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At1.job
[08/13/2008 08:13 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At2.job
[08/13/2008 08:13 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At3.job
[08/13/2008 08:13 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At4.job
[08/13/2008 08:13 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At5.job
[08/13/2008 08:13 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At6.job
[08/13/2008 08:13 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At7.job
[08/13/2008 08:13 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At8.job
[08/21/2008 08:00 AM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At9.job
[08/13/2008 08:13 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At10.job
[08/19/2008 10:00 AM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At11.job
[08/19/2008 11:00 AM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At12.job
[08/19/2008 12:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At13.job
[08/19/2008 01:01 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At14.job
[08/19/2008 02:01 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At15.job
[08/19/2008 03:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At16.job
[08/19/2008 04:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At17.job
[08/21/2008 05:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At18.job
[08/21/2008 06:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At19.job
[08/21/2008 07:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At20.job
[08/21/2008 08:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At21.job
[08/21/2008 09:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At22.job
[08/21/2008 10:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At23.job
[08/14/2008 11:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At24.job
[08/13/2008 08:28 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At25.job
[08/13/2008 08:28 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At26.job
[08/13/2008 08:28 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At27.job
[08/13/2008 08:28 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At28.job
[08/13/2008 08:28 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At29.job
[08/13/2008 08:28 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At30.job
[08/13/2008 08:28 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At31.job
[08/13/2008 08:28 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At32.job
[08/21/2008 08:38 AM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At33.job
[08/13/2008 08:28 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At34.job
[08/19/2008 10:33 AM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At35.job
[08/19/2008 11:33 AM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At36.job
[08/19/2008 12:52 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At37.job
[08/19/2008 01:46 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At38.job
[08/19/2008 04:50 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At39.job
[08/19/2008 04:50 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At40.job
[08/19/2008 04:50 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At41.job
[08/21/2008 05:00 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At42.job
[08/21/2008 06:14 PM | 0,000,0350 | ---- | M] () - C:\WINDOWS\tasks\At43.job
[08/16/2008 10:10 AM | ---D | M] - C:\Documents and Settings\All Users\Application Data\Malwarebytes
[08/16/2008 10:11 AM | ---D | M] - C:\Documents and Settings\Justin\Application Data\Malwarebytes
[08/02/2008 05:01 PM | 0,001,4336 | ---- | M] () - C:\Documents and Settings\Justin\My Documents\gym comparo.xls
[08/16/2008 12:10 PM | 0,000,0685 | ---- | M] () - C:\Documents and Settings\Justin\Desktop\HijackThis.lnk
[08/20/2008 06:01 PM | 0,000,0672 | ---- | M] () - C:\Documents and Settings\Justin\Desktop\mbam.lnk

< End of report >

[Mike]

Hi there

Thanks for the logs, I have two questions for you.

• Is there a reason for running programs from the D:\ Drive? Is the C:\ drive a partition just for the operating system?
• Did you install CoolWallPaperSoftware?

You have both TrendMicro and Ewido running, this will only cause slowdowns - as I see ewido is running from your D:\ drive, so that might be the one you wish to remove.

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  [kill explorer]
  C:\WINDOWS\System32\qrrgehwj.ini
  C:\WINDOWS\System32\v2B6fjPb.exe
  C:\WINDOWS\System32\7X1wxj7y.exe
  C:\WINDOWS\tasks\At?.job
  C:\WINDOWS\tasks\At??.job
  emptytemp
  purity
  [start explorer]

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Then,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Re-run OTViewIt and post back with the logs

[popeil]

* Is there a reason for running programs from the D:\ Drive? Is the C:\ drive a partition just for the operating system?
I ran out of room on the C:\ drive so I just started installing stuff on the D:\ drive. Is there a disadvantage to doing this?

* Did you install CoolWallPaperSoftware?
Not willingly!





OTMOveIt2
Explorer killed successfully
C:\WINDOWS\System32\qrrgehwj.ini moved successfully.
C:\WINDOWS\System32\v2B6fjPb.exe moved successfully.
C:\WINDOWS\System32\7X1wxj7y.exe moved successfully.
< C:\WINDOWS\tasks\At?.job >
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
< C:\WINDOWS\tasks\At??.job >
C:\WINDOWS\tasks\At44.job moved successfully.
C:\WINDOWS\tasks\At45.job moved successfully.
C:\WINDOWS\tasks\At46.job moved successfully.
C:\WINDOWS\tasks\At47.job moved successfully.
C:\WINDOWS\tasks\At48.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At25.job moved successfully.
C:\WINDOWS\tasks\At26.job moved successfully.
C:\WINDOWS\tasks\At27.job moved successfully.
C:\WINDOWS\tasks\At28.job moved successfully.
C:\WINDOWS\tasks\At29.job moved successfully.
C:\WINDOWS\tasks\At30.job moved successfully.
C:\WINDOWS\tasks\At31.job moved successfully.
C:\WINDOWS\tasks\At32.job moved successfully.
C:\WINDOWS\tasks\At33.job moved successfully.
C:\WINDOWS\tasks\At34.job moved successfully.
C:\WINDOWS\tasks\At35.job moved successfully.
C:\WINDOWS\tasks\At36.job moved successfully.
C:\WINDOWS\tasks\At37.job moved successfully.
C:\WINDOWS\tasks\At38.job moved successfully.
C:\WINDOWS\tasks\At39.job moved successfully.
C:\WINDOWS\tasks\At40.job moved successfully.
C:\WINDOWS\tasks\At41.job moved successfully.
C:\WINDOWS\tasks\At42.job moved successfully.
C:\WINDOWS\tasks\At43.job moved successfully.
< emptytemp >
File delete failed. C:\DOCUME~1\Justin\LOCALS~1\Temp\etilqs_AcSNbk8PyUMNE3DmWSx4 scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08232008_133923

Files moved on Reboot...
File C:\DOCUME~1\Justin\LOCALS~1\Temp\etilqs_AcSNbk8PyUMNE3DmWSx4 not found!


Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware 1.25
Database version: 1078
Windows 5.1.2600 Service Pack 3

2:06:59 PM 8/23/2008
mbam-log-08-23-2008 (14-06-59).txt

Scan type: Quick Scan
Objects scanned: 66369
Time elapsed: 16 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\n6oWXJbY.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7X1wxj7y.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.



OTViewIt
OTViewIt logfile created on: 8/23/2008 2:18:09 PM
OTViewIt by OldTimer - Version 1.0.0.5 Folder = D:\Justin\Mozilla\Download
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

254.53 Mb Total Physical Memory | 40.82 Mb Available Physical Memory | 16.04% Memory free
625.93 Mb Paging File | 438.26 Mb Available in Paging File | 70.02% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 15.60 Gb Total Space | 3.34 Gb Free Space | 21.40% Space Free | Partition Type: FAT32
Drive D: | 40.29 Gb Total Space | 26.27 Gb Free Space | 65.21% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 232.88 Gb Total Space | 209.34 Gb Free Space | 89.89% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VAIO
Current User Name: Justin
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

===== Processes - Non-Microsoft Only =====

[03/08/2002 03:33 AM | 0,030,0544 | ---- | M] (Lexmark International, Inc.) - C:\WINDOWS\system32\LEXBCES.EXE
[03/08/2002 03:30 AM | 0,016,9984 | ---- | M] (Lexmark International, Inc.) - C:\WINDOWS\system32\LEXPPS.EXE
[09/06/2007 01:28 PM | 0,011,0592 | ---- | M] (Apple, Inc.) - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[02/09/2003 09:07 PM | 0,005,2736 | ---- | M] (Macrovision) - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
[11/11/2004 07:53 PM | 0,001,6448 | ---- | M] (ewido networks) - D:\CleanUp\Ewido\security suite\ewidoctrl.exe
[02/04/2003 08:22 AM | 0,018,1312 | ---- | M] () - C:\WINDOWS\System32\ScsiAccess.EXE
[09/06/2001 08:18 PM | 0,012,1856 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
[09/06/2001 08:25 PM | 0,029,4982 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
[09/06/2001 08:20 PM | 0,023,5520 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
[05/18/2005 02:49 PM | 0,028,2624 | ---- | M] (Walt Disney Internet Group) - C:\Program Files\DIGStream\digstream.exe
[03/30/2008 10:36 AM | 0,026,7048 | ---- | M] (Apple Inc.) - D:\Program Files\iTunes\iTunesHelper.exe
[06/10/2008 04:27 AM | 0,014,4784 | ---- | M] (Sun Microsystems, Inc.) - C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
[03/30/2008 10:36 AM | 0,050,4104 | ---- | M] (Apple Inc.) - C:\Program Files\iPod\bin\iPodService.exe
[07/18/2008 08:43 PM | 0,030,7712 | ---- | M] (Mozilla Corporation) - D:\Justin\Mozilla\firefox.exe
[08/22/2008 01:52 PM | 0,139,7248 | ---- | M] (OldTimer Tools) - D:\Justin\Mozilla\Download\OTViewIt.exe

===== Win32 Services - Non-Microsoft Only =====

(Apple Mobile Device) Apple Mobile Device [Auto | Running]
[09/06/2007 01:28 PM | 0,011,0592 | ---- | M] (Apple, Inc.) - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

(C-DillaCdaC11BA) C-DillaCdaC11BA [Auto | Running]
[02/09/2003 09:07 PM | 0,005,2736 | ---- | M] (Macrovision) - C:\WINDOWS\System32\drivers\CDAC11BA.EXE

(dmadmin) Logical Disk Manager Administrative Service [On_Demand | Stopped]
[04/13/2008 08:12 PM | 0,022,4768 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\System32\dmadmin.exe

(ewido security suite control) ewido security suite control [Auto | Running]
[11/11/2004 07:53 PM | 0,001,6448 | ---- | M] (ewido networks) - D:\CleanUp\Ewido\security suite\ewidoctrl.exe

(Intuit Fuse Service) Intuit Fuse Service [On_Demand | Stopped]
[02/19/2005 07:06 PM | 0,006,9632 | ---- | M] (Intuit) - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe

(iPod Service) iPod Service [On_Demand | Running]
[03/30/2008 10:36 AM | 0,050,4104 | ---- | M] (Apple Inc.) - C:\Program Files\iPod\bin\iPodService.exe

(LexBceS) LexBce Server [Auto | Running]
[03/08/2002 03:33 AM | 0,030,0544 | ---- | M] (Lexmark International, Inc.) - C:\WINDOWS\system32\LEXBCES.EXE

(ScsiAccess) ScsiAccess [Auto | Running]
[02/04/2003 08:22 AM | 0,018,1312 | ---- | M] () - C:\WINDOWS\System32\ScsiAccess.EXE

(SPTISRV) Sony SPTI Service [On_Demand | Stopped]
[07/31/2001 08:39 PM | 0,006,5536 | ---- | M] (Sony Corporation) - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

(Tmntsrv) Trend NT Realtime Service [Auto | Running]
[09/06/2001 08:18 PM | 0,012,1856 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

===== Driver Services - Non-Microsoft Only =====

(ASPI32) ASPI32 [System | Running]
[09/10/1999 12:06 PM | 0,002,5244 | ---- | M] (Adaptec) - C:\WINDOWS\System32\drivers\ASPI32.SYS

(BCM42XX) Broadcom iLine10™ Network Adapter Driver [On_Demand | Stopped]
[08/17/2001 12:11 PM | 0,005,4271 | ---- | M] (Broadcom Corporation) - C:\WINDOWS\System32\DRIVERS\bcm42xx5.sys

(BCMModem) BCM V.90 56K Modem [On_Demand | Stopped]
[08/17/2001 01:28 PM | 0,087,1388 | ---- | M] (BCM) - C:\WINDOWS\System32\DRIVERS\BCMDM.sys

(CdaC15BA) CdaC15BA [Auto | Running]
[02/09/2003 09:07 PM | 0,001,1376 | ---- | M] () - C:\WINDOWS\System32\drivers\CdaC15BA.SYS

(dmboot) dmboot [Disabled | Stopped]
[04/13/2008 02:44 PM | 0,079,9744 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\System32\drivers\dmboot.sys

(DMICall) Sony DMI Call service [System | Running]
[12/05/2000 04:18 PM | 0,000,3952 | R--- | M] (Sony Corporation) - C:\WINDOWS\System32\DRIVERS\DMICall.sys

(dmio) dmio [Disabled | Stopped]
[04/13/2008 02:44 PM | 0,015,3344 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\System32\drivers\dmio.sys

(dmload) dmload [Disabled | Stopped]
[08/18/2001 05:00 AM | 0,000,5888 | ---- | M] (Microsoft Corp., Veritas Software.) - C:\WINDOWS\System32\drivers\dmload.sys

(GEARAspiWDM) GEARAspiWDM [On_Demand | Running]
[01/29/2008 12:01 PM | 0,001,6168 | ---- | M] (GEAR Software Inc.) - C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys

(genmcmn) Scroll Mouse Driver [On_Demand | Running]
[05/10/2005 06:28 PM | 0,001,0235 | ---- | M] ( ) - C:\WINDOWS\system32\DRIVERS\gmfiltr.sys

(genmcmnUSB) USB Scroll Mouse Driver [On_Demand | Stopped]
[03/04/2005 11:40 AM | 0,000,6991 | ---- | M] () - C:\WINDOWS\system32\DRIVERS\gflmouhid.sys

(i81x) i81x [On_Demand | Running]
[08/08/2001 06:13 AM | 0,015,8140 | R--- | M] (Intel® Corporation) - C:\WINDOWS\System32\DRIVERS\i81xnt5.sys

(iAimFP0) iAimFP0 [On_Demand | Stopped]
[08/08/2001 06:13 AM | 0,001,2479 | R--- | M] (Intel® Corporation) - C:\WINDOWS\System32\DRIVERS\wADV01nt.sys

(iAimFP1) iAimFP1 [On_Demand | Stopped]
[08/08/2001 06:13 AM | 0,001,2031 | R--- | M] (Intel® Corporation) - C:\WINDOWS\System32\DRIVERS\wADV02NT.sys

(iAimFP2) iAimFP2 [On_Demand | Stopped]
[08/08/2001 06:13 AM | 0,001,1679 | R--- | M] (Intel® Corporation) - C:\WINDOWS\System32\DRIVERS\wADV05NT.sys

(iAimFP3) iAimFP3 [On_Demand | Stopped]
[08/08/2001 06:13 AM | 0,001,1999 | R--- | M] (Intel® Corporation) - C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys

(iAimFP4) iAimFP4 [On_Demand | Stopped]
[08/08/2001 06:13 AM | 0,001,9359 | R--- | M] (Intel® Corporation) - C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys

(iAimTV0) iAimTV0 [On_Demand | Stopped]
[08/08/2001 06:13 AM | 0,002,9215 | R--- | M] (Intel® Corporation) - C:\WINDOWS\System32\DRIVERS\wATV01nt.sys

(iAimTV1) iAimTV1 [On_Demand | Stopped]
[08/08/2001 06:13 AM | 0,001,9199 | R--- | M] (Intel® Corporation) - C:\WINDOWS\System32\DRIVERS\wATV02NT.sys

(iAimTV2) iAimTV2 [On_Demand | Stopped]
File not found - C:\WINDOWS\System32\DRIVERS\wATV03nt.sys

(iAimTV3) iAimTV3 [On_Demand | Stopped]
[08/08/2001 06:13 AM | 0,003,3503 | R--- | M] (Intel® Corporation) - C:\WINDOWS\System32\DRIVERS\wATV04nt.sys

(iAimTV4) iAimTV4 [On_Demand | Running]
[08/08/2001 06:13 AM | 0,002,3519 | R--- | M] (Intel® Corporation) - C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys

(LMIInfo) LogMeIn Kernel Information Provider [Auto | Stopped]
File not found - C:\Program Files\LogMeIn\RaInfo.sys

(LMImirr) LMImirr [On_Demand | Running]
[12/15/2005 02:57 PM | 0,000,7400 | ---- | M] (3am Labs, Inc.) - C:\WINDOWS\system32\DRIVERS\LMImirr.sys

(ltmodem5) Lucent Modem Driver [On_Demand | Running]
[05/08/2001 05:57 PM | 0,046,7985 | ---- | M] (Windows ® 2000 DDK provider) - C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys

(mrtRate) mrtRate [Auto | Running]
[02/28/2001 10:42 AM | 0,003,4712 | ---- | M] (Marimba, Inc.) - C:\WINDOWS\System32\drivers\MrtRate.sys

(Ptilink) Direct Parallel Link Driver [On_Demand | Running]
[08/18/2001 05:00 AM | 0,001,7792 | ---- | M] (Parallel Technologies, Inc.) - C:\WINDOWS\System32\DRIVERS\ptilink.sys

(PxHelp20) PxHelp20 [Boot | Running]
[10/18/2006 03:00 AM | 0,003,6624 | ---- | M] (Sonic Solutions) - C:\WINDOWS\System32\DRIVERS\PxHelp20.sys

(rtl8139) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver [On_Demand | Running]
[08/04/2004 01:31 AM | 0,002,0992 | ---- | M] (Realtek Semiconductor Corporation) - C:\WINDOWS\System32\DRIVERS\RTL8139.SYS

(Secdrv) Secdrv [On_Demand | Stopped]
[11/13/2007 05:25 AM | 0,002,0480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) - C:\WINDOWS\System32\DRIVERS\secdrv.sys

(smwdm) smwdm [On_Demand | Running]
[07/25/2001 03:40 PM | 0,043,8200 | ---- | M] (Analog Devices, Inc.) - C:\WINDOWS\system32\drivers\smwdm.sys

(SonyFanC) FAN Control Device Service [System | Running]
[09/06/2001 04:21 PM | 0,006,8116 | ---- | M] (Sony Corporation) - C:\WINDOWS\System32\Drivers\SonyFanC.sys

(SONYPVU1) Sony USB Filter Driver (SONYPVU1) [On_Demand | Stopped]
[08/17/2001 01:56 PM | 0,000,7552 | ---- | M] (Sony Corporation) - C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS

(tmfilter) tmfilter [Auto | Running]
[08/01/2001 03:36 PM | 0,014,8192 | ---- | M] (TrendMicro) - C:\WINDOWS\System32\DRIVERS\tmxpflt.sys

(tmpreflt) tmpreflt [Auto | Running]
[08/01/2001 03:37 PM | 0,001,6064 | ---- | M] (TrendMicro) - C:\WINDOWS\System32\DRIVERS\tmpreflt.sys

(V7) V7 [Auto | Running]
[03/09/2000 11:24 AM | 0,000,7196 | ---- | M] (IBM Corporation) - C:\WINDOWS\System32\drivers\V7.SYS

(vsapint) vsapint [Auto | Running]
[07/21/2003 10:46 AM | 0,083,9408 | ---- | M] (Trend Micro Inc.) - C:\WINDOWS\System32\DRIVERS\vsapint.sys

===== Run Keys =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolWallpaperSoftware" = C:\Program Files\CoolWallpaper\cwm_tray.exe [02/02/2002 11:34 AM | 0,005,7344 | ---- | M] ()
"DIGStream" = C:\Program Files\DIGStream\digstream.exe [05/18/2005 02:49 PM | 0,028,2624 | ---- | M] (Walt Disney Internet Group)
"IgfxTray" = C:\WINDOWS\System32\igfxtray.exe [08/08/2001 12:25 AM | 0,014,3360 | ---- | M] (Intel Corporation)
"iTunesHelper" = "D:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM | 0,026,7048 | ---- | M] (Apple Inc.)
"LogMeIn GUI" = "C:\Program Files\LogMeIn\LogMeInSystray.exe" File not found
"Pop3trap.exe" = "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe" [09/06/2001 08:25 PM | 0,029,4982 | ---- | M] (Trend Micro Inc.)
"QAGENT" = C:\Program Files\QUICKENW\QAGENT.EXE [07/31/2001 04:41 PM | 0,009,4208 | ---- | M] ()
"QuickTime Task" = "D:\Program Files\QuickTime\QTTask.exe" -atboottime [03/28/2008 11:37 PM | 0,041,3696 | ---- | M] (Apple Inc.)
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM | 0,014,4784 | ---- | M] (Sun Microsystems, Inc.)
"WebTrapNT.exe" = "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe" [09/06/2001 08:20 PM | 0,023,5520 | ---- | M] (Trend Micro Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Value load does not exist or could not be read.
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed" = 1
"NoChange" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed" = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

===== Startup Folders =====

[All Users Startup Folder - C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

[Justin Startup Folder - C:\Documents and Settings\Justin\Start Menu\Programs\Startup]

===== BHO's =====

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
HKLM CLSID: (AcroIEHlprObj Class) - [04/16/2001 04:39 PM | 0,003,7808 | ---- | M] () C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
HKLM CLSID: (SSVHelper Class) - [06/10/2008 04:27 AM | 0,050,9328 | ---- | M] (Sun Microsystems, Inc.) C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

===== Toolbars =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{B1E741E7-1E77-40D4-9FD8-51949B9CCBD0}"
HKLM CLSID: (Pa&nicware Pop-Up Stopper Pro) - [03/08/2002 12:34 PM | 0,022,5280 | ---- | M] () C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{6A85D97D-665D-4825-8341-9501AD9F56A3}"
HKLM CLSID: (Reg Error: Key does not exist or could not be opened.) - File not found Reg Error: Key does not exist or could not be opened.

"{E6AE90A4-1B01-47F0-AA78-E6B122E145E9}"
HKLM CLSID: (Reg Error: Key does not exist or could not be opened.) - File not found Reg Error: Key does not exist or could not be opened.

===== Policies =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}" = 1
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}" = 1073741857
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}" = 32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername" = 0
"legalnoticecaption" =
"legalnoticetext" =
"shutdownwithoutlogon" = 1
"undockwithoutlogon" = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = FF 00 00 00 [binary data]

===== Desktop Components =====

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName" = "My Current Home Page"
"Source" = "About:Home"
"SubscribedURL" = "About:Home"

===== Shared Task Scheduler =====

===== AppInit_Dlls =====

===== Lsa Authentication Packages =====

===== Lsa Security Packages =====

===== Authorized Applications List =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = C:\WINDOWS\system32\sessmgr.exe [04/13/2008 08:12 PM | 0,014,1312 | ---- | M] (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [04/13/2008 02:53 PM | 0,055,8080 | ---- | M] (Microsoft Corporation)


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = C:\WINDOWS\system32\sessmgr.exe [04/13/2008 08:12 PM | 0,014,1312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe" = C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe [09/06/2001 08:20 PM | 0,023,5520 | ---- | M] (Trend Micro Inc.)
"C:\Program Files\support.com\client\bin\tgcmd.exe" = C:\Program Files\support.com\client\bin\tgcmd.exe File not found
"C:\Program Files\Messenger\MSMSGS.EXE" = C:\Program Files\Messenger\MSMSGS.EXE [04/13/2008 08:12 PM | 0,169,5232 | -HS- | M] (Microsoft Corporation)
"C:\Program Files\WinMX\WinMX.exe" = C:\Program Files\WinMX\WinMX.exe [09/09/2002 09:39 PM | 0,074,5472 | ---- | M] (Frontcode Technologies)
"D:\Program Files\Kazaa\kazaa.exe" = D:\Program Files\Kazaa\kazaa.exe File not found
"C:\WINDOWS\System32\fxsclnt.exe" = C:\WINDOWS\System32\fxsclnt.exe File not found
"C:\WINDOWS\System32\mmc.exe" = C:\WINDOWS\System32\mmc.exe [04/13/2008 08:12 PM | 0,141,4656 | ---- | M] (Microsoft Corporation)
"C:\WINDOWS\System32\lexpps.exe" = C:\WINDOWS\System32\lexpps.exe [03/08/2002 03:30 AM | 0,016,9984 | ---- | M] (Lexmark International, Inc.)
"D:\Justin\Mozilla\firefox.exe" = D:\Justin\Mozilla\firefox.exe [07/18/2008 08:43 PM | 0,030,7712 | ---- | M] (Mozilla Corporation)
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" = C:\Program Files\Internet Explorer\IEXPLORE.EXE [06/23/2008 05:20 AM | 0,062,5664 | ---- | M] (Microsoft Corporation)
"C:\WINDOWS\System32\rundll32.exe" = C:\WINDOWS\System32\rundll32.exe [04/13/2008 08:12 PM | 0,003,3280 | ---- | M] (Microsoft Corporation)
"C:\WINDOWS\System32\dpvsetup.exe" = C:\WINDOWS\System32\dpvsetup.exe [04/13/2008 08:12 PM | 0,008,3456 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Windows Media Player\wmplayer.exe" = C:\Program Files\Windows Media Player\wmplayer.exe [05/09/2006 10:25 PM | 0,006,2976 | ---- | M] (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [04/13/2008 02:53 PM | 0,055,8080 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe [04/16/2008 10:37 PM | 0,766,0656 | ---- | M] (Mozilla Corporation)
"D:\Program Files\BitComet\BitComet.exe" = D:\Program Files\BitComet\BitComet.exe [02/08/2007 04:49 AM | 0,452,6144 | ---- | M] (www.BitComet.com)
"C:\Program Files\TurboTax\Basic 2006\32bit\ttax.exe" = C:\Program Files\TurboTax\Basic 2006\32bit\ttax.exe File not found
"C:\Program Files\TurboTax\Basic 2006\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Basic 2006\32bit\updatemgr.exe File not found
"C:\Program Files\Kodak\Kodak EasyShare software\BIN\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\BIN\EasyShare.exe File not found
"C:\Program Files\TurboTax\Basic 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Basic 2007\32bit\ttax.exe [02/05/2008 04:25 PM | 1,033,5520 | ---- | M] (Intuit, Inc.)
"C:\Program Files\TurboTax\Basic 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Basic 2007\32bit\updatemgr.exe [10/22/2007 06:56 PM | 0,359,7600 | ---- | M] (Intuit, Inc.)
"D:\Program Files\Skype\Skype.exe" = D:\Program Files\Skype\Skype.exe [01/29/2007 04:36 PM | 2,537,0152 | ---- | M] (Skype Technologies S.A.)
"D:\Program Files\iTunes\iTunes.exe" = D:\Program Files\iTunes\iTunes.exe [03/30/2008 10:36 AM | 2,063,8504 | ---- | M] (Apple Inc.)

===== HKLM Winlogon Settings =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell]
"explorer.exe" - [04/13/2008 08:12 PM | 0,103,3728 | ---- | M] (Microsoft Corporation) C:\WINDOWS\explorer.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit]
"C:\WINDOWS\system32\userinit.exe" - [04/13/2008 08:12 PM | 0,002,6112 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\userinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost]
"logonui.exe" - [04/13/2008 08:12 PM | 0,051,4560 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\logonui.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
"rundll32 shell32" - [04/13/2008 08:12 PM | 0,846,1312 | ---- | M] (Microsoft Corporation) C:\WINDOWS\System32\shell32.dll
"Control_RunDLL "sysdm.cpl"" - [04/13/2008 08:12 PM | 0,030,0544 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\sysdm.cpl

===== User's Winlogon Settings =====

===== Winlogon Notify Settings =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
"DllName" = C:\WINDOWS\system32\LMIinit.dll [12/15/2005 02:57 PM | 0,001,0472 | ---- | M] (3am Labs, Inc.)

===== Safeboot Options =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = cmd.exe

===== Disabled MsConfig Items =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]

===== DNS Name Servers =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{29A9585D-0084-40DB-BBE3-974646E6CBA5}]
Servers: | Description: 1394 Net Adapter

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{9AAF5E25-756A-4B17-9DAE-87167938F74E}]
Servers: | Description: Broadcom 4211 iLine10™ Network Adapter

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{D4570F51-F68C-441C-9776-0DDBDA81FCD2}]
Servers: | Description: Realtek RTL8139 Family PCI Fast Ethernet NIC



[Files/Folders - Created Within 30 days]
[08/19/2008 04:49 PM | -HSD | C] - C:\FOUND.009
[08/23/2008 01:39 PM | ---D | C] - C:\_OTMoveIt
[08/17/2008 03:01 PM | 0,001,7144 | ---- | M] (Malwarebytes Corporation) - C:\WINDOWS\System32\drivers\mbam.sys
[04/13/2008 12:36 PM | 0,014,4384 | ---- | M] (Windows ® Server 2003 DDK provider) - C:\WINDOWS\System32\drivers\hdaudbus.sys
[08/17/2008 03:01 PM | 0,003,8472 | ---- | M] (Malwarebytes Corporation) - C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[06/10/2008 01:21 AM | 0,013,5168 | ---- | M] (Sun Microsystems, Inc.) - C:\WINDOWS\System32\java.exe
[06/10/2008 01:21 AM | 0,013,5168 | ---- | M] (Sun Microsystems, Inc.) - C:\WINDOWS\System32\javaw.exe
[06/10/2008 02:32 AM | 0,013,9264 | ---- | M] (Sun Microsystems, Inc.) - C:\WINDOWS\System32\javaws.exe
[08/21/2008 08:13 PM | ---D | C] - C:\WINDOWS\System32\en
[09/17/2007 04:48 AM | 0,000,1261 | ---- | M] () - C:\WINDOWS\System32\pid.inf
[08/21/2008 08:13 PM | ---D | C] - C:\WINDOWS\System32\scripting
[08/22/2008 11:13 PM | 0,008,1922 | ---- | M] () - C:\WINDOWS\System32\7X1wxj7y.exe_
[08/23/2008 02:14 PM | 0,005,4156 | -H-- | M] () - C:\WINDOWS\QTFont.qfn
[07/29/2008 04:43 PM | 0,000,1409 | ---- | M] () - C:\WINDOWS\QTFont.for
[08/21/2008 08:13 PM | ---D | C] - C:\WINDOWS\l2schemas
[2 C:\WINDOWS\*.tmp files]
[08/21/2008 08:45 PM | ---D | C] - C:\WINDOWS\Prefetch
[08/16/2008 10:10 AM | ---D | C] - C:\Documents and Settings\All Users\Application Data\Malwarebytes
[08/16/2008 10:11 AM | ---D | C] - C:\Documents and Settings\Justin\Application Data\Malwarebytes
[08/02/2008 05:01 PM | 0,001,4336 | ---- | M] () - C:\Documents and Settings\Justin\My Documents\gym comparo.xls
[08/16/2008 12:10 PM | 0,000,0685 | ---- | M] () - C:\Documents and Settings\Justin\Desktop\HijackThis.lnk
[08/22/2008 11:07 PM | 0,029,1840 | ---- | M] (OldTimer Tools) - C:\Documents and Settings\Justin\Desktop\OTMoveIt2.exe
[08/20/2008 06:01 PM | 0,000,0672 | ---- | M] () - C:\Documents and Settings\Justin\Desktop\mbam.lnk
[08/21/2008 08:13 PM | ---D | C] - C:\Program Files\msn

[Files/Folders - Modified Within 30 days]
[08/21/2008 07:58 PM | 0,025,0048 | RHS- | M] () - C:\ntldr
[08/14/2008 08:32 PM | 0,000,0157 | -H-- | M] () - C:\PCEP-9992-9301-2124-2270.DAT
[08/19/2008 04:49 PM | -HSD | M] - C:\FOUND.009
[08/23/2008 01:39 PM | ---D | M] - C:\_OTMoveIt
[08/17/2008 03:01 PM | 0,001,7144 | ---- | M] (Malwarebytes Corporation) - C:\WINDOWS\System32\drivers\mbam.sys
[08/17/2008 03:01 PM | 0,003,8472 | ---- | M] (Malwarebytes Corporation) - C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[08/23/2008 02:13 PM | 0,000,2206 | ---- | M] () - C:\WINDOWS\System32\wpa.dbl
[08/21/2008 08:48 PM | 0,006,4200 | ---- | M] () - C:\WINDOWS\System32\perfc009.dat
[08/21/2008 08:48 PM | 0,040,7670 | ---- | M] () - C:\WINDOWS\System32\perfh009.dat
[08/21/2008 08:13 PM | ---D | M] - C:\WINDOWS\System32\en
[08/21/2008 08:44 PM | 0,013,8056 | ---- | M] () - C:\WINDOWS\System32\FNTCACHE.DAT
[08/21/2008 08:48 PM | 0,047,9748 | ---- | M] () - C:\WINDOWS\System32\PerfStringBackup.INI
[08/21/2008 08:13 PM | ---D | M] - C:\WINDOWS\System32\scripting
[08/22/2008 11:13 PM | 0,008,1922 | ---- | M] () - C:\WINDOWS\System32\7X1wxj7y.exe_
[08/21/2008 08:47 PM | 0,000,1031 | ---- | M] () - C:\WINDOWS\win.ini
[08/23/2008 02:12 PM | 0,000,2048 | --S- | M] () - C:\WINDOWS\bootstat.dat
[08/23/2008 02:14 PM | 0,005,4156 | -H-- | M] () - C:\WINDOWS\QTFont.qfn
[07/29/2008 04:43 PM | 0,000,1409 | ---- | M] () - C:\WINDOWS\QTFont.for
[08/21/2008 08:13 PM | ---D | M] - C:\WINDOWS\l2schemas
[2 C:\WINDOWS\*.tmp files]
[08/21/2008 08:45 PM | ---D | M] - C:\WINDOWS\Prefetch
[08/21/2008 08:35 PM | 0,000,2675 | ---- | M] () - C:\WINDOWS\imsins.BAK
[08/23/2008 02:12 PM | 0,000,0006 | -H-- | M] () - C:\WINDOWS\tasks\SA.DAT
[08/15/2008 05:28 PM | 0,000,0284 | ---- | M] () - C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[08/16/2008 10:10 AM | ---D | M] - C:\Documents and Settings\All Users\Application Data\Malwarebytes
[08/16/2008 10:11 AM | ---D | M] - C:\Documents and Settings\Justin\Application Data\Malwarebytes
[08/02/2008 05:01 PM | 0,001,4336 | ---- | M] () - C:\Documents and Settings\Justin\My Documents\gym comparo.xls
[08/16/2008 12:10 PM | 0,000,0685 | ---- | M] () - C:\Documents and Settings\Justin\Desktop\HijackThis.lnk
[08/22/2008 11:07 PM | 0,029,1840 | ---- | M] (OldTimer Tools) - C:\Documents and Settings\Justin\Desktop\OTMoveIt2.exe
[08/20/2008 06:01 PM | 0,000,0672 | ---- | M] () - C:\Documents and Settings\Justin\Desktop\mbam.lnk

< End of report >

[Mike]

Hi there

The tools we use make backups, if you could I would like you to run them from the C:\ drive.

Let's get rid of CoolWallPaperSoftware, please go to start > control panel > add or remove programs and uninstall it.

• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  [kill explorer]
  C:\WINDOWS\System32\7X1wxj7y.exe_
  C:\Program Files\CoolWallpaper
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\CoolWallpaperSoftware
  emptytemp
  purity
  [start explorer]

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


And we are going to do an online scan, it takes a long(long) time but is worth it so bare with me!


Go to Kaspersky website and perform an online antivirus scan.

• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  • Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

How is your PC running?

[popeil]

Cool Wallpaper removed.



Explorer killed successfully
C:\WINDOWS\System32\7X1wxj7y.exe_ moved successfully.
File/Folder C:\Program Files\CoolWallpaper not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\CoolWallpaperSoftware >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\CoolWallpaperSoftware not found.
< emptytemp >
File delete failed. C:\DOCUME~1\Justin\LOCALS~1\Temp\etilqs_8GGHjMgG4NKqET7Pvs3t scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08232008_220120

Files moved on Reboot...
File C:\DOCUME~1\Justin\LOCALS~1\Temp\etilqs_8GGHjMgG4NKqET7Pvs3t not found!



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 24, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 24, 2008 14:54:39
Records in database: 1140518
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 97822
Threat name: 5
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 06:13:08


File name / Threat name / Threats count
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP1764\A0104053.exe Infected: Trojan-Downloader.Win32.Agent.abrf 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP1767\A0108477.exe Infected: Trojan-Downloader.Win32.Agent.abrf 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP1767\A0109116.dll Infected: Trojan-Downloader.Win32.BHO.pe 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP1768\A0109173.exe Infected: Trojan-Downloader.Win32.Agent.abrf 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP1769\A0109179.dll Infected: Trojan-Downloader.Win32.BHO.pe 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP1769\A0109180.exe Infected: Trojan-Downloader.Win32.Agent.acrd 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP1769\A0109194.dll Infected: Trojan-Downloader.Win32.BHO.pe 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP1765\A0105080.exe Infected: Trojan-Downloader.Win32.Agent.abrf 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP1765\A0105087.dll Infected: Trojan-Downloader.Win32.BHO.pe 1
C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP1756\A0099929.dll Infected: not-a-virus:AdWare.Win32.Wintol.ao 1
C:\_OTMoveIt\MovedFiles\08232008_133923\WINDOWS\System32\v2B6fjPb.exe Infected: Trojan-Downloader.Win32.Firu.qz 1
C:\_OTMoveIt\MovedFiles\08232008_133923\WINDOWS\System32\7X1wxj7y.exe Infected: Trojan-Downloader.Win32.Agent.acrd 1
C:\_OTMoveIt\MovedFiles\08232008_220120\WINDOWS\System32\7X1wxj7y.exe_ Infected: Trojan-Downloader.Win32.Agent.acrd 1

The selected area was scanned.



The PC is running better after the procedures from the previous post.

[Mike]

That looks good

The stuff kaspersky found are either in quarantine or system restore, both of which we will get rid of now.

Let's remove the tools I had you use.

Please open OTMoveIt2:

• Double click OTMoveIt.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.

Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.

Right-click on "My Computer." The "System Properties" dialogue box will appear, showing a number of tabs. From here you can reset System Restore and configure Automatic Updates.

First, click the System Restore tab.

• Check the box beside "Turn off System Restore"
• Click "Apply"
• At the prompt, click "Yes"

Wait while your system deletes existing Restore Points, this may take a few moments.

• Uncheck the box beside "Turn off System Restore"
• Click "Apply"
• At the prompt, click "Yes"

Your system will now create a new Restore Point.

Now that your are clean, you'll want to stay that way.

Some important things that you should keep in mind in order to protect yourself:

• Use common sense. This is the big one! Don't download programs from suspicious sites and be careful where you browse.
  Things you can do to avoid downloading bad programs:
  • Google the program. Read reviews and opinions from other people on the internet, if you dont see any reports of foul play - then there more than likely is none.
  • Stay away from Cracks! However luring the thought of free software can be it's not worth the hassle and potential danger of getting infected.
  • Download the program directly from the website of the developer - then you can be certain you haven't downloaded a bogus copy.
  • Read the EULA (End User License Agreement) - Find out exactly what you are downloading. A good tool to aid you in this would be EULAyzer.
• Keep your programs updated! Software developers update their programs to patch possible security risks. Do a scan once in a while for outdated programs using Secunia's Software Inspector
• Keep your protection programs up to date! No matter how good your Antivirus or Antispyware program is, without an updated set of definitions it will do you no good against the new infections. If you run a free program make sure to update them at least once a week.
• Make sure that windows updates is enabled. Keeping your system up to date is a must - to turn on automatic updates take a look at this article by Microsoft.

I have listed two programs to boost your security while using no resources.

• SpywareBlaster Take a look at the tutorial here.
• ZonedOut Adds thousands of websites to your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Also consider using an alternative web browser. Two big named ones, both far superior to Internet Explorer in terms of security and performance, would be Firefox and Opera.

Make a habit of scanning your computer for viruses every week or so and backing up important files regularly.

Please also read Expert Tony Klein's excellent article: How I got Infected in the First Place

Please post back and tell me if everything is OK, so that I may mark this thread as Resolved.

[popeil]

I get an error when trying to remove OTMoveIt2. "Unable to contact the internet. CleanUp list download failed!" I added the program to the list of programs allowed to my firewall. Should I just delete the .exe file?

[Mike]

I want to get rid of all the tools, please see if you can run this

please download OTCleanIt.

• Save it to your desktop.
• Double Click on OTCleanIt.exe, a window will appear.
• Please press the CleanUp! Button.

This will remove the tools we used during the process of cleaning your computer.

Tell me how it goes.

[popeil]

Mike-

That worked.

The PC is running much better now.

Thank you for taking the time to help. It's greatly appreciated.

[Mike]

I'm glad to hear it

Take care and enjoy your day still!

Mike

[Mike]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.