Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Request with help removing Win32.trojan downloader.delf [RESOLVED]


  • This topic is locked This topic is locked

#1
btrentler

btrentler

    Member

  • Member
  • PipPip
  • 14 posts
Last week I noticed the win32.trojan downloader.delf virus. I quarantined the virus & went on to use my pc. A couple of days later, I re-ran AdAware and the virus was still present. After researching, I realized that the virus will return each time I reboot. Please provide guidance for virus removal. I have a Dell XPS 400 pc with Windows XP OS. I appreciate any help you can provide. Thanks!!
  • 0

Advertisements


#2
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

Sorry for the delay we are very busy.

Please download OTViewIt by OldTimer.
Double click on OTViewIt.exe and select Scan in the upper right corner.
In a few minutes a notepad file will appear, please post the contents of that here in your next post.

Edited by Mike, 22 August 2008 - 10:29 AM.

  • 0

#3
btrentler

btrentler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Thanks. I appreciate your help.

OTViewIt logfile created on: 8/15/2009 1:50:33 PM
OTViewIt by OldTimer - Version 1.0.0.5 Folder = C:\Documents and Settings\Brian\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.37 Gb Available Physical Memory | 68.45% Memory free
3.85 Gb Paging File | 3.30 Gb Available in Paging File | 85.79% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 228.13 Gb Total Space | 177.65 Gb Free Space | 77.87% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OFFICE
Current User Name: Brian
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

===== Processes - Non-Microsoft Only =====

[09/19/2007 07:50 PM | 0,124,7600 | ---- | M] () - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
[07/07/2008 08:15 AM | 0,061,1664 | ---- | M] (Lavasoft) - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
[10/31/2007 03:09 PM | 0,011,0592 | ---- | M] (Apple, Inc.) - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[12/13/1999 02:01 AM | 0,004,4032 | ---- | M] (Creative Technology Ltd) - C:\WINDOWS\system32\CTSVCCDA.EXE
[06/17/2005 08:55 AM | 0,008,6140 | ---- | M] (Intel Corporation) - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
[12/14/2005 09:51 PM | 0,014,3427 | ---- | M] (NVIDIA Corporation) - C:\WINDOWS\system32\nvsvc32.exe
[02/25/2008 10:52 PM | 0,069,8888 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
[12/24/2007 06:41 PM | 0,033,3064 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
[02/16/2008 12:58 AM | 0,048,8768 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
[02/16/2008 12:58 AM | 0,064,8456 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
[03/30/2008 10:36 AM | 0,050,4104 | ---- | M] (Apple Inc.) - C:\Program Files\iPod\bin\iPodService.exe
[11/08/2005 08:30 PM | 0,001,6384 | ---- | M] (Creative Technology Ltd) - C:\WINDOWS\CTHELPER.EXE
[02/22/2008 04:25 AM | 0,014,4784 | ---- | M] (Sun Microsystems, Inc.) - C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
[06/17/2005 08:56 AM | 0,013,9264 | ---- | M] (Intel Corporation) - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
[06/18/2003 02:00 AM | 0,004,5056 | ---- | M] (Creative Technology Ltd) - C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe
[10/14/2005 12:01 PM | 0,012,2880 | ---- | M] (Creative Technology Ltd) - C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
[11/04/2005 07:07 PM | 0,004,9152 | ---- | M] (Creative Technology Ltd.) - C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
[04/13/2006 08:02 AM | 0,002,6112 | ---- | M] (RealNetworks, Inc.) - C:\Program Files\Real\RealPlayer\realplay.exe
[09/08/2005 06:20 AM | 0,012,2940 | ---- | M] (Sonic Solutions) - C:\WINDOWS\system32\DLA\DLACTRLW.EXE
[01/12/2005 02:54 PM | 0,024,1664 | ---- | M] (Hewlett-Packard Company) - C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
[02/16/2005 11:11 PM | 0,004,9152 | ---- | M] (Hewlett-Packard Co.) - C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
[03/23/2005 12:20 AM | 0,033,9968 | ---- | M] (SigmaTel, Inc.) - C:\WINDOWS\stsystra.exe
[02/16/2008 12:56 AM | 0,139,8024 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
[03/02/2006 11:53 AM | 0,071,7312 | ---- | M] (Creative Technology Ltd) - C:\WINDOWS\system32\CTXFISPI.EXE
[03/30/2008 10:36 AM | 0,026,7048 | ---- | M] (Apple Inc.) - C:\Program Files\iTunes\iTunesHelper.exe
[10/19/2007 11:22 AM | 0,140,0832 | ---- | M] (Verizon Data Services Inc.) - C:\Program Files\Verizon\Media Manager\MediaManager.exe
[03/15/2007 11:09 AM | 0,046,0784 | ---- | M] (Gteko Ltd.) - C:\Program Files\DellSupport\DSAgnt.exe
[09/11/2006 04:40 AM | 0,021,8032 | ---- | M] (Macrovision Corporation) - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[02/15/2008 07:53 PM | 0,042,3248 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
[09/18/2007 03:31 AM | 0,048,8712 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
[02/15/2008 07:02 PM | 0,015,7008 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
[10/29/2003 03:06 AM | 0,002,4576 | R--- | M] (BVRP Software) - C:\Program Files\Digital Line Detect\DLG.exe
[05/28/2004 10:31 PM | 0,024,1664 | ---- | M] (Hewlett-Packard Co.) - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[05/31/2001 08:52 AM | 0,029,9008 | ---- | M] (Palm, Inc.) - C:\Program Files\Sony Handheld\HOTSYNC.EXE
[05/28/2004 11:08 PM | 0,052,0192 | ---- | M] (Hewlett-Packard Co.) - C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
[02/15/2008 07:02 PM | 0,054,2032 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
[03/18/2004 04:55 PM | 0,006,5536 | ---- | M] (HP) - C:\WINDOWS\system32\HPZipm12.exe
[02/22/2008 04:25 AM | 0,032,9104 | ---- | M] (Sun Microsystems, Inc.) - C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
[08/15/2009 01:50 PM | 0,139,7248 | ---- | M] (OldTimer Tools) - C:\Documents and Settings\Brian\Desktop\OTViewIt.exe

===== Win32 Services - Non-Microsoft Only =====

(aawservice) Lavasoft Ad-Aware Service [Auto | Running]
[07/07/2008 08:15 AM | 0,061,1664 | ---- | M] (Lavasoft) - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

(Apple Mobile Device) Apple Mobile Device [Auto | Running]
[10/31/2007 03:09 PM | 0,011,0592 | ---- | M] (Apple, Inc.) - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

(Creative Service for CDROM Access) Creative Service for CDROM Access [Auto | Running]
[12/13/1999 02:01 AM | 0,004,4032 | ---- | M] (Creative Technology Ltd) - C:\WINDOWS\system32\CTSVCCDA.EXE

(dmadmin) Logical Disk Manager Administrative Service [On_Demand | Stopped]
[04/13/2008 08:12 PM | 0,022,4768 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\system32\dmadmin.exe

(DSBrokerService) DSBrokerService [On_Demand | Stopped]
[03/07/2007 03:47 PM | 0,007,6848 | ---- | M] () - C:\Program Files\DellSupport\brkrsvc.exe

(ELService) Intel® Quick Resume Technology Drivers [Auto | Stopped]
[12/12/2005 05:52 PM | 0,018,0224 | ---- | M] (Intel Corporation) - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

(IAANTMon) Intel® Matrix Storage Event Monitor [Auto | Running]
[06/17/2005 08:55 AM | 0,008,6140 | ---- | M] (Intel Corporation) - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

(IDriverT) InstallDriver Table Manager [On_Demand | Stopped]
[10/22/2004 03:24 AM | 0,007,3728 | ---- | M] (Macrovision Corporation) - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

(iPod Service) iPod Service [On_Demand | Running]
[03/30/2008 10:36 AM | 0,050,4104 | ---- | M] (Apple Inc.) - C:\Program Files\iPod\bin\iPodService.exe

(NetSvc) Intel NCS NetService [On_Demand | Stopped]
[11/19/2004 12:26 PM | 0,014,7456 | ---- | M] (Intel® Corporation) - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

(NVSvc) NVIDIA Display Driver Service [Auto | Running]
[12/14/2005 09:51 PM | 0,014,3427 | ---- | M] (NVIDIA Corporation) - C:\WINDOWS\system32\nvsvc32.exe

(Pml Driver HPZ12) Pml Driver HPZ12 [On_Demand | Running]
[03/18/2004 04:55 PM | 0,006,5536 | ---- | M] (HP) - C:\WINDOWS\system32\HPZipm12.exe

(SfCtlCom) Trend Micro Central Control Component [Auto | Running]
[02/25/2008 10:52 PM | 0,069,8888 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

(Symantec Core LC) Symantec Core LC [Auto | Running]
[09/19/2007 07:50 PM | 0,124,7600 | ---- | M] () - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

(TMBMServer) Trend Micro Unauthorized Change Prevention Service [Auto | Running]
[12/24/2007 06:41 PM | 0,033,3064 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

(TmPfw) Trend Micro Personal Firewall [On_Demand | Running]
[02/16/2008 12:58 AM | 0,048,8768 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe

(tmproxy) Trend Micro Proxy Service [On_Demand | Running]
[02/16/2008 12:58 AM | 0,064,8456 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

===== Driver Services - Non-Microsoft Only =====

(Ad-Watch Connect Filter) Ad-Watch Connect Kernel Filter [On_Demand | Stopped]
[04/29/2008 11:20 AM | 0,001,5648 | ---- | M] (Lavasoft AB) - C:\WINDOWS\system32\drivers\NSDriver.sys

(AegisP) AEGIS Protocol (IEEE 802.1x) v3.2.0.3 [Auto | Running]
[01/15/2007 08:18 PM | 0,001,7801 | ---- | M] (Meetinghouse Data Communications) - C:\WINDOWS\system32\drivers\AegisP.sys

(AliIde) AliIde [Disabled | Stopped]
[08/17/2001 02:51 PM | 0,000,5248 | ---- | M] (Acer Laboratories Inc.) - C:\WINDOWS\system32\drivers\aliide.sys

(amdagp) AMD AGP Bus Filter Driver [Disabled | Stopped]
[04/13/2008 02:36 PM | 0,004,3008 | ---- | M] (Advanced Micro Devices, Inc.) - C:\WINDOWS\system32\drivers\amdagp.sys

(ASAPIW2K) ASAPIW2K [On_Demand | Running]
[02/23/2005 06:40 PM | 0,001,1264 | ---- | M] (VOB Computersysteme GmbH) - C:\WINDOWS\system32\drivers\asapiW2k.sys

(asc) asc [Disabled | Stopped]
[08/17/2001 02:52 PM | 0,002,6496 | ---- | M] (Advanced System Products, Inc.) - C:\WINDOWS\system32\drivers\asc.sys

(asc3550) asc3550 [Disabled | Stopped]
[08/17/2001 02:51 PM | 0,001,4848 | ---- | M] (Advanced System Products, Inc.) - C:\WINDOWS\system32\drivers\asc3550.sys

(ASCTRM) ASCTRM [Auto | Running]
[04/13/2006 08:02 AM | 0,000,8552 | ---- | M] (Windows ® 2000 DDK provider) - C:\WINDOWS\System32\drivers\asctrm.sys

(ATIAVPCI) ATI Unified AVStream service [On_Demand | Running]
[03/05/2005 01:06 AM | 0,013,5296 | ---- | M] (ATI Technologies Inc.) - C:\WINDOWS\system32\drivers\atinavxx.sys

(BCM42RLY) BCM42RLY [On_Demand | Stopped]
[02/01/2005 07:18 PM | 0,001,7992 | ---- | M] (Broadcom Corporation) - C:\WINDOWS\system32\bcm42rly.sys

(CmdIde) CmdIde [Disabled | Stopped]
[08/17/2001 02:51 PM | 0,000,6656 | ---- | M] (CMD Technology, Inc.) - C:\WINDOWS\system32\drivers\cmdide.sys

(ctac32k) Creative AC3 Software Decoder [On_Demand | Running]
[11/08/2005 08:14 PM | 0,050,2272 | ---- | M] (Creative Technology Ltd) - C:\WINDOWS\system32\drivers\ctac32k.sys

(ctaud2k) Creative Audio Driver (WDM) [On_Demand | Running]
[11/08/2005 08:15 PM | 0,043,9680 | ---- | M] (Creative Technology Ltd) - C:\WINDOWS\system32\drivers\ctaud2k.sys

(ctdvda2k) Creative DVD-Audio Device Driver [On_Demand | Stopped]
[07/13/2005 05:18 PM | 0,034,0704 | ---- | M] (Creative Technology Ltd) - C:\WINDOWS\system32\drivers\ctdvda2k.sys

(ctprxy2k) Creative Proxy Driver [On_Demand | Running]
[11/08/2005 08:15 PM | 0,000,7168 | ---- | M] (Creative Technology Ltd) - C:\WINDOWS\system32\drivers\ctprxy2k.sys

(ctsfm2k) Creative SoundFont Management Device Driver [On_Demand | Running]
[11/08/2005 08:14 PM | 0,014,3360 | ---- | M] (Creative Technology Ltd) - C:\WINDOWS\system32\drivers\ctsfm2k.sys

(dac2w2k) dac2w2k [Disabled | Stopped]
[08/17/2001 02:52 PM | 0,017,9584 | ---- | M] (Mylex Corporation) - C:\WINDOWS\system32\drivers\dac2w2k.sys

(DLABOIOM) DLABOIOM [Auto | Running]
[09/08/2005 06:20 AM | 0,002,5628 | ---- | M] (Sonic Solutions) - C:\WINDOWS\system32\DLA\DLABOIOM.SYS

(DLACDBHM) DLACDBHM [System | Running]
[08/25/2005 01:16 PM | 0,000,5628 | ---- | M] (Sonic Solutions) - C:\WINDOWS\system32\drivers\DLACDBHM.SYS

(DLADResN) DLADResN [Auto | Running]
[09/08/2005 06:20 AM | 0,000,2496 | ---- | M] (Sonic Solutions) - C:\WINDOWS\system32\DLA\DLADResN.SYS

(DLAIFS_M) DLAIFS_M [Auto | Running]
[09/08/2005 06:20 AM | 0,008,6524 | ---- | M] (Sonic Solutions) - C:\WINDOWS\system32\DLA\DLAIFS_M.SYS

(DLAOPIOM) DLAOPIOM [Auto | Running]
[09/08/2005 06:20 AM | 0,001,4684 | ---- | M] (Sonic Solutions) - C:\WINDOWS\system32\DLA\DLAOPIOM.SYS

(DLAPoolM) DLAPoolM [Auto | Running]
[09/08/2005 06:20 AM | 0,000,6364 | ---- | M] (Sonic Solutions) - C:\WINDOWS\system32\DLA\DLAPoolM.SYS

(DLARTL_N) DLARTL_N [System | Running]
[08/25/2005 01:16 PM | 0,002,2684 | ---- | M] (Sonic Solutions) - C:\WINDOWS\system32\drivers\DLARTL_N.SYS

(DLAUDFAM) DLAUDFAM [Auto | Running]
[09/08/2005 06:20 AM | 0,009,4332 | ---- | M] (Sonic Solutions) - C:\WINDOWS\system32\DLA\DLAUDFAM.SYS

(DLAUDF_M) DLAUDF_M [Auto | Running]
[09/08/2005 06:20 AM | 0,008,7036 | ---- | M] (Sonic Solutions) - C:\WINDOWS\system32\DLA\DLAUDF_M.SYS

(dmboot) dmboot [Disabled | Stopped]
[04/13/2008 02:44 PM | 0,079,9744 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\system32\drivers\dmboot.sys

(dmio) Logical Disk Manager Driver [Boot | Running]
[04/13/2008 02:44 PM | 0,015,3344 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\system32\drivers\dmio.sys

(dmload) dmload [Boot | Running]
[08/10/2004 06:00 AM | 0,000,5888 | ---- | M] (Microsoft Corp., Veritas Software.) - C:\WINDOWS\system32\drivers\dmload.sys

(DRVMCDB) DRVMCDB [Boot | Running]
[09/12/2005 04:30 AM | 0,008,9264 | ---- | M] (Sonic Solutions) - C:\WINDOWS\system32\drivers\DRVMCDB.SYS

(DRVNDDM) DRVNDDM [Auto | Running]
[08/12/2005 06:20 AM | 0,004,0544 | ---- | M] (Sonic Solutions) - C:\WINDOWS\system32\drivers\DRVNDDM.SYS

(DSproct) DSproct [On_Demand | Running]
[10/05/2006 04:07 PM | 0,000,4736 | ---- | M] (Gteko Ltd.) - C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys

(dsunidrv) DellSupport UniDriver [Auto | Running]
[02/25/2007 12:10 PM | 0,000,5376 | --S- | M] (Gteko Ltd.) - C:\WINDOWS\system32\drivers\dsunidrv.sys

(E100B) Intel® PRO Adapter Driver [On_Demand | Stopped]
[08/17/2001 01:12 PM | 0,011,7760 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\e100b325.sys

(e1express) Intel® PRO/1000 PCI Express Network Connection Driver [On_Demand | Running]
[08/25/2005 08:05 PM | 0,017,6128 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\e1e5132.sys

(ELacpi) ELacpi [On_Demand | Stopped]
[12/12/2005 05:52 PM | 0,000,7808 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\ELacpi.sys

(ELhid) ELhid [System | Running]
[12/12/2005 05:52 PM | 0,001,0112 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\ELhid.sys

(ELkbd) ELkbd [System | Running]
[12/12/2005 05:52 PM | 0,000,6912 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\ELkbd.sys

(ELmon) ELmon [System | Running]
[12/12/2005 05:52 PM | 0,000,7040 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\ELmon.sys

(ELmou) ELmou [System | Running]
[12/12/2005 05:52 PM | 0,000,6400 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\ELmou.sys

(emupia) E-mu Plug-in Architecture Driver [On_Demand | Running]
[11/08/2005 08:14 PM | 0,007,7824 | ---- | M] (Creative Technology Ltd) - C:\WINDOWS\system32\drivers\emupia2k.sys

(GEARAspiWDM) GEARAspiWDM [On_Demand | Running]
[01/29/2008 12:01 PM | 0,001,6168 | ---- | M] (GEAR Software Inc.) - C:\WINDOWS\system32\drivers\GEARAspiWDM.sys

(ha20x2k) Creative 20X HAL Driver [On_Demand | Running]
[04/24/2006 01:12 PM | 0,109,6704 | ---- | M] (Creative Technology Ltd) - C:\WINDOWS\system32\drivers\ha20x2k.sys

(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [On_Demand | Running]
[04/13/2008 12:36 PM | 0,014,4384 | ---- | M] (Windows ® Server 2003 DDK provider) - C:\WINDOWS\system32\drivers\hdaudbus.sys

(HPZid412) IEEE-1284.4 Driver HPZid412 [On_Demand | Running]
[06/22/2004 08:05 AM | 0,005,1088 | ---- | M] (HP) - C:\WINDOWS\system32\drivers\hpzid412.sys

(HPZipr12) Print Class Driver for IEEE-1284.4 HPZipr12 [On_Demand | Running]
[06/22/2004 08:05 AM | 0,001,6496 | ---- | M] (HP) - C:\WINDOWS\system32\drivers\HPZipr12.sys

(HPZius12) USB to IEEE-1284.4 Translation Driver HPZius12 [On_Demand | Running]
[06/22/2004 08:05 AM | 0,002,1744 | ---- | M] (HP) - C:\WINDOWS\system32\drivers\HPZius12.sys

(HSFHWBS2) HSFHWBS2 [On_Demand | Running]
[11/17/2003 10:59 PM | 0,021,2224 | ---- | M] (Conexant Systems, Inc.) - C:\WINDOWS\system32\drivers\HSFHWBS2.sys

(HSF_DP) HSF_DP [On_Demand | Running]
[11/17/2003 10:56 PM | 0,104,2432 | ---- | M] (Conexant Systems, Inc.) - C:\WINDOWS\system32\drivers\HSF_DP.sys

(iastor) Intel AHCI Controller [Boot | Running]
[06/17/2005 01:33 PM | 0,087,2064 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\iaStor.sys

(MarvinBus) Pinnacle Marvin Bus [On_Demand | Running]
[06/02/2005 07:28 PM | 0,017,1008 | ---- | M] (Pinnacle Systems GmbH) - C:\WINDOWS\system32\drivers\MarvinBus.sys

(mdmxsdk) mdmxsdk [Auto | Running]
[04/09/2003 07:48 PM | 0,001,1043 | ---- | M] (Conexant) - C:\WINDOWS\system32\drivers\mdmxsdk.sys

(mraid35x) mraid35x [Disabled | Stopped]
[08/17/2001 02:52 PM | 0,001,7280 | ---- | M] (American Megatrends Inc.) - C:\WINDOWS\system32\drivers\mraid35x.sys

(neokdss) neokdss [On_Demand | Running]
File not found - C:\WINDOWS\System32\Drivers\neokdss.sys

(nv) nv [On_Demand | Running]
[12/14/2005 09:51 PM | 0,358,0480 | ---- | M] (NVIDIA Corporation) - C:\WINDOWS\system32\drivers\nv4_mini.sys

(ossrv) Creative OS Services Driver [On_Demand | Running]
[11/08/2005 08:14 PM | 0,011,4688 | ---- | M] (Creative Technology Ltd.) - C:\WINDOWS\system32\drivers\ctoss2k.sys

(PalmUSBD) PalmUSBD [On_Demand | Stopped]
[05/31/2001 08:44 AM | 0,001,2270 | ---- | M] (Palm, Inc.) - C:\WINDOWS\system32\drivers\PalmUSBD.sys

(PCLEPCI) PCLEPCI [System | Running]
[02/09/2005 12:59 PM | 0,001,4165 | ---- | M] (Pinnacle Systems GmbH) - C:\WINDOWS\system32\drivers\Pclepci.sys

(Ptilink) Direct Parallel Link Driver [On_Demand | Running]
[08/10/2004 06:00 AM | 0,001,7792 | ---- | M] (Parallel Technologies, Inc.) - C:\WINDOWS\system32\drivers\ptilink.sys

(PxHelp20) PxHelp20 [Boot | Running]
[10/18/2006 03:00 AM | 0,003,6624 | ---- | M] (Sonic Solutions) - C:\WINDOWS\system32\drivers\pxhelp20.sys

(ql1080) ql1080 [Disabled | Stopped]
[08/17/2001 02:52 PM | 0,004,0320 | ---- | M] (QLogic Corporation) - C:\WINDOWS\system32\drivers\ql1080.sys

(ql12160) ql12160 [Disabled | Stopped]
[08/17/2001 02:52 PM | 0,004,5312 | ---- | M] (QLogic Corporation) - C:\WINDOWS\system32\drivers\ql12160.sys

(ql1280) ql1280 [Disabled | Stopped]
[08/17/2001 02:52 PM | 0,004,9024 | ---- | M] (QLogic Corporation) - C:\WINDOWS\system32\drivers\ql1280.sys

(Secdrv) Secdrv [On_Demand | Stopped]
[11/13/2007 06:25 AM | 0,002,0480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) - C:\WINDOWS\system32\drivers\secdrv.sys

(sisagp) SIS AGP Bus Filter [Disabled | Stopped]
[04/13/2008 02:36 PM | 0,004,0960 | ---- | M] (Silicon Integrated Systems Corporation) - C:\WINDOWS\system32\drivers\sisagp.sys

(SONYPVU1) Sony USB Filter Driver (SONYPVU1) [On_Demand | Stopped]
[08/17/2001 02:56 PM | 0,000,7552 | ---- | M] (Sony Corporation) - C:\WINDOWS\system32\drivers\SONYPVU1.SYS

(Sparrow) Sparrow [Disabled | Stopped]
[08/17/2001 03:07 PM | 0,001,9072 | ---- | M] (Adaptec, Inc.) - C:\WINDOWS\system32\drivers\sparrow.sys

(srescan) srescan [Boot | Running]
[06/28/2006 08:24 PM | 0,002,8656 | ---- | M] (Zone Labs, LLC) - C:\WINDOWS\system32\ZoneLabs\srescan.sys

(STHDA) SigmaTel High Definition Audio CODEC [On_Demand | Running]
[11/16/2005 10:36 PM | 0,104,7816 | ---- | M] (SigmaTel, Inc.) - C:\WINDOWS\system32\drivers\sthda.sys

(symc810) symc810 [Disabled | Stopped]
[08/17/2001 03:07 PM | 0,001,6256 | ---- | M] (Symbios Logic Inc.) - C:\WINDOWS\system32\drivers\symc810.sys

(symc8xx) symc8xx [Disabled | Stopped]
[08/17/2001 03:07 PM | 0,003,2640 | ---- | M] (LSI Logic) - C:\WINDOWS\system32\drivers\symc8xx.sys

(symlcbrd) symlcbrd [Auto | Running]
[04/19/2006 11:59 PM | 0,001,0344 | ---- | M] (Symantec Corporation) - C:\WINDOWS\system32\drivers\symlcbrd.sys

(sym_hi) sym_hi [Disabled | Stopped]
[08/17/2001 03:07 PM | 0,002,8384 | ---- | M] (LSI Logic) - C:\WINDOWS\system32\drivers\sym_hi.sys

(sym_u3) sym_u3 [Disabled | Stopped]
[08/17/2001 03:07 PM | 0,003,0688 | ---- | M] (LSI Logic) - C:\WINDOWS\system32\drivers\sym_u3.sys

(tmactmon) tmactmon [Auto | Running]
[12/24/2007 06:37 PM | 0,005,2496 | ---- | M] (Trend Micro Inc.) - C:\WINDOWS\system32\drivers\tmactmon.sys

(tmcfw) Trend Micro Common Firewall Service [On_Demand | Running]
[02/15/2008 11:37 PM | 0,033,3328 | ---- | M] (Trend Micro Inc.) - C:\WINDOWS\system32\drivers\TM_CFW.sys

(tmcomm) tmcomm [Auto | Running]
[12/24/2007 06:37 PM | 0,013,8384 | ---- | M] (Trend Micro Inc.) - C:\WINDOWS\system32\drivers\tmcomm.sys

(tmevtmgr) tmevtmgr [Auto | Running]
[12/24/2007 06:37 PM | 0,005,2240 | ---- | M] (Trend Micro Inc.) - C:\WINDOWS\system32\drivers\tmevtmgr.sys

(tmpreflt) tmpreflt [Auto | Running]
[07/18/2008 07:08 PM | 0,003,6368 | ---- | M] (Trend Micro Inc.) - C:\WINDOWS\system32\drivers\tmpreflt.sys

(tmtdi) Trend Micro TDI Driver [System | Running]
[02/15/2008 11:37 PM | 0,006,5936 | ---- | M] (Trend Micro Inc.) - C:\WINDOWS\system32\drivers\tmtdi.sys

(tmxpflt) tmxpflt [Auto | Running]
[07/18/2008 07:08 PM | 0,020,5328 | ---- | M] (Trend Micro Inc.) - C:\WINDOWS\system32\drivers\tmxpflt.sys

(ultra) ultra [Disabled | Stopped]
[08/17/2001 02:52 PM | 0,003,6736 | ---- | M] (Promise Technology, Inc.) - C:\WINDOWS\system32\drivers\ultra.sys

(USBAAPL) Apple Mobile USB Driver [On_Demand | Stopped]
[10/31/2007 03:09 PM | 0,003,0464 | ---- | M] (Apple, Inc.) - C:\WINDOWS\system32\drivers\usbaapl.sys

(VET-FILT) VET File System Filter [On_Demand | Stopped]
[05/13/2005 06:53 PM | 0,002,1605 | ---- | M] () - C:\WINDOWS\System32\drivers\vet-filt.sys

(VET-REC) VET File System Recognizer [On_Demand | Stopped]
[05/13/2005 06:53 PM | 0,001,5668 | ---- | M] () - C:\WINDOWS\System32\drivers\vet-rec.sys

(VETFDDNT) VET Floppy Boot Sector Monitor [On_Demand | Stopped]
[05/13/2005 06:53 PM | 0,010,8453 | ---- | M] (Computer Associates International, Inc.) - C:\WINDOWS\System32\drivers\vetfddnt.sys

(VETMONNT) VET File and Macro Monitor [On_Demand | Stopped]
[05/13/2005 06:53 PM | 0,054,1733 | ---- | M] (Computer Associates International, Inc.) - C:\WINDOWS\System32\drivers\vetmonnt.sys

(vsapint) vsapint [Auto | Running]
[07/18/2008 06:51 PM | 0,119,5448 | ---- | M] (Trend Micro Inc.) - C:\WINDOWS\system32\drivers\vsapint.sys

(winachsf) winachsf [On_Demand | Running]
[11/17/2003 10:58 PM | 0,068,0704 | ---- | M] (Conexant Systems, Inc.) - C:\WINDOWS\system32\drivers\HSF_CNXT.sys

===== Run Keys =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch" = C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe File not found
"AudioDrvEmulator" = "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll" [11/04/2005 07:07 PM | 0,004,9152 | ---- | M] (Creative Technology Ltd.)
"CTDVDDET" = "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [06/18/2003 02:00 AM | 0,004,5056 | ---- | M] (Creative Technology Ltd)
"CTHelper" = CTHELPER.EXE [11/08/2005 08:30 PM | 0,001,6384 | ---- | M] (Creative Technology Ltd)
"DLA" = C:\WINDOWS\System32\DLA\DLACTRLW.EXE [09/08/2005 06:20 AM | 0,012,2940 | ---- | M] (Sonic Solutions)
"HP Component Manager" = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [01/12/2005 02:54 PM | 0,024,1664 | ---- | M] (Hewlett-Packard Company)
"HP Software Update" = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [02/16/2005 11:11 PM | 0,004,9152 | ---- | M] (Hewlett-Packard Co.)
"IAAnotif" = C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [06/17/2005 08:56 AM | 0,013,9264 | ---- | M] (Intel Corporation)
"ISUSPM Startup" = "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup [09/11/2006 04:40 AM | 0,021,8032 | ---- | M] (Macrovision Corporation)
"ISUSScheduler" = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start [09/11/2006 04:40 AM | 0,008,6960 | ---- | M] (Macrovision Corporation)
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM | 0,026,7048 | ---- | M] (Apple Inc.)
"MediaManager" = C:\Program Files\Verizon\Media Manager\MediaManager.exe [10/19/2007 11:22 AM | 0,140,0832 | ---- | M] (Verizon Data Services Inc.)
"NvCplDaemon" = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [12/14/2005 09:51 PM | 0,732,3648 | ---- | M] (NVIDIA Corporation)
"PinnacleDriverCheck" = C:\WINDOWS\system32\\PSDrvCheck.exe [03/11/2004 12:26 AM | 0,040,6016 | ---- | M] ()
"QuickTime Task" = "C:\Program Files\QuickTime\qttask.exe" -atboottime [03/28/2008 11:37 PM | 0,041,3696 | ---- | M] (Apple Inc.)
"RealTray" = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER [04/13/2006 08:02 AM | 0,002,6112 | ---- | M] (RealNetworks, Inc.)
"SigmatelSysTrayApp" = stsystra.exe [03/23/2005 12:20 AM | 0,033,9968 | ---- | M] (SigmaTel, Inc.)
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM | 0,014,4784 | ---- | M] (Sun Microsystems, Inc.)
"UfSeAgnt.exe" = "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [02/16/2008 12:56 AM | 0,139,8024 | ---- | M] (Trend Micro Inc.)
"UpdReg" = C:\WINDOWS\UpdReg.EXE [05/11/2000 02:00 AM | 0,009,0112 | ---- | M] (Creative Technology Ltd.)
"VolPanel" = "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r [10/14/2005 12:01 PM | 0,012,2880 | ---- | M] (Creative Technology Ltd)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Value load does not exist or could not be read.
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed" = 1
"NoChange" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed" = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport" = "C:\Program Files\DellSupport\DSAgnt.exe" /startup [03/15/2007 11:09 AM | 0,046,0784 | ---- | M] (Gteko Ltd.)
"ISUSPM" = "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler [09/11/2006 04:40 AM | 0,021,8032 | ---- | M] (Macrovision Corporation)
"OE" = "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [09/18/2007 03:31 AM | 0,048,8712 | ---- | M] (Trend Micro Inc.)
"TrendSecure Remote File Lock" = C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe [02/15/2008 07:53 PM | 0,042,3248 | ---- | M] (Trend Micro Inc.)
"updateMgr" = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 [03/30/2006 04:45 PM | 0,031,3472 | R--- | M] (Adobe Systems Incorporated)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

===== Startup Folders =====

[All Users Startup Folder - C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
[04/23/2008 03:38 AM | 0,002,9696 | ---- | M] (Adobe Systems Incorporated) - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[10/29/2003 03:06 AM | 0,002,4576 | R--- | M] (BVRP Software) - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
[05/28/2004 10:31 PM | 0,024,1664 | ---- | M] (Hewlett-Packard Co.) - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[05/28/2004 11:06 PM | 0,005,3248 | ---- | M] (Hewlett-Packard Co.) - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

[Brian Startup Folder - C:\Documents and Settings\Brian\Start Menu\Programs\Startup]
[05/31/2001 08:52 AM | 0,029,9008 | ---- | M] (Palm, Inc.) - C:\Documents and Settings\Brian\Start Menu\Programs\Startup\HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE

===== BHO's =====

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
HKLM CLSID: (&Yahoo! Toolbar Helper) - [08/22/2007 09:30 PM | 0,081,6912 | ---- | M] (Yahoo! Inc.) C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
HKLM CLSID: (Adobe PDF Reader Link Helper) - [12/18/2006 04:16 AM | 0,005,9032 | ---- | M] (Adobe Systems Incorporated) C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
HKLM CLSID: (SSVHelper Class) - [02/22/2008 04:25 AM | 0,050,9328 | ---- | M] (Sun Microsystems, Inc.) C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1656CCA-D2EA-4A32-94AE-AE0B180E6449}]
HKLM CLSID: (TSToolbarBHO) - [09/16/2007 10:21 AM | 0,010,3760 | ---- | M] (Trend Micro Inc.) C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\rsion]
HKLM CLSID: (Reg Error: Key does not exist or could not be opened.) - File not found Reg Error: Key does not exist or could not be opened.

===== Toolbars =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"
HKLM CLSID: (Transaction Protector) - [09/16/2007 10:21 AM | 0,010,3760 | ---- | M] (Trend Micro Inc.) C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
HKLM CLSID: (Yahoo! Toolbar) - [08/22/2007 09:30 PM | 0,081,6912 | ---- | M] (Yahoo! Inc.) C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
HKLM CLSID: (Reg Error: Key does not exist or could not be opened.) - File not found Reg Error: Key does not exist or could not be opened.

"{C4069E3A-68F1-403E-B40E-20066696354B}"
HKLM CLSID: (Reg Error: Key does not exist or could not be opened.) - File not found Reg Error: Key does not exist or could not be opened.

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
HKLM CLSID: (Yahoo! Toolbar) - [08/22/2007 09:30 PM | 0,081,6912 | ---- | M] (Yahoo! Inc.) C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

===== Policies =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments]
"ScanWithAntiVirus" = 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{17492023-C23A-453E-A040-C7C580BBF700}" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}" = 1
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}" = 1073741857
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}" = 32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername" = 0
"legalnoticecaption" =
"legalnoticetext" =
"shutdownwithoutlogon" = 1
"undockwithoutlogon" = 1
"InstallVisualStyle" = C:\WINDOWS\Resources\Themes\Royale\Royale.mss File not found
"InstallTheme" = C:\WINDOWS\Resources\Themes\Royale.the File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoCDBurning" = 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

===== Desktop Components =====

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName" = "My Current Home Page"
"Source" = "About:Home"
"SubscribedURL" = "About:Home"

===== Shared Task Scheduler =====

===== AppInit_Dlls =====

===== Lsa Authentication Packages =====

===== Lsa Security Packages =====

===== Authorized Applications List =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = C:\WINDOWS\system32\sessmgr.exe [04/13/2008 08:12 PM | 0,014,1312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe File not found
"%windir%\Network Diagnostic\xpnetdiag.exe" = C:\WINDOWS\network diagnostic\xpnetdiag.exe [04/13/2008 02:53 PM | 0,055,8080 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = C:\WINDOWS\system32\sessmgr.exe [04/13/2008 08:12 PM | 0,014,1312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe File not found
"C:\Program Files\Pinnacle\Studio 10\programs\RM.exe" = C:\Program Files\Pinnacle\Studio 10\programs\RM.exe [03/24/2006 12:58 PM | 0,006,5536 | ---- | M] (Pinnacle Systems, Inc.)
"C:\Program Files\Pinnacle\Studio 10\programs\Studio.exe" = C:\Program Files\Pinnacle\Studio 10\programs\studio.exe [03/24/2006 01:58 PM | 0,437,0432 | ---- | M] (Pinnacle Systems)
"C:\Program Files\Pinnacle\Studio 10\programs\PMSRegisterFile.exe" = C:\Program Files\Pinnacle\Studio 10\programs\PMSRegisterFile.exe [09/21/2005 04:22 PM | 0,002,4576 | ---- | M] ( )
"C:\Program Files\Pinnacle\Studio 10\programs\umi.exe" = C:\Program Files\Pinnacle\Studio 10\programs\umi.exe [03/24/2006 12:57 PM | 0,007,7824 | ---- | M] (Pinnacle Systems, Inc.)
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe [04/13/2008 08:12 PM | 0,169,5232 | -HS- | M] (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = C:\WINDOWS\network diagnostic\xpnetdiag.exe [04/13/2008 02:53 PM | 0,055,8080 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [11/30/2006 09:49 PM | 0,466,2776 | ---- | M] (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe File not found
"" = :*:Enabled:Yahoo! Music Jukebox
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe [03/30/2008 10:36 AM | 2,063,8504 | ---- | M] (Apple Inc.)

===== HKLM Winlogon Settings =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell]
"Explorer.exe" - [04/13/2008 08:12 PM | 0,103,3728 | ---- | M] (Microsoft Corporation) C:\WINDOWS\explorer.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit]
"C:\WINDOWS\system32\userinit.exe" - [04/13/2008 08:12 PM | 0,002,6112 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\userinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost]
"logonui.exe" - [04/13/2008 08:12 PM | 0,051,4560 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\logonui.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
"rundll32 shell32" - [04/13/2008 08:12 PM | 0,846,1312 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
"Control_RunDLL "sysdm.cpl"" - [04/13/2008 08:12 PM | 0,030,0544 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\sysdm.cpl

===== User's Winlogon Settings =====

===== Winlogon Notify Settings =====

===== Safeboot Options =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = cmd.exe

===== Disabled MsConfig Items =====
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ not found. -> ->

===== DNS Name Servers =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{00D7EA4D-5CD6-438F-822C-F54012013803}]
Servers: | Description:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{0FC1AC39-4C80-4BE0-BAA8-81C6FED22B5C}]
Servers: | Description: Intel® PRO/1000 PL Network Connection

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{8A7957C0-B2D9-4317-B73E-D9D29B7AF6C8}]
Servers: | Description: Compact Wireless-G USB Network Adapter with SpeedBooster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{DD100F03-4AAB-4452-A174-0D69F492B359}]
Servers: | Description: 1394 Net Adapter



[Files/Folders - Created Within 30 days]
[08/11/2009 08:55 PM | ---D | C] - C:\WINDOWS\System32\Adobe
[14 C:\WINDOWS\System32\*.tmp files]
[08/15/2009 01:31 PM | 0,019,2512 | ---- | M] (킹스정보통신) - C:\WINDOWS\System32\kdfvmgr.exe
[08/15/2009 08:06 AM | ---D | C] - C:\WINDOWS\LastGood
[4 C:\WINDOWS\*.tmp files]
[08/14/2009 11:05 PM | 0,000,1602 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[08/11/2009 08:59 PM | 0,045,7447 | ---- | M] (Malwareteks.com) - C:\Documents and Settings\Brian\Desktop\FixIEDef.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\FixIEDef.exe:Zone.Identifier
[08/15/2009 01:50 PM | 0,139,7248 | ---- | M] (OldTimer Tools) - C:\Documents and Settings\Brian\Desktop\OTViewIt.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\OTViewIt.exe:Zone.Identifier
[08/14/2009 11:08 PM | ---D | C] - C:\Program Files\Mozilla Firefox

[Files/Folders - Modified Within 30 days]
[08/14/2009 11:05 PM | ---D | M] - C:\Program Files
[08/15/2009 08:30 AM | ---D | M] - C:\WINDOWS
[08/15/2009 12:01 PM | ---D | M] - C:\WINDOWS\System32\drivers\etc
[08/11/2009 08:55 PM | ---D | M] - C:\WINDOWS\System32\Adobe
[14 C:\WINDOWS\System32\*.tmp files]
[08/14/2009 11:10 PM | 0,005,5700 | ---- | M] () - C:\WINDOWS\System32\BMXState-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx
[08/14/2009 11:10 PM | 0,005,5700 | ---- | M] () - C:\WINDOWS\System32\BMXStateBkp-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx
[08/15/2009 08:03 AM | ---D | M] - C:\WINDOWS\System32\CatRoot2
[08/15/2009 08:03 AM | RHSD | M] - C:\WINDOWS\System32\dllcache
[08/15/2009 01:31 PM | ---D | M] - C:\WINDOWS\System32\drivers
[08/14/2009 11:10 PM | 0,006,4980 | ---- | M] () - C:\WINDOWS\System32\DVCState-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx
[08/15/2009 08:31 AM | ---D | M] - C:\WINDOWS\System32\FxsTmp
[08/15/2009 01:31 PM | 0,007,7824 | ---- | M] (Kings Information & Network) - C:\WINDOWS\System32\kdfapi.dll
[08/15/2009 08:09 AM | 0,005,3248 | ---- | M] (Kings Information & Network) - C:\WINDOWS\System32\Kdfhok.dll
[08/15/2009 01:31 PM | 0,072,6568 | ---- | M] (Bluegem Security) - C:\WINDOWS\System32\kdfmgr.exe
[08/15/2009 01:31 PM | 0,019,2512 | ---- | M] (킹스정보통신) - C:\WINDOWS\System32\kdfvmgr.exe
[08/15/2009 08:30 AM | 0,003,9472 | ---- | M] () - C:\WINDOWS\System32\nvapps.xml
[08/14/2009 11:10 PM | 0,000,1080 | ---- | M] () - C:\WINDOWS\System32\settings.sfm
[08/14/2009 11:10 PM | 0,000,1080 | ---- | M] () - C:\WINDOWS\System32\settingsbkup.sfm
[08/15/2009 08:30 AM | 0,000,2206 | ---- | M] () - C:\WINDOWS\System32\wpa.dbl
[08/15/2009 08:03 AM | 0,000,2048 | --S- | M] () - C:\WINDOWS\bootstat.dat
[08/11/2009 08:55 PM | --SD | M] - C:\WINDOWS\Downloaded Program Files
[4 C:\WINDOWS\*.tmp files]
[08/14/2009 07:41 PM | ---D | M] - C:\WINDOWS\Help
[08/15/2009 08:06 AM | -H-D | M] - C:\WINDOWS\inf
[08/15/2009 08:06 AM | ---D | M] - C:\WINDOWS\LastGood
[08/15/2009 01:50 PM | ---D | M] - C:\WINDOWS\Prefetch
[08/15/2009 08:30 AM | 0,005,4156 | -H-- | M] () - C:\WINDOWS\QTFont.qfn
[08/15/2009 08:03 AM | ---D | M] - C:\WINDOWS\Registration
[08/15/2009 01:31 PM | ---D | M] - C:\WINDOWS\system32
[08/15/2009 01:14 PM | ---D | M] - C:\WINDOWS\Temp
[08/08/2009 11:41 PM | 0,000,0284 | ---- | M] () - C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[08/15/2009 08:03 AM | 0,000,0006 | -H-- | M] () - C:\WINDOWS\tasks\SA.DAT
[08/15/2009 08:30 AM | ---D | M] - C:\Documents and Settings\Brian\Local Settings\Application Data\ApplicationHistory
[08/15/2009 08:09 AM | 0,000,0000 | ---- | M] () - C:\Documents and Settings\All Users\Documents\{499663EE-202C-4468-874C-198A9E0BC058}
[08/14/2009 11:05 PM | 0,000,1602 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[08/11/2009 08:59 PM | 0,045,7447 | ---- | M] (Malwareteks.com) - C:\Documents and Settings\Brian\Desktop\FixIEDef.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\FixIEDef.exe:Zone.Identifier
[08/15/2009 01:50 PM | 0,139,7248 | ---- | M] (OldTimer Tools) - C:\Documents and Settings\Brian\Desktop\OTViewIt.exe
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\OTViewIt.exe:Zone.Identifier

< End of report >
  • 0

#4
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there :)

I'm not seeing anything in your log, could you tell me what your program is flagging, i.e what file (and filepath) trendmicro is calling a baddy?

Let's do two general scans to see if we can find something. The online scan takes a long(long) time, if you are having troubles with the internet please post back rather than running it. Updating Java would still be good though.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

And,

Download the latest version of Java Runtime Environment (JRE) 6 Update 7. Once done, uninstall any older versions of Java through add or remove programs.

Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

  • 0

#5
btrentler

btrentler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Alright.... :)

The entity identified by AdAware isi Win32.trojan downloader.delf - I wasn't able to ascertain the file path.

Next, the MBAM results....

Malwarebytes' Anti-Malware 1.25
Database version: 1078
Windows 5.1.2600 Service Pack 3

10:18:46 PM 8/15/2009
mbam-log-08-15-2009 (22-18-46).txt

Scan type: Quick Scan
Objects scanned: 74346
Time elapsed: 21 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 71

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Settings (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AdwareAlert\adwarealert.exe (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\DataBaseNew.ref (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Log\log_2006_11_04_12_11_59.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Log\log_2006_11_04_12_12_24.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Log\log_2006_11_04_12_12_42.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Log\log_2006_11_04_12_12_56.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Log\log_2006_11_05_05_56_33.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Log\log_2006_11_05_05_56_39.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Settings\CustomScan.stg (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Settings\IgnoreList.stg (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Settings\ScanInfo.stg (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Settings\SelectedFolders.stg (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Settings\Settings.stg (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Errors.stg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\RegistrySmart.exe (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Results.stg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Log\log_2007_10_23_07_14_16.eklog (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Log\log_2007_10_23_07_15_27.eklog (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Log\log_2007_10_23_07_15_38.eklog (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2006-10-23_06-43-36.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2006-10-28_11-55-00.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2006-10-30_21-39-24.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2006-11-02_22-38-25.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2006-11-04_11-43-49.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2006-11-04_12-08-47.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2006-11-04_12-10-26.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2006-11-09_08-05-03.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2006-11-12_12-00-48.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2006-11-13_21-48-49.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2006-11-21_07-44-46.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2006-11-24_21-25-27.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2006-12-05_06-00-50.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2006-12-07_07-47-18.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2006-12-12_20-48-14.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2006-12-23_12-03-36.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2006-12-28_19-08-16.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2006-12-31_13-47-19.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-01-11_21-22-27.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-01-17_20-56-39.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-01-20_14-39-00.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-01-25_21-13-46.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-01-28_08-00-57.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-02-07_20-38-54.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-02-16_08-26-22.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-02-24_14-51-21.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-02-28_07-26-15.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-03-06_07-57-57.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-03-10_15-25-14.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-03-24_22-36-23.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-03-29_21-45-03.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-04-06_07-13-55.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-04-08_19-17-26.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-04-14_21-24-50.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-04-19_19-47-58.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-05-03_21-50-27.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-05-07_12-28-17.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-05-15_21-21-39.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-05-27_19-52-18.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-06-03_16-47-03.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-06-10_20-32-12.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-06-29_07-31-18.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-07-19_20-20-14.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-07-27_08-02-25.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-08-02_07-57-49.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-08-16_07-38-13.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-09-13_07-27-47.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-09-21_06-30-45.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-10-15_20-26-15.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\2007-10-15_22-46-09.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\Errors.stg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Registry Backups\Results.stg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Next - I downloaded the JRE 6 Update 7 & removed old programs.

Go to Kaspersky website and perform an online antivirus scan. - I was unable to properly run the program because the update continued to fail time after time.

Please let me know if there's any hints to get the program to load properly. I disabled by existing antivirus software (Trend Micro).

Thanks again for all of your help. It's greatly appreciated!!!! :)
  • 0

#6
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Let's do a different scan then :)

  • Go to http://support.f-sec.../home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take several hours, so please be patient

  • 0

#7
btrentler

btrentler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hello there!! :) :) - Hope your day is going well. Here is the result of the scan you requested. I hope this provides some insight with my problem.

Thanks!


Scanning Report
Sunday, August 16, 2009 12:41:10 - 15:36:27
Computer name: OFFICE
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 15 malware found
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Adbrite (spyware)
System
TrackingCookie.Adinterax (spyware)
System
TrackingCookie.Adrevolver (spyware)
System
TrackingCookie.Advertising (spyware)
System
TrackingCookie.Atdmt (spyware)
System
TrackingCookie.Atwola (spyware)
System
TrackingCookie.Doubleclick (spyware)
System
TrackingCookie.Imrworldwide (spyware)
System
TrackingCookie.Mediaplex (spyware)
System
TrackingCookie.Questionmarket (spyware)
System
TrackingCookie.Revsci (spyware)
System
TrackingCookie.Specificclick (spyware)
System
TrackingCookie.Webtrends (spyware)
System
TrackingCookie.Yieldmanager (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 85351
System: 5647
Not scanned: 11
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 15
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
C:\DOCUMENTS AND SETTINGS\BRIAN\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\NC9NDLYN\XML;SZ=640X480;ORD=38525434957895870[1].XML
C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\RECORDED TV\TEMPREC\TEMPSBE\MSDVRMM_478157632_1900544_29542
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3AD391678A806EC4D691E83AAA393B6F_24ADF822-76F7-4481-B30B-FF1B40F8687F
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\EE54A3E723A03104D9237D036F312BA3_24ADF822-76F7-4481-B30B-FF1B40F8687F

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Blacklight: 1.0.68
F-Secure Hydra: 2.8.8110, 2008-08-23
F-Secure Pegasus: 1.20.0, 2008-04-14
F-Secure AVP: 7.0.171, 2008-08-22
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.
  • 0

#8
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

My day is good :)

It looks good, how is your PC running?
  • 0

#9
btrentler

btrentler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
It's running ok...speed is fine. Everytime I run the AdAware scan, the trojan virus reappears. I realized after doing some research that (even after I quarantine or delete) it reactivates each time I start or restart the PC.

My wife is stressing out because she cannot pay her credit card bill online. Her companies (Capital One) cookie expired, and she's unable to override the page to pay her bill. Is that tied to the virus?? Also, my yahoo login page looks drastically different. I wasn't sure if these were mutually exclusive developments or correlated in some way.

Again, I appreciate all of your help. Based upon the tools we've used thus far, the trojan virus is hidden except for the AdAware scan???

Thanks again.
:)
  • 0

#10
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there :)

Can you tell me what file AdAware is finding, maybe take a screenshot of the results? ( look here to see how to take a screenshot http://www.microsoft...screenshot.mspx )

My wife is stressing out because she cannot pay her credit card bill online. Her companies (Capital One) cookie expired, and she's unable to override the page to pay her bill. Is that tied to the virus?? Also, my yahoo login page looks drastically different. I wasn't sure if these were mutually exclusive developments or correlated in some way.


The cookie issue doesn't have anything to do with the virus, it can be because of the scans we did though (they clean out cookies), she just needs to login again and should be good to go.

About the yahoo page,

Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Go to yahoo and see if its different still, if it is do a hard refresh (press f5) and it should be fine.

I'll wait on your reply :)

Edited by Mike, 24 August 2008 - 03:43 AM.

  • 0

Advertisements


#11
btrentler

btrentler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hey Mike

Hope your morning is starting off well! I found an interesting wrinkle. Each week, I run Windows Update to see if there are any new updates. This morning I was unable to run it because my date & time stamp was screwed up. My computer had been reset to 8/24 2009. Very strange.....

My wife has no idea how to change it & my kids (ages 1 & 3) clearly are not capable. Could the virus have changed the year?? Anyway, once I changed the date, we were able to access the capitalone.com website, so now my wife is once again happy.

Now, on to AdAware. When I attempted to run a scan this morning (after resetting the date & time), the program blocked me. I don't use their free service....I paid for a 2-yr subscription. The message stated that I needed to change the date to 8/24 2009 to run the scan. Otherwise, if I kept it 2008, I'd only be able to run the free scan. Does that sound strange to you???

I didn't attach a screen-shot of the AdAware scan results because it's larger than 500K. It's actually 1.2 megabytes. Please advise.

Thanks for your guidance!!! I appreciate it.
Brian :)
  • 0

#12
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

The time issue is strange, viruses are known to change them but I don't remember a case where this infection did so.
For the ad-aware issue, you should contact the company directly, http://www.lavasoft....enter/index.php

For the screenshot, try hosting it at a website such as http://www.imageshack.us/ or upload the file to http://www.mediafire.com/ and post the link here.

Edited by Mike, 24 August 2008 - 06:41 AM.

  • 0

#13
btrentler

btrentler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Mike

Here's a link - please let me know if you're able to view it.

Posted Image

Thanks!!
Brian
  • 0

#14
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
The image is a bit small, but from what I can make out it doesn't seem to show the file path...

Is there a tab called logs or something in that direction where you could possibly see the threat and then C:\windows\badfile as an example?

Maybe it's picking up an orphaned entry (thoughts for me, no worries if you don't understand)

* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

  • 0

#15
btrentler

btrentler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I'll look into it this evening. Presently, I'm at work & won't have access to my home PC until later this evening. Thanks for the quick follow-up!!

Brian
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP