Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Vundofix -- Trojan.Vundo Variant [RESOLVED]

Started by pdatrinity , Aug 22 2008 03:09 PM

  • This topic is locked This topic is locked

#1
pdatrinity
Posted 22 August 2008 - 03:09 PM

pdatrinity

    New Member

  • Member
  • Pip
  • 9 posts
Hi.

I have, I think, cleaned my system.

Ran Superantispyware which cleaned most of infection. Ran VundoFix and (in safe mode) VundoBeGone. It seemed the main (8-miscellaneous charachter) executable files were still active, but TrendMicro pointed them out (but didn't remove them). I deleted them manually. Since then the system has been clean.

All the cleanup forums I have read about vundo and virtumundo have said that the infection goes very deep and that the "automatic" installers don't get rid of it very well.

It seems likely that my system is clean, but if one of you experienced professionals would like to review my "Hijack This" log, I would appreciate it.

Thank you,

Peter

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:32 PM, on 8/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/?rd=nux
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1206019659008
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7825 bytes


********

Here is the "uninstall list" which you requested in your "read this first" post.

********

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
AirPort
Apple Mobile Device Support
Apple Software Update
BibleWorks 6
Bonjour
Compatibility Pack for the 2007 Office system
CutePDF Writer 2.7
Google Desktop
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HP Deskjet 5400 series
HP Extended Capabilities 5.0
HP Image Zone 4.7
HP Image Zone Express
HP Imaging Device Functions 5.0
HP Product Detection
HP PSC & OfficeJet 4.7
HP Solution Center & Imaging Support Tools 5.0
HP Update
Intel® Extreme Graphics 2 Driver
Intel® PROSet for Wireless
iTunes
Learn2 Player (Uninstall Only)
Libronix Digital Library System
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
Mozilla Firefox (2.0.0.16)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
MUSICMATCH® Jukebox
Nero OEM
PowerDVD
QuickTime
RealPlayer Basic
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Shop for HP Supplies
SoftK56 Data Fax Modem
SoundMAX
SUPERAntiSpyware Free Edition
Synaptics Pointing Device Driver
Trend Micro AntiVirus
Trend Micro AntiVirus
Update for Windows Internet Explorer 7 (KB928089)
Update for Windows Internet Explorer 7 (KB945007)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB951072-v2)
Viewpoint Media Player
Virtools 3D Life Player
Windows Backup Utility
Windows Defender
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 2
  • 0

Advertisements

#2
Stamper19
Posted 26 August 2008 - 01:14 PM

Stamper19

    Expert

  • Expert
  • 1,992 posts
Hi pdatrinity,

Welcome to Geeks to Go!

My name is Stamper19 and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point. :)

----------------------------------------------------------------

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

----------------------------------------------------------------

Download OTViewIt to your desktop.
  • Close all windows and double click OTViewIt
  • Place a tick in the Scan all Users box
  • In the File Age drop down box select 30 days
  • Click Run Scan and let the program run uninterrupted
  • On completion it will produce two logs on the Desktop, post the OTViewIt.txt and Extras.txt logs in your next post.

----------------------------------------------------------------

Information to include in your next post:
  • Malwarebytes Log
  • OTViewIt Logs

  • 0

#3
pdatrinity
Posted 28 August 2008 - 12:41 PM

pdatrinity

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Dear Stamper19:

Thank you so much for your attention to my problem.

I have followed your instructions. Here are the three logs you requested:

MalwareBytes Log

Malwarebytes' Anti-Malware 1.25
Database version: 1092
Windows 5.1.2600 Service Pack 2

11:23:10 AM 8/28/2008
mbam-log-08-28-2008 (11-23-10).txt

Scan type: Quick Scan
Objects scanned: 44567
Time elapsed: 6 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


MalwareBytes did require a reboot to complete it's process. Following the reboot I executed OTViewIt:

OT View It Log:

OTViewIt logfile created on: 8/28/2008 11:41:59 AM - Run 1
OTViewIt by OldTimer - Version 1.0.0.14 Folder = C:\Documents and Settings\Owner\My Documents\My Received Files\Software Packages
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

990.42 Mb Total Physical Memory | 516.05 Mb Available Physical Memory | 52.10% Memory free
2.33 Gb Paging File | 1.87 Gb Available in Paging File | 80.27% Paging File free
Paging file location(s): C:\pagefile.sys 1488 2976;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 128.00 Gb Total Space | 109.81 Gb Free Space | 85.79% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-K8L3QTHB26
Current User Name: Owner
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users

===== Processes - Non-Microsoft Only =====

[12/16/2003 07:42 PM | 00,311,363 | ---- | M] (Intel Corporation ) - C:\WINDOWS\system32\S24EvMon.exe
[12/16/2003 07:47 PM | 00,376,832 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\ZCfgSvc.exe
[12/10/2003 05:36 AM | 00,086,016 | ---- | M] (Intel® Corporation) - C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
[11/20/2003 06:19 PM | 00,098,304 | ---- | M] (Synaptics, Inc.) - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[11/20/2003 06:18 PM | 00,499,712 | ---- | M] (Synaptics, Inc.) - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[07/29/2008 02:57 PM | 01,398,024 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
[05/08/2007 04:24 PM | 00,054,840 | ---- | M] (Hewlett-Packard) - C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
[02/07/2006 08:36 AM | 00,077,824 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\hkcmd.exe
[02/07/2006 08:40 AM | 00,118,784 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\igfxpers.exe
[06/10/2008 04:09 PM | 00,029,744 | ---- | M] (Google) - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
[05/20/2008 03:17 PM | 00,737,280 | ---- | M] (Apple Inc.) - C:\Program Files\AirPort\APAgent.exe
[05/27/2008 10:50 AM | 00,413,696 | ---- | M] (Apple Inc.) - C:\Program Files\QuickTime\QTTask.exe
[07/30/2008 10:47 AM | 00,289,064 | ---- | M] (Apple Inc.) - C:\Program Files\iTunes\iTunesHelper.exe
[06/10/2008 04:09 PM | 00,068,856 | ---- | M] (Google Inc.) - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[08/26/2008 01:07 PM | 01,576,176 | ---- | M] (SUPERAntiSpyware.com) - C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
[05/11/2005 11:23 PM | 00,282,624 | ---- | M] (Hewlett-Packard Co.) - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[11/04/2004 07:36 PM | 00,425,984 | ---- | M] (Hewlett-Packard Co.) - C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
[06/10/2008 04:09 PM | 00,029,744 | ---- | M] (Google) - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
[07/22/2008 08:42 PM | 00,116,040 | ---- | M] (Apple Inc.) - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[07/24/2007 03:17 PM | 00,229,376 | ---- | M] (Apple Inc.) - C:\Program Files\Bonjour\mDNSResponder.exe
[06/10/2008 04:08 PM | 00,137,200 | ---- | M] (Google) - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
[12/16/2003 07:41 PM | 00,122,880 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\RegSrvc.exe
[05/12/2005 12:40 AM | 00,204,800 | ---- | M] (Hewlett-Packard Co.) - C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
[07/29/2008 02:57 PM | 00,698,888 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
[12/24/2007 05:41 PM | 00,333,064 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
[07/30/2008 10:47 AM | 00,532,264 | ---- | M] (Apple Inc.) - C:\Program Files\iPod\bin\iPodService.exe
[08/09/2007 03:27 AM | 00,073,728 | ---- | M] (HP) - C:\WINDOWS\system32\HPZipm12.exe
[12/16/2003 07:43 PM | 00,184,320 | ---- | M] (Intel) - C:\WINDOWS\system32\1XConfig.exe
[02/26/2008 02:19 PM | 00,648,456 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
[08/27/2008 02:10 PM | 01,299,968 | ---- | M] (OldTimer Tools) - C:\Documents and Settings\Owner\My Documents\My Received Files\Software Packages\OTViewIt.exe

===== Win32 Services - Non-Microsoft Only =====

(Apple Mobile Device) Apple Mobile Device [Auto | Running]
[07/22/2008 08:42 PM | 00,116,040 | ---- | M] (Apple Inc.) - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

(Bonjour Service) Bonjour Service [Auto | Running]
[07/24/2007 03:17 PM | 00,229,376 | ---- | M] (Apple Inc.) - C:\Program Files\Bonjour\mDNSResponder.exe

(dmadmin) Logical Disk Manager Administrative Service [On_Demand | Stopped]
[08/04/2004 01:56 AM | 00,224,768 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\system32\dmadmin.exe

(GoogleDesktopManager-022208-143751) Google Desktop Manager 5.7.802.22438 [On_Demand | Stopped]
[06/10/2008 04:09 PM | 00,029,744 | ---- | M] (Google) - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

(gusvc) Google Updater Service [Auto | Running]
[06/10/2008 04:08 PM | 00,137,200 | ---- | M] (Google) - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

(iPod Service) iPod Service [On_Demand | Running]
[07/30/2008 10:47 AM | 00,532,264 | ---- | M] (Apple Inc.) - C:\Program Files\iPod\bin\iPodService.exe

(Pml Driver HPZ12) Pml Driver HPZ12 [Auto | Running]
[08/09/2007 03:27 AM | 00,073,728 | ---- | M] (HP) - C:\WINDOWS\system32\HPZipm12.exe

(RegSrvc) RegSrvc [Auto | Running]
[12/16/2003 07:41 PM | 00,122,880 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\RegSrvc.exe

(S24EventMonitor) Spectrum24 Event Monitor [Auto | Running]
[12/16/2003 07:42 PM | 00,311,363 | ---- | M] (Intel Corporation ) - C:\WINDOWS\system32\S24EvMon.exe

(SfCtlCom) Trend Micro Central Control Component [Auto | Running]
[07/29/2008 02:57 PM | 00,698,888 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

(TMBMServer) Trend Micro Unauthorized Change Prevention Service [Auto | Running]
[12/24/2007 05:41 PM | 00,333,064 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

(tmproxy) Trend Micro Proxy Service [On_Demand | Running]
[02/26/2008 02:19 PM | 00,648,456 | ---- | M] (Trend Micro Inc.) - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

===== Driver Services - Non-Microsoft Only =====

(aeaudio) aeaudio [On_Demand | Running]
[04/01/2002 04:15 PM | 00,004,816 | ---- | M] (Andrea Electronics Corporation) - C:\WINDOWS\system32\drivers\aeaudio.sys

(ASCTRM) ASCTRM [Auto | Running]
[06/23/2004 02:11 PM | 00,008,552 | ---- | M] (Windows ® 2000 DDK provider) - C:\WINDOWS\System32\drivers\asctrm.sys

(dmboot) dmboot [Disabled | Stopped]
[08/04/2004 12:07 AM | 00,799,744 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\system32\drivers\dmboot.sys

(dmio) dmio [Disabled | Stopped]
[08/04/2004 12:07 AM | 00,153,344 | ---- | M] (Microsoft Corp., Veritas Software) - C:\WINDOWS\system32\drivers\dmio.sys

(dmload) dmload [Disabled | Stopped]
[03/31/2003 08:00 AM | 00,005,888 | ---- | M] (Microsoft Corp., Veritas Software.) - C:\WINDOWS\system32\drivers\dmload.sys

(GEARAspiWDM) GEARAspiWDM [On_Demand | Running]
[01/29/2008 12:01 PM | 00,016,168 | ---- | M] (GEAR Software Inc.) - C:\WINDOWS\system32\drivers\GEARAspiWDM.sys

(HPZid412) IEEE-1284.4 Driver HPZid412 [On_Demand | Running]
[12/14/2004 12:07 PM | 00,051,120 | R--- | M] (HP) - C:\WINDOWS\system32\drivers\HPZid412.sys

(HPZipr12) Print Class Driver for IEEE-1284.4 HPZipr12 [On_Demand | Running]
[12/14/2004 12:07 PM | 00,016,496 | R--- | M] (HP) - C:\WINDOWS\system32\drivers\HPZipr12.sys

(HPZius12) USB to IEEE-1284.4 Translation Driver HPZius12 [On_Demand | Running]
[03/08/2005 07:52 AM | 00,021,744 | ---- | M] (HP) - C:\WINDOWS\system32\drivers\HPZius12.sys

(HSFHWICH) HSFHWICH [On_Demand | Running]
[10/14/2003 10:08 PM | 00,197,120 | ---- | M] (Conexant Systems, Inc.) - C:\WINDOWS\system32\drivers\HSFHWICH.sys

(HSF_DP) HSF_DP [On_Demand | Running]
[10/14/2003 10:04 PM | 01,043,072 | ---- | M] (Conexant Systems, Inc.) - C:\WINDOWS\system32\drivers\HSF_DP.sys

(ialm) ialm [On_Demand | Running]
[02/07/2006 09:04 AM | 01,399,615 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\ialmnt5.sys

(MDC8021X) AEGIS Protocol (IEEE 802.1x) v2.2.1.0 [Auto | Running]
[06/23/2004 02:39 PM | 00,014,037 | ---- | M] (Meetinghouse Data Communications) - C:\WINDOWS\system32\drivers\mdc8021x.sys

(mdmxsdk) mdmxsdk [Auto | Running]
[04/09/2003 07:48 PM | 00,011,043 | ---- | M] (Conexant) - C:\WINDOWS\system32\drivers\mdmxsdk.sys

(MxlW2k) MxlW2k [On_Demand | Running]
[06/23/2004 03:25 PM | 00,028,352 | ---- | M] (MusicMatch, Inc.) - C:\WINDOWS\System32\drivers\MxlW2k.sys

(Ptilink) Direct Parallel Link Driver [On_Demand | Running]
[03/31/2003 08:00 AM | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) - C:\WINDOWS\system32\drivers\ptilink.sys

(rmedia) Ricoh MediaCard Driver [Boot | Running]
[10/20/2003 10:09 PM | 00,065,664 | ---- | M] (REDC) - C:\WINDOWS\system32\drivers\Rmedia.sys

(RTL8023) Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver [On_Demand | Running]
[08/13/2003 06:27 PM | 00,065,280 | ---- | M] (Realtek Semiconductor Corporation ) - C:\WINDOWS\system32\drivers\Rtlnic51.sys

(s24trans) WLAN Transport [Auto | Running]
[09/15/2003 01:20 PM | 00,011,258 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\s24trans.sys

(SABProcEnum) SABProcEnum [On_Demand | Stopped]
File not found - C:\PROGRA~1\MOZILL~1\SABProcEnum.sys

(SASDIFSV) SASDIFSV [System | Running]
[05/28/2008 10:33 AM | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) - C:\Program Files\SUPERAntiSpyware\sasdifsv.sys

(SASENUM) SASENUM [On_Demand | Running]
[05/28/2008 10:33 AM | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) - C:\Program Files\SUPERAntiSpyware\SASENUM.SYS

(SASKUTIL) SASKUTIL [System | Running]
[05/28/2008 10:33 AM | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) - C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

(Secdrv) Secdrv [On_Demand | Stopped]
[11/13/2007 06:25 AM | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) - C:\WINDOWS\system32\drivers\secdrv.sys

(smwdm) smwdm [On_Demand | Running]
[01/13/2004 07:40 PM | 00,612,032 | ---- | M] (Analog Devices, Inc.) - C:\WINDOWS\system32\drivers\smwdm.sys

(SynTP) Synaptics TouchPad Driver [On_Demand | Running]
[11/20/2003 06:15 PM | 00,178,528 | ---- | M] (Synaptics, Inc.) - C:\WINDOWS\system32\drivers\SynTP.sys

(tmactmon) tmactmon [Auto | Running]
[12/24/2007 05:37 PM | 00,052,496 | ---- | M] (Trend Micro Inc.) - C:\WINDOWS\system32\drivers\tmactmon.sys

(tmcomm) tmcomm [Auto | Running]
[12/24/2007 05:37 PM | 00,138,384 | ---- | M] (Trend Micro Inc.) - C:\WINDOWS\system32\drivers\tmcomm.sys

(tmevtmgr) tmevtmgr [Auto | Running]
[12/24/2007 05:37 PM | 00,052,240 | ---- | M] (Trend Micro Inc.) - C:\WINDOWS\system32\drivers\tmevtmgr.sys

(tmpreflt) tmpreflt [Auto | Running]
[07/18/2008 07:08 PM | 00,036,368 | ---- | M] (Trend Micro Inc.) - C:\WINDOWS\system32\drivers\tmpreflt.sys

(tmtdi) Trend Micro TDI Driver [System | Running]
[02/15/2008 11:37 PM | 00,065,936 | ---- | M] (Trend Micro Inc.) - C:\WINDOWS\system32\drivers\tmtdi.sys

(tmxpflt) tmxpflt [Auto | Running]
[07/18/2008 07:08 PM | 00,205,328 | ---- | M] (Trend Micro Inc.) - C:\WINDOWS\system32\drivers\tmxpflt.sys

(USBAAPL) Apple Mobile USB Driver [On_Demand | Stopped]
[07/10/2008 09:35 AM | 00,032,000 | ---- | M] (Apple, Inc.) - C:\WINDOWS\system32\drivers\usbaapl.sys

(vsapint) vsapint [Auto | Running]
[07/18/2008 06:51 PM | 01,195,448 | ---- | M] (Trend Micro Inc.) - C:\WINDOWS\system32\drivers\vsapint.sys

(w22n51) Intel® PRO/Wireless 2200 Adapter Driver [On_Demand | Running]
[01/02/2004 05:52 AM | 01,646,720 | ---- | M] (Intel® Corporation) - C:\WINDOWS\system32\drivers\w22n51.sys

(wanatw) WAN Miniport (ATW) [On_Demand | Stopped]
File not found - C:\WINDOWS\System32\DRIVERS\wanatw4.sys

(winachsf) winachsf [On_Demand | Running]
[10/14/2003 10:05 PM | 00,679,808 | ---- | M] (Conexant Systems, Inc.) - C:\WINDOWS\system32\drivers\HSF_CNXT.sys

===== Run Keys =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher" = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM | 00,039,792 | ---- | M] (Adobe Systems Incorporated)
"AirPort Base Station Agent" = "C:\Program Files\AirPort\APAgent.exe" [05/20/2008 03:17 PM | 00,737,280 | ---- | M] (Apple Inc.)
"AppleSyncNotifier" = C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [07/10/2008 09:47 AM | 00,116,040 | ---- | M] (Apple Inc.)
"Google Desktop Search" = "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [06/10/2008 04:09 PM | 00,029,744 | ---- | M] (Google)
"HP Software Update" = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [05/08/2007 04:24 PM | 00,054,840 | ---- | M] (Hewlett-Packard)
"igfxhkcmd" = C:\WINDOWS\system32\hkcmd.exe [02/07/2006 08:36 AM | 00,077,824 | ---- | M] (Intel Corporation)
"igfxpers" = C:\WINDOWS\system32\igfxpers.exe [02/07/2006 08:40 AM | 00,118,784 | ---- | M] (Intel Corporation)
"igfxtray" = C:\WINDOWS\system32\igfxtray.exe [02/07/2006 08:39 AM | 00,094,208 | ---- | M] (Intel Corporation)
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" [07/30/2008 10:47 AM | 00,289,064 | ---- | M] (Apple Inc.)
"PRONoMgr.exe" = C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe [12/10/2003 05:36 AM | 00,086,016 | ---- | M] (Intel® Corporation)
"QuickTime Task" = "C:\Program Files\QuickTime\QTTask.exe" -atboottime [05/27/2008 10:50 AM | 00,413,696 | ---- | M] (Apple Inc.)
"SynTPEnh" = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [11/20/2003 06:18 PM | 00,499,712 | ---- | M] (Synaptics, Inc.)
"SynTPLpr" = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [11/20/2003 06:19 PM | 00,098,304 | ---- | M] (Synaptics, Inc.)
"UfSeAgnt.exe" = "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [07/29/2008 02:57 PM | 01,398,024 | ---- | M] (Trend Micro Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Value load does not exist or could not be read.
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware" = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [08/26/2008 01:07 PM | 01,576,176 | ---- | M] (SUPERAntiSpyware.com)
"swg" = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [06/10/2008 04:09 PM | 00,068,856 | ---- | M] (Google Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-21-3422090608-1729408543-1775048222-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware" = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [08/26/2008 01:07 PM | 01,576,176 | ---- | M] (SUPERAntiSpyware.com)
"swg" = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [06/10/2008 04:09 PM | 00,068,856 | ---- | M] (Google Inc.)

[HKEY_USERS\S-1-5-21-3422090608-1729408543-1775048222-1003\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

===== Startup Folders =====

[All Users Startup Folder - C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
[05/11/2005 11:23 PM | 00,282,624 | ---- | M] (Hewlett-Packard Co.) - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[11/04/2004 07:50 PM | 00,053,248 | ---- | M] (Hewlett-Packard Co.) - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

[Default User Startup Folder - C:\Documents and Settings\Default User\Start Menu\Programs\Startup]

[Owner Startup Folder - C:\Documents and Settings\Owner\Start Menu\Programs\Startup]

===== BHO's =====

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
HKLM CLSID: (Adobe PDF Reader Link Helper) - [10/22/2006 11:08 PM | 00,062,080 | ---- | M] (Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
HKLM CLSID: (Google Toolbar Helper) - [06/10/2008 04:09 PM | 02,549,368 | R--- | M] (Google Inc.) c:\Program Files\Google\GoogleToolbar1.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
HKLM CLSID: (Google Toolbar Notifier BHO) - [07/29/2008 12:57 PM | 00,734,704 | ---- | M] (Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

===== Toolbars =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"
HKLM CLSID: (&Google) - [06/10/2008 04:09 PM | 02,549,368 | R--- | M] (Google Inc.) c:\Program Files\Google\GoogleToolbar1.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
HKLM CLSID: (Reg Error: Key does not exist or could not be opened.) - File not found Reg Error: Key does not exist or could not be opened.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
HKLM CLSID: (&Google) - [06/10/2008 04:09 PM | 02,549,368 | R--- | M] (Google Inc.) c:\Program Files\Google\GoogleToolbar1.dll

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
HKLM CLSID: (&Google) - [06/10/2008 04:09 PM | 02,549,368 | R--- | M] (Google Inc.) c:\Program Files\Google\GoogleToolbar1.dll

[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
HKLM CLSID: (&Google) - [06/10/2008 04:09 PM | 02,549,368 | R--- | M] (Google Inc.) c:\Program Files\Google\GoogleToolbar1.dll

[HKEY_USERS\S-1-5-21-3422090608-1729408543-1775048222-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
HKLM CLSID: (Reg Error: Key does not exist or could not be opened.) - File not found Reg Error: Key does not exist or could not be opened.

[HKEY_USERS\S-1-5-21-3422090608-1729408543-1775048222-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
HKLM CLSID: (&Google) - [06/10/2008 04:09 PM | 02,549,368 | R--- | M] (Google Inc.) c:\Program Files\Google\GoogleToolbar1.dll

===== Policies =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
Unable to open key or key not present!


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername" = 0
"legalnoticecaption" =
"legalnoticetext" =
"shutdownwithoutlogon" = 1
"undockwithoutlogon" = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145
"NoSaveSettings" = 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
Unable to open key or key not present!


[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
Unable to open key or key not present!


[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
Unable to open key or key not present!


[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
Unable to open key or key not present!


[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
Unable to open key or key not present!


[HKEY_USERS\S-1-5-21-3422090608-1729408543-1775048222-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145
"NoSaveSettings" = 0

[HKEY_USERS\S-1-5-21-3422090608-1729408543-1775048222-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
Unable to open key or key not present!


===== Desktop Components =====

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName" = "My Current Home Page"
"Source" = "About:Home"
"SubscribedURL" = "About:Home"

===== Shared Task Scheduler =====

===== AppInit_Dlls =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls]
"C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL" - [06/10/2008 04:09 PM | 00,112,128 | ---- | M] (Google) C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll

===== Lsa Authentication Packages =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages]
"C:\WINDOWS\system32\yayyVllM" - File not found

===== Lsa Security Packages =====

===== Authorized Applications List =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = C:\WINDOWS\system32\sessmgr.exe [08/04/2004 01:56 AM | 00,140,800 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = C:\WINDOWS\system32\sessmgr.exe [08/04/2004 01:56 AM | 00,140,800 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe [07/24/2007 03:17 PM | 00,229,376 | ---- | M] (Apple Inc.)
"C:\Program Files\AirPort\APAgent.exe" = C:\Program Files\AirPort\APAgent.exe [05/20/2008 03:17 PM | 00,737,280 | ---- | M] (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe [07/30/2008 10:47 AM | 20,252,968 | ---- | M] (Apple Inc.)

===== HKLM Winlogon Settings =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell]
"Explorer.exe" - [06/13/2007 06:23 AM | 01,033,216 | ---- | M] (Microsoft Corporation) C:\WINDOWS\explorer.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit]
"C:\WINDOWS\system32\userinit.exe" - [08/04/2004 01:56 AM | 00,024,576 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\userinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost]
"logonui.exe" - [08/04/2004 01:56 AM | 00,514,560 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\logonui.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
"rundll32 shell32" - [10/25/2007 11:36 PM | 08,454,656 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
"Control_RunDLL "sysdm.cpl"" - [08/04/2004 01:56 AM | 00,298,496 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\sysdm.cpl

===== User's Winlogon Settings =====

===== Winlogon Notify Settings =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
"DllName" = C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [08/26/2008 01:07 PM | 00,352,256 | ---- | M] (SUPERAntiSpyware.com)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
"DllName" = C:\WINDOWS\system32\igfxdev.dll [02/07/2006 08:35 AM | 00,139,264 | ---- | M] (Intel Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Sebring]
"DllName" = C:\WINDOWS\system32\LgNotify.dll [12/16/2003 07:49 PM | 00,110,592 | ---- | M] (Intel Corporation)

===== Safeboot Options =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = cmd.exe

===== Disabled MsConfig Items =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck]
"command" = C:\WINDOWS\system32\NeroCheck.exe [07/09/2001 06:50 AM | 00,155,648 | ---- | M] (Ahead Software Gmbh)
"item" = NeroFilterCheck
"inimapping" = 0
"hkey" = HKLM
"key" = Software\Microsoft\Windows\CurrentVersion\Run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RemoteControl]
"command" = C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [10/31/2003 10:42 PM | 00,032,768 | ---- | M] (Cyberlink Corp.)
"item" = RemoteControl
"inimapping" = 0
"hkey" = HKLM
"key" = Software\Microsoft\Windows\CurrentVersion\Run

===== DNS Name Servers =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{5E31996B-0F89-4058-811C-4AA14CD39DF4}]
Servers: | Description: Intel® PRO/Wireless 2200BG Network Connection

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{63D1FC3A-9990-492E-A116-CF4B3E4EB733}]
Servers: | Description: 1394 Net Adapter

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{8BD11811-DED8-427E-A88B-972686A6C494}]
Servers: | Description: Realtek RTL8139/810x Family Fast Ethernet NIC

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{C5A47A86-4660-4342-A7DF-BED79A54BB46}]
Servers: | Description: 1394 Net Adapter

===== CDRom AutoRun Settings =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

===== Autorun Files on Drives =====

AUTOEXEC.BAT []
[06/23/2004 01:39 PM | 00,000,000 | ---- | M] () C:\AUTOEXEC.BAT [ NTFS ]

===== MountPoints2 =====

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{46a389b0-3e01-11dd-8d65-00032520bb6e}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{46a389b0-3e01-11dd-8d65-00032520bb6e}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 11:36 PM | 08,454,656 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{46a389b0-3e01-11dd-8d65-00032520bb6e}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{76926d01-f699-11dc-8cef-00032520b44f}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{76926d01-f699-11dc-8cef-00032520b44f}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 11:36 PM | 08,454,656 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{76926d01-f699-11dc-8cef-00032520b44f}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a677f650-c9c1-11d8-88b8-00038a000015}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a677f650-c9c1-11d8-88b8-00038a000015}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 11:36 PM | 08,454,656 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a677f650-c9c1-11d8-88b8-00038a000015}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c50775-c53c-11d8-88b0-000325098867}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c50775-c53c-11d8-88b0-000325098867}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 11:36 PM | 08,454,656 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c50775-c53c-11d8-88b0-000325098867}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7c28841-c9eb-11d8-9cc1-806d6172696f}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7c28841-c9eb-11d8-9cc1-806d6172696f}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 11:36 PM | 08,454,656 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7c28841-c9eb-11d8-9cc1-806d6172696f}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}

===== Hosts File =====

HOSTS File = (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost



[Files/Folders - Created Within 30 days]
[08/16/2008 01:38 PM | ---D | C] - C:\Archive
[08/16/2008 02:04 PM | 10,386,02240 | -HS- | C] () - C:\hiberfil.sys
[08/28/2008 11:14 AM | 00,017,144 | ---- | C] (Malwarebytes Corporation) - C:\WINDOWS\System32\drivers\mbam.sys
[08/28/2008 11:14 AM | 00,038,472 | ---- | C] (Malwarebytes Corporation) - C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[1 C:\WINDOWS\System32\*.tmp files]
[08/15/2008 05:07 PM | 00,806,970 | -HS- | C] () - C:\WINDOWS\System32\MopqYcdd.ini2
[08/15/2008 05:07 PM | 00,807,148 | -HS- | C] () - C:\WINDOWS\System32\MopqYcdd.ini
[08/16/2008 09:34 AM | 00,000,345 | -HS- | C] () - C:\WINDOWS\System32\MllVyyay.ini2
[08/16/2008 09:34 AM | 00,777,227 | -HS- | C] () - C:\WINDOWS\System32\MllVyyay.ini
[08/16/2008 10:33 PM | 00,002,206 | ---- | C] () - C:\WINDOWS\System32\wpa.dbl
[08/16/2008 12:41 PM | ---D | C] - C:\WINDOWS\System32\SuperAdBlocker.com
[08/27/2008 02:10 PM | ---D | C] - C:\WINDOWS\System32\CatRoot_bak
[1 C:\WINDOWS\*.tmp files]
[08/16/2008 01:23 PM | ---D | C] - C:\WINDOWS\ERDNT
[08/08/2008 11:36 AM | 00,000,284 | ---- | C] () - C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At1.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At10.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At11.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At12.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At13.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At14.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At15.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At16.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At17.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At18.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At19.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At2.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At20.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At21.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At22.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At23.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At24.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At3.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At4.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At5.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At6.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At7.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At8.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At9.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At25.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At26.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At27.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At28.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At29.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At30.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At31.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At32.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At33.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At34.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At35.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At36.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At37.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At38.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At39.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At40.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At41.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At42.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At43.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At44.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At45.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At46.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At47.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | C] () - C:\WINDOWS\tasks\At48.job
[08/19/2008 02:52 PM | 00,000,330 | -H-- | C] () - C:\WINDOWS\tasks\MP Scheduled Scan.job
[08/15/2008 11:44 PM | ---D | C] - C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[08/28/2008 11:14 AM | ---D | C] - C:\Documents and Settings\All Users\Application Data\Malwarebytes
[08/15/2008 11:44 PM | ---D | C] - C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
[08/28/2008 11:15 AM | ---D | C] - C:\Documents and Settings\Owner\Application Data\Malwarebytes
[08/02/2008 07:12 PM | 00,060,928 | ---- | C] () - C:\Documents and Settings\Owner\My Documents\Joseph Johns Funeral Bulletin.doc
[08/02/2008 08:56 PM | 00,025,600 | ---- | C] () - C:\Documents and Settings\Owner\My Documents\Joe McCune Letters to Mark About Jesus Bible Verses.doc
[08/04/2008 10:01 AM | ---D | C] - C:\Documents and Settings\Owner\My Documents\Mt Calvary Crisis Documents
[08/08/2008 11:55 AM | 00,047,491 | ---- | C] () - C:\Documents and Settings\Owner\My Documents\PayPal Payment Details - Brown Death Messiah.pdf
[08/09/2008 08:11 PM | 00,026,112 | ---- | C] () - C:\Documents and Settings\Owner\My Documents\Well.doc
[08/20/2008 08:56 AM | ---D | C] - C:\Documents and Settings\Owner\My Documents\Missional Leadership
[08/28/2008 11:14 AM | 00,000,696 | ---- | C] () - C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[08/22/2008 04:55 PM | 00,001,740 | ---- | C] () - C:\Documents and Settings\Owner\Favorites\Desktop\HijackThis.lnk
[08/15/2008 11:42 PM | ---D | C] - C:\Program Files\Common Files\Wise Installation Wizard
[08/02/2008 08:46 PM | ---D | C] - C:\Program Files\iPod
[08/08/2008 11:35 AM | ---D | C] - C:\Program Files\Apple Software Update
[08/10/2008 09:06 PM | ---D | C] - C:\Program Files\Microsoft Silverlight
[08/15/2008 11:44 PM | ---D | C] - C:\Program Files\SUPERAntiSpyware
[08/19/2008 02:49 PM | ---D | C] - C:\Program Files\Windows Defender
[08/28/2008 11:14 AM | ---D | C] - C:\Program Files\Malwarebytes' Anti-Malware

[Files/Folders - Modified Within 30 days]
[08/16/2008 01:38 PM | ---D | M] - C:\Archive
[08/19/2008 02:49 PM | -H-D | M] - C:\Config.Msi
[08/28/2008 11:14 AM | R--D | M] - C:\Program Files
[08/28/2008 11:25 AM | 10,386,02240 | -HS- | M] () - C:\hiberfil.sys
[08/28/2008 11:25 AM | ---D | M] - C:\WINDOWS
[08/17/2008 03:01 PM | 00,017,144 | ---- | M] (Malwarebytes Corporation) - C:\WINDOWS\System32\drivers\mbam.sys
[08/17/2008 03:01 PM | 00,038,472 | ---- | M] (Malwarebytes Corporation) - C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[08/26/2008 12:01 PM | ---D | M] - C:\WINDOWS\System32\drivers\etc
[1 C:\WINDOWS\System32\*.tmp files]
[08/15/2008 11:43 PM | 00,806,970 | -HS- | M] () - C:\WINDOWS\System32\MopqYcdd.ini2
[08/15/2008 11:43 PM | 00,807,148 | -HS- | M] () - C:\WINDOWS\System32\MopqYcdd.ini
[08/16/2008 02:03 PM | ---D | M] - C:\WINDOWS\System32\wbem
[08/16/2008 02:04 PM | ---D | M] - C:\WINDOWS\System32\config
[08/16/2008 09:34 AM | 00,000,345 | -HS- | M] () - C:\WINDOWS\System32\MllVyyay.ini2
[08/16/2008 09:35 AM | 00,777,227 | -HS- | M] () - C:\WINDOWS\System32\MllVyyay.ini
[08/20/2008 09:50 PM | ---D | M] - C:\WINDOWS\System32\SuperAdBlocker.com
[08/27/2008 02:23 PM | ---D | M] - C:\WINDOWS\System32\CatRoot
[08/27/2008 02:23 PM | ---D | M] - C:\WINDOWS\System32\CatRoot_bak
[08/27/2008 04:06 PM | 00,002,206 | ---- | M] () - C:\WINDOWS\System32\wpa.dbl
[08/28/2008 11:08 AM | RHSD | M] - C:\WINDOWS\System32\dllcache
[08/28/2008 11:14 AM | ---D | M] - C:\WINDOWS\System32\drivers
[08/28/2008 11:28 AM | ---D | M] - C:\WINDOWS\System32\CatRoot2
[1 C:\WINDOWS\*.tmp files]
[08/15/2008 06:12 PM | 00,000,797 | ---- | M] () - C:\WINDOWS\win.ini
[08/15/2008 06:19 PM | ---D | M] - C:\WINDOWS\ie7updates
[08/15/2008 06:26 PM | 00,001,374 | ---- | M] () - C:\WINDOWS\imsins.BAK
[08/15/2008 06:26 PM | -H-D | M] - C:\WINDOWS\$hf_mig$
[08/16/2008 01:23 PM | ---D | M] - C:\WINDOWS\ERDNT
[08/16/2008 02:03 PM | ---D | M] - C:\WINDOWS\Registration
[08/18/2008 12:14 PM | --SD | M] - C:\WINDOWS\Downloaded Program Files
[08/19/2008 02:49 PM | -HSD | M] - C:\WINDOWS\Installer
[08/20/2008 09:50 PM | 00,002,229 | ---- | M] () - C:\WINDOWS\mozver.dat
[08/27/2008 02:10 PM | ---D | M] - C:\WINDOWS\Debug
[08/27/2008 02:10 PM | ---D | M] - C:\WINDOWS\Prefetch
[08/27/2008 04:02 PM | ---D | M] - C:\WINDOWS\Help
[08/27/2008 04:03 PM | ---D | M] - C:\WINDOWS\SoftwareDistribution
[08/28/2008 11:08 AM | -H-D | M] - C:\WINDOWS\inf
[08/28/2008 11:25 AM | 00,002,048 | --S- | M] () - C:\WINDOWS\bootstat.dat
[08/28/2008 11:28 AM | --SD | M] - C:\WINDOWS\Tasks
[08/28/2008 11:40 AM | ---D | M] - C:\WINDOWS\system32
[08/28/2008 11:40 AM | ---D | M] - C:\WINDOWS\Temp
[08/15/2008 02:19 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At1.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At2.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At3.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At4.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At5.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At6.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At7.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At8.job
[08/15/2008 02:19 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At9.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At25.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At26.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At27.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At28.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At29.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At30.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At31.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At32.job
[08/15/2008 02:46 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At33.job
[08/20/2008 08:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At21.job
[08/20/2008 08:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At45.job
[08/22/2008 05:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At18.job
[08/22/2008 05:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At42.job
[08/22/2008 10:00 AM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At11.job
[08/22/2008 10:00 AM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At35.job
[08/22/2008 11:00 AM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At12.job
[08/22/2008 11:00 AM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At36.job
[08/23/2008 05:23 PM | 00,000,284 | ---- | M] () - C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[08/23/2008 06:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At19.job
[08/23/2008 06:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At43.job
[08/23/2008 07:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At20.job
[08/23/2008 07:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At44.job
[08/23/2008 09:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At22.job
[08/23/2008 09:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At46.job
[08/23/2008 10:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At23.job
[08/23/2008 10:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At47.job
[08/24/2008 09:00 AM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At10.job
[08/24/2008 09:00 AM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At34.job
[08/24/2008 11:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At24.job
[08/24/2008 11:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At48.job
[08/26/2008 01:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At14.job
[08/26/2008 01:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At38.job
[08/26/2008 02:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At15.job
[08/26/2008 02:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At39.job
[08/26/2008 03:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At16.job
[08/26/2008 03:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At40.job
[08/27/2008 04:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At17.job
[08/27/2008 04:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At41.job
[08/27/2008 12:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At13.job
[08/27/2008 12:00 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\tasks\At37.job
[08/28/2008 11:25 AM | 00,000,006 | -H-- | M] () - C:\WINDOWS\tasks\SA.DAT
[08/28/2008 11:28 AM | 00,000,330 | -H-- | M] () - C:\WINDOWS\tasks\MP Scheduled Scan.job
[08/15/2008 11:44 PM | ---D | M] - C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[08/19/2008 02:49 PM | --SD | M] - C:\Documents and Settings\All Users\Application Data\Microsoft
[08/26/2008 11:22 AM | ---D | M] - C:\Documents and Settings\All Users\Application Data\Google Updater
[08/28/2008 11:14 AM | ---D | M] - C:\Documents and Settings\All Users\Application Data\Malwarebytes
[08/15/2008 11:44 PM | ---D | M] - C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
[08/16/2008 09:06 AM | ---D | M] - C:\Documents and Settings\Owner\Application Data\Apple Computer
[08/28/2008 11:15 AM | ---D | M] - C:\Documents and Settings\Owner\Application Data\Malwarebytes
[08/19/2008 02:49 PM | ---D | M] - C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft
[08/22/2008 01:08 PM | ---D | M] - C:\Documents and Settings\Owner\Local Settings\Application Data\CutePDF Writer
[08/28/2008 11:24 AM | 09,097,254 | -H-- | M] () - C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[08/28/2008 11:25 AM | ---D | M] - C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory
[08/02/2008 07:12 PM | 00,060,928 | ---- | M] () - C:\Documents and Settings\Owner\My Documents\Joseph Johns Funeral Bulletin.doc
[08/02/2008 08:56 PM | 00,025,600 | ---- | M] () - C:\Documents and Settings\Owner\My Documents\Joe McCune Letters to Mark About Jesus Bible Verses.doc
[08/08/2008 11:55 AM | 00,047,491 | ---- | M] () - C:\Documents and Settings\Owner\My Documents\PayPal Payment Details - Brown Death Messiah.pdf
[08/10/2008 12:04 AM | 00,026,112 | ---- | M] () - C:\Documents and Settings\Owner\My Documents\Well.doc
[08/19/2008 03:13 PM | ---D | M] - C:\Documents and Settings\Owner\My Documents\Sermons
[08/19/2008 11:11 PM | ---D | M] - C:\Documents and Settings\Owner\My Documents\My Received Files
[08/22/2008 05:21 PM | ---D | M] - C:\Documents and Settings\Owner\My Documents\Missional Leadership
[08/22/2008 10:56 PM | ---D | M] - C:\Documents and Settings\Owner\My Documents\Mt Calvary Crisis Documents
[08/22/2008 12:50 PM | ---D | M] - C:\Documents and Settings\Owner\My Documents\Parish Reports
[08/24/2008 09:07 AM | ---D | M] - C:\Documents and Settings\Owner\My Documents\Youth
[08/25/2008 12:23 AM | ---D | M] - C:\Documents and Settings\Owner\My Documents\Newsletter Articles
[08/28/2008 11:14 AM | 00,000,696 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[08/22/2008 04:55 PM | 00,001,740 | ---- | M] () - C:\Documents and Settings\Owner\Favorites\Desktop\HijackThis.lnk
[08/15/2008 11:42 PM | ---D | M] - C:\Program Files\Common Files\Wise Installation Wizard

< End of report >


OT View It Extras Log

OTViewIt Extras logfile created on: 8/28/2008 11:41:59 AM - Run 1
OTViewIt by OldTimer - Version 1.0.0.14 Folder = C:\Documents and Settings\Owner\My Documents\My Received Files\Software Packages
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

990.42 Mb Total Physical Memory | 516.05 Mb Available Physical Memory | 52.10% Memory free
2.33 Gb Paging File | 1.87 Gb Available in Paging File | 80.27% Paging File free
Paging file location(s): C:\pagefile.sys 1488 2976;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 128.00 Gb Total Space | 109.81 Gb Free Space | 85.79% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

===== File Associations =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] - File not found -
.cmd [@ = cmdfile] - File not found -
.com [@ = comfile] - File not found -
.exe [@ = exefile] - File not found -
.html [@ = FirefoxHTML] - [07/16/2008 05:54 PM | 07,667,312 | ---- | M] (Mozilla Corporation) - C:\Program Files\Mozilla Firefox\firefox.exe
.pif [@ = piffile] - File not found -
.scr [@ = scrfile] - File not found -

===== Uninstall List =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}" = MSXML 6.0 Parser (KB933579)
"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan
"{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}" = Security Update for CAPICOM (KB931906)
"{0FF18B53-CA57-40BB-B562-21A27B662005}" = 1600
"{14BEB6DF-A499-4A38-8E06-E173BCD5C087}" = ScannerCopy
"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax
"{19991EAD-C273-47EB-87E8-0D274925230B}" = OEB Resource Driver
"{1AD5F465-8282-4DAD-B957-E09C0B783D18}" = InstantShare
"{1B680FBA-E317-4E93-AF43-3B59798A4BE0}" = Copy
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{272EC8BA-5A08-4ea1-A189-684466A06B02}" = cp_dwShrek2Albums1
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3762DB2D-71BD-421F-9E55-C74DA7DF4D07}" = CueTour
"{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}" = ProductContext
"{3C0BAFCA-BDB8-492B-8845-DC0A4B4C1823}" = HPDeskjet5400Series
"{3DE0053C-FD9A-483E-B7C9-B06E4392206E}" = iTunes
"{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme
"{45EBDA59-D33B-433A-956E-B2F236468B56}" = MUSICMATCH® Jukebox
"{47BF1BD6-DCAC-
  • 0

#4
pdatrinity
Posted 28 August 2008 - 12:51 PM

pdatrinity

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
It appears that the "Extras" file was cut off. Here is the full file.

Take your time responding, if it takes a while I won't be upset.

Thanks again for your help.

Peter



OTViewIt Extras logfile created on: 8/28/2008 11:41:59 AM - Run 1
OTViewIt by OldTimer - Version 1.0.0.14 Folder = C:\Documents and Settings\Owner\My Documents\My Received Files\Software Packages
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

990.42 Mb Total Physical Memory | 516.05 Mb Available Physical Memory | 52.10% Memory free
2.33 Gb Paging File | 1.87 Gb Available in Paging File | 80.27% Paging File free
Paging file location(s): C:\pagefile.sys 1488 2976;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 128.00 Gb Total Space | 109.81 Gb Free Space | 85.79% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

===== File Associations =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] - File not found -
.cmd [@ = cmdfile] - File not found -
.com [@ = comfile] - File not found -
.exe [@ = exefile] - File not found -
.html [@ = FirefoxHTML] - [07/16/2008 05:54 PM | 07,667,312 | ---- | M] (Mozilla Corporation) - C:\Program Files\Mozilla Firefox\firefox.exe
.pif [@ = piffile] - File not found -
.scr [@ = scrfile] - File not found -

===== Uninstall List =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}" = MSXML 6.0 Parser (KB933579)
"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan
"{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}" = Security Update for CAPICOM (KB931906)
"{0FF18B53-CA57-40BB-B562-21A27B662005}" = 1600
"{14BEB6DF-A499-4A38-8E06-E173BCD5C087}" = ScannerCopy
"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax
"{19991EAD-C273-47EB-87E8-0D274925230B}" = OEB Resource Driver
"{1AD5F465-8282-4DAD-B957-E09C0B783D18}" = InstantShare
"{1B680FBA-E317-4E93-AF43-3B59798A4BE0}" = Copy
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{272EC8BA-5A08-4ea1-A189-684466A06B02}" = cp_dwShrek2Albums1
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3762DB2D-71BD-421F-9E55-C74DA7DF4D07}" = CueTour
"{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}" = ProductContext
"{3C0BAFCA-BDB8-492B-8845-DC0A4B4C1823}" = HPDeskjet5400Series
"{3DE0053C-FD9A-483E-B7C9-B06E4392206E}" = iTunes
"{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme
"{45EBDA59-D33B-433A-956E-B2F236468B56}" = MUSICMATCH® Jukebox
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour
"{49C88E44-1B38-4FC6-824E-2BDA3063B0E3}" = Apple Mobile Device Support
"{49FC50FC-F965-40D9-89B4-CBFF80941033}" = Windows Movie Maker 2.0
"{5380063E-2909-4d72-BFA3-625881F2E78B}" = Intel® PROSet for Wireless
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{599858EA-0422-481D-944A-DA049C626A25}" = AirPort
"{5B622B7A-60FB-4630-B11D-F121D20BCCD6}" = MarketResearch
"{5E8D588F-307C-4250-B622-26969027319A}" = PanoStandAlone
"{5F26311C-B135-4F7F-B11E-8E650F83651E}" = DeviceFunctionQFolder
"{5F81DD84-6A2F-11D4-903E-00E0293397B7}" = Bible Data Type System Files
"{5F81DD89-6A2F-11D4-903E-00E0293397B7}" = Common System Files
"{5F81DD92-6A2F-11D4-903E-00E0293397B7}" = Libronix Digital Library System
"{5F81DD97-6A2F-11D4-903E-00E0293397B7}" = Libronix DLS Application
"{5F81DD9B-6A2F-11D4-903E-00E0293397B7}" = LibronixUpdate
"{5F81DD9F-6A2F-11D4-903E-00E0293397B7}" = LLS Resource Driver
"{5F81DDA3-6A2F-11D4-903E-00E0293397B7}" = PDF Resource Driver
"{644D04A2-C682-4FD5-977D-03B804C4B9C5}" = CreativeProjects
"{646A65DD-23FC-418E-B9F0-E0500FB42CB1}" = PhotoGallery
"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6846389C-BAC0-4374-808E-B120F86AF5D7}" = Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{718D791F-F4E8-4aa7-98A6-15FDED17BDD0}" = Trend Micro AntiVirus
"{724517BD-1DE1-4986-BFCA-C1DFD379E3BC}" = cp_dwShrek2Cards1
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{72CB5335-6D2A-4207-B811-6CB6C6925039}" = Batch Update
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}" = HPSystemDiagnostics
"{84CDF5A8-1D57-4B69-BAB6-1F11D8923375}" = SkinsHP1
"{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{8BC3B99B-A6BE-4A0B-8535-B1B94BA4B1B1}" = DocProc
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A5B9D22C-755A-4AC6-9904-875E80838BB6}" = CP_AtenaShokunin1Config
"{A621B45A-D138-4A95-BE10-7CABA05EF94E}" = Trend Micro AntiVirus
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AC76BA86-7AD7-1033-7B44-A81200000003}_Adobe Reader 8.1.2" = Adobe Reader 8.1.2 Security Update 1 (KB403742)
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B8DBED1E-8BC3-4d08-B94A-F9D7D88E9BBF}" = HPSSupply
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C04E32E0-0416-434D-AFB9-6969D703A9EF}" = MSXML 4.0 SP2 (KB936181)
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
"{CA0AF735-4583-413E-897F-E91A237EE2E1}" = Libronix DLS Shortcuts
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB449D5A-7710-47aa-B9F5-352B877C90E6}" = 1600_Help
"{CC351B44-5610-43C5-81E6-A2C760CB0A20}" = Graphical Query Editor
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE0C8CC5-E396-442B-A50E-D1D374A9E820}" = DocumentViewer
"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" = Google Toolbar for Internet Explorer
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{EB57A16E-500D-43d7-85B9-FBE279EBBA6E}" = HP Deskjet 5400 series
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"{F4C6CC40-1142-49be-A28C-7BBD36F0B41A}" = 1600Trb
"{F5CD130F-5789-4D38-8762-FFBEBA896805}" = BibleWorks 6
"{FC22D020-3005-4715-8DF9-F3EDE81DEB3D}" = CreativeProjectsTemplates
"{FE64AE29-0883-4C70-8388-DC026019C900}" = HP Image Zone Express
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_2030161F" = SoftK56 Data Fax Modem
"CutePDF Writer Installation" = CutePDF Writer 2.7
"Google Desktop" = Google Desktop
"Google Updater" = Google Updater
"HijackThis" = HijackThis 2.0.2
"HP Imaging Device Functions" = HP Imaging Device Functions 5.0
"HP Photo & Imaging" = HP Image Zone 4.7
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.0
"HPExtendedCapabilities" = HP Extended Capabilities 5.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"KB873333" = Windows XP Hotfix - KB873333
"KB873339" = Windows XP Hotfix - KB873339
"KB885835" = Windows XP Hotfix - KB885835
"KB885836" = Windows XP Hotfix - KB885836
"KB886185" = Windows XP Hotfix - KB886185
"KB887472" = Windows XP Hotfix - KB887472
"KB887742" = Windows XP Hotfix - KB887742
"KB888302" = Windows XP Hotfix - KB888302
"KB890859" = Windows XP Hotfix - KB890859
"KB891781" = Windows XP Hotfix - KB891781
"KB892130" = Windows Genuine Advantage Validation Tool (KB892130)
"KB893756" = Security Update for Windows XP (KB893756)
"KB893803v2" = Windows Installer 3.1 (KB893803)
"KB894391" = Update for Windows XP (KB894391)
"KB896358" = Security Update for Windows XP (KB896358)
"KB896423" = Security Update for Windows XP (KB896423)
"KB896428" = Security Update for Windows XP (KB896428)
"KB898458" = Security Update for Step By Step Interactive Training (KB898458)
"KB898461" = Update for Windows XP (KB898461)
"KB899587" = Security Update for Windows XP (KB899587)
"KB899588" = Security Update for Windows XP (KB899588)
"KB899591" = Security Update for Windows XP (KB899591)
"KB900485" = Update for Windows XP (KB900485)
"KB900725" = Security Update for Windows XP (KB900725)
"KB901017" = Security Update for Windows XP (KB901017)
"KB901214" = Security Update for Windows XP (KB901214)
"KB902400" = Security Update for Windows XP (KB902400)
"KB904706" = Security Update for Windows XP (KB904706)
"KB905414" = Security Update for Windows XP (KB905414)
"KB905749" = Security Update for Windows XP (KB905749)
"KB908519" = Security Update for Windows XP (KB908519)
"KB908531" = Update for Windows XP (KB908531)
"KB910437" = Update for Windows XP (KB910437)
"KB911280" = Update for Windows XP (KB911280)
"KB911562" = Security Update for Windows XP (KB911562)
"KB911564" = Security Update for Windows Media Player (KB911564)
"KB911927" = Security Update for Windows XP (KB911927)
"KB913580" = Security Update for Windows XP (KB913580)
"KB914388" = Security Update for Windows XP (KB914388)
"KB914389" = Security Update for Windows XP (KB914389)
"KB915865" = Hotfix for Windows XP (KB915865)
"KB916595" = Update for Windows XP (KB916595)
"KB917953" = Security Update for Windows XP (KB917953)
"KB918118" = Security Update for Windows XP (KB918118)
"KB918439" = Security Update for Windows XP (KB918439)
"KB919007" = Security Update for Windows XP (KB919007)
"KB920213" = Security Update for Windows XP (KB920213)
"KB920670" = Security Update for Windows XP (KB920670)
"KB920683" = Security Update for Windows XP (KB920683)
"KB920685" = Security Update for Windows XP (KB920685)
"KB920872" = Update for Windows XP (KB920872)
"KB921398" = Security Update for Windows XP (KB921398)
"KB921503" = Security Update for Windows XP (KB921503)
"KB922120" = Update for Windows XP (KB922120)
"KB922582" = Update for Windows XP (KB922582)
"KB922616" = Security Update for Windows XP (KB922616)
"KB922819" = Security Update for Windows XP (KB922819)
"KB923191" = Security Update for Windows XP (KB923191)
"KB923414" = Security Update for Windows XP (KB923414)
"KB923689" = Security Update for Windows XP (KB923689)
"KB923789" = Security Update for Windows XP (KB923789)
"KB923980" = Security Update for Windows XP (KB923980)
"KB924270" = Security Update for Windows XP (KB924270)
"KB924496" = Security Update for Windows XP (KB924496)
"KB924667" = Security Update for Windows XP (KB924667)
"KB925398_WMP64" = Security Update for Windows Media Player 6.4 (KB925398)
"KB925720" = Update for Windows XP (KB925720)
"KB925902" = Security Update for Windows XP (KB925902)
"KB926239" = Hotfix for Windows XP (KB926239)
"KB926255" = Security Update for Windows XP (KB926255)
"KB926436" = Security Update for Windows XP (KB926436)
"KB927779" = Security Update for Windows XP (KB927779)
"KB927802" = Security Update for Windows XP (KB927802)
"KB927891" = Update for Windows XP (KB927891)
"KB928089" = Update for Windows Internet Explorer 7 (KB928089)
"KB928255" = Security Update for Windows XP (KB928255)
"KB928843" = Security Update for Windows XP (KB928843)
"KB929123" = Security Update for Windows XP (KB929123)
"KB929338" = Update for Windows XP (KB929338)
"KB929399" = Hotfix for Windows Media Format 11 SDK (KB929399)
"KB930178" = Security Update for Windows XP (KB930178)
"KB930916" = Update for Windows XP (KB930916)
"KB931261" = Security Update for Windows XP (KB931261)
"KB931678-v2" = Hotfix for Windows XP (KB931678-v2)
"KB931784" = Security Update for Windows XP (KB931784)
"KB931906" = Security Update for CAPICOM (KB931906)
"KB932168" = Security Update for Windows XP (KB932168)
"KB932823-v2" = Hotfix for Windows XP (KB932823-v2)
"KB932823-v3" = Update for Windows XP (KB932823-v3)
"KB933360" = Update for Windows XP (KB933360)
"KB933729" = Security Update for Windows XP (KB933729)
"KB934428-v3" = Hotfix for Windows XP (KB934428-v3)
"KB935839" = Security Update for Windows XP (KB935839)
"KB935840" = Security Update for Windows XP (KB935840)
"KB936021" = Security Update for Windows XP (KB936021)
"KB936357" = Update for Windows XP (KB936357)
"KB936357-v2" = Hotfix for Windows XP (KB936357-v2)
"KB936782_WMP11" = Security Update for Windows Media Player 11 (KB936782)
"KB937894" = Security Update for Windows XP (KB937894)
"KB938127-IE7" = Security Update for Windows Internet Explorer 7 (KB938127)
"KB938828" = Update for Windows XP (KB938828)
"KB938829" = Security Update for Windows XP (KB938829)
"KB939683" = Hotfix for Windows Media Player 11 (KB939683)
"KB941202" = Security Update for Windows XP (KB941202)
"KB941568" = Security Update for Windows XP (KB941568)
"KB941569" = Security Update for Windows XP (KB941569)
"KB941644" = Security Update for Windows XP (KB941644)
"KB942615" = Security Update for Windows XP (KB942615)
"KB942615-IE7" = Security Update for Windows Internet Explorer 7 (KB942615)
"KB942763" = Update for Windows XP (KB942763)
"KB942840" = Update for Windows XP (KB942840)
"KB943055" = Security Update for Windows XP (KB943055)
"KB943460" = Security Update for Windows XP (KB943460)
"KB943485" = Security Update for Windows XP (KB943485)
"KB944533-IE7" = Security Update for Windows Internet Explorer 7 (KB944533)
"KB944653" = Security Update for Windows XP (KB944653)
"KB945007" = Update for Windows XP (KB945007)
"KB945007-IE7" = Update for Windows Internet Explorer 7 (KB945007)
"KB946026" = Security Update for Windows XP (KB946026)
"KB946627" = Update for Windows XP (KB946627)
"KB946648" = Security Update for Windows XP (KB946648)
"KB948881" = Security Update for Windows XP (KB948881)
"KB950749" = Security Update for Windows XP (KB950749)
"KB950759-IE7" = Security Update for Windows Internet Explorer 7 (KB950759)
"KB950760" = Security Update for Windows XP (KB950760)
"KB950762" = Security Update for Windows XP (KB950762)
"KB950974" = Security Update for Windows XP (KB950974)
"KB951066" = Security Update for Windows XP (KB951066)
"KB951072-v2" = Update for Windows XP (KB951072-v2)
"KB951376" = Security Update for Windows XP (KB951376)
"KB951376-v2" = Security Update for Windows XP (KB951376-v2)
"KB951698" = Security Update for Windows XP (KB951698)
"KB951748" = Security Update for Windows XP (KB951748)
"KB952287" = Hotfix for Windows XP (KB952287)
"KB952954" = Security Update for Windows XP (KB952954)
"KB953838-IE7" = Security Update for Windows Internet Explorer 7 (KB953838)
"KB953839" = Security Update for Windows XP (KB953839)
"Libronix DLS" = Libronix Digital Library System
"M928366" = Microsoft .NET Framework 1.1 Hotfix (KB928366)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (2.0.0.16)" = Mozilla Firefox (2.0.0.16)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Nero OEM
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"RealPlayer 6.0" = RealPlayer Basic
"Shop for HP Supplies" = Shop for HP Supplies
"StreetPlugin" = Learn2 Player (Uninstall Only)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"ViewpointMediaPlayer" = Viewpoint Media Player
"Virtools3DLifePlayer" = Virtools 3D Life Player
"WGA" = Windows Genuine Advantage Validation Tool (KB892130)
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 2
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

===== Uninstall List =====


===== Uninstall List =====


===== Uninstall List =====


===== Uninstall List =====


===== Uninstall List =====


===== Uninstall List =====


===== Winsock2 Catalogs =====

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - [07/24/2007 03:17 PM | 00,147,456 | ---- | M] (Apple Inc.) C:\Program Files\Bonjour\mdnsNSP.dll

===== Protocol Defaults =====


===== Protocol Defaults =====


===== Protocol Defaults =====


[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell - shell protocol not assigned

===== Protocol Defaults =====


[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell - shell protocol not assigned

===== Protocol Defaults =====


[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell - shell protocol not assigned

===== Protocol Defaults =====


[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell - shell protocol not assigned

===== Protocol Defaults =====


===== Protocol Handlers =====

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

lbxfile:{56831180-F115-11d2-B6AA-00104B2B9943} [HKLM - Libronix File Protocol]
[12/10/2007 06:01 PM | 00,201,992 | ---- | M] (Libronix Corporation) C:\Program Files\Libronix DLS\System\FileProt.dll

lbxres:{24508F1B-9E94-40EE-9759-9AF5795ADF52} [HKLM - Libronix ResProtocol]
[12/10/2007 06:02 PM | 00,136,456 | ---- | M] (Libronix Corporation) C:\Program Files\Libronix DLS\System\ResProt.dll
msdaipp: [HKLM - No CLSID value]

===== Protocol Filters =====

< End of report >
  • 0

#5
Stamper19
Posted 28 August 2008 - 02:37 PM

Stamper19

    Expert

  • Expert
  • 1,992 posts
Hi pdatrinity,

Happy to help out :)

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#6
pdatrinity
Posted 28 August 2008 - 08:29 PM

pdatrinity

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi Stamper 19:

Thanks for your help.

I did run combofix. It did restart my computer. It also seems to have reset some of the stuff on my computer (things that are no longer pegged to the start menu, my default browser changed). This particular program really made me nervous. It seemed to be doing a lot of stuff.

Here is the log that combofix produced.

Peter

ComboFix 08-08-28.04 - Owner 2008-08-28 22:12:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.504 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\My Documents\My Received Files\Software Packages\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\#SharedObjects\VQUMVUSW\interclick.com
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\#SharedObjects\VQUMVUSW\interclick.com\ud.sol
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\3HS49WKL\bin.clearspring.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\3HS49WKL\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\3HS49WKL\interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\3HS49WKL\interclick.com\ud.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\MllVyyay.ini
C:\WINDOWS\system32\MllVyyay.ini2
C:\WINDOWS\system32\MopqYcdd.ini
C:\WINDOWS\system32\MopqYcdd.ini2

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-28 11:15 . 2008-08-28 11:15 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-28 11:14 . 2008-08-28 11:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-28 11:14 . 2008-08-28 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-28 11:14 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-28 11:14 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-27 16:02 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-27 14:10 . 2008-08-27 14:23 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-19 14:49 . 2008-08-19 14:49 <DIR> d-------- C:\Program Files\Windows Defender
2008-08-16 22:33 . 2008-08-27 16:06 2,206 --a------ C:\WINDOWS\system32\wpa.dbl
2008-08-16 13:38 . 2008-08-16 13:38 <DIR> d-------- C:\Archive
2008-08-16 12:41 . 2008-08-20 21:50 <DIR> d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2008-08-15 23:44 . 2008-08-26 13:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-15 23:44 . 2008-08-15 23:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-08-15 23:44 . 2008-08-15 23:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-15 23:42 . 2008-08-15 23:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-15 12:21 . 2008-05-01 10:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-10 21:06 . 2008-08-10 21:06 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-08 11:35 . 2008-08-08 11:35 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-02 20:46 . 2008-08-02 20:46 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 18:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-16 17:24 --------- d-----w C:\Program Files\Trend Micro
2008-08-16 13:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-08-03 00:46 --------- d-----w C:\Program Files\iTunes
2008-07-19 01:52 --------- d-----w C:\Program Files\QuickTime
2008-07-18 23:08 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-07-18 23:08 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-07-18 22:51 1,195,448 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-01 15:20 --------- d-----w C:\Program Files\MSXML 4.0
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-10 16:09 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-26 13:07 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 05:36 86016]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-11-20 18:19 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-20 18:18 499712]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 14:57 1398024]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-07 08:39 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-07 08:36 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 08:40 118784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-10 16:09 29744]
"AirPort Base Station Agent"="C:\Program Files\AirPort\APAgent.exe" [2008-05-20 15:17 737280]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-26 13:07 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 19:49 110592 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 06:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 22:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\AirPort\\APAgent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour

R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\system32\DRIVERS\rmedia.sys [2003-10-20 22:09]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-06-10 16:09]
.
Contents of the 'Scheduled Tasks' folder

2008-08-23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-29 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\9mymcq2t.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://cm.my.yahoo.com/?rd=nux
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 22:18:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-28 22:22:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-29 02:22:07

Pre-Run: 117,824,172,032 bytes free
Post-Run: 117,737,291,776 bytes free

160 --- E O F --- 2008-08-27 19:52:48
  • 0

#7
pdatrinity
Posted 28 August 2008 - 08:38 PM

pdatrinity

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I forgot to post the HijackThis Log in the last post. Here it is

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:07 PM, on 8/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/?rd=nux
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1206019659008
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7359 bytes
  • 0

#8
Stamper19
Posted 29 August 2008 - 05:30 AM

Stamper19

    Expert

  • Expert
  • 1,992 posts
Hi pdatrinity,

Combofix is a very powerful tool, and as you point out it does a lot of things while it works. However, it is also an extremely effective tool for dealing with many serious infections -- it actually removed a good deal of malware that was on your system. No need to be nervous. While the tool must be respected, and should never be used by someone untrained in doing so, trained malware technicians very very rarely have an issue with it.

We need to get your recovery console installed -- this is important for general Windows repair. Should anything ever go wrong with your system having recovery console installed can be the difference between fixing it and formatting. One this is done we will clear out the rest of the malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System (for you it is the one for Service Pack 2).


Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Posted Image


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
  • 0

#9
pdatrinity
Posted 29 August 2008 - 08:03 AM

pdatrinity

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi Stamper19:

I'm still a little shocked. I honestly thought that my system was pretty clean when I posted my original HJ log. Since the system was running fine.

I have downloaded the Microsoft disk image. However, your instructions say "do not reboot the machine until we have reviewed the log."

So while normally I would just follow your directions and post and stuff, I wanted to make sure you were available to review the log.

My PC is a laptop and I am a multi-site worker, so not rebooting is actually a big deal.

Should I do this now, or should I wait until Tuesday (I should be in one place for a relatively long time then)?

Thanks,

Peter
  • 0

#10
Stamper19
Posted 29 August 2008 - 09:04 AM

Stamper19

    Expert

  • Expert
  • 1,992 posts

I'm still a little shocked. I honestly thought that my system was pretty clean when I posted my original HJ log. Since the system was running fine.

We are primarily dealing with leftovers at this point, so while not totally clean, your machine was not terribly infected either. We will still need to run some scans to make sure there is nothing hiding, so to speak.

I have downloaded the Microsoft disk image. However, your instructions say "do not reboot the machine until we have reviewed the log."

So while normally I would just follow your directions and post and stuff, I wanted to make sure you were available to review the log.

My PC is a laptop and I am a multi-site worker, so not rebooting is actually a big deal.

Should I do this now, or should I wait until Tuesday (I should be in one place for a relatively long time then)?

If you do it now I will try to check quickly and give you the OK to shut down the machine. However, I will not be able to post additional instructions beyond that until later today.

Edited by Stamper19, 29 August 2008 - 09:04 AM.

  • 0

Advertisements

#11
pdatrinity
Posted 29 August 2008 - 10:12 AM

pdatrinity

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi Stamper19:

Thanks for your prompt and direct response. Unfortunately, the internet went down at the office I was at. I'm at my main office now and will be writing my sermon this afternoon, so I'll be around whenever you get to me.

I followed your instructions. Unfortunately, no CF_RC.txt file opened for me. I used the windows search feature and could not find it in all folders, including hidden files and folders. I even searched for just "CF" and "CF*.txt" and it didn't come up.

Here is the standard combofix log that appeared when the scan finished.

ComboFix 08-08-28.04 - Owner 2008-08-29 11:56:49.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.504 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\My Documents\My Received Files\Software Packages\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\My Documents\My Received Files\Software Packages\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-28 11:15 . 2008-08-28 11:15 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-28 11:14 . 2008-08-28 11:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-28 11:14 . 2008-08-28 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-28 11:14 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-28 11:14 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-27 16:02 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-27 14:10 . 2008-08-27 14:23 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-19 14:49 . 2008-08-19 14:49 <DIR> d-------- C:\Program Files\Windows Defender
2008-08-16 22:33 . 2008-08-27 16:06 2,206 --a------ C:\WINDOWS\system32\wpa.dbl
2008-08-16 13:38 . 2008-08-16 13:38 <DIR> d-------- C:\Archive
2008-08-16 12:41 . 2008-08-20 21:50 <DIR> d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2008-08-15 23:44 . 2008-08-26 13:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-15 23:44 . 2008-08-15 23:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-08-15 23:44 . 2008-08-15 23:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-15 23:42 . 2008-08-15 23:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-15 12:21 . 2008-05-01 10:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-10 21:06 . 2008-08-10 21:06 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-08 11:35 . 2008-08-08 11:35 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-02 20:46 . 2008-08-02 20:46 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 18:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-16 17:24 --------- d-----w C:\Program Files\Trend Micro
2008-08-16 13:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-08-03 00:46 --------- d-----w C:\Program Files\iTunes
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-19 01:52 --------- d-----w C:\Program Files\QuickTime
2008-07-18 23:08 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-07-18 23:08 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-07-18 22:51 1,195,448 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-01 15:20 --------- d-----w C:\Program Files\MSXML 4.0
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-10 16:09 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-26 13:07 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 05:36 86016]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-11-20 18:19 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-20 18:18 499712]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 14:57 1398024]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-07 08:39 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-07 08:36 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 08:40 118784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-10 16:09 29744]
"AirPort Base Station Agent"="C:\Program Files\AirPort\APAgent.exe" [2008-05-20 15:17 737280]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-26 13:07 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 19:49 110592 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 06:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 22:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\AirPort\\APAgent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour

R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\system32\DRIVERS\rmedia.sys [2003-10-20 22:09]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-06-10 16:09]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-29 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\9mymcq2t.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://cm.my.yahoo.com/?rd=nux
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 11:59:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-29 12:01:27
ComboFix-quarantined-files.txt 2008-08-29 16:01:16
ComboFix2.txt 2008-08-29 02:22:14

Pre-Run: 117,702,217,728 bytes free
Post-Run: 117,673,172,992 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

143 --- E O F --- 2008-08-27 19:52:48
  • 0

#12
Stamper19
Posted 29 August 2008 - 10:35 AM

Stamper19

    Expert

  • Expert
  • 1,992 posts
Hi pdatrinity,

Thanks for your prompt and direct response

You are very welcome :)

That log looks good - you can feel free to shut down or reboot your machine. I will post additional instructions later on today.
  • 0

#13
Stamper19
Posted 29 August 2008 - 06:43 PM

Stamper19

    Expert

  • Expert
  • 1,992 posts
Hi pdatrinity,

Now that we have the recovery console installed, lets check to see if there are any remaining malware traces hiding out.

----------------------------------------------------------------

Please clean out your temp files.

Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu..

----------------------------------------------------------------

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u7-windows-i586-p.exe and select "Run as an Administrator.")

----------------------------------------------------------------

Information to include in your next post:
  • Kapersky Scan Log

  • 0

#14
pdatrinity
Posted 02 September 2008 - 03:16 PM

pdatrinity

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hello Stamper19:

I hope you had a good holiday weekend (although I know a lot of IT professionals, if you are one, end up working on long weekends).

I have loaded the Java Runtime environment and completed the kaspersky scan. Here is the log.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, September 2, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, September 02, 2008 18:50:05
Records in database: 1182121
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 47257
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:21:09

No malware has been detected. The scan area is clean.

The selected area was scanned.
_________________________

Thanks for your help.

Peter
  • 0

#15
Stamper19
Posted 02 September 2008 - 03:40 PM

Stamper19

    Expert

  • Expert
  • 1,992 posts
Hi pdatrinity,

The holiday weekend was nice enough, but not nearly long enough :)

Congrats - your logs are all clean :)

There are still a couple of things you should do for the sake of cleaning up.

---------------------------------------------------------------

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


    • Posted Image

  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

----------------------------------------------------------------

Otherwise, unless you have any questions, you are all set. Included below are some tips for keeping your computer malware free in the future.

Cheers,
Stamper :)

----------------------------------------------------------------

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP