Geeks to Go
www.winwax.com adware [RESOLVED]

  • This topic is locked

#1 Atle (New Member, 9 posts)
When using IE, advertisements pop up with all sorts of tests, poker etc. In addition my computer works slowly and freezes now and then. Can someone help me?
#2 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there,

Sorry for the delay.

  • Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Then,

Please download OTViewIt by OldTimer.
Double click on OTViewIt.exe and select Scan in the upper right corner.
In a few minutes a notepad file will appear, please post the contents of that here in your next post.

#3 Atle (Topic Starter, New Member, 9 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:17:20, on 22.08.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [DLPSP] "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [A00F8A1231.exe] C:\DOCUME~1\atlegu\LOCALS~1\Temp\_A00F8A1231.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1192031636265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1192031622781
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ans.umb.no
O17 - HKLM\Software\..\Telephony: DomainName = ans.umb.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ans.umb.no
O20 - Winlogon Notify: 98d3ddfe382 - C:\WINDOWS\system32\__c0097644.dat
O20 - Winlogon Notify: __c004F444 - C:\WINDOWS\system32\__c004F444.dat
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 9148 bytes


And then the other one:
OTViewIt logfile created on: 22.08.2008 21:33:20
OTViewIt by OldTimer - Version 1.0.0.5 Folder = C:\Documents and Settings\atlegu\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000414 | Country: Norway | Language: NOR | Date Format: dd.MM.yyyy

510,98 Mb Total Physical Memory | 148,32 Mb Available Physical Memory | 29,03% Memory free
1,22 Gb Paging File | 0,72 Gb Available in Paging File | 59,48% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19,53 Gb Total Space | 3,14 Gb Free Space | 16,09% Space Free | Partition Type: NTFS
Drive D: | 92,17 Gb Total Space | 74,29 Gb Free Space | 80,60% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 279,47 Gb Total Space | 272,84 Gb Free Space | 97,63% Space Free | Partition Type: NTFS
Drive K: | 279,32 Gb Total Space | 239,50 Gb Free Space | 85,74% Space Free | Partition Type: FAT32

Computer Name: IOR-1222
Current User Name: atlegu
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

===== Processes - Non-Microsoft Only =====

[07.22.2008 08:42 PM | 0,011,6040 | ---- | M] (Apple Inc.) - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[07.24.2007 03:17 PM | 0,022,9376 | ---- | M] (Apple Inc.) - C:\Program Files\Bonjour\mDNSResponder.exe
[08.25.2005 05:53 PM | 0,013,5168 | ---- | M] (Dell Inc.) - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe
[08.27.2007 03:17 PM | 0,004,7816 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
[08.27.2007 03:17 PM | 0,036,6704 | ---- | M] (F-Secure Corp.) - C:\Program Files\F-Secure\Anti-Virus\fsgk32.exe
[08.27.2007 03:21 PM | 0,011,3320 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FSMA32.EXE
[08.27.2007 03:21 PM | 0,023,2104 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FSMB32.EXE
[11.10.2005 12:00 AM | 0,009,0112 | ---- | M] (Dell Inc.) - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe
[08.27.2007 03:21 PM | 0,012,5608 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FCH32.EXE
[08.27.2007 03:17 PM | 0,004,3696 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
[08.27.2007 03:21 PM | 0,039,1792 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FAMEH32.EXE
[08.27.2007 03:22 PM | 0,016,2472 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FNRB32.exe
[08.27.2007 03:17 PM | 0,042,5584 | ---- | M] (F-Secure Corp.) - C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
[08.27.2007 03:22 PM | 0,010,1032 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FIH32.exe
[08.27.2007 03:15 PM | 0,046,1424 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
[08.27.2007 03:19 PM | 0,046,1424 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\FWES\program\fsdfwd.exe
[08.27.2007 03:17 PM | 0,032,4208 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
[08.27.2007 03:21 PM | 0,018,2952 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FSM32.EXE
[02.23.2006 12:00 AM | 0,019,2512 | ---- | M] (Dell Inc.) - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe
[02.22.2008 05:25 AM | 0,014,4784 | ---- | M] (Sun Microsystems, Inc.) - C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
[07.30.2008 10:47 AM | 0,028,9064 | ---- | M] (Apple Inc.) - C:\Program Files\iTunes\iTunesHelper.exe
[07.20.2007 01:17 PM | 0,006,8856 | ---- | M] (Google Inc.) - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[09.28.2007 03:17 AM | 0,044,3968 | ---- | M] (Google Inc.) - C:\Program Files\Picasa2\PicasaMediaDetector.exe
[08.27.2007 03:20 PM | 0,047,3712 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\FSGUI\fsguidll.exe
[06.18.2008 08:46 PM | 0,014,7456 | ---- | M] (Lime Wire, LLC) - C:\Program Files\LimeWire\LimeWire.exe
[07.30.2008 10:47 AM | 0,053,2264 | ---- | M] (Apple Inc.) - C:\Program Files\iPod\bin\iPodService.exe
[02.22.2008 05:25 AM | 0,032,9104 | ---- | M] (Sun Microsystems, Inc.) - C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
[08.22.2008 09:32 PM | 0,139,7248 | ---- | M] (OldTimer Tools) - C:\Documents and Settings\atlegu\Desktop\OTViewIt.exe

===== Win32 Services - Non-Microsoft Only =====

(Apple Mobile Device) Apple Mobile Device [Auto | Running]
[07.22.2008 08:42 PM | 0,011,6040 | ---- | M] (Apple Inc.) - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

(Bonjour Service) Bonjour-tjeneste [Auto | Running]
[07.24.2007 03:17 PM | 0,022,9376 | ---- | M] (Apple Inc.) - C:\Program Files\Bonjour\mDNSResponder.exe

(DLPWD) Dell Printer Status Watcher [Auto | Running]
[11.10.2005 12:00 AM | 0,009,0112 | ---- | M] (Dell Inc.) - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe

(DLSDB) Dell Printer Status Database [Auto | Running]
[08.25.2005 05:53 PM | 0,013,5168 | ---- | M] (Dell Inc.) - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe

(dmadmin) Logical Disk Manager Administrative Service [On_Demand | Stopped]
[04.14.2008 05:42 AM | 0,022,4768 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\system32\dmadmin.exe

(F-Secure Gatekeeper Handler Starter) FSGKHS [Auto | Running]
[08.27.2007 03:17 PM | 0,004,7816 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe

(F-Secure Network Request Broker) F-Secure Network Request Broker [On_Demand | Running]
[08.27.2007 03:22 PM | 0,016,2472 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FNRB32.exe

(FSAUA) F-Secure Automatic Update Agent [On_Demand | Running]
[08.27.2007 03:15 PM | 0,046,1424 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe

(FSDFWD) F-Secure Anti-Virus Firewall Daemon [On_Demand | Running]
[08.27.2007 03:19 PM | 0,046,1424 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\FWES\program\fsdfwd.exe

(FSMA) FSMA [Auto | Running]
[08.27.2007 03:21 PM | 0,011,3320 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FSMA32.EXE

(gusvc) Google Updater Service [On_Demand | Stopped]
[07.16.2007 11:21 PM | 0,013,8168 | ---- | M] (Google) - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

(iPod Service) iPod-tjeneste [On_Demand | Running]
[07.30.2008 10:47 AM | 0,053,2264 | ---- | M] (Apple Inc.) - C:\Program Files\iPod\bin\iPodService.exe

===== Driver Services - Non-Microsoft Only =====

(aeaudio) aeaudio [On_Demand | Running]
[04.01.2002 01:15 PM | 0,000,4816 | ---- | M] (Andrea Electronics Corporation) - C:\WINDOWS\system32\drivers\aeaudio.sys

(ati2mtag) ati2mtag [On_Demand | Running]
[08.04.2004 12:29 AM | 0,070,1440 | ---- | M] (ATI Technologies Inc.) - C:\WINDOWS\system32\drivers\ati2mtag.sys

(cercsr6) cercsr6 [Boot | Stopped]
[03.22.2005 03:48 AM | 0,003,9904 | ---- | M] (Adaptec, Inc.) - C:\WINDOWS\System32\drivers\cercsr6.sys

(dmboot) dmboot [Disabled | Stopped]
[04.14.2008 12:14 AM | 0,079,9744 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\system32\drivers\dmboot.sys

(dmio) Logical Disk Manager Driver [Boot | Running]
[04.14.2008 12:14 AM | 0,015,3344 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\system32\drivers\dmio.sys

(dmload) dmload [Boot | Running]
[08.04.2004 02:00 PM | 0,000,5888 | ---- | M] (Microsoft Corp., Veritas Software.) - C:\WINDOWS\system32\drivers\dmload.sys

(E1000) Intel® PRO/1000 Network Connection Driver [On_Demand | Running]
[03.25.2007 08:20 PM | 0,017,1416 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\e1000325.sys

(F-Secure Filter) F-Secure File System Filter [Disabled | Stopped]
[08.27.2007 03:18 PM | 0,003,9792 | ---- | M] () - C:\Program Files\F-Secure\Anti-Virus\win2k\fsfilter.sys

(F-Secure Gatekeeper) F-Secure Gatekeeper [On_Demand | Running]
[08.27.2007 03:17 PM | 0,006,2064 | ---- | M] () - C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys

(F-Secure HIPS) F-Secure HIPS [System | Running]
[08.27.2007 03:20 PM | 0,007,0768 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\HIPS\fshs.sys

(F-Secure Recognizer) F-Secure File System Recognizer [Disabled | Stopped]
[08.27.2007 03:18 PM | 0,002,5200 | ---- | M] () - C:\Program Files\F-Secure\Anti-Virus\win2k\fsrec.sys

(FSFW) F-Secure Firewall Driver [Boot | Running]
[08.27.2007 03:19 PM | 0,006,0272 | ---- | M] (F-Secure Corporation) - C:\WINDOWS\system32\drivers\fsdfw.sys

(GEARAspiWDM) GEARAspiWDM [On_Demand | Running]
[01.29.2008 12:01 PM | 0,001,6168 | ---- | M] (GEAR Software Inc.) - C:\WINDOWS\system32\drivers\GEARAspiWDM.sys

(NAL) Nal Service [On_Demand | Stopped]
[03.09.2007 05:04 PM | 0,003,1072 | ---- | M] (Intel Corporation ) - C:\WINDOWS\system32\drivers\iqvw32.sys

(OMCI) OMCI [System | Running]
[05.14.2001 06:15 PM | 0,001,0368 | ---- | M] (Dell Computer Corporation) - C:\WINDOWS\system32\drivers\omci.sys

(Ptilink) Direct Parallel Link Driver [On_Demand | Running]
[08.04.2004 02:00 PM | 0,001,7792 | ---- | M] (Parallel Technologies, Inc.) - C:\WINDOWS\system32\drivers\ptilink.sys

(PxHelp20) PxHelp20 [Boot | Running]
[09.27.2006 11:53 PM | 0,003,6560 | ---- | M] (Sonic Solutions) - C:\WINDOWS\system32\drivers\pxhelp20.sys

(Secdrv) Secdrv [Auto | Running]
[11.13.2007 12:25 PM | 0,002,0480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) - C:\WINDOWS\system32\drivers\secdrv.sys

(smwdm) smwdm [On_Demand | Running]
[02.28.2003 09:17 AM | 0,054,5024 | ---- | M] (Analog Devices, Inc.) - C:\WINDOWS\system32\drivers\smwdm.sys

(USBAAPL) Apple Mobile USB Driver [On_Demand | Stopped]
[07.10.2008 09:35 AM | 0,003,2000 | ---- | M] (Apple, Inc.) - C:\WINDOWS\system32\drivers\usbaapl.sys

===== Run Keys =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher" = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01.11.2008 11:16 PM | 0,003,9792 | ---- | M] (Adobe Systems Incorporated)
"AppleSyncNotifier" = C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [07.10.2008 09:47 AM | 0,011,6040 | ---- | M] (Apple Inc.)
"DLPSP" = "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [02.23.2006 12:00 AM | 0,019,2512 | ---- | M] (Dell Inc.)
"F-Secure Manager" = "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash [08.27.2007 03:21 PM | 0,018,2952 | ---- | M] (F-Secure Corporation)
"F-Secure TNB" = "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW [08.27.2007 03:20 PM | 0,089,5600 | ---- | M] (F-Secure Corporation)
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" [07.30.2008 10:47 AM | 0,028,9064 | ---- | M] (Apple Inc.)
"QuickTime Task" = "C:\Program Files\QuickTime\QTTask.exe" -atboottime [05.27.2008 10:50 AM | 0,041,3696 | ---- | M] (Apple Inc.)
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02.22.2008 05:25 AM | 0,014,4784 | ---- | M] (Sun Microsystems, Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Value load does not exist or could not be read.
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"" =
"Installed" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"" =
"Installed" = 1
"NoChange" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"" =
"Installed" = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"A00F8A1231.exe" = C:\DOCUME~1\atlegu\LOCALS~1\Temp\_A00F8A1231.exe File not found
"Picasa Media Detector" = C:\Program Files\Picasa2\PicasaMediaDetector.exe [09.28.2007 03:17 AM | 0,044,3968 | ---- | M] (Google Inc.)
"swg" = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [07.20.2007 01:17 PM | 0,006,8856 | ---- | M] (Google Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

===== Startup Folders =====

[All Users Startup Folder - C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

[atlegu Startup Folder - C:\Documents and Settings\atlegu\Start Menu\Programs\Startup]
[06.18.2008 08:46 PM | 0,014,7456 | ---- | M] (Lime Wire, LLC) - C:\Documents and Settings\atlegu\Start Menu\Programs\Startup\LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

===== BHO's =====

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
HKLM CLSID: (Adobe PDF Reader Link Helper) - [10.23.2006 12:08 AM | 0,006,2080 | ---- | M] (Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
HKLM CLSID: (SSVHelper Class) - [02.22.2008 05:25 AM | 0,050,9328 | ---- | M] (Sun Microsystems, Inc.) C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
HKLM CLSID: (Google Toolbar Notifier BHO) - [04.05.2008 09:40 PM | 0,073,4704 | ---- | M] (Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
HKLM CLSID: (Google Toolbar Helper) - [07.16.2007 11:21 PM | 0,240,3392 | R--- | M] (Google Inc.) c:\Program Files\Google\GoogleToolbar1.dll

===== Toolbars =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"
HKLM CLSID: (&Google) - [07.16.2007 11:21 PM | 0,240,3392 | R--- | M] (Google Inc.) c:\Program Files\Google\GoogleToolbar1.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
HKLM CLSID: (&Google) - [07.16.2007 11:21 PM | 0,240,3392 | R--- | M] (Google Inc.) c:\Program Files\Google\GoogleToolbar1.dll

===== Policies =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}" = 1
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}" = 1073741857
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}" = 32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername" = 0
"legalnoticecaption" =
"legalnoticetext" =
"shutdownwithoutlogon" = 1
"undockwithoutlogon" = 1
"MaxGPOScriptWait" = 60

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

===== Desktop Components =====

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName" = "My Current Home Page"
"Source" = "About:Home"
"SubscribedURL" = "About:Home"

===== Shared Task Scheduler =====

===== AppInit_Dlls =====

===== Lsa Authentication Packages =====

===== Lsa Security Packages =====

===== Authorized Applications List =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = C:\WINDOWS\system32\sessmgr.exe [04.14.2008 05:42 AM | 0,014,1312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE [05.21.2008 04:37 AM | 1,284,4576 | ---- | M] (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = C:\WINDOWS\network diagnostic\xpnetdiag.exe [04.14.2008 12:23 AM | 0,055,8080 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = C:\WINDOWS\system32\sessmgr.exe [04.14.2008 05:42 AM | 0,014,1312 | ---- | M] (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = C:\WINDOWS\network diagnostic\xpnetdiag.exe [04.14.2008 12:23 AM | 0,055,8080 | ---- | M] (Microsoft Corporation)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe [06.18.2008 08:46 PM | 0,014,7456 | ---- | M] (Lime Wire, LLC)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe [07.24.2007 03:17 PM | 0,022,9376 | ---- | M] (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe [07.30.2008 10:47 AM | 2,025,2968 | ---- | M] (Apple Inc.)

===== HKLM Winlogon Settings =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell]
"Explorer.exe" - [04.14.2008 05:42 AM | 0,103,3728 | ---- | M] (Microsoft Corporation) C:\WINDOWS\explorer.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit]
"C:\WINDOWS\system32\userinit.exe" - [04.14.2008 05:42 AM | 0,002,6112 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\userinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost]
"logonui.exe" - [04.14.2008 05:42 AM | 0,051,4560 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\logonui.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
"rundll32 shell32" - [04.14.2008 05:42 AM | 0,846,1312 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
"Control_RunDLL "sysdm.cpl"" - [04.14.2008 05:42 AM | 0,030,0544 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\sysdm.cpl

===== User's Winlogon Settings =====

===== Winlogon Notify Settings =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c004F444]
"DllName" = C:\WINDOWS\system32\__c004F444.dat [08.22.2008 06:31 PM | 0,002,4576 | ---- | M] ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\98d3ddfe382]
"DllName" = C:\WINDOWS\system32\__c0097644.dat [08.15.2008 11:35 PM | 0,007,4240 | ---- | M] ()

===== Safeboot Options =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = cmd.exe

===== Disabled MsConfig Items =====
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ not found. -> ->

===== DNS Name Servers =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{9B92E789-1154-4697-AA32-47B3C09C5D85}]
Servers: | Description: 1394 Net Adapter

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{BA4C3937-DEBD-4705-A7AE-E4F207DF983F}]
Servers: | Description: Intel® PRO/1000 MT Network Connection
[Files/Folders - Created Within 30 days]
[08.20.2008 10:34 PM | 0,000,0057 | ---- | M] () - C:\xcrashdump.dat
[07.22.2008 04:45 PM | 0,079,0846 | ---- | M] () - C:\WINDOWS\System32\dllcache\apph_sp.sdb
[07.22.2008 04:45 PM | 0,000,9696 | ---- | M] () - C:\WINDOWS\System32\dllcache\drvmain.sdb
[07.22.2008 04:45 PM | 0,121,4526 | ---- | M] () - C:\WINDOWS\System32\dllcache\sysmain.sdb
[08.07.2008 04:09 PM | 0,003,9812 | -H-- | M] () - C:\WINDOWS\System32\mlfcache.dat
[08.22.2008 06:31 PM | 0,002,4576 | ---- | M] () - C:\WINDOWS\System32\__c004F444.dat
[08.15.2008 11:35 PM | 0,007,4240 | ---- | M] () - C:\WINDOWS\System32\__c0097644.dat
[08.21.2008 07:55 AM | 0,003,7376 | ---- | M] () - C:\WINDOWS\System32\~.exe
[10.23.1997 04:30 PM | 0,014,1008 | ---- | M] (Desaware) - C:\WINDOWS\System\ANIBTN16.OCX
[03.29.1994 07:38 PM | 0,001,2480 | ---- | M] () - C:\WINDOWS\System\BLASTER.VBX
[08.03.1995 11:44 AM | 0,002,3872 | ---- | M] (Dan Byström) - C:\WINDOWS\System\DBTTIP.VBX
[10.23.1997 04:30 PM | 0,030,4656 | ---- | M] (Bits Per Second Ltd) - C:\WINDOWS\System\GRAPH16.OCX
[10.23.1997 04:30 PM | 0,027,6880 | ---- | M] (Bits Per Second Ltd) - C:\WINDOWS\System\GSW16.EXE
[10.23.1997 04:30 PM | 0,004,5680 | ---- | M] (Bits Per Second Ltd) - C:\WINDOWS\System\GSWDLL16.DLL
[02.08.2000 03:17 PM | 0,009,3456 | ---- | M] (MicroHelp Inc.) - C:\WINDOWS\System\MHRUN400.DLL
[02.08.2000 03:17 PM | 0,013,0480 | ---- | M] (MicroHelp Inc.) - C:\WINDOWS\System\MHTR200.VBX
[01.11.1996 11:00 PM | 0,002,8113 | ---- | M] () - C:\WINDOWS\System\OLE2.REG
[02.08.2000 03:17 PM | 0,001,5840 | ---- | M] (Thuridion Software Engineering, Inc.) - C:\WINDOWS\System\PICCLIP.VBX
[10.23.1997 04:30 PM | 0,004,7936 | ---- | M] (Outrider Systems, Inc.) - C:\WINDOWS\System\SPIN16.OCX
[01.11.1996 11:00 PM | 0,015,7696 | ---- | M] () - C:\WINDOWS\System\STORAGE.DLL
[10.23.1997 04:30 PM | 0,011,5424 | ---- | M] (Sheridan Software Systems, Inc.) - C:\WINDOWS\System\TABCTL16.OCX
[10.23.1997 04:31 PM | 0,042,3424 | ---- | M] (APEX Software Corporation) - C:\WINDOWS\System\TG_VB4.VBX
[01.11.1996 11:00 PM | 0,001,4933 | ---- | M] () - C:\WINDOWS\System\VSHARE.386
[03.23.1998 11:00 PM | 0,004,7776 | ---- | M] (Xceed Software Inc. 1-514-442-2626 [email protected] www.xceedsoft.com) - C:\WINDOWS\System\XCDUNZIP.DLL
[03.23.1998 11:00 PM | 0,006,9596 | ---- | M] (Xceed Software Inc. (514)-442-2626 [email protected]) - C:\WINDOWS\System\XCEEDZIP.VBX
[08.16.2008 09:41 PM | 0,000,0284 | ---- | M] () - C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[08.12.2008 07:55 AM | ---D | C] - C:\Documents and Settings\All Users\Application Data\Lavasoft
[08.02.2008 04:19 PM | ---D | C] - C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[08.21.2008 10:36 PM | 0,000,0013 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3C.manifest
[08.21.2008 10:36 PM | 0,000,0011 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3O.manifest
[08.21.2008 10:36 PM | 0,000,0359 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3P.manifest
[08.21.2008 10:36 PM | 0,000,0007 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3R.manifest
[08.21.2008 10:36 PM | 0,000,0011 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3S.manifest
[08.16.2008 09:46 PM | ---D | C] - C:\Documents and Settings\atlegu\Application Data\NCH Swift Sound
[08.17.2008 06:54 PM | 0,149,5112 | ---- | M] (Adobe Systems Incorporated) - C:\Documents and Settings\atlegu\My Documents\install_flash_player.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\My Documents\install_flash_player.exe:Zone.Identifier
[08.02.2008 04:18 PM | 0,000,0826 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Express Burn.lnk
[08.02.2008 09:41 PM | 0,000,1804 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[08.16.2008 09:45 PM | 0,000,0798 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\WavePad Sound Editor.lnk
[08.21.2008 11:34 PM | 0,077,6192 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\13.03.07_1015_1100_and_1215-1300.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\13.03.07_1015_1100_and_1215-1300.ppt:Zone.Identifier
[08.21.2008 11:38 PM | 0,075,4688 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\22.08.08_0815_1000.ppt
[08.12.2008 07:50 AM | 1,915,3264 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\aaw2008.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\aaw2008.exe:Zone.Identifier
[08.17.2008 10:45 PM | 0,007,1309 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Bilde%204-03.jpg
[08.17.2008 10:46 PM | 0,006,8729 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Bilde%204-08.jpg
[08.06.2008 10:05 PM | 0,065,2482 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\bpmanalyzer.zip
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\bpmanalyzer.zip:Zone.Identifier
[08.22.2008 06:34 AM | 0,143,5136 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\chapter3_7e.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\chapter3_7e.ppt:Zone.Identifier
[08.22.2008 06:35 AM | 0,169,2672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\chapter5_7e.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\chapter5_7e.ppt:Zone.Identifier
[08.01.2008 11:48 AM | ---D | C] - C:\Documents and Settings\atlegu\Desktop\Diverse rydding
[4 C:\Documents and Settings\atlegu\Desktop\*.tmp files]
[08.20.2008 10:40 PM | 0,059,3408 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Effects_of_Exchange_Rates_on_Export_Prices_of_Farmed_Salmon_MRE_FINAL_2_July_2008.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Effects_of_Exchange_Rates_on_Export_Prices_of_Farmed_Salmon_MRE_FINAL_2_July_2008.doc:Zone.Identifier
[08.06.2008 11:20 PM | 0,298,9568 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\foredrag11[1].ppt
[08.05.2008 11:31 PM | 0,274,3808 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\foredrag1[1].ppt
[08.11.2008 11:51 PM | 0,546,5600 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\foredragnyeste.ppt
[08.05.2008 08:43 AM | 0,229,9392 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\GLOBALIZATION FISH TRADE_629.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\GLOBALIZATION FISH TRADE_629.ppt:Zone.Identifier
[08.22.2008 09:15 PM | 0,000,1734 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\HijackThis.lnk
[08.22.2008 09:15 PM | 0,081,2344 | ---- | M] (Trend Micro Inc.) - C:\Documents and Settings\atlegu\Desktop\HJTSetup.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\HJTSetup.exe:Zone.Identifier
[08.21.2008 11:40 PM | 0,066,5600 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Introforelesning[1].ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Introforelesning[1].ppt:Zone.Identifier
[08.18.2008 04:33 PM | 0,005,0176 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Kioskvakter_18.8-18.10.xls
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Kioskvakter_18.8-18.10.xls:Zone.Identifier
[08.21.2008 11:41 PM | 0,099,7376 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Lecture2[1].ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Lecture2[1].ppt:Zone.Identifier
[08.17.2008 10:26 PM | 0,003,6352 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\LMIpaper317August[1].doc
[08.06.2008 10:06 PM | 0,000,0720 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\MixMeister BPM Analyzer.lnk
[08.20.2008 10:59 PM | ---D | C] - C:\Documents and Settings\atlegu\Desktop\MRE
[08.20.2008 10:40 PM | 0,010,3153 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\MRE(shrimp_July_2008).docx
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\MRE(shrimp_July_2008).docx:Zone.Identifier
[08.20.2008 10:39 PM | 0,029,9520 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\MRE-Shrimpr_July_2008.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\MRE-Shrimpr_July_2008.doc:Zone.Identifier
[08.22.2008 09:32 PM | 0,139,7248 | ---- | M] (OldTimer Tools) - C:\Documents and Settings\atlegu\Desktop\OTViewIt.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\OTViewIt.exe:Zone.Identifier
[08.06.2008 11:05 PM | 0,002,7136 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Priser fem år.doc
[08.21.2008 11:15 PM | 0,002,8672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\SNF_Timelisteapril.xls
[08.21.2008 11:12 PM | 0,002,8672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\SNF_Timelistefebruar.xls
[08.21.2008 11:13 PM | 0,002,8672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\SNF_Timelistemars.xls
[08.20.2008 10:40 PM | 0,019,4560 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\The_Price_Responsiveness_of_Salmon_SupplyReview4_revison.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\The_Price_Responsiveness_of_Salmon_SupplyReview4_revison.doc:Zone.Identifier
[08.11.2008 11:39 PM | 0,004,3520 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\timeplan høsten 2008 endelig world 97.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\timeplan høsten 2008 endelig world 97.doc:Zone.Identifier
[08.16.2008 09:44 PM | 0,038,2104 | ---- | M] (NCH Software) - C:\Documents and Settings\atlegu\Desktop\wpsetup.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\wpsetup.exe:Zone.Identifier
[08.17.2008 10:27 PM | 0,000,0162 | -H-- | M] () - C:\Documents and Settings\atlegu\Desktop\~$me_Schedule2008b[1].doc
[08.16.2008 09:40 PM | ---D | C] - C:\Program Files\Apple Software Update
[08.04.2008 06:47 PM | ---D | C] - C:\Program Files\FISHSTAT
[08.02.2008 09:41 PM | ---D | C] - C:\Program Files\iPod
[08.07.2008 08:42 AM | ---D | C] - C:\Program Files\MixMeister BPM Analyzer
[08.02.2008 10:14 PM | ---D | C] - C:\Program Files\NCH Software
[08.16.2008 09:45 PM | ---D | C] - C:\Program Files\NCH Swift Sound
[08.22.2008 09:15 PM | ---D | C] - C:\Program Files\Trend Micro

[Files/Folders - Modified Within 30 days]
[08.21.2008 10:33 PM | 5,358,75584 | -HS- | M] () - C:\hiberfil.sys
[08.22.2008 09:15 PM | R--D | M] - C:\Program Files
[08.21.2008 10:36 PM | ---D | M] - C:\WINDOWS
[08.20.2008 10:34 PM | 0,000,0057 | ---- | M] () - C:\xcrashdump.dat
[08.21.2008 10:33 PM | ---D | M] - C:\WINDOWS\System32\CatRoot2
[1 C:\WINDOWS\System32\*.tmp files]
[08.21.2008 08:09 AM | RHSD | M] - C:\WINDOWS\System32\dllcache
[08.20.2008 09:20 AM | ---D | M] - C:\WINDOWS\System32\drivers
[08.07.2008 04:09 PM | 0,003,9812 | -H-- | M] () - C:\WINDOWS\System32\mlfcache.dat
[08.21.2008 10:36 PM | 0,000,2206 | ---- | M] () - C:\WINDOWS\System32\wpa.dbl
[08.22.2008 06:31 PM | 0,002,4576 | ---- | M] () - C:\WINDOWS\System32\__c004F444.dat
[08.15.2008 11:35 PM | 0,007,4240 | ---- | M] () - C:\WINDOWS\System32\__c0097644.dat
[08.21.2008 07:55 AM | 0,003,7376 | ---- | M] () - C:\WINDOWS\System32\~.exe
[08.21.2008 08:09 AM | -H-D | M] - C:\WINDOWS\$hf_mig$
[4 C:\WINDOWS\*.tmp files]
[08.21.2008 10:33 PM | ---D | M] - C:\WINDOWS\AppPatch
[08.21.2008 10:33 PM | 0,000,2048 | --S- | M] () - C:\WINDOWS\bootstat.dat
[08.20.2008 07:03 AM | -HSD | M] - C:\WINDOWS\CSC
[08.21.2008 08:09 AM | ---D | M] - C:\WINDOWS\Help
[08.21.2008 08:09 AM | 0,000,1374 | ---- | M] () - C:\WINDOWS\imsins.BAK
[08.21.2008 08:10 AM | -H-D | M] - C:\WINDOWS\inf
[08.20.2008 09:20 AM | -HSD | M] - C:\WINDOWS\Installer
[08.22.2008 09:16 PM | ---D | M] - C:\WINDOWS\Prefetch
[08.04.2008 06:47 PM | ---D | M] - C:\WINDOWS\system
[08.21.2008 08:09 AM | ---D | M] - C:\WINDOWS\system32
[08.16.2008 09:41 PM | --SD | M] - C:\WINDOWS\Tasks
[08.22.2008 09:33 PM | ---D | M] - C:\WINDOWS\Temp
[08.16.2008 09:41 PM | 0,000,0284 | ---- | M] () - C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[08.21.2008 10:33 PM | 0,000,0006 | -H-- | M] () - C:\WINDOWS\tasks\SA.DAT
[08.12.2008 07:55 AM | ---D | M] - C:\Documents and Settings\All Users\Application Data\Lavasoft
[08.15.2008 08:39 AM | ---D | M] - C:\Documents and Settings\All Users\Application Data\Microsoft Help
[08.02.2008 04:19 PM | ---D | M] - C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[08.21.2008 10:36 PM | 0,000,0013 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3C.manifest
[08.21.2008 10:36 PM | 0,000,0011 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3O.manifest
[08.21.2008 10:36 PM | 0,000,0359 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3P.manifest
[08.21.2008 10:36 PM | 0,000,0007 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3R.manifest
[08.21.2008 10:36 PM | 0,000,0011 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3S.manifest
[08.21.2008 10:36 PM | ---D | M] - C:\Documents and Settings\atlegu\Application Data\LimeWire
[08.16.2008 09:46 PM | ---D | M] - C:\Documents and Settings\atlegu\Application Data\NCH Swift Sound
[08.03.2008 08:33 PM | 0,000,3584 | ---- | M] () - C:\Documents and Settings\atlegu\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[08.21.2008 11:19 PM | ---D | M] - C:\Documents and Settings\atlegu\Local Settings\Application Data\Microsoft
[08.17.2008 06:54 PM | 0,149,5112 | ---- | M] (Adobe Systems Incorporated) - C:\Documents and Settings\atlegu\My Documents\install_flash_player.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\My Documents\install_flash_player.exe:Zone.Identifier
[08.21.2008 11:19 PM | R--D | M] - C:\Documents and Settings\atlegu\My Documents\My Pictures
[08.02.2008 04:18 PM | 0,000,0826 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Express Burn.lnk
[08.02.2008 09:41 PM | 0,000,1804 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[08.20.2008 01:31 PM | 0,000,2497 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Microsoft Office Word 2003.lnk
[08.16.2008 09:45 PM | 0,000,0798 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\WavePad Sound Editor.lnk
[08.21.2008 11:34 PM | 0,077,6192 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\13.03.07_1015_1100_and_1215-1300.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\13.03.07_1015_1100_and_1215-1300.ppt:Zone.Identifier
[08.21.2008 11:38 PM | 0,075,4688 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\22.08.08_0815_1000.ppt
[08.12.2008 07:50 AM | 1,915,3264 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\aaw2008.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\aaw2008.exe:Zone.Identifier
[08.17.2008 10:45 PM | 0,007,1309 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Bilde%204-03.jpg
[08.17.2008 10:46 PM | 0,006,8729 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Bilde%204-08.jpg
[08.06.2008 10:05 PM | 0,065,2482 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\bpmanalyzer.zip
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\bpmanalyzer.zip:Zone.Identifier
[08.22.2008 06:34 AM | 0,143,5136 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\chapter3_7e.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\chapter3_7e.ppt:Zone.Identifier
[08.22.2008 06:35 AM | 0,169,2672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\chapter5_7e.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\chapter5_7e.ppt:Zone.Identifier
[08.01.2008 11:48 AM | ---D | M] - C:\Documents and Settings\atlegu\Desktop\Diverse rydding
[4 C:\Documents and Settings\atlegu\Desktop\*.tmp files]
[08.20.2008 10:40 PM | 0,059,3408 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Effects_of_Exchange_Rates_on_Export_Prices_of_Farmed_Salmon_MRE_FINAL_2_July_2008.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Effects_of_Exchange_Rates_on_Export_Prices_of_Farmed_Salmon_MRE_FINAL_2_July_2008.doc:Zone.Identifier
[08.06.2008 11:20 PM | 0,298,9568 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\foredrag11[1].ppt
[08.05.2008 11:31 PM | 0,274,3808 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\foredrag1[1].ppt
[08.11.2008 11:51 PM | 0,546,5600 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\foredragnyeste.ppt
[08.05.2008 08:43 AM | 0,229,9392 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\GLOBALIZATION FISH TRADE_629.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\GLOBALIZATION FISH TRADE_629.ppt:Zone.Identifier
[08.22.2008 09:15 PM | 0,000,1734 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\HijackThis.lnk
[08.22.2008 09:15 PM | 0,081,2344 | ---- | M] (Trend Micro Inc.) - C:\Documents and Settings\atlegu\Desktop\HJTSetup.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\HJTSetup.exe:Zone.Identifier
[08.21.2008 11:40 PM | 0,066,5600 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Introforelesning[1].ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Introforelesning[1].ppt:Zone.Identifier
[08.18.2008 04:33 PM | 0,005,0176 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Kioskvakter_18.8-18.10.xls
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Kioskvakter_18.8-18.10.xls:Zone.Identifier
[08.13.2008 10:47 PM | ---D | M] - C:\Documents and Settings\atlegu\Desktop\Kristin
[08.21.2008 11:41 PM | 0,099,7376 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Lecture2[1].ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Lecture2[1].ppt:Zone.Identifier
[08.17.2008 10:26 PM | 0,003,6352 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\LMIpaper317August[1].doc
[08.06.2008 10:06 PM | 0,000,0720 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\MixMeister BPM Analyzer.lnk
[08.20.2008 10:59 PM | ---D | M] - C:\Documents and Settings\atlegu\Desktop\MRE
[08.20.2008 10:40 PM | 0,010,3153 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\MRE(shrimp_July_2008).docx
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\MRE(shrimp_July_2008).docx:Zone.Identifier
[08.20.2008 10:39 PM | 0,029,9520 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\MRE-Shrimpr_July_2008.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\MRE-Shrimpr_July_2008.doc:Zone.Identifier
[08.22.2008 09:32 PM | 0,139,7248 | ---- | M] (OldTimer Tools) - C:\Documents and Settings\atlegu\Desktop\OTViewIt.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\OTViewIt.exe:Zone.Identifier
[08.06.2008 11:05 PM | 0,002,7136 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Priser fem år.doc
[08.21.2008 11:15 PM | 0,002,8672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\SNF_Timelisteapril.xls
[08.21.2008 11:12 PM | 0,002,8672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\SNF_Timelistefebruar.xls
[08.21.2008 11:13 PM | 0,002,8672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\SNF_Timelistemars.xls
[08.20.2008 10:40 PM | 0,019,4560 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\The_Price_Responsiveness_of_Salmon_SupplyReview4_revison.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\The_Price_Responsiveness_of_Salmon_SupplyReview4_revison.doc:Zone.Identifier
[08.11.2008 11:39 PM | 0,004,3520 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\timeplan høsten 2008 endelig world 97.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\timeplan høsten 2008 endelig world 97.doc:Zone.Identifier
[08.16.2008 09:44 PM | 0,038,2104 | ---- | M] (NCH Software) - C:\Documents and Settings\atlegu\Desktop\wpsetup.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\wpsetup.exe:Zone.Identifier
[08.17.2008 10:27 PM | 0,000,0162 | -H-- | M] () - C:\Documents and Settings\atlegu\Desktop\~$me_Schedule2008b[1].doc

< End of report >

#4
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there :)

Thanks for the logs, a few things I want to look at.

Please go to Uploadmalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\WINDOWS\System32\__c004F444.dat
  • In the next box browse for this filename: C:\WINDOWS\System32\__c0097644.dat
  • And in a third box browse and upload this file: C:\WINDOWS\System32\~.exe
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File
You may need to show hidden files, which you can do by following the instructions found here.

Then,

  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • C:\WINDOWS\System32\~.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Now,

Please open HijackThis again and choose "Do a system scan only". Please put a check next to each of the following entries (if still present):

O4 - HKCU\..\Run: [A00F8A1231.exe] C:\DOCUME~1\atlegu\LOCALS~1\Temp\_A00F8A1231.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O20 - Winlogon Notify: 98d3ddfe382 - C:\WINDOWS\system32\__c0097644.dat
O20 - Winlogon Notify: __c004F444 - C:\WINDOWS\system32\__c004F444.dat


Now please close all open windows except HJT and press "Fix checked".


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\System32\__c004F444.dat
    C:\WINDOWS\System32\__c0097644.dat
    C:\WINDOWS\System32\~.exe
    C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3C.manifest
    C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3O.manifest
    C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3P.manifest
    C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3R.manifest
    C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3S.manifest
    emptytemp
    purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Re-run OTViewIt and post back with the logs.
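The indicators Mike is working from are visible in the two logs above: files created under System32 within the last 30 days that carry no version information and have throwaway names, hidden+system files dropped into the user's Application Data, a Run entry launching from Temp, and two Winlogon Notify packages that point at .dat files. The script below is an added example for this thread; it is not part of the original posts and not code from the HijackThis or OTViewIt tools. It parses the two log line formats exactly as they appear on this page (the regular expressions are reconstructed from those line shapes, an assumption, not a published format), applies those heuristics, and correlates the HijackThis O4/O20 targets with the OTViewIt "created within 30 days" list, so a persistence entry whose target is also a fresh unsigned file ranks highest. The sample lines are copied from the thread, with one benign control line (HJTSetup.exe), and the `THROWAWAY_NAME` pattern is a signature for the names seen here, not a general rule.

```python
"""Correlate HijackThis autostart entries with recently created files from an OTViewIt log.

Added example for this thread, not part of the original posts or tools.
The log formats below are reconstructed from the lines quoted in the thread.
"""
import re

# Constructed sample: lines copied from the OTViewIt log above plus one benign control line.
OTVIEWIT_LINES = r"""
[08.22.2008 06:31 PM | 0,002,4576 | ---- | M] () - C:\WINDOWS\System32\__c004F444.dat
[08.15.2008 11:35 PM | 0,007,4240 | ---- | M] () - C:\WINDOWS\System32\__c0097644.dat
[08.21.2008 07:55 AM | 0,003,7376 | ---- | M] () - C:\WINDOWS\System32\~.exe
[08.21.2008 10:36 PM | 0,000,0013 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3C.manifest
[08.22.2008 09:15 PM | 0,081,2344 | ---- | M] (Trend Micro Inc.) - C:\Documents and Settings\atlegu\Desktop\HJTSetup.exe
[08.12.2008 07:55 AM | ---D | C] - C:\Documents and Settings\All Users\Application Data\Lavasoft
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\HJTSetup.exe:Zone.Identifier
"""

# Constructed sample: the HijackThis entries Mike asked to have fixed.
HJT_LINES = r"""
O4 - HKCU\..\Run: [A00F8A1231.exe] C:\DOCUME~1\atlegu\LOCALS~1\Temp\_A00F8A1231.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O20 - Winlogon Notify: 98d3ddfe382 - C:\WINDOWS\system32\__c0097644.dat
O20 - Winlogon Notify: __c004F444 - C:\WINDOWS\system32\__c004F444.dat
"""

# OTViewIt file line: [mtime | size | attrs | M] (company from version info) - path
FILE_RE = re.compile(
    r"^\[(?P<mtime>\d\d\.\d\d\.\d{4} \d\d:\d\d [AP]M) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-A-Z]{4}) \| [MC]\] \((?P<company>.*?)\) - (?P<path>.+)$"
)
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# Signature for the dropper names seen in this thread (assumption: not a general rule).
THROWAWAY_NAME = re.compile(r"^(__c[0-9a-f]{6,8}\.dat|~\.exe)$", re.I)


def norm(path):
    """Case-fold a Windows path so System32 and system32 spellings compare equal."""
    return path.strip().lower()


def parse_otviewit(text):
    """Return {normalized path: record} for file lines; directory and ADS lines carry no version info."""
    files = {}
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"].replace(",", ""))  # "0,003,7376" -> 37376
            files[norm(rec["path"])] = rec
    return files


def judge_file(rec):
    """Heuristics for a single OTViewIt file record; returns a list of reasons (empty = benign)."""
    reasons = []
    p = norm(rec["path"])
    name = p.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if p.startswith("c:\\windows\\") and not rec["company"] and ext in ("exe", "dll", "dat", "sys"):
        reasons.append("no version info for a binary-type file under %SystemRoot%")
    if THROWAWAY_NAME.match(name):
        reasons.append("name matches the throwaway pattern seen in this thread")
    if "H" in rec["attr"] and "S" in rec["attr"] and "\\application data\\" in p:
        reasons.append("hidden+system file dropped in a user profile")
    return reasons


def parse_hjt(text):
    """Return (kind, entry name, launched path) for each O4 and O20 line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O20_RE.match(line)
        if m:
            entries.append(("O20", m["name"], m["path"]))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m["cmd"]  # first token, honouring a quoted image path
            target = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
            entries.append(("O4", m["name"], target))
    return entries


def judge_entry(kind, target, recent):
    """Heuristics for one autostart entry, correlated with the recently created file set."""
    reasons = []
    t = norm(target)
    if kind == "O20" and not t.endswith(".dll"):
        reasons.append("Winlogon Notify package is not a .dll")
    if kind == "O4" and ("\\temp\\" in t or "\\locals~1\\" in t):
        reasons.append("Run entry launches from a Temp directory")
    if t in recent:
        reasons.append(f"{kind} target was created within the last 30 days")
    return reasons


def triage(otviewit_text, hjt_text):
    """Merge file and autostart findings into {normalized path: [reasons]}; more reasons = higher priority."""
    recent = parse_otviewit(otviewit_text)
    findings = {}
    for p, rec in recent.items():
        for r in judge_file(rec):
            findings.setdefault(p, []).append(r)
    for kind, _name, target in parse_hjt(hjt_text):
        for r in judge_entry(kind, target, recent):
            findings.setdefault(norm(target), []).append(r)
    return findings


if __name__ == "__main__":
    for path, reasons in sorted(triage(OTVIEWIT_LINES, HJT_LINES).items(), key=lambda kv: -len(kv[1])):
        print(f"{len(reasons)} indicator(s): {path}")
        for r in reasons:
            print(f"    - {r}")
```

On the sample input the two Winlogon Notify .dat files collect four indicators each, which is why they sit at the top of Mike's fix list, while HJTSetup.exe (version info present, not under %SystemRoot%) produces none. The same correlation works on a full pair of logs; the parsers skip directory, Alternate Data Stream and header lines rather than failing on them.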

#5
Atle

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
VirSCAN.org Scanned Report :
Scanned time : 2008/08/23 12:27:01 (CEST)
Scanner results: 42% Scanner(15/36) found malware!
File Name : ~.exe
File Size : 37376 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 0cfbefeb76ddda753c9cab5bf18d5f96
SHA1 : 731b43295a87cce2407f25a0950baf9667b5bb46
Online report : http://virscan.org/r...c4e538a3e2.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 3.5.0.22 2008.08.21 2008-08-21 2.50 -
AhnLab V3 2008.08.23.00 2008.08.23 2008-08-23 0.88 -
AntiVir 7.8.1.23 7.0.6.58 2008-08-22 2.22 TR/Drop.Small.bva
Arcavir 1.0.5 200808222101 2008-08-22 1.22 Heur.W32
AVAST! 3.0.1 080822-0 2008-08-22 0.68 Win32:Trojan-gen {Other}
AVG 7.5.51.442 270.6.7/1628 2008-08-22 1.53 -
BitDefender 7.60825.1571953 7.20634 2008-08-23 2.82 -
CA (VET) 9.0.0.143 31.6.6040 2008-08-22 5.39 Win32/SillyDl.FEL trojan.
ClamAV 0.93.3 8077 2008-08-23 0.01 -
Comodo 2.11 2.0.0.625 2008-08-23 0.42 -
CP Secure 1.1.0.715 2008.08.21 2008-08-21 6.24 -
Dr.Web 4.44.0.9170 2008.08.23 2008-08-23 3.14 -
ewido 4.0.0.2 2008.08.23 2008-08-23 2.42 -
F-Prot 4.4.4.56 20080822 2008-08-22 1.07 -
F-Secure 5.51.6100 2008.08.22.06 2008-08-22 3.05 Trojan:W32/Vundo.AG [Orion]
Fortinet 2.81-3.11 9.464 2008-08-23 1.76 W32/Vundo.BGS!tr
ViRobot 20080822 2008.08.22 2008-08-22 0.39 -
Ikarus T3.1.01.34 2008.08.23.71326 2008-08-23 3.46 Trojan-Dropper.Win32.Small.bva
JiangMin 11.0.706 2008.08.23 2008-08-23 1.17 -
Kaspersky 5.5.10 2008.08.23 2008-08-23 0.02 Trojan-Dropper.Win32.Small.bva
KingSoft 2008.1.14.15 2008.8.23.15 2008-08-23 0.57 -
McAfee 5.2.00 5368 2008-08-22 2.57 Vundo
Microsoft 1.3807 2008.08.23 2008-08-23 4.89 Trojan:Win32/Vundo.gen!V
mks_vir 2.01 2008.08.19 2008-08-19 2.59 Heur.W32
Norman 5.93.01 5.93.00 2008-08-22 4.82 Tibs.gen222
Panda 9.05.01 2008.08.22 2008-08-22 1.98 -
Trend Micro 8.700-1004 5.496.02 2008-08-23 0.03 -
Quick Heal 9.50 2008.08.22 2008-08-22 1.67 TrojanDropper.Small.bva
Rising 20.0 20.58.52.00 2008-08-23 1.13 Packer.Win32.Mian007.a
Sophos 2.77.0 4.32 2008-08-23 1.92 Troj/Virtum-Gen
Sunbelt 3.1.1571.1 2202 2008-08-22 0.50 -
Symantec 1.3.0.24 20080822.003 2008-08-22 0.05 -
nProtect 2008-08-22.00 1909009 2008-08-22 3.45 -
The Hacker 6.3.0.6 v00060 2008-08-22 0.42 -
VBA32 3.12.8.4 20080822.0823 2008-08-22 1.11 -
VirusBuster 4.5.11.10 10.84.8/598408 2008-08-22 0.85 -


Explorer killed successfully
File move failed. C:\WINDOWS\System32\__c004F444.dat scheduled to be moved on reboot.
C:\WINDOWS\System32\__c0097644.dat moved successfully.
C:\WINDOWS\System32\~.exe moved successfully.
C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3C.manifest moved successfully.
C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3O.manifest moved successfully.
C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3P.manifest moved successfully.
C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3R.manifest moved successfully.
C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3S.manifest moved successfully.
< emptytemp >
File delete failed. C:\DOCUME~1\atlegu\LOCALS~1\Temp\~DF33A3.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\atlegu\LOCALS~1\Temp\~DF33EF.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\atlegu\LOCALS~1\Temp\~DFADC3.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\atlegu\LOCALS~1\Temp\hsperfdata_atlegu\2204 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\nvcbin.def.AB37B891.TMP scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08232008_124037

Files moved on Reboot...
File move failed. C:\WINDOWS\System32\__c004F444.dat scheduled to be moved on reboot.
File C:\DOCUME~1\atlegu\LOCALS~1\Temp\~DF33A3.tmp not found!
File C:\DOCUME~1\atlegu\LOCALS~1\Temp\~DF33EF.tmp not found!
C:\DOCUME~1\atlegu\LOCALS~1\Temp\~DFADC3.tmp moved successfully.
File C:\DOCUME~1\atlegu\LOCALS~1\Temp\hsperfdata_atlegu\2204 not found!
File move failed. C:\WINDOWS\temp\nvcbin.def.AB37B891.TMP scheduled to be moved on reboot.


OTViewIt logfile created on: 23.08.2008 12:48:12
OTViewIt by OldTimer - Version 1.0.0.5 Folder = C:\Documents and Settings\atlegu\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000414 | Country: Norway | Language: NOR | Date Format: dd.MM.yyyy

510,98 Mb Total Physical Memory | 134,27 Mb Available Physical Memory | 26,28% Memory free
1,22 Gb Paging File | 0,84 Gb Available in Paging File | 69,13% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19,53 Gb Total Space | 3,23 Gb Free Space | 16,53% Space Free | Partition Type: NTFS
Drive D: | 92,17 Gb Total Space | 74,29 Gb Free Space | 80,60% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 279,47 Gb Total Space | 272,84 Gb Free Space | 97,63% Space Free | Partition Type: NTFS
Drive K: | 279,32 Gb Total Space | 239,50 Gb Free Space | 85,74% Space Free | Partition Type: FAT32

Computer Name: IOR-1222
Current User Name: atlegu
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

===== Processes - Non-Microsoft Only =====

[07.22.2008 08:42 PM | 0,011,6040 | ---- | M] (Apple Inc.) - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[07.24.2007 03:17 PM | 0,022,9376 | ---- | M] (Apple Inc.) - C:\Program Files\Bonjour\mDNSResponder.exe
[08.25.2005 05:53 PM | 0,013,5168 | ---- | M] (Dell Inc.) - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe
[08.27.2007 03:17 PM | 0,004,7816 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
[08.27.2007 03:21 PM | 0,011,3320 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FSMA32.EXE
[08.27.2007 03:17 PM | 0,036,6704 | ---- | M] (F-Secure Corp.) - C:\Program Files\F-Secure\Anti-Virus\fsgk32.exe
[08.27.2007 03:21 PM | 0,023,2104 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FSMB32.EXE
[11.10.2005 12:00 AM | 0,009,0112 | ---- | M] (Dell Inc.) - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe
[08.27.2007 03:21 PM | 0,012,5608 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FCH32.EXE
[08.27.2007 03:21 PM | 0,039,1792 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FAMEH32.EXE
[08.27.2007 03:17 PM | 0,004,3696 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
[08.27.2007 03:15 PM | 0,046,1424 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
[08.27.2007 03:17 PM | 0,042,5584 | ---- | M] (F-Secure Corp.) - C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
[08.27.2007 03:22 PM | 0,016,2472 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FNRB32.exe
[08.27.2007 03:19 PM | 0,046,1424 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\FWES\program\fsdfwd.exe
[08.27.2007 03:22 PM | 0,010,1032 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FIH32.exe
[08.27.2007 03:17 PM | 0,032,4208 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
[08.27.2007 03:21 PM | 0,018,2952 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FSM32.EXE
[02.23.2006 12:00 AM | 0,019,2512 | ---- | M] (Dell Inc.) - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe
[02.22.2008 05:25 AM | 0,014,4784 | ---- | M] (Sun Microsystems, Inc.) - C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
[01.11.2008 11:16 PM | 0,003,9792 | ---- | M] (Adobe Systems Incorporated) - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[08.27.2007 03:20 PM | 0,047,3712 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\FSGUI\fsguidll.exe
[07.30.2008 10:47 AM | 0,028,9064 | ---- | M] (Apple Inc.) - C:\Program Files\iTunes\iTunesHelper.exe
[07.20.2007 01:17 PM | 0,006,8856 | ---- | M] (Google Inc.) - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[09.28.2007 03:17 AM | 0,044,3968 | ---- | M] (Google Inc.) - C:\Program Files\Picasa2\PicasaMediaDetector.exe
[06.18.2008 08:46 PM | 0,014,7456 | ---- | M] (Lime Wire, LLC) - C:\Program Files\LimeWire\LimeWire.exe
[07.30.2008 10:47 AM | 0,053,2264 | ---- | M] (Apple Inc.) - C:\Program Files\iPod\bin\iPodService.exe
[08.22.2008 09:32 PM | 0,139,7248 | ---- | M] (OldTimer Tools) - C:\Documents and Settings\atlegu\Desktop\OTViewIt.exe

===== Win32 Services - Non-Microsoft Only =====

(Apple Mobile Device) Apple Mobile Device [Auto | Running]
[07.22.2008 08:42 PM | 0,011,6040 | ---- | M] (Apple Inc.) - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

(Bonjour Service) Bonjour-tjeneste [Auto | Running]
[07.24.2007 03:17 PM | 0,022,9376 | ---- | M] (Apple Inc.) - C:\Program Files\Bonjour\mDNSResponder.exe

(DLPWD) Dell Printer Status Watcher [Auto | Running]
[11.10.2005 12:00 AM | 0,009,0112 | ---- | M] (Dell Inc.) - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe

(DLSDB) Dell Printer Status Database [Auto | Running]
[08.25.2005 05:53 PM | 0,013,5168 | ---- | M] (Dell Inc.) - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe

(dmadmin) Logical Disk Manager Administrative Service [On_Demand | Stopped]
[04.14.2008 05:42 AM | 0,022,4768 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\system32\dmadmin.exe

(F-Secure Gatekeeper Handler Starter) FSGKHS [Auto | Running]
[08.27.2007 03:17 PM | 0,004,7816 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe

(F-Secure Network Request Broker) F-Secure Network Request Broker [On_Demand | Running]
[08.27.2007 03:22 PM | 0,016,2472 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FNRB32.exe

(FSAUA) F-Secure Automatic Update Agent [On_Demand | Running]
[08.27.2007 03:15 PM | 0,046,1424 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe

(FSDFWD) F-Secure Anti-Virus Firewall Daemon [On_Demand | Running]
[08.27.2007 03:19 PM | 0,046,1424 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\FWES\program\fsdfwd.exe

(FSMA) FSMA [Auto | Running]
[08.27.2007 03:21 PM | 0,011,3320 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FSMA32.EXE

(gusvc) Google Updater Service [On_Demand | Stopped]
[07.16.2007 11:21 PM | 0,013,8168 | ---- | M] (Google) - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

(iPod Service) iPod-tjeneste [On_Demand | Running]
[07.30.2008 10:47 AM | 0,053,2264 | ---- | M] (Apple Inc.) - C:\Program Files\iPod\bin\iPodService.exe

===== Driver Services - Non-Microsoft Only =====

(aeaudio) aeaudio [On_Demand | Running]
[04.01.2002 01:15 PM | 0,000,4816 | ---- | M] (Andrea Electronics Corporation) - C:\WINDOWS\system32\drivers\aeaudio.sys

(ati2mtag) ati2mtag [On_Demand | Running]
[08.04.2004 12:29 AM | 0,070,1440 | ---- | M] (ATI Technologies Inc.) - C:\WINDOWS\system32\drivers\ati2mtag.sys

(cercsr6) cercsr6 [Boot | Stopped]
[03.22.2005 03:48 AM | 0,003,9904 | ---- | M] (Adaptec, Inc.) - C:\WINDOWS\System32\drivers\cercsr6.sys

(dmboot) dmboot [Disabled | Stopped]
[04.14.2008 12:14 AM | 0,079,9744 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\system32\drivers\dmboot.sys

(dmio) Logical Disk Manager Driver [Boot | Running]
[04.14.2008 12:14 AM | 0,015,3344 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\system32\drivers\dmio.sys

(dmload) dmload [Boot | Running]
[08.04.2004 02:00 PM | 0,000,5888 | ---- | M] (Microsoft Corp., Veritas Software.) - C:\WINDOWS\system32\drivers\dmload.sys

(E1000) Intel® PRO/1000 Network Connection Driver [On_Demand | Running]
[03.25.2007 08:20 PM | 0,017,1416 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\e1000325.sys

(F-Secure Filter) F-Secure File System Filter [Disabled | Stopped]
[08.27.2007 03:18 PM | 0,003,9792 | ---- | M] () - C:\Program Files\F-Secure\Anti-Virus\win2k\fsfilter.sys

(F-Secure Gatekeeper) F-Secure Gatekeeper [On_Demand | Running]
[08.27.2007 03:17 PM | 0,006,2064 | ---- | M] () - C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys

(F-Secure HIPS) F-Secure HIPS [System | Running]
[08.27.2007 03:20 PM | 0,007,0768 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\HIPS\fshs.sys

(F-Secure Recognizer) F-Secure File System Recognizer [Disabled | Stopped]
[08.27.2007 03:18 PM | 0,002,5200 | ---- | M] () - C:\Program Files\F-Secure\Anti-Virus\win2k\fsrec.sys

(FSFW) F-Secure Firewall Driver [Boot | Running]
[08.27.2007 03:19 PM | 0,006,0272 | ---- | M] (F-Secure Corporation) - C:\WINDOWS\system32\drivers\fsdfw.sys

(GEARAspiWDM) GEARAspiWDM [On_Demand | Running]
[01.29.2008 12:01 PM | 0,001,6168 | ---- | M] (GEAR Software Inc.) - C:\WINDOWS\system32\drivers\GEARAspiWDM.sys

(NAL) Nal Service [On_Demand | Stopped]
[03.09.2007 05:04 PM | 0,003,1072 | ---- | M] (Intel Corporation ) - C:\WINDOWS\system32\drivers\iqvw32.sys

(OMCI) OMCI [System | Running]
[05.14.2001 06:15 PM | 0,001,0368 | ---- | M] (Dell Computer Corporation) - C:\WINDOWS\system32\drivers\omci.sys

(Ptilink) Direct Parallel Link Driver [On_Demand | Running]
[08.04.2004 02:00 PM | 0,001,7792 | ---- | M] (Parallel Technologies, Inc.) - C:\WINDOWS\system32\drivers\ptilink.sys

(PxHelp20) PxHelp20 [Boot | Running]
[09.27.2006 11:53 PM | 0,003,6560 | ---- | M] (Sonic Solutions) - C:\WINDOWS\system32\drivers\pxhelp20.sys

(Secdrv) Secdrv [Auto | Running]
[11.13.2007 12:25 PM | 0,002,0480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) - C:\WINDOWS\system32\drivers\secdrv.sys

(smwdm) smwdm [On_Demand | Running]
[02.28.2003 09:17 AM | 0,054,5024 | ---- | M] (Analog Devices, Inc.) - C:\WINDOWS\system32\drivers\smwdm.sys

(USBAAPL) Apple Mobile USB Driver [On_Demand | Stopped]
[07.10.2008 09:35 AM | 0,003,2000 | ---- | M] (Apple, Inc.) - C:\WINDOWS\system32\drivers\usbaapl.sys

===== Run Keys =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher" = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01.11.2008 11:16 PM | 0,003,9792 | ---- | M] (Adobe Systems Incorporated)
"AppleSyncNotifier" = C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [07.10.2008 09:47 AM | 0,011,6040 | ---- | M] (Apple Inc.)
"DLPSP" = "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [02.23.2006 12:00 AM | 0,019,2512 | ---- | M] (Dell Inc.)
"F-Secure Manager" = "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash [08.27.2007 03:21 PM | 0,018,2952 | ---- | M] (F-Secure Corporation)
"F-Secure TNB" = "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW [08.27.2007 03:20 PM | 0,089,5600 | ---- | M] (F-Secure Corporation)
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" [07.30.2008 10:47 AM | 0,028,9064 | ---- | M] (Apple Inc.)
"QuickTime Task" = "C:\Program Files\QuickTime\qttask.exe" -atboottime [05.27.2008 10:50 AM | 0,041,3696 | ---- | M] (Apple Inc.)
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02.22.2008 05:25 AM | 0,014,4784 | ---- | M] (Sun Microsystems, Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Value load does not exist or could not be read.
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"" =
"Installed" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"" =
"Installed" = 1
"NoChange" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"" =
"Installed" = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector" = C:\Program Files\Picasa2\PicasaMediaDetector.exe [09.28.2007 03:17 AM | 0,044,3968 | ---- | M] (Google Inc.)
"swg" = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [07.20.2007 01:17 PM | 0,006,8856 | ---- | M] (Google Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

===== Startup Folders =====

[All Users Startup Folder - C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

[atlegu Startup Folder - C:\Documents and Settings\atlegu\Start Menu\Programs\Startup]
[06.18.2008 08:46 PM | 0,014,7456 | ---- | M] (Lime Wire, LLC) - C:\Documents and Settings\atlegu\Start Menu\Programs\Startup\LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

===== BHO's =====

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
HKLM CLSID: (Adobe PDF Reader Link Helper) - [10.23.2006 12:08 AM | 0,006,2080 | ---- | M] (Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
HKLM CLSID: (SSVHelper Class) - [02.22.2008 05:25 AM | 0,050,9328 | ---- | M] (Sun Microsystems, Inc.) C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
HKLM CLSID: (Google Toolbar Notifier BHO) - [04.05.2008 09:40 PM | 0,073,4704 | ---- | M] (Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
HKLM CLSID: (Google Toolbar Helper) - [07.16.2007 11:21 PM | 0,240,3392 | R--- | M] (Google Inc.) c:\Program Files\Google\GoogleToolbar1.dll

===== Toolbars =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"
HKLM CLSID: (&Google) - [07.16.2007 11:21 PM | 0,240,3392 | R--- | M] (Google Inc.) c:\Program Files\Google\GoogleToolbar1.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
HKLM CLSID: (&Google) - [07.16.2007 11:21 PM | 0,240,3392 | R--- | M] (Google Inc.) c:\Program Files\Google\GoogleToolbar1.dll

===== Policies =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}" = 1
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}" = 1073741857
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}" = 32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername" = 0
"legalnoticecaption" =
"legalnoticetext" =
"shutdownwithoutlogon" = 1
"undockwithoutlogon" = 1
"MaxGPOScriptWait" = 60

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

===== Desktop Components =====

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName" = "My Current Home Page"
"Source" = "About:Home"
"SubscribedURL" = "About:Home"

===== Shared Task Scheduler =====

===== AppInit_Dlls =====

===== Lsa Authentication Packages =====

===== Lsa Security Packages =====

===== Authorized Applications List =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = C:\WINDOWS\system32\sessmgr.exe [04.14.2008 05:42 AM | 0,014,1312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE [05.21.2008 04:37 AM | 1,284,4576 | ---- | M] (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = C:\WINDOWS\network diagnostic\xpnetdiag.exe [04.14.2008 12:23 AM | 0,055,8080 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = C:\WINDOWS\system32\sessmgr.exe [04.14.2008 05:42 AM | 0,014,1312 | ---- | M] (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = C:\WINDOWS\network diagnostic\xpnetdiag.exe [04.14.2008 12:23 AM | 0,055,8080 | ---- | M] (Microsoft Corporation)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe [06.18.2008 08:46 PM | 0,014,7456 | ---- | M] (Lime Wire, LLC)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe [07.24.2007 03:17 PM | 0,022,9376 | ---- | M] (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe [07.30.2008 10:47 AM | 2,025,2968 | ---- | M] (Apple Inc.)

===== HKLM Winlogon Settings =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell]
"Explorer.exe" - [04.14.2008 05:42 AM | 0,103,3728 | ---- | M] (Microsoft Corporation) C:\WINDOWS\explorer.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit]
"C:\WINDOWS\system32\userinit.exe" - [04.14.2008 05:42 AM | 0,002,6112 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\userinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost]
"logonui.exe" - [04.14.2008 05:42 AM | 0,051,4560 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\logonui.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
"rundll32 shell32" - [04.14.2008 05:42 AM | 0,846,1312 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
"Control_RunDLL "sysdm.cpl"" - [04.14.2008 05:42 AM | 0,030,0544 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\sysdm.cpl

===== User's Winlogon Settings =====

===== Winlogon Notify Settings =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c004F444]
"DllName" = C:\WINDOWS\system32\__c004F444.dat [08.22.2008 06:31 PM | 0,002,4576 | ---- | M] ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\98d3ddfe382]
"DllName" = C:\WINDOWS\system32\__c0097644.dat [08.23.2008 12:40 PM | 0,007,4240 | ---- | M] ()

===== Safeboot Options =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = cmd.exe

===== Disabled MsConfig Items =====
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ not found. -> ->

===== DNS Name Servers =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{9B92E789-1154-4697-AA32-47B3C09C5D85}]
Servers: | Description: 1394 Net Adapter

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{BA4C3937-DEBD-4705-A7AE-E4F207DF983F}]
Servers: | Description: Intel® PRO/1000 MT Network Connection



[Files/Folders - Created Within 30 days]
[08.20.2008 10:34 PM | 0,000,0057 | ---- | M] () - C:\xcrashdump.dat
[08.23.2008 12:40 PM | ---D | C] - C:\_OTMoveIt
[07.22.2008 04:45 PM | 0,079,0846 | ---- | M] () - C:\WINDOWS\System32\dllcache\apph_sp.sdb
[07.22.2008 04:45 PM | 0,000,9696 | ---- | M] () - C:\WINDOWS\System32\dllcache\drvmain.sdb
[07.22.2008 04:45 PM | 0,121,4526 | ---- | M] () - C:\WINDOWS\System32\dllcache\sysmain.sdb
[08.07.2008 04:09 PM | 0,003,9812 | -H-- | M] () - C:\WINDOWS\System32\mlfcache.dat
[08.22.2008 06:31 PM | 0,002,4576 | ---- | M] () - C:\WINDOWS\System32\__c004F444.dat
[08.22.2008 11:59 PM | 0,007,4240 | ---- | M] (Avira GmbH) - C:\WINDOWS\System32\__c008F8A4.dat
[08.23.2008 12:40 PM | 0,007,4240 | ---- | M] () - C:\WINDOWS\System32\__c0097644.dat
[10.23.1997 04:30 PM | 0,014,1008 | ---- | M] (Desaware) - C:\WINDOWS\System\ANIBTN16.OCX
[03.29.1994 07:38 PM | 0,001,2480 | ---- | M] () - C:\WINDOWS\System\BLASTER.VBX
[08.03.1995 11:44 AM | 0,002,3872 | ---- | M] (Dan Byström) - C:\WINDOWS\System\DBTTIP.VBX
[10.23.1997 04:30 PM | 0,030,4656 | ---- | M] (Bits Per Second Ltd) - C:\WINDOWS\System\GRAPH16.OCX
[10.23.1997 04:30 PM | 0,027,6880 | ---- | M] (Bits Per Second Ltd) - C:\WINDOWS\System\GSW16.EXE
[10.23.1997 04:30 PM | 0,004,5680 | ---- | M] (Bits Per Second Ltd) - C:\WINDOWS\System\GSWDLL16.DLL
[02.08.2000 03:17 PM | 0,009,3456 | ---- | M] (MicroHelp Inc.) - C:\WINDOWS\System\MHRUN400.DLL
[02.08.2000 03:17 PM | 0,013,0480 | ---- | M] (MicroHelp Inc.) - C:\WINDOWS\System\MHTR200.VBX
[01.11.1996 11:00 PM | 0,002,8113 | ---- | M] () - C:\WINDOWS\System\OLE2.REG
[02.08.2000 03:17 PM | 0,001,5840 | ---- | M] (Thuridion Software Engineering, Inc.) - C:\WINDOWS\System\PICCLIP.VBX
[10.23.1997 04:30 PM | 0,004,7936 | ---- | M] (Outrider Systems, Inc.) - C:\WINDOWS\System\SPIN16.OCX
[01.11.1996 11:00 PM | 0,015,7696 | ---- | M] () - C:\WINDOWS\System\STORAGE.DLL
[10.23.1997 04:30 PM | 0,011,5424 | ---- | M] (Sheridan Software Systems, Inc.) - C:\WINDOWS\System\TABCTL16.OCX
[10.23.1997 04:31 PM | 0,042,3424 | ---- | M] (APEX Software Corporation) - C:\WINDOWS\System\TG_VB4.VBX
[01.11.1996 11:00 PM | 0,001,4933 | ---- | M] () - C:\WINDOWS\System\VSHARE.386
[03.23.1998 11:00 PM | 0,004,7776 | ---- | M] (Xceed Software Inc. 1-514-442-2626 [email protected] www.xceedsoft.com) - C:\WINDOWS\System\XCDUNZIP.DLL
[03.23.1998 11:00 PM | 0,006,9596 | ---- | M] (Xceed Software Inc. (514)-442-2626 [email protected]) - C:\WINDOWS\System\XCEEDZIP.VBX
[08.16.2008 09:41 PM | 0,000,0284 | ---- | M] () - C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[08.12.2008 07:55 AM | ---D | C] - C:\Documents and Settings\All Users\Application Data\Lavasoft
[08.02.2008 04:19 PM | ---D | C] - C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[08.23.2008 12:44 PM | 0,000,0013 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3C.manifest
[08.23.2008 12:44 PM | 0,000,0011 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3O.manifest
[08.23.2008 12:44 PM | 0,000,0359 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3P.manifest
[08.23.2008 12:44 PM | 0,000,0007 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3R.manifest
[08.23.2008 12:44 PM | 0,000,0011 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3S.manifest
[08.16.2008 09:46 PM | ---D | C] - C:\Documents and Settings\atlegu\Application Data\NCH Swift Sound
[08.17.2008 06:54 PM | 0,149,5112 | ---- | M] (Adobe Systems Incorporated) - C:\Documents and Settings\atlegu\My Documents\install_flash_player.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\My Documents\install_flash_player.exe:Zone.Identifier
[08.02.2008 04:18 PM | 0,000,0826 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Express Burn.lnk
[08.02.2008 09:41 PM | 0,000,1804 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[08.16.2008 09:45 PM | 0,000,0798 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\WavePad Sound Editor.lnk
[08.21.2008 11:34 PM | 0,077,6192 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\13.03.07_1015_1100_and_1215-1300.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\13.03.07_1015_1100_and_1215-1300.ppt:Zone.Identifier
[08.21.2008 11:38 PM | 0,075,4688 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\22.08.08_0815_1000.ppt
[08.23.2008 12:01 PM | 0,179,8707 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\86933079.jpeg
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\86933079.jpeg:Zone.Identifier
[08.12.2008 07:50 AM | 1,915,3264 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\aaw2008.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\aaw2008.exe:Zone.Identifier
[08.17.2008 10:45 PM | 0,007,1309 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Bilde%204-03.jpg
[08.17.2008 10:46 PM | 0,006,8729 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Bilde%204-08.jpg
[08.06.2008 10:05 PM | 0,065,2482 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\bpmanalyzer.zip
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\bpmanalyzer.zip:Zone.Identifier
[08.22.2008 06:34 AM | 0,143,5136 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\chapter3_7e.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\chapter3_7e.ppt:Zone.Identifier
[08.22.2008 06:35 AM | 0,169,2672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\chapter5_7e.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\chapter5_7e.ppt:Zone.Identifier
[08.01.2008 11:48 AM | ---D | C] - C:\Documents and Settings\atlegu\Desktop\Diverse rydding
[4 C:\Documents and Settings\atlegu\Desktop\*.tmp files]
[08.20.2008 10:40 PM | 0,059,3408 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Effects_of_Exchange_Rates_on_Export_Prices_of_Farmed_Salmon_MRE_FINAL_2_July_2008.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Effects_of_Exchange_Rates_on_Export_Prices_of_Farmed_Salmon_MRE_FINAL_2_July_2008.doc:Zone.Identifier
[08.22.2008 09:38 PM | 0,003,5328 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Food_market_research_UiS_UMB[1].doc
[08.06.2008 11:20 PM | 0,298,9568 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\foredrag11[1].ppt
[08.05.2008 11:31 PM | 0,274,3808 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\foredrag1[1].ppt
[08.11.2008 11:51 PM | 0,546,5600 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\foredragnyeste.ppt
[08.05.2008 08:43 AM | 0,229,9392 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\GLOBALIZATION FISH TRADE_629.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\GLOBALIZATION FISH TRADE_629.ppt:Zone.Identifier
[08.22.2008 09:15 PM | 0,000,1734 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\HijackThis.lnk
[08.22.2008 09:15 PM | 0,081,2344 | ---- | M] (Trend Micro Inc.) - C:\Documents and Settings\atlegu\Desktop\HJTSetup.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\HJTSetup.exe:Zone.Identifier
[08.21.2008 11:40 PM | 0,066,5600 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Introforelesning[1].ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Introforelesning[1].ppt:Zone.Identifier
[08.18.2008 04:33 PM | 0,005,0176 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Kioskvakter_18.8-18.10.xls
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Kioskvakter_18.8-18.10.xls:Zone.Identifier
[08.21.2008 11:41 PM | 0,099,7376 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Lecture2[1].ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Lecture2[1].ppt:Zone.Identifier
[08.17.2008 10:26 PM | 0,003,6352 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\LMIpaper317August[1].doc
[08.06.2008 10:06 PM | 0,000,0720 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\MixMeister BPM Analyzer.lnk
[08.20.2008 10:59 PM | ---D | C] - C:\Documents and Settings\atlegu\Desktop\MRE
[08.20.2008 10:40 PM | 0,010,3153 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\MRE(shrimp_July_2008).docx
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\MRE(shrimp_July_2008).docx:Zone.Identifier
[08.20.2008 10:39 PM | 0,029,9520 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\MRE-Shrimpr_July_2008.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\MRE-Shrimpr_July_2008.doc:Zone.Identifier
[08.23.2008 12:39 PM | 0,029,1840 | ---- | M] (OldTimer Tools) - C:\Documents and Settings\atlegu\Desktop\OTMoveIt2.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\OTMoveIt2.exe:Zone.Identifier
[08.22.2008 09:32 PM | 0,139,7248 | ---- | M] (OldTimer Tools) - C:\Documents and Settings\atlegu\Desktop\OTViewIt.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\OTViewIt.exe:Zone.Identifier
[08.06.2008 11:05 PM | 0,002,7136 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Priser fem år.doc
[08.21.2008 11:15 PM | 0,002,8672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\SNF_Timelisteapril.xls
[08.21.2008 11:12 PM | 0,002,8672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\SNF_Timelistefebruar.xls
[08.21.2008 11:13 PM | 0,002,8672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\SNF_Timelistemars.xls
[08.20.2008 10:40 PM | 0,019,4560 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\The_Price_Responsiveness_of_Salmon_SupplyReview4_revison.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\The_Price_Responsiveness_of_Salmon_SupplyReview4_revison.doc:Zone.Identifier
[08.11.2008 11:39 PM | 0,004,3520 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\timeplan høsten 2008 endelig world 97.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\timeplan høsten 2008 endelig world 97.doc:Zone.Identifier
[08.16.2008 09:44 PM | 0,038,2104 | ---- | M] (NCH Software) - C:\Documents and Settings\atlegu\Desktop\wpsetup.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\wpsetup.exe:Zone.Identifier
[08.17.2008 10:27 PM | 0,000,0162 | -H-- | M] () - C:\Documents and Settings\atlegu\Desktop\~$me_Schedule2008b[1].doc
[08.16.2008 09:40 PM | ---D | C] - C:\Program Files\Apple Software Update
[08.04.2008 06:47 PM | ---D | C] - C:\Program Files\FISHSTAT
[08.02.2008 09:41 PM | ---D | C] - C:\Program Files\iPod
[08.07.2008 08:42 AM | ---D | C] - C:\Program Files\MixMeister BPM Analyzer
[08.02.2008 10:14 PM | ---D | C] - C:\Program Files\NCH Software
[08.16.2008 09:45 PM | ---D | C] - C:\Program Files\NCH Swift Sound
[08.22.2008 09:15 PM | ---D | C] - C:\Program Files\Trend Micro

[Files/Folders - Modified Within 30 days]
[08.23.2008 12:43 PM | 5,358,75584 | -HS- | M] () - C:\hiberfil.sys
[08.22.2008 09:15 PM | R--D | M] - C:\Program Files
[08.21.2008 10:36 PM | ---D | M] - C:\WINDOWS
[08.20.2008 10:34 PM | 0,000,0057 | ---- | M] () - C:\xcrashdump.dat
[08.23.2008 12:40 PM | ---D | M] - C:\_OTMoveIt
[08.23.2008 12:43 PM | ---D | M] - C:\WINDOWS\System32\CatRoot2
[1 C:\WINDOWS\System32\*.tmp files]
[08.21.2008 08:09 AM | RHSD | M] - C:\WINDOWS\System32\dllcache
[08.20.2008 09:20 AM | ---D | M] - C:\WINDOWS\System32\drivers
[08.07.2008 04:09 PM | 0,003,9812 | -H-- | M] () - C:\WINDOWS\System32\mlfcache.dat
[08.23.2008 12:44 PM | 0,000,2206 | ---- | M] () - C:\WINDOWS\System32\wpa.dbl
[08.22.2008 06:31 PM | 0,002,4576 | ---- | M] () - C:\WINDOWS\System32\__c004F444.dat
[08.22.2008 11:59 PM | 0,007,4240 | ---- | M] (Avira GmbH) - C:\WINDOWS\System32\__c008F8A4.dat
[08.23.2008 12:40 PM | 0,007,4240 | ---- | M] () - C:\WINDOWS\System32\__c0097644.dat
[08.21.2008 08:09 AM | -H-D | M] - C:\WINDOWS\$hf_mig$
[4 C:\WINDOWS\*.tmp files]
[08.21.2008 10:33 PM | ---D | M] - C:\WINDOWS\AppPatch
[08.23.2008 12:43 PM | 0,000,2048 | --S- | M] () - C:\WINDOWS\bootstat.dat
[08.20.2008 07:03 AM | -HSD | M] - C:\WINDOWS\CSC
[08.21.2008 08:09 AM | ---D | M] - C:\WINDOWS\Help
[08.21.2008 08:09 AM | 0,000,1374 | ---- | M] () - C:\WINDOWS\imsins.BAK
[08.21.2008 08:10 AM | -H-D | M] - C:\WINDOWS\inf
[08.20.2008 09:20 AM | -HSD | M] - C:\WINDOWS\Installer
[08.23.2008 12:40 PM | ---D | M] - C:\WINDOWS\Prefetch
[08.04.2008 06:47 PM | ---D | M] - C:\WINDOWS\system
[08.23.2008 12:40 PM | ---D | M] - C:\WINDOWS\system32
[08.23.2008 12:43 PM | --SD | M] - C:\WINDOWS\Tasks
[08.23.2008 12:44 PM | ---D | M] - C:\WINDOWS\Temp
[08.16.2008 09:41 PM | 0,000,0284 | ---- | M] () - C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[08.23.2008 12:43 PM | 0,000,0006 | -H-- | M] () - C:\WINDOWS\tasks\SA.DAT
[08.12.2008 07:55 AM | ---D | M] - C:\Documents and Settings\All Users\Application Data\Lavasoft
[08.15.2008 08:39 AM | ---D | M] - C:\Documents and Settings\All Users\Application Data\Microsoft Help
[08.02.2008 04:19 PM | ---D | M] - C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[08.23.2008 12:44 PM | 0,000,0013 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3C.manifest
[08.23.2008 12:44 PM | 0,000,0011 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3O.manifest
[08.23.2008 12:44 PM | 0,000,0359 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3P.manifest
[08.23.2008 12:44 PM | 0,000,0007 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3R.manifest
[08.23.2008 12:44 PM | 0,000,0011 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3S.manifest
[08.23.2008 12:44 PM | ---D | M] - C:\Documents and Settings\atlegu\Application Data\LimeWire
[08.16.2008 09:46 PM | ---D | M] - C:\Documents and Settings\atlegu\Application Data\NCH Swift Sound
[08.03.2008 08:33 PM | 0,000,3584 | ---- | M] () - C:\Documents and Settings\atlegu\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[08.21.2008 11:19 PM | ---D | M] - C:\Documents and Settings\atlegu\Local Settings\Application Data\Microsoft
[08.17.2008 06:54 PM | 0,149,5112 | ---- | M] (Adobe Systems Incorporated) - C:\Documents and Settings\atlegu\My Documents\install_flash_player.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\My Documents\install_flash_player.exe:Zone.Identifier
[08.21.2008 11:19 PM | R--D | M] - C:\Documents and Settings\atlegu\My Documents\My Pictures
[08.02.2008 04:18 PM | 0,000,0826 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Express Burn.lnk
[08.02.2008 09:41 PM | 0,000,1804 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[08.20.2008 01:31 PM | 0,000,2497 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Microsoft Office Word 2003.lnk
[08.16.2008 09:45 PM | 0,000,0798 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\WavePad Sound Editor.lnk
[08.21.2008 11:34 PM | 0,077,6192 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\13.03.07_1015_1100_and_1215-1300.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\13.03.07_1015_1100_and_1215-1300.ppt:Zone.Identifier
[08.21.2008 11:38 PM | 0,075,4688 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\22.08.08_0815_1000.ppt
[08.23.2008 12:01 PM | 0,179,8707 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\86933079.jpeg
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\86933079.jpeg:Zone.Identifier
[08.12.2008 07:50 AM | 1,915,3264 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\aaw2008.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\aaw2008.exe:Zone.Identifier
[08.17.2008 10:45 PM | 0,007,1309 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Bilde%204-03.jpg
[08.17.2008 10:46 PM | 0,006,8729 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Bilde%204-08.jpg
[08.06.2008 10:05 PM | 0,065,2482 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\bpmanalyzer.zip
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\bpmanalyzer.zip:Zone.Identifier
[08.22.2008 06:34 AM | 0,143,5136 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\chapter3_7e.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\chapter3_7e.ppt:Zone.Identifier
[08.22.2008 06:35 AM | 0,169,2672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\chapter5_7e.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\chapter5_7e.ppt:Zone.Identifier
[08.01.2008 11:48 AM | ---D | M] - C:\Documents and Settings\atlegu\Desktop\Diverse rydding
[4 C:\Documents and Settings\atlegu\Desktop\*.tmp files]
[08.20.2008 10:40 PM | 0,059,3408 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Effects_of_Exchange_Rates_on_Export_Prices_of_Farmed_Salmon_MRE_FINAL_2_July_2008.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Effects_of_Exchange_Rates_on_Export_Prices_of_Farmed_Salmon_MRE_FINAL_2_July_2008.doc:Zone.Identifier
[08.22.2008 09:38 PM | 0,003,5328 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Food_market_research_UiS_UMB[1].doc
[08.06.2008 11:20 PM | 0,298,9568 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\foredrag11[1].ppt
[08.05.2008 11:31 PM | 0,274,3808 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\foredrag1[1].ppt
[08.11.2008 11:51 PM | 0,546,5600 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\foredragnyeste.ppt
[08.05.2008 08:43 AM | 0,229,9392 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\GLOBALIZATION FISH TRADE_629.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\GLOBALIZATION FISH TRADE_629.ppt:Zone.Identifier
[08.22.2008 09:15 PM | 0,000,1734 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\HijackThis.lnk
[08.22.2008 09:15 PM | 0,081,2344 | ---- | M] (Trend Micro Inc.) - C:\Documents and Settings\atlegu\Desktop\HJTSetup.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\HJTSetup.exe:Zone.Identifier
[08.21.2008 11:40 PM | 0,066,5600 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Introforelesning[1].ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Introforelesning[1].ppt:Zone.Identifier
[08.18.2008 04:33 PM | 0,005,0176 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Kioskvakter_18.8-18.10.xls
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Kioskvakter_18.8-18.10.xls:Zone.Identifier
[08.13.2008 10:47 PM | ---D | M] - C:\Documents and Settings\atlegu\Desktop\Kristin
[08.21.2008 11:41 PM | 0,099,7376 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Lecture2[1].ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Lecture2[1].ppt:Zone.Identifier
[08.17.2008 10:26 PM | 0,003,6352 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\LMIpaper317August[1].doc
[08.06.2008 10:06 PM | 0,000,0720 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\MixMeister BPM Analyzer.lnk
[08.20.2008 10:59 PM | ---D | M] - C:\Documents and Settings\atlegu\Desktop\MRE
[08.20.2008 10:40 PM | 0,010,3153 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\MRE(shrimp_July_2008).docx
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\MRE(shrimp_July_2008).docx:Zone.Identifier
[08.20.2008 10:39 PM | 0,029,9520 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\MRE-Shrimpr_July_2008.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\MRE-Shrimpr_July_2008.doc:Zone.Identifier
[08.23.2008 12:39 PM | 0,029,1840 | ---- | M] (OldTimer Tools) - C:\Documents and Settings\atlegu\Desktop\OTMoveIt2.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\OTMoveIt2.exe:Zone.Identifier
[08.22.2008 09:32 PM | 0,139,7248 | ---- | M] (OldTimer Tools) - C:\Documents and Settings\atlegu\Desktop\OTViewIt.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\OTViewIt.exe:Zone.Identifier
[08.06.2008 11:05 PM | 0,002,7136 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Priser fem år.doc
[08.21.2008 11:15 PM | 0,002,8672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\SNF_Timelisteapril.xls
[08.21.2008 11:12 PM | 0,002,8672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\SNF_Timelistefebruar.xls
[08.21.2008 11:13 PM | 0,002,8672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\SNF_Timelistemars.xls
[08.20.2008 10:40 PM | 0,019,4560 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\The_Price_Responsiveness_of_Salmon_SupplyReview4_revison.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\The_Price_Responsiveness_of_Salmon_SupplyReview4_revison.doc:Zone.Identifier
[08.11.2008 11:39 PM | 0,004,3520 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\timeplan høsten 2008 endelig world 97.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\timeplan høsten 2008 endelig world 97.doc:Zone.Identifier
[08.16.2008 09:44 PM | 0,038,2104 | ---- | M] (NCH Software) - C:\Documents and Settings\atlegu\Desktop\wpsetup.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\wpsetup.exe:Zone.Identifier
[08.17.2008 10:27 PM | 0,000,0162 | -H-- | M] () - C:\Documents and Settings\atlegu\Desktop\~$me_Schedule2008b[1].doc

< End of report >

Edited by Atle, 23 August 2008 - 04:49 AM.


#6 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there :)

As a heads up, please don't use any P2P program for a while.
Although I don't recommend its use at all, it can be difficult cleaning up your PC if you were to download new things.

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c004F444
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\98d3ddfe382
    C:\WINDOWS\System32\__c004F444.dat
    C:\WINDOWS\System32\__c008F8A4.dat
    C:\WINDOWS\System32\__c0097644.dat
    emptytemp
    purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

And,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Post back with the two logs along with another OTViewIt log :)

Edited by Mike, 23 August 2008 - 10:02 AM.


#7 Atle (New Member, Topic Starter, 9 posts)
Explorer killed successfully
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c004F444 >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c004F444\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\98d3ddfe382 >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\98d3ddfe382\\ deleted successfully.
File move failed. C:\WINDOWS\System32\__c004F444.dat scheduled to be moved on reboot.
C:\WINDOWS\System32\__c008F8A4.dat moved successfully.
C:\WINDOWS\System32\__c0097644.dat moved successfully.
< emptytemp >
File delete failed. C:\DOCUME~1\atlegu\LOCALS~1\Temp\~DFC6D5.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\atlegu\LOCALS~1\Temp\~DFC70C.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\nvcbin.def.AB37B891.TMP scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08232008_185708


Malwarebytes' Anti-Malware 1.25
Database version: 1078
Windows 5.1.2600 Service Pack 3

19:44:16 23.08.2008
mbam-log-08-23-2008 (19-44-16).txt

Scan type: Quick Scan
Objects scanned: 45504
Time elapsed: 3 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\__c004F444.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c0097644.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c004f444 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\98d3ddfe382 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\atlegu\Desktop\PLAY_MP3.exe.download (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c004F444.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\__c0097644.dat (Trojan.Agent) -> Delete on reboot.


OTViewIt logfile created on: 23.08.2008 20:03:53
OTViewIt by OldTimer - Version 1.0.0.5 Folder = C:\Documents and Settings\atlegu\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000414 | Country: Norway | Language: NOR | Date Format: dd.MM.yyyy

510,98 Mb Total Physical Memory | 148,59 Mb Available Physical Memory | 29,08% Memory free
1,22 Gb Paging File | 0,87 Gb Available in Paging File | 71,13% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19,53 Gb Total Space | 3,22 Gb Free Space | 16,47% Space Free | Partition Type: NTFS
Drive D: | 92,17 Gb Total Space | 74,29 Gb Free Space | 80,60% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 279,47 Gb Total Space | 272,84 Gb Free Space | 97,63% Space Free | Partition Type: NTFS
Drive K: | 279,32 Gb Total Space | 239,50 Gb Free Space | 85,74% Space Free | Partition Type: FAT32

Computer Name: IOR-1222
Current User Name: atlegu
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

===== Processes - Non-Microsoft Only =====

[07.22.2008 08:42 PM | 0,011,6040 | ---- | M] (Apple Inc.) - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[07.24.2007 03:17 PM | 0,022,9376 | ---- | M] (Apple Inc.) - C:\Program Files\Bonjour\mDNSResponder.exe
[08.25.2005 05:53 PM | 0,013,5168 | ---- | M] (Dell Inc.) - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe
[08.27.2007 03:17 PM | 0,004,7816 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
[08.27.2007 03:21 PM | 0,011,3320 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FSMA32.EXE
[08.27.2007 03:17 PM | 0,036,6704 | ---- | M] (F-Secure Corp.) - C:\Program Files\F-Secure\Anti-Virus\fsgk32.exe
[08.27.2007 03:21 PM | 0,023,2104 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FSMB32.EXE
[11.10.2005 12:00 AM | 0,009,0112 | ---- | M] (Dell Inc.) - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe
[08.27.2007 03:21 PM | 0,012,5608 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FCH32.EXE
[08.27.2007 03:21 PM | 0,039,1792 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FAMEH32.EXE
[08.27.2007 03:17 PM | 0,004,3696 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
[08.27.2007 03:22 PM | 0,016,2472 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FNRB32.exe
[08.27.2007 03:17 PM | 0,042,5584 | ---- | M] (F-Secure Corp.) - C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
[08.27.2007 03:15 PM | 0,046,1424 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
[08.27.2007 03:22 PM | 0,010,1032 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FIH32.exe
[08.27.2007 03:19 PM | 0,046,1424 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\FWES\program\fsdfwd.exe
[08.27.2007 03:17 PM | 0,032,4208 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
[08.27.2007 03:21 PM | 0,018,2952 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FSM32.EXE
[02.23.2006 12:00 AM | 0,019,2512 | ---- | M] (Dell Inc.) - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe
[02.22.2008 05:25 AM | 0,014,4784 | ---- | M] (Sun Microsystems, Inc.) - C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
[08.27.2007 03:20 PM | 0,047,3712 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\FSGUI\fsguidll.exe
[07.30.2008 10:47 AM | 0,028,9064 | ---- | M] (Apple Inc.) - C:\Program Files\iTunes\iTunesHelper.exe
[07.20.2007 01:17 PM | 0,006,8856 | ---- | M] (Google Inc.) - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[09.28.2007 03:17 AM | 0,044,3968 | ---- | M] (Google Inc.) - C:\Program Files\Picasa2\PicasaMediaDetector.exe
[06.18.2008 08:46 PM | 0,014,7456 | ---- | M] (Lime Wire, LLC) - C:\Program Files\LimeWire\LimeWire.exe
[07.30.2008 10:47 AM | 0,053,2264 | ---- | M] (Apple Inc.) - C:\Program Files\iPod\bin\iPodService.exe
[02.22.2008 05:25 AM | 0,032,9104 | ---- | M] (Sun Microsystems, Inc.) - C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
[08.22.2008 09:32 PM | 0,139,7248 | ---- | M] (OldTimer Tools) - C:\Documents and Settings\atlegu\Desktop\OTViewIt.exe

===== Win32 Services - Non-Microsoft Only =====

(Apple Mobile Device) Apple Mobile Device [Auto | Running]
[07.22.2008 08:42 PM | 0,011,6040 | ---- | M] (Apple Inc.) - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

(Bonjour Service) Bonjour-tjeneste [Auto | Running]
[07.24.2007 03:17 PM | 0,022,9376 | ---- | M] (Apple Inc.) - C:\Program Files\Bonjour\mDNSResponder.exe

(DLPWD) Dell Printer Status Watcher [Auto | Running]
[11.10.2005 12:00 AM | 0,009,0112 | ---- | M] (Dell Inc.) - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe

(DLSDB) Dell Printer Status Database [Auto | Running]
[08.25.2005 05:53 PM | 0,013,5168 | ---- | M] (Dell Inc.) - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe

(dmadmin) Logical Disk Manager Administrative Service [On_Demand | Stopped]
[04.14.2008 05:42 AM | 0,022,4768 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\system32\dmadmin.exe

(F-Secure Gatekeeper Handler Starter) FSGKHS [Auto | Running]
[08.27.2007 03:17 PM | 0,004,7816 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe

(F-Secure Network Request Broker) F-Secure Network Request Broker [On_Demand | Running]
[08.27.2007 03:22 PM | 0,016,2472 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FNRB32.exe

(FSAUA) F-Secure Automatic Update Agent [On_Demand | Running]
[08.27.2007 03:15 PM | 0,046,1424 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe

(FSDFWD) F-Secure Anti-Virus Firewall Daemon [On_Demand | Running]
[08.27.2007 03:19 PM | 0,046,1424 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\FWES\program\fsdfwd.exe

(FSMA) FSMA [Auto | Running]
[08.27.2007 03:21 PM | 0,011,3320 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\common\FSMA32.EXE

(gusvc) Google Updater Service [On_Demand | Stopped]
[07.16.2007 11:21 PM | 0,013,8168 | ---- | M] (Google) - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

(iPod Service) iPod-tjeneste [On_Demand | Running]
[07.30.2008 10:47 AM | 0,053,2264 | ---- | M] (Apple Inc.) - C:\Program Files\iPod\bin\iPodService.exe

===== Driver Services - Non-Microsoft Only =====

(aeaudio) aeaudio [On_Demand | Running]
[04.01.2002 01:15 PM | 0,000,4816 | ---- | M] (Andrea Electronics Corporation) - C:\WINDOWS\system32\drivers\aeaudio.sys

(ati2mtag) ati2mtag [On_Demand | Running]
[08.04.2004 12:29 AM | 0,070,1440 | ---- | M] (ATI Technologies Inc.) - C:\WINDOWS\system32\drivers\ati2mtag.sys

(cercsr6) cercsr6 [Boot | Stopped]
[03.22.2005 03:48 AM | 0,003,9904 | ---- | M] (Adaptec, Inc.) - C:\WINDOWS\System32\drivers\cercsr6.sys

(dmboot) dmboot [Disabled | Stopped]
[04.14.2008 12:14 AM | 0,079,9744 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\system32\drivers\dmboot.sys

(dmio) Logical Disk Manager Driver [Boot | Running]
[04.14.2008 12:14 AM | 0,015,3344 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\system32\drivers\dmio.sys

(dmload) dmload [Boot | Running]
[08.04.2004 02:00 PM | 0,000,5888 | ---- | M] (Microsoft Corp., Veritas Software.) - C:\WINDOWS\system32\drivers\dmload.sys

(E1000) Intel® PRO/1000 Network Connection Driver [On_Demand | Running]
[03.25.2007 08:20 PM | 0,017,1416 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\e1000325.sys

(F-Secure Filter) F-Secure File System Filter [Disabled | Stopped]
[08.27.2007 03:18 PM | 0,003,9792 | ---- | M] () - C:\Program Files\F-Secure\Anti-Virus\win2k\fsfilter.sys

(F-Secure Gatekeeper) F-Secure Gatekeeper [On_Demand | Running]
[08.27.2007 03:17 PM | 0,006,2064 | ---- | M] () - C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys

(F-Secure HIPS) F-Secure HIPS [System | Running]
[08.27.2007 03:20 PM | 0,007,0768 | ---- | M] (F-Secure Corporation) - C:\Program Files\F-Secure\HIPS\fshs.sys

(F-Secure Recognizer) F-Secure File System Recognizer [Disabled | Stopped]
[08.27.2007 03:18 PM | 0,002,5200 | ---- | M] () - C:\Program Files\F-Secure\Anti-Virus\win2k\fsrec.sys

(FSFW) F-Secure Firewall Driver [Boot | Running]
[08.27.2007 03:19 PM | 0,006,0272 | ---- | M] (F-Secure Corporation) - C:\WINDOWS\system32\drivers\fsdfw.sys

(GEARAspiWDM) GEARAspiWDM [On_Demand | Running]
[01.29.2008 12:01 PM | 0,001,6168 | ---- | M] (GEAR Software Inc.) - C:\WINDOWS\system32\drivers\GEARAspiWDM.sys

(NAL) Nal Service [On_Demand | Stopped]
[03.09.2007 05:04 PM | 0,003,1072 | ---- | M] (Intel Corporation ) - C:\WINDOWS\system32\drivers\iqvw32.sys

(OMCI) OMCI [System | Running]
[05.14.2001 06:15 PM | 0,001,0368 | ---- | M] (Dell Computer Corporation) - C:\WINDOWS\system32\drivers\omci.sys

(Ptilink) Direct Parallel Link Driver [On_Demand | Running]
[08.04.2004 02:00 PM | 0,001,7792 | ---- | M] (Parallel Technologies, Inc.) - C:\WINDOWS\system32\drivers\ptilink.sys

(PxHelp20) PxHelp20 [Boot | Running]
[09.27.2006 11:53 PM | 0,003,6560 | ---- | M] (Sonic Solutions) - C:\WINDOWS\system32\drivers\pxhelp20.sys

(Secdrv) Secdrv [Auto | Running]
[11.13.2007 12:25 PM | 0,002,0480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) - C:\WINDOWS\system32\drivers\secdrv.sys

(smwdm) smwdm [On_Demand | Running]
[02.28.2003 09:17 AM | 0,054,5024 | ---- | M] (Analog Devices, Inc.) - C:\WINDOWS\system32\drivers\smwdm.sys

(USBAAPL) Apple Mobile USB Driver [On_Demand | Stopped]
[07.10.2008 09:35 AM | 0,003,2000 | ---- | M] (Apple, Inc.) - C:\WINDOWS\system32\drivers\usbaapl.sys

===== Run Keys =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher" = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01.11.2008 11:16 PM | 0,003,9792 | ---- | M] (Adobe Systems Incorporated)
"AppleSyncNotifier" = C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [07.10.2008 09:47 AM | 0,011,6040 | ---- | M] (Apple Inc.)
"DLPSP" = "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [02.23.2006 12:00 AM | 0,019,2512 | ---- | M] (Dell Inc.)
"F-Secure Manager" = "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash [08.27.2007 03:21 PM | 0,018,2952 | ---- | M] (F-Secure Corporation)
"F-Secure TNB" = "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW [08.27.2007 03:20 PM | 0,089,5600 | ---- | M] (F-Secure Corporation)
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" [07.30.2008 10:47 AM | 0,028,9064 | ---- | M] (Apple Inc.)
"QuickTime Task" = "C:\Program Files\QuickTime\qttask.exe" -atboottime [05.27.2008 10:50 AM | 0,041,3696 | ---- | M] (Apple Inc.)
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02.22.2008 05:25 AM | 0,014,4784 | ---- | M] (Sun Microsystems, Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Value load does not exist or could not be read.
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"" =
"Installed" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"" =
"Installed" = 1
"NoChange" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"" =
"Installed" = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector" = C:\Program Files\Picasa2\PicasaMediaDetector.exe [09.28.2007 03:17 AM | 0,044,3968 | ---- | M] (Google Inc.)
"swg" = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [07.20.2007 01:17 PM | 0,006,8856 | ---- | M] (Google Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

===== Startup Folders =====

[All Users Startup Folder - C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

[atlegu Startup Folder - C:\Documents and Settings\atlegu\Start Menu\Programs\Startup]
[06.18.2008 08:46 PM | 0,014,7456 | ---- | M] (Lime Wire, LLC) - C:\Documents and Settings\atlegu\Start Menu\Programs\Startup\LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

===== BHO's =====

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
HKLM CLSID: (Adobe PDF Reader Link Helper) - [10.23.2006 12:08 AM | 0,006,2080 | ---- | M] (Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
HKLM CLSID: (SSVHelper Class) - [02.22.2008 05:25 AM | 0,050,9328 | ---- | M] (Sun Microsystems, Inc.) C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
HKLM CLSID: (Google Toolbar Notifier BHO) - [04.05.2008 09:40 PM | 0,073,4704 | ---- | M] (Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
HKLM CLSID: (Google Toolbar Helper) - [07.16.2007 11:21 PM | 0,240,3392 | R--- | M] (Google Inc.) c:\Program Files\Google\GoogleToolbar1.dll

===== Toolbars =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"
HKLM CLSID: (&Google) - [07.16.2007 11:21 PM | 0,240,3392 | R--- | M] (Google Inc.) c:\Program Files\Google\GoogleToolbar1.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
HKLM CLSID: (&Google) - [07.16.2007 11:21 PM | 0,240,3392 | R--- | M] (Google Inc.) c:\Program Files\Google\GoogleToolbar1.dll

===== Policies =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}" = 1
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}" = 1073741857
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}" = 32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername" = 0
"legalnoticecaption" =
"legalnoticetext" =
"shutdownwithoutlogon" = 1
"undockwithoutlogon" = 1
"MaxGPOScriptWait" = 60

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

===== Desktop Components =====

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName" = "My Current Home Page"
"Source" = "About:Home"
"SubscribedURL" = "About:Home"

===== Shared Task Scheduler =====

===== AppInit_Dlls =====

===== Lsa Authentication Packages =====

===== Lsa Security Packages =====

===== Authorized Applications List =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = C:\WINDOWS\system32\sessmgr.exe [04.14.2008 05:42 AM | 0,014,1312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE [05.21.2008 04:37 AM | 1,284,4576 | ---- | M] (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = C:\WINDOWS\network diagnostic\xpnetdiag.exe [04.14.2008 12:23 AM | 0,055,8080 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = C:\WINDOWS\system32\sessmgr.exe [04.14.2008 05:42 AM | 0,014,1312 | ---- | M] (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = C:\WINDOWS\network diagnostic\xpnetdiag.exe [04.14.2008 12:23 AM | 0,055,8080 | ---- | M] (Microsoft Corporation)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe [06.18.2008 08:46 PM | 0,014,7456 | ---- | M] (Lime Wire, LLC)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe [07.24.2007 03:17 PM | 0,022,9376 | ---- | M] (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe [07.30.2008 10:47 AM | 2,025,2968 | ---- | M] (Apple Inc.)

===== HKLM Winlogon Settings =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell]
"Explorer.exe" - [04.14.2008 05:42 AM | 0,103,3728 | ---- | M] (Microsoft Corporation) C:\WINDOWS\explorer.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit]
"C:\WINDOWS\system32\userinit.exe" - [04.14.2008 05:42 AM | 0,002,6112 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\userinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost]
"logonui.exe" - [04.14.2008 05:42 AM | 0,051,4560 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\logonui.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
"rundll32 shell32" - [04.14.2008 05:42 AM | 0,846,1312 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
"Control_RunDLL "sysdm.cpl"" - [04.14.2008 05:42 AM | 0,030,0544 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\sysdm.cpl

===== User's Winlogon Settings =====

===== Winlogon Notify Settings =====

===== Safeboot Options =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = cmd.exe

===== Disabled MsConfig Items =====
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ not found. -> ->

===== DNS Name Servers =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{9B92E789-1154-4697-AA32-47B3C09C5D85}]
Servers: | Description: 1394 Net Adapter

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{BA4C3937-DEBD-4705-A7AE-E4F207DF983F}]
Servers: | Description: Intel® PRO/1000 MT Network Connection



[Files/Folders - Created Within 30 days]
[08.20.2008 10:34 PM | 0,000,0057 | ---- | M] () - C:\xcrashdump.dat
[08.23.2008 12:40 PM | ---D | C] - C:\_OTMoveIt
[07.22.2008 04:45 PM | 0,079,0846 | ---- | M] () - C:\WINDOWS\System32\dllcache\apph_sp.sdb
[07.22.2008 04:45 PM | 0,000,9696 | ---- | M] () - C:\WINDOWS\System32\dllcache\drvmain.sdb
[07.22.2008 04:45 PM | 0,121,4526 | ---- | M] () - C:\WINDOWS\System32\dllcache\sysmain.sdb
[08.17.2008 03:01 PM | 0,001,7144 | ---- | M] (Malwarebytes Corporation) - C:\WINDOWS\System32\drivers\mbam.sys
[08.17.2008 03:01 PM | 0,003,8472 | ---- | M] (Malwarebytes Corporation) - C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[08.07.2008 04:09 PM | 0,003,9812 | -H-- | M] () - C:\WINDOWS\System32\mlfcache.dat
[10.23.1997 04:30 PM | 0,014,1008 | ---- | M] (Desaware) - C:\WINDOWS\System\ANIBTN16.OCX
[03.29.1994 07:38 PM | 0,001,2480 | ---- | M] () - C:\WINDOWS\System\BLASTER.VBX
[08.03.1995 11:44 AM | 0,002,3872 | ---- | M] (Dan Byström) - C:\WINDOWS\System\DBTTIP.VBX
[10.23.1997 04:30 PM | 0,030,4656 | ---- | M] (Bits Per Second Ltd) - C:\WINDOWS\System\GRAPH16.OCX
[10.23.1997 04:30 PM | 0,027,6880 | ---- | M] (Bits Per Second Ltd) - C:\WINDOWS\System\GSW16.EXE
[10.23.1997 04:30 PM | 0,004,5680 | ---- | M] (Bits Per Second Ltd) - C:\WINDOWS\System\GSWDLL16.DLL
[02.08.2000 03:17 PM | 0,009,3456 | ---- | M] (MicroHelp Inc.) - C:\WINDOWS\System\MHRUN400.DLL
[02.08.2000 03:17 PM | 0,013,0480 | ---- | M] (MicroHelp Inc.) - C:\WINDOWS\System\MHTR200.VBX
[01.11.1996 11:00 PM | 0,002,8113 | ---- | M] () - C:\WINDOWS\System\OLE2.REG
[02.08.2000 03:17 PM | 0,001,5840 | ---- | M] (Thuridion Software Engineering, Inc.) - C:\WINDOWS\System\PICCLIP.VBX
[10.23.1997 04:30 PM | 0,004,7936 | ---- | M] (Outrider Systems, Inc.) - C:\WINDOWS\System\SPIN16.OCX
[01.11.1996 11:00 PM | 0,015,7696 | ---- | M] () - C:\WINDOWS\System\STORAGE.DLL
[10.23.1997 04:30 PM | 0,011,5424 | ---- | M] (Sheridan Software Systems, Inc.) - C:\WINDOWS\System\TABCTL16.OCX
[10.23.1997 04:31 PM | 0,042,3424 | ---- | M] (APEX Software Corporation) - C:\WINDOWS\System\TG_VB4.VBX
[01.11.1996 11:00 PM | 0,001,4933 | ---- | M] () - C:\WINDOWS\System\VSHARE.386
[03.23.1998 11:00 PM | 0,004,7776 | ---- | M] (Xceed Software Inc. 1-514-442-2626 [email protected] www.xceedsoft.com) - C:\WINDOWS\System\XCDUNZIP.DLL
[03.23.1998 11:00 PM | 0,006,9596 | ---- | M] (Xceed Software Inc. (514)-442-2626 [email protected]) - C:\WINDOWS\System\XCEEDZIP.VBX
[08.23.2008 04:47 PM | 0,000,0284 | ---- | M] () - C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[08.12.2008 07:55 AM | ---D | C] - C:\Documents and Settings\All Users\Application Data\Lavasoft
[08.23.2008 07:39 PM | ---D | C] - C:\Documents and Settings\All Users\Application Data\Malwarebytes
[08.02.2008 04:19 PM | ---D | C] - C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[08.23.2008 07:35 PM | 0,000,0013 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3C.manifest
[08.23.2008 07:35 PM | 0,000,0011 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3O.manifest
[08.23.2008 07:35 PM | 0,000,0359 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3P.manifest
[08.23.2008 07:35 PM | 0,000,0007 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3R.manifest
[08.23.2008 07:35 PM | 0,000,0011 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3S.manifest
[08.23.2008 07:39 PM | ---D | C] - C:\Documents and Settings\atlegu\Application Data\Malwarebytes
[08.16.2008 09:46 PM | ---D | C] - C:\Documents and Settings\atlegu\Application Data\NCH Swift Sound
[08.17.2008 06:54 PM | 0,149,5112 | ---- | M] (Adobe Systems Incorporated) - C:\Documents and Settings\atlegu\My Documents\install_flash_player.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\My Documents\install_flash_player.exe:Zone.Identifier
[08.02.2008 04:18 PM | 0,000,0826 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Express Burn.lnk
[08.02.2008 09:41 PM | 0,000,1804 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[08.23.2008 07:39 PM | 0,000,0696 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[08.16.2008 09:45 PM | 0,000,0798 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\WavePad Sound Editor.lnk
[08.21.2008 11:34 PM | 0,077,6192 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\13.03.07_1015_1100_and_1215-1300.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\13.03.07_1015_1100_and_1215-1300.ppt:Zone.Identifier
[08.21.2008 11:38 PM | 0,075,4688 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\22.08.08_0815_1000.ppt
[08.23.2008 12:01 PM | 0,179,8707 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\86933079.jpeg
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\86933079.jpeg:Zone.Identifier
[08.12.2008 07:50 AM | 1,915,3264 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\aaw2008.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\aaw2008.exe:Zone.Identifier
[08.17.2008 10:45 PM | 0,007,1309 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Bilde%204-03.jpg
[08.17.2008 10:46 PM | 0,006,8729 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Bilde%204-08.jpg
[08.06.2008 10:05 PM | 0,065,2482 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\bpmanalyzer.zip
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\bpmanalyzer.zip:Zone.Identifier
[08.22.2008 06:34 AM | 0,143,5136 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\chapter3_7e.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\chapter3_7e.ppt:Zone.Identifier
[08.22.2008 06:35 AM | 0,169,2672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\chapter5_7e.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\chapter5_7e.ppt:Zone.Identifier
[08.01.2008 11:48 AM | ---D | C] - C:\Documents and Settings\atlegu\Desktop\Diverse rydding
[4 C:\Documents and Settings\atlegu\Desktop\*.tmp files]
[08.20.2008 10:40 PM | 0,059,3408 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Effects_of_Exchange_Rates_on_Export_Prices_of_Farmed_Salmon_MRE_FINAL_2_July_2008.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Effects_of_Exchange_Rates_on_Export_Prices_of_Farmed_Salmon_MRE_FINAL_2_July_2008.doc:Zone.Identifier
[08.22.2008 09:38 PM | 0,003,5328 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Food_market_research_UiS_UMB[1].doc
[08.06.2008 11:20 PM | 0,298,9568 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\foredrag11[1].ppt
[08.05.2008 11:31 PM | 0,274,3808 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\foredrag1[1].ppt
[08.11.2008 11:51 PM | 0,546,5600 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\foredragnyeste.ppt
[08.05.2008 08:43 AM | 0,229,9392 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\GLOBALIZATION FISH TRADE_629.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\GLOBALIZATION FISH TRADE_629.ppt:Zone.Identifier
[08.22.2008 09:15 PM | 0,000,1734 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\HijackThis.lnk
[08.22.2008 09:15 PM | 0,081,2344 | ---- | M] (Trend Micro Inc.) - C:\Documents and Settings\atlegu\Desktop\HJTSetup.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\HJTSetup.exe:Zone.Identifier
[08.21.2008 11:40 PM | 0,066,5600 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Introforelesning[1].ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Introforelesning[1].ppt:Zone.Identifier
[08.18.2008 04:33 PM | 0,005,0176 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Kioskvakter_18.8-18.10.xls
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Kioskvakter_18.8-18.10.xls:Zone.Identifier
[08.21.2008 11:41 PM | 0,099,7376 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Lecture2[1].ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Lecture2[1].ppt:Zone.Identifier
[08.17.2008 10:26 PM | 0,003,6352 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\LMIpaper317August[1].doc
[08.23.2008 07:39 PM | 0,208,5280 | ---- | M] (Malwarebytes Corporation ) - C:\Documents and Settings\atlegu\Desktop\mbam-setup.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\mbam-setup.exe:Zone.Identifier
[08.06.2008 10:06 PM | 0,000,0720 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\MixMeister BPM Analyzer.lnk
[08.20.2008 10:59 PM | ---D | C] - C:\Documents and Settings\atlegu\Desktop\MRE
[08.20.2008 10:40 PM | 0,010,3153 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\MRE(shrimp_July_2008).docx
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\MRE(shrimp_July_2008).docx:Zone.Identifier
[08.20.2008 10:39 PM | 0,029,9520 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\MRE-Shrimpr_July_2008.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\MRE-Shrimpr_July_2008.doc:Zone.Identifier
[08.23.2008 12:39 PM | 0,029,1840 | ---- | M] (OldTimer Tools) - C:\Documents and Settings\atlegu\Desktop\OTMoveIt2.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\OTMoveIt2.exe:Zone.Identifier
[08.22.2008 09:32 PM | 0,139,7248 | ---- | M] (OldTimer Tools) - C:\Documents and Settings\atlegu\Desktop\OTViewIt.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\OTViewIt.exe:Zone.Identifier
[08.06.2008 11:05 PM | 0,002,7136 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Priser fem år.doc
[08.21.2008 11:15 PM | 0,002,8672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\SNF_Timelisteapril.xls
[08.21.2008 11:12 PM | 0,002,8672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\SNF_Timelistefebruar.xls
[08.21.2008 11:13 PM | 0,002,8672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\SNF_Timelistemars.xls
[08.20.2008 10:40 PM | 0,019,4560 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\The_Price_Responsiveness_of_Salmon_SupplyReview4_revison.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\The_Price_Responsiveness_of_Salmon_SupplyReview4_revison.doc:Zone.Identifier
[08.11.2008 11:39 PM | 0,004,3520 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\timeplan høsten 2008 endelig world 97.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\timeplan høsten 2008 endelig world 97.doc:Zone.Identifier
[08.16.2008 09:44 PM | 0,038,2104 | ---- | M] (NCH Software) - C:\Documents and Settings\atlegu\Desktop\wpsetup.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\wpsetup.exe:Zone.Identifier
[08.17.2008 10:27 PM | 0,000,0162 | -H-- | M] () - C:\Documents and Settings\atlegu\Desktop\~$me_Schedule2008b[1].doc
[08.16.2008 09:40 PM | ---D | C] - C:\Program Files\Apple Software Update
[08.04.2008 06:47 PM | ---D | C] - C:\Program Files\FISHSTAT
[08.02.2008 09:41 PM | ---D | C] - C:\Program Files\iPod
[08.23.2008 07:39 PM | ---D | C] - C:\Program Files\Malwarebytes' Anti-Malware
[08.07.2008 08:42 AM | ---D | C] - C:\Program Files\MixMeister BPM Analyzer
[08.02.2008 10:14 PM | ---D | C] - C:\Program Files\NCH Software
[08.16.2008 09:45 PM | ---D | C] - C:\Program Files\NCH Swift Sound
[08.22.2008 09:15 PM | ---D | C] - C:\Program Files\Trend Micro

[Files/Folders - Modified Within 30 days]
[08.23.2008 07:46 PM | 5,358,75584 | -HS- | M] () - C:\hiberfil.sys
[08.23.2008 07:39 PM | R--D | M] - C:\Program Files
[08.23.2008 07:46 PM | ---D | M] - C:\WINDOWS
[08.20.2008 10:34 PM | 0,000,0057 | ---- | M] () - C:\xcrashdump.dat
[08.23.2008 12:40 PM | ---D | M] - C:\_OTMoveIt
[08.17.2008 03:01 PM | 0,001,7144 | ---- | M] (Malwarebytes Corporation) - C:\WINDOWS\System32\drivers\mbam.sys
[08.17.2008 03:01 PM | 0,003,8472 | ---- | M] (Malwarebytes Corporation) - C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[08.23.2008 07:46 PM | ---D | M] - C:\WINDOWS\System32\CatRoot2
[1 C:\WINDOWS\System32\*.tmp files]
[08.21.2008 08:09 AM | RHSD | M] - C:\WINDOWS\System32\dllcache
[08.23.2008 07:46 PM | ---D | M] - C:\WINDOWS\System32\drivers
[08.07.2008 04:09 PM | 0,003,9812 | -H-- | M] () - C:\WINDOWS\System32\mlfcache.dat
[08.23.2008 07:52 PM | 0,000,2206 | ---- | M] () - C:\WINDOWS\System32\wpa.dbl
[08.21.2008 08:09 AM | -H-D | M] - C:\WINDOWS\$hf_mig$
[4 C:\WINDOWS\*.tmp files]
[08.21.2008 10:33 PM | ---D | M] - C:\WINDOWS\AppPatch
[08.23.2008 07:46 PM | 0,000,2048 | --S- | M] () - C:\WINDOWS\bootstat.dat
[08.20.2008 07:03 AM | -HSD | M] - C:\WINDOWS\CSC
[08.21.2008 08:09 AM | ---D | M] - C:\WINDOWS\Help
[08.21.2008 08:09 AM | 0,000,1374 | ---- | M] () - C:\WINDOWS\imsins.BAK
[08.21.2008 08:10 AM | -H-D | M] - C:\WINDOWS\inf
[08.20.2008 09:20 AM | -HSD | M] - C:\WINDOWS\Installer
[08.23.2008 07:39 PM | ---D | M] - C:\WINDOWS\Prefetch
[08.04.2008 06:47 PM | ---D | M] - C:\WINDOWS\system
[08.23.2008 07:46 PM | ---D | M] - C:\WINDOWS\system32
[08.23.2008 12:43 PM | --SD | M] - C:\WINDOWS\Tasks
[08.23.2008 07:52 PM | ---D | M] - C:\WINDOWS\Temp
[08.23.2008 04:47 PM | 0,000,0284 | ---- | M] () - C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[08.23.2008 07:46 PM | 0,000,0006 | -H-- | M] () - C:\WINDOWS\tasks\SA.DAT
[08.12.2008 07:55 AM | ---D | M] - C:\Documents and Settings\All Users\Application Data\Lavasoft
[08.23.2008 07:39 PM | ---D | M] - C:\Documents and Settings\All Users\Application Data\Malwarebytes
[08.15.2008 08:39 AM | ---D | M] - C:\Documents and Settings\All Users\Application Data\Microsoft Help
[08.02.2008 04:19 PM | ---D | M] - C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[08.23.2008 07:35 PM | 0,000,0013 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3C.manifest
[08.23.2008 07:35 PM | 0,000,0011 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3O.manifest
[08.23.2008 07:35 PM | 0,000,0359 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3P.manifest
[08.23.2008 07:35 PM | 0,000,0007 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3R.manifest
[08.23.2008 07:35 PM | 0,000,0011 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3S.manifest
[08.23.2008 07:52 PM | ---D | M] - C:\Documents and Settings\atlegu\Application Data\LimeWire
[08.23.2008 07:39 PM | ---D | M] - C:\Documents and Settings\atlegu\Application Data\Malwarebytes
[08.16.2008 09:46 PM | ---D | M] - C:\Documents and Settings\atlegu\Application Data\NCH Swift Sound
[08.03.2008 08:33 PM | 0,000,3584 | ---- | M] () - C:\Documents and Settings\atlegu\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[08.21.2008 11:19 PM | ---D | M] - C:\Documents and Settings\atlegu\Local Settings\Application Data\Microsoft
[08.17.2008 06:54 PM | 0,149,5112 | ---- | M] (Adobe Systems Incorporated) - C:\Documents and Settings\atlegu\My Documents\install_flash_player.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\My Documents\install_flash_player.exe:Zone.Identifier
[08.21.2008 11:19 PM | R--D | M] - C:\Documents and Settings\atlegu\My Documents\My Pictures
[08.02.2008 04:18 PM | 0,000,0826 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Express Burn.lnk
[08.02.2008 09:41 PM | 0,000,1804 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[08.23.2008 07:39 PM | 0,000,0696 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[08.20.2008 01:31 PM | 0,000,2497 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Microsoft Office Word 2003.lnk
[08.16.2008 09:45 PM | 0,000,0798 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\WavePad Sound Editor.lnk
[08.21.2008 11:34 PM | 0,077,6192 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\13.03.07_1015_1100_and_1215-1300.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\13.03.07_1015_1100_and_1215-1300.ppt:Zone.Identifier
[08.21.2008 11:38 PM | 0,075,4688 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\22.08.08_0815_1000.ppt
[08.23.2008 12:01 PM | 0,179,8707 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\86933079.jpeg
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\86933079.jpeg:Zone.Identifier
[08.12.2008 07:50 AM | 1,915,3264 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\aaw2008.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\aaw2008.exe:Zone.Identifier
[08.17.2008 10:45 PM | 0,007,1309 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Bilde%204-03.jpg
[08.17.2008 10:46 PM | 0,006,8729 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Bilde%204-08.jpg
[08.06.2008 10:05 PM | 0,065,2482 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\bpmanalyzer.zip
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\bpmanalyzer.zip:Zone.Identifier
[08.22.2008 06:34 AM | 0,143,5136 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\chapter3_7e.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\chapter3_7e.ppt:Zone.Identifier
[08.22.2008 06:35 AM | 0,169,2672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\chapter5_7e.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\chapter5_7e.ppt:Zone.Identifier
[08.01.2008 11:48 AM | ---D | M] - C:\Documents and Settings\atlegu\Desktop\Diverse rydding
[4 C:\Documents and Settings\atlegu\Desktop\*.tmp files]
[08.20.2008 10:40 PM | 0,059,3408 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Effects_of_Exchange_Rates_on_Export_Prices_of_Farmed_Salmon_MRE_FINAL_2_July_2008.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Effects_of_Exchange_Rates_on_Export_Prices_of_Farmed_Salmon_MRE_FINAL_2_July_2008.doc:Zone.Identifier
[08.22.2008 09:38 PM | 0,003,5328 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Food_market_research_UiS_UMB[1].doc
[08.06.2008 11:20 PM | 0,298,9568 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\foredrag11[1].ppt
[08.05.2008 11:31 PM | 0,274,3808 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\foredrag1[1].ppt
[08.11.2008 11:51 PM | 0,546,5600 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\foredragnyeste.ppt
[08.05.2008 08:43 AM | 0,229,9392 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\GLOBALIZATION FISH TRADE_629.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\GLOBALIZATION FISH TRADE_629.ppt:Zone.Identifier
[08.22.2008 09:15 PM | 0,000,1734 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\HijackThis.lnk
[08.22.2008 09:15 PM | 0,081,2344 | ---- | M] (Trend Micro Inc.) - C:\Documents and Settings\atlegu\Desktop\HJTSetup.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\HJTSetup.exe:Zone.Identifier
[08.21.2008 11:40 PM | 0,066,5600 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Introforelesning[1].ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Introforelesning[1].ppt:Zone.Identifier
[08.18.2008 04:33 PM | 0,005,0176 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Kioskvakter_18.8-18.10.xls
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Kioskvakter_18.8-18.10.xls:Zone.Identifier
[08.13.2008 10:47 PM | ---D | M] - C:\Documents and Settings\atlegu\Desktop\Kristin
[08.21.2008 11:41 PM | 0,099,7376 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Lecture2[1].ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Lecture2[1].ppt:Zone.Identifier
[08.17.2008 10:26 PM | 0,003,6352 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\LMIpaper317August[1].doc
[08.23.2008 07:39 PM | 0,208,5280 | ---- | M] (Malwarebytes Corporation ) - C:\Documents and Settings\atlegu\Desktop\mbam-setup.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\mbam-setup.exe:Zone.Identifier
[08.06.2008 10:06 PM | 0,000,0720 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\MixMeister BPM Analyzer.lnk
[08.20.2008 10:59 PM | ---D | M] - C:\Documents and Settings\atlegu\Desktop\MRE
[08.20.2008 10:40 PM | 0,010,3153 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\MRE(shrimp_July_2008).docx
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\MRE(shrimp_July_2008).docx:Zone.Identifier
[08.20.2008 10:39 PM | 0,029,9520 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\MRE-Shrimpr_July_2008.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\MRE-Shrimpr_July_2008.doc:Zone.Identifier
[08.23.2008 12:39 PM | 0,029,1840 | ---- | M] (OldTimer Tools) - C:\Documents and Settings\atlegu\Desktop\OTMoveIt2.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\OTMoveIt2.exe:Zone.Identifier
[08.22.2008 09:32 PM | 0,139,7248 | ---- | M] (OldTimer Tools) - C:\Documents and Settings\atlegu\Desktop\OTViewIt.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\OTViewIt.exe:Zone.Identifier
[08.06.2008 11:05 PM | 0,002,7136 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\Priser fem år.doc
[08.21.2008 11:15 PM | 0,002,8672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\SNF_Timelisteapril.xls
[08.21.2008 11:12 PM | 0,002,8672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\SNF_Timelistefebruar.xls
[08.21.2008 11:13 PM | 0,002,8672 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\SNF_Timelistemars.xls
[08.20.2008 10:40 PM | 0,019,4560 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\The_Price_Responsiveness_of_Salmon_SupplyReview4_revison.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\The_Price_Responsiveness_of_Salmon_SupplyReview4_revison.doc:Zone.Identifier
[08.11.2008 11:39 PM | 0,004,3520 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\timeplan høsten 2008 endelig world 97.doc
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\timeplan høsten 2008 endelig world 97.doc:Zone.Identifier
[08.16.2008 09:44 PM | 0,038,2104 | ---- | M] (NCH Software) - C:\Documents and Settings\atlegu\Desktop\wpsetup.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\wpsetup.exe:Zone.Identifier
[08.17.2008 10:27 PM | 0,000,0162 | -H-- | M] () - C:\Documents and Settings\atlegu\Desktop\~$me_Schedule2008b[1].doc

< End of report >
:)
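The OTViewIt listing above is long, and the entries worth a second look (downloaded executables that still carry a Zone.Identifier stream, hidden+system files dropped inside the user profile, binaries with no version-info company) are scattered through it. The following parser is an added example, not code from the original post and not one of OldTimer's tools; the line format is inferred from the log, and the extension list, profile root and the three triage rules are this example's own assumptions. The sample input is a constructed excerpt of lines copied from the log.

```python
"""Parse an OTViewIt-style file listing and pull out what an analyst checks first.

Added example, not code from the original post and not one of OldTimer's tools.
Line formats, as inferred from the log above:
  [MM.DD.YYYY HH:MM AM | size | RHSD | M] (company) - path
  [MM.DD.YYYY HH:MM AM | RHSD | C] - directory
  @Alternate Data Stream - N bytes -> path:stream
"""
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Union

FILE_RE = re.compile(
    r"^\[(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2} [AP]M) \| "
    r"(?:(?P<size>[\d,]+) \| )?"                    # directories carry no size
    r"(?P<attrs>[RHSD-]{4}) \| (?P<kind>[MC])\] "
    r"(?:\((?P<company>[^)]*)\) )?- (?P<path>.+)$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<nbytes>\d+) bytes -> (?P<target>.+)$")

EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd", ".pif"}  # assumption
PROFILE_ROOT = "c:\\documents and settings\\"      # XP profile root, as in the log


@dataclass
class FileEntry:
    when: datetime
    size: Optional[int]          # None for directories
    attrs: str                   # R/H/S/D flags, '-' where unset
    kind: str                    # 'M' modified, 'C' created
    company: Optional[str]       # version-info company, None when blank
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def is_executable(self) -> bool:
        return not self.is_dir and ntpath.splitext(self.path)[1].lower() in EXEC_EXT


@dataclass
class AdsEntry:
    nbytes: int
    path: str                    # host file, written with %UserProfile%
    stream: str                  # e.g. Zone.Identifier


Entry = Union[FileEntry, AdsEntry]


def parse_line(line: str) -> Optional[Entry]:
    m = FILE_RE.match(line)
    if m:
        size, company = m.group("size"), (m.group("company") or "").strip()
        return FileEntry(
            when=datetime.strptime(m.group("ts"), "%m.%d.%Y %I:%M %p"),
            size=int(size.replace(",", "")) if size else None,   # "0,001,7144" -> 17144
            attrs=m.group("attrs"), kind=m.group("kind"),
            company=company or None, path=m.group("path"),
        )
    m = ADS_RE.match(line)
    if m:
        path, stream = m.group("target").rsplit(":", 1)
        return AdsEntry(int(m.group("nbytes")), path, stream)
    return None   # section headers, "[4 ...\*.tmp files]" summaries, blank lines


def parse_report(text: str) -> List[Entry]:
    return [e for e in (parse_line(l.rstrip()) for l in text.splitlines()) if e]


def _host_file(ads: AdsEntry, files: List[FileEntry]) -> Optional[FileEntry]:
    """ADS lines use %UserProfile%, file lines spell it out: match on the tail."""
    tail = ads.path.split("%UserProfile%", 1)[-1].lower()
    return next((f for f in files if f.path.lower().endswith(tail)), None)


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Three analyst views over the listing; each value is a list of full paths."""
    files = [e for e in entries if isinstance(e, FileEntry) and not e.is_dir]
    # 1. Executables still carrying Zone.Identifier (mark of the web): they were
    #    saved by a browser or mail client, i.e. came from outside the machine.
    motw = []
    for e in entries:
        if isinstance(e, AdsEntry) and e.stream == "Zone.Identifier":
            host = _host_file(e, files)
            if host is not None and host.is_executable:
                motw.append(host.path)
    # 2. Hidden+system files inside a user profile: legitimate software rarely
    #    needs both flags there, droppers often set them to stay out of sight.
    hidden_sys = [f.path for f in files
                  if "H" in f.attrs and "S" in f.attrs and f.path.lower().startswith(PROFILE_ROOT)]
    # 3. Executables with no version-info company: hash and look these up first.
    no_company = [f.path for f in files if f.is_executable and f.company is None]
    return {"motw_executables": motw, "hidden_system_in_profile": hidden_sys,
            "executables_without_company": no_company}


# Constructed sample: lines excerpted from the OTViewIt log above.
SAMPLE = r"""
[08.23.2008 07:35 PM | 0,000,0359 | -HS- | M] () - C:\Documents and Settings\atlegu\Application Data\020000004aefe9f3P.manifest
[08.23.2008 07:39 PM | ---D | C] - C:\Documents and Settings\atlegu\Application Data\Malwarebytes
[08.17.2008 06:54 PM | 0,149,5112 | ---- | M] (Adobe Systems Incorporated) - C:\Documents and Settings\atlegu\My Documents\install_flash_player.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\My Documents\install_flash_player.exe:Zone.Identifier
[08.12.2008 07:50 AM | 1,915,3264 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\aaw2008.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\aaw2008.exe:Zone.Identifier
[08.22.2008 06:34 AM | 0,143,5136 | ---- | M] () - C:\Documents and Settings\atlegu\Desktop\chapter3_7e.ppt
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\chapter3_7e.ppt:Zone.Identifier
[4 C:\Documents and Settings\atlegu\Desktop\*.tmp files]
[08.23.2008 07:39 PM | 0,208,5280 | ---- | M] (Malwarebytes Corporation ) - C:\Documents and Settings\atlegu\Desktop\mbam-setup.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\mbam-setup.exe:Zone.Identifier
[08.17.2008 03:01 PM | 0,001,7144 | ---- | M] (Malwarebytes Corporation) - C:\WINDOWS\System32\drivers\mbam.sys
[08.07.2008 04:09 PM | 0,003,9812 | -H-- | M] () - C:\WINDOWS\System32\mlfcache.dat
"""

if __name__ == "__main__":
    for view, paths in triage(parse_report(SAMPLE)).items():
        print(view)
        for p in paths:
            print("   ", p)
```

Note the size field: OTViewIt groups digits with a four-digit last group, so "0,001,7144" is 17,144 bytes (compare the 17,144-byte mbam.sys in the ComboFix log further down), and stripping the commas is the right conversion. The ADS view only tells you a file was downloaded, not that it is bad: in this log every Zone.Identifier hit is a tool the helper asked for or a lecture file, which is exactly why the three views are kept separate rather than merged into one "suspicious" list.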

#8
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there :)

The Vundo is proving to be very stubborn.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


#9
Atle

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
ComboFix 08-08-21.02 - atlegu 2008-08-23 21:12:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.212 [GMT 2:00]
Running from: C:\Documents and Settings\atlegu\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\atlegu\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\atlegu\Cookies\[email protected][2].txt
C:\xcrashdump.dat
J:\Autorun.inf

----- BITS: Possible infected sites -----

http://wsusans
.
((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-23 19:39 . 2008-08-23 19:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-23 19:39 . 2008-08-23 19:39 <DIR> d-------- C:\Documents and Settings\atlegu\Application Data\Malwarebytes
2008-08-23 19:39 . 2008-08-23 19:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-23 19:39 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-23 19:39 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-23 12:40 . 2008-08-23 12:40 <DIR> d-------- C:\_OTMoveIt
2008-08-22 21:15 . 2008-08-22 21:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-20 17:17 . 2008-07-22 16:45 1,214,526 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-08-20 17:17 . 2008-07-22 16:45 790,846 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-08-20 17:17 . 2008-07-22 16:45 9,696 -----c--- C:\WINDOWS\system32\dllcache\drvmain.sdb
2008-08-16 21:40 . 2008-08-16 21:40 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-15 01:39 . 2008-06-24 18:43 74,240 -----c--- C:\WINDOWS\system32\dllcache\mscms.dll
2008-08-15 01:38 . 2008-07-07 22:26 253,952 -----c--- C:\WINDOWS\system32\dllcache\es.dll
2008-08-15 01:37 . 2008-05-01 16:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-15 01:33 . 2008-04-11 21:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 07:51 . 2008-08-12 07:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-07 16:09 . 2008-08-07 16:09 39,812 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-08-06 22:06 . 2008-08-07 08:42 <DIR> d-------- C:\Program Files\MixMeister BPM Analyzer
2008-08-04 18:47 . 2008-08-04 18:47 <DIR> d-------- C:\Program Files\FISHSTAT
2008-08-02 22:14 . 2008-08-02 22:14 <DIR> d-------- C:\Program Files\NCH Software
2008-08-02 21:41 . 2008-08-02 21:41 <DIR> d-------- C:\Program Files\iPod
2008-08-02 16:19 . 2008-08-16 21:46 <DIR> d-------- C:\Documents and Settings\atlegu\Application Data\NCH Swift Sound
2008-08-02 16:18 . 2008-08-02 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-08-02 16:17 . 2008-08-16 21:45 <DIR> d-------- C:\Program Files\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 18:06 --------- d-----w C:\Program Files\LimeWire
2008-08-23 17:52 --------- d-----w C:\Documents and Settings\atlegu\Application Data\LimeWire
2008-08-15 06:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-02 19:41 --------- d-----w C:\Program Files\iTunes
2008-07-18 16:29 --------- d-----w C:\Program Files\Bonjour
2008-07-18 16:28 --------- d-----w C:\Program Files\QuickTime
2008-07-18 16:17 --------- d-----w C:\Program Files\Safari
2008-07-10 07:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-26 11:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-26 11:17 --------- d-----w C:\Program Files\Prelusion Games
2008-06-26 11:16 --------- d-----w C:\Documents and Settings\atlegu\Application Data\InstallShield
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-04-28 05:40 5,714 ----a-w C:\Program Files\uninstal.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-20 13:17 68856]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 03:17 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.EXE" [2007-08-27 15:21 182952]
"F-Secure TNB"="C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" [2007-08-27 15:20 895600]
"DLPSP"="C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2006-02-23 00:00 192512]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 05:42 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientAXDisabler"="C:\WINDOWS\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 20:43 2247]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 60 (0x3c)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\ans.umb.no\NETLOGON\giveadmin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\ans.umb.no\NETLOGON\giveadmin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\1]
"Script"=\\ans.umb.no\NETLOGON\fixdns.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3822011219-1966389011-3099315458-1676\Scripts\Logon\0\0]
"Script"=Map

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2007-08-27 15:19]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\F-Secure\HIPS\fshs.sys [2007-08-27 15:20]
R2 DLSDB;Dell Printer Status Database;C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2005-08-25 17:53]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys [2007-08-27 15:17]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2007-03-09 17:04]
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys [2008-07-10 09:35]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2007-08-27 15:18]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2007-08-27 15:18]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 21:14:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-23 21:16:03
ComboFix-quarantined-files.txt 2008-08-23 19:15:32

Pre-Run: 3,363,065,856 bytes free
Post-Run: 3,376,226,304 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

149 --- E O F --- 2008-08-21 06:10:09


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:19:45, on 23.08.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [DLPSP] "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1192031636265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1192031622781
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ans.umb.no
O17 - HKLM\Software\..\Telephony: DomainName = ans.umb.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ans.umb.no
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 8590 bytes
  • 0
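As an added illustration of how a helper triages a HijackThis log like the one posted above (example code, not from the thread and not part of HijackThis): it parses the O2/O3/O4/O23 lines into an entry name and the binary's path, then flags autostarts whose binary lives outside the usual install roots or whose command line carries no absolute path to check. The trusted-root list and the `example.exe` line are constructed assumptions, not entries from the posted log.

```python
import re
from dataclasses import dataclass

# Assumed roots under which a legitimately installed program is expected to live
# on a machine like the one in the thread (Windows XP layout).
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\progra~1")

# First Windows path ending in an executable-type extension; paths in HJT logs
# may be quoted or bare and may contain spaces, so stop at the first extension.
_EXE_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|bat|cpl|scr))", re.IGNORECASE)


@dataclass
class Entry:
    section: str  # HJT section tag, e.g. "O4" (autostart) or "O23" (service)
    name: str     # run-key value name, BHO/toolbar name, or service name
    path: str     # absolute path of the binary, or "" if none was found


def parse_line(line: str):
    """Return an Entry for O2/O3/O4/O23 lines, or None for any other section."""
    m = re.match(r"(O\d+) - (.*)", line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section == "O4":                      # "HKLM\..\Run: [name] path args"
        nm = re.search(r"\[([^\]]+)\]", rest)
        name = nm.group(1) if nm else rest
    elif section in ("O2", "O3", "O23"):     # "BHO: name - {CLSID} - path"
        name = rest.split(" - ")[0].split(": ", 1)[1]
    else:
        return None
    pm = _EXE_RE.search(rest)
    return Entry(section, name, pm.group(1) if pm else "")


def review(lines):
    """Triage pass: list (entry, reason) pairs a human should look at more closely."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        p = e.path.lower()
        if not p:
            findings.append((e, "no absolute path to review"))
        elif not p.startswith(TRUSTED_ROOTS):
            findings.append((e, "binary outside trusted roots"))
    return findings


# Constructed sample: three lines as they appear in the posted log plus one
# invented entry under a user's Temp folder, the kind a helper would ask about.
SAMPLE_LOG = [
    r"""O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash""",
    r"""O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe""",
    r"""O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe""",
    r"""O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Local Settings\Temp\example.exe""",
    r"""O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')""",
]
```

Flagged entries are leads for a human reviewer, not verdicts; the TSClientAXDisabler line is a normal Windows entry that simply cannot be path-checked from the log alone.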

#10
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there :)

Question, is this a work computer? Should there be an IT department working on this?

Your logs look good, how is your PC running?
  • 0

#11
Atle

Atle

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi

No, it's my home computer. It used to be my work computer, and was set up by the IT guy at my job. But when I got a new one I got this one for home. Now it is the "family" computer and I realize that I should protect it much better. I am not very good at this, so do you have any good rules I should follow? I have removed Limewire.

However I believe that one of the problems came from an ad at http://no.msn.com/?o...ry=IE_Favorites the Norwegian Microsoft page.

I haven't got any stupid pop ups yet so it seems like it works good.

Thanks a lot for all the help, the computer was about to make me crazy.

One more question: do you know how to get rid of "phantom drives"? The computer believes that I have F, G, H and I drives, but they do not exist. I remove them, but when I restart the computer, they come back.

Best Regards
Atle

Edited by Atle, 23 August 2008 - 02:41 PM.

  • 0

#12
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
I'm not sure about the drive issue, you can try posting in the tech forums here and see if they can help.

Click START then RUN
Now type Combofix /u in the runbox and click OK
Posted Image
Notice the space between the x and / -- That needs to be there.

And,

please download OTCleanIt.
  • Save it to your desktop.
  • Double Click on OTCleanIt.exe, a window will appear.
  • Please press the CleanUp! Button.
This will remove the tools we used during the process of cleaning your computer.



Now that you are clean, you'll want to stay that way.

Some important things that you should keep in mind in order to protect yourself:
  • Use common sense. This is the big one! Don't download programs from suspicious sites and be careful where you browse.
    Things you can do to avoid downloading bad programs:
    • Google the program. Read reviews and opinions from other people on the internet; if you don't see any reports of foul play, then there more than likely is none.
    • Stay away from Cracks! However alluring the thought of free software may be, it's not worth the hassle and potential danger of getting infected.
    • Download the program directly from the website of the developer - then you can be certain you haven't downloaded a bogus copy.
    • Read the EULA (End User License Agreement) - Find out exactly what you are downloading. A good tool to aid you in this would be EULAyzer.
  • Keep your programs updated! Software developers update their programs to patch possible security risks. Do a scan once in a while for outdated programs using Secunia's Software Inspector
  • Keep your protection programs up to date! No matter how good your Antivirus or Antispyware program is, without an updated set of definitions it will do you no good against the new infections. If you run a free program make sure to update them at least once a week.
  • Make sure that Windows Update is enabled. Keeping your system up to date is a must - to turn on automatic updates take a look at this article by Microsoft.
I have listed two programs to boost your security while using no resources.
  • SpywareBlaster Take a look at the tutorial here.
  • ZonedOut Adds thousands of websites to your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Also consider using an alternative web browser. Two big named ones, both far superior to Internet Explorer in terms of security and performance, would be Firefox and Opera.

Make a habit of scanning your computer for viruses every week or so and backing up important files regularly.

Please also read Expert Tony Klein's excellent article: How I got Infected in the First Place

Please post back and tell me if everything is OK, so that I may mark this thread as Resolved.
  • 0

#13
Atle

Atle

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
No, everything seems OK, thanks a lot :)
  • 0

#14
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Glad to hear it :)

Take care and have a great day still!

Mike
  • 0

#15
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
