
win32/Privacyremover.m64 & win32/Adware.virtumonde Spyware screen


This topic is locked

#1 logs4 (Member, 12 posts)
I have a screen on desktop that indicates I have a Spyware infection, Win32/Adware.Virtumonde and also win32/PrivacyRemover.m64 and the screen requests that I activate my antivirus. I have run Spybot and Spyhunter and neither are getting the job fixed.

Please help

Edited by logs4, 27 August 2008 - 11:47 AM.


#2 logs4 (Topic Starter, Member, 12 posts)
Log file below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:41:18, on 8/27/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\DSentry.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRAM FILES\PATCHLINK\UPDATE AGENT\pddm.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\LaCie\Backup Software\LaCieBackup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://hq.manu.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy3.cott.com:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\system32\DSentry.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PDDM] C:\PROGRAM FILES\PATCHLINK\UPDATE AGENT\pddm.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [LaCie Backup] C:\Program Files\LaCie\Backup Software\\LaCieBackup.exe /background
O4 - HKCU\..\Run: [No Adware No Spyware] C:\Program Files\NoAdware.com\No Adware No Spyware\NoAdware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O15 - Trusted Zone: *.jda.corp.local
O15 - Trusted Zone: *.phx.jda.com
O15 - Trusted Zone: *.jdaconnect
O15 - Trusted Zone: hq.manu.com
O15 - Trusted Zone: *.manu.com
O15 - Trusted Zone: *.jda.corp.local (HKLM)
O15 - Trusted Zone: *.phx.jda.com (HKLM)
O15 - Trusted Zone: *.manu.com (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {4F18FFF5-85B9-4378-A1B4-06743830EC70} (WAPUploaderAX Class) - http://www.web-a-pho...oUploaderXP.cab
O16 - DPF: {5879B3B0-566E-4ECB-9B77-9A8A5E62AAB8} (DeviceMon Class) - http://www.blackberr...teLoaderUSB.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126296604656
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://manu.webex.c...bex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://hq.manu.com/...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.manu.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.manu.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.manu.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.manu.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PatchLink Update - PatchLink Corporation - C:\Program Files\PatchLink\Update Agent\GravitixService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 14423 bytes

#3 fenzodahl512 (Malware Removal, 9,863 posts)
Hello, my name is fenzodahl512 and welcome to Geekstogo.. Please do the following...


Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




NEXT


Please download RSIT by random/random and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



Post these logs in your next reply.. Post each log in a separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt

#4 logs4 (Topic Starter, Member, 12 posts)
Malwarebytes log:

Malwarebytes' Anti-Malware 1.25
Database version: 1103
Windows 5.1.2600 Service Pack 1

11:17:34 AM 9/1/2008
mbam-log-09-01-2008 (11-17-34).txt

Scan type: Full Scan (C:\|D:\|Q:\|V:\|Y:\|)
Objects scanned: 82111
Time elapsed: 50 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 12
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\msapp.bhoapp (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\msapp.bhoapp.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{161b953b-95f9-4af3-b071-d5ff5ea132ef} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\SoftLand Ltd (Rogue.XPAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\blogan\Application Data\rhcvgwj0ee7n (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\blogan\Application Data\rhcvgwj0ee7n\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\blogan\Application Data\rhcvgwj0ee7n\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\blogan\Application Data\rhcvgwj0ee7n\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\blogan\Application Data\rhcvgwj0ee7n\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\blogan\Application Data\rhcvgwj0ee7n\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\blogan\Application Data\rhcvgwj0ee7n\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\blogan\Application Data\rhcvgwj0ee7n\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\blogan\Application Data\rhcvgwj0ee7n\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\blogan\Application Data\rhcvgwj0ee7n\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\blogan\Application Data\rhcvgwj0ee7n\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\blogan\~tmp1174.exe (Worm.Socks) -> Quarantined and deleted successfully.
C:\Documents and Settings\blogan\Local Settings\Temp\winiVKJaKTWbQlAP.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphcrgwj0ee7n.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphcrgwj0ee7n.exe (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\atmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mrcmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\scerpt.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcrgwj0ee7n.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest32.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
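As an added example (not code from this thread, nor from HijackThis, Malwarebytes or RSIT), a small Python triage pass over lines in the HijackThis format posted earlier in this thread. It flags O23 services whose binary is missing, O4 autoruns launched from a user profile or Temp folder (the kind of location where the Malwarebytes log above found the rogue files), and O15 trusted-zone additions. The sample lines are constructed: `example.exe`, the `user` profile and `*.example.com` are placeholders, reusing only the `rhcvgwj0ee7n` folder and Temp file names from the Malwarebytes log.

```python
"""Triage pass over HijackThis-format log lines (added example, not code from
this thread or from HijackThis, Malwarebytes or RSIT)."""
import re

# Constructed sample in the HijackThis line format. The two profile-path
# autoruns are hypothetical; they reuse the rhcvgwj0ee7n folder name and the
# Temp-folder file name that the Malwarebytes log in this thread reported.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [rhc] C:\Documents and Settings\user\Application Data\rhcvgwj0ee7n\example.exe
O4 - HKCU\..\Run: [tmp] "C:\Documents and Settings\user\Local Settings\Temp\winiVKJaKTWbQlAP.exe"
O15 - Trusted Zone: *.example.com
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
"""

# "O4 - <body>", "R1 - <body>" and so on: section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# First drive-letter path ending in an executable extension, quoted or not.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|sys|ocx|cpl))"?', re.IGNORECASE)

# Locations a standard user can write to; legitimate autoruns rarely live here.
USER_DIRS = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\temp\\",
    "\\users\\",
)


def is_user_location(path):
    """True if the path sits under a user profile, Application Data or Temp."""
    p = path.lower()
    return any(d in p for d in USER_DIRS)


def extract_path(body):
    """Return the executable path named in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def triage(log_text):
    """Return (code, reason, line) tuples for entries worth a closer look.

    These are review hints, not verdicts: an O23 'file missing' entry is often
    a stale uninstall, and O15 trusted-zone entries may be corporate policy.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        path = extract_path(body)
        if code == "O23" and "(file missing)" in body:
            findings.append((code, "service points at a missing binary", line))
        elif code == "O4" and path and is_user_location(path):
            findings.append((code, "autorun launched from a user-writable path", line))
        elif code == "O15":
            findings.append((code, "trusted-zone addition; confirm it is intended", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Run it against a real HijackThis log by passing the file contents to `triage()`; the hits are the entries to ask about first, not a cleanup list.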

#5 fenzodahl512 (Malware Removal, 9,863 posts)
Your RSIT logs please..

#6 logs4 (Topic Starter, Member, 12 posts)
how long should that log process take to run?

seems to be stuck on "performing registry dump" -

#7 fenzodahl512 (Malware Removal, 9,863 posts)

how long should that log process take to run?

seems to be stuck on "performing registry dump" -



It should be very fast.. Please don't run anything else while running our fix..

Just let it run till finish and then post the logs here :)

#8 logs4 (Topic Starter, Member, 12 posts)
I believe I have nothing else running, and I cannot get past the "performing registry dump" process.

Any suggestions?

#9 fenzodahl512 (Malware Removal, 9,863 posts)
Let's do this..

Please download OTViewIt to your desktop.
  • Close all windows and double click OTViewIt
  • Place a tick in the Scan all Users box
  • In the File Age drop down box select 90 days
  • Click Run Scan and let the program run uninterrupted
  • On completion it will produce two logs on the Desktop, post the OTViewIt.txt and Extras.txt logs in your next post.


---edit---

In addition, can you find log.txt on your Desktop? If yes, please post it here :)

Edited by fenzodahl512, 01 September 2008 - 07:26 PM.


#10 logs4 (Topic Starter, Member, 12 posts)
OTViewIt.Txt

OTViewIt logfile created on: 9/1/2008 10:01:53 PM - Run 1
OTViewIt by OldTimer - Version 1.0.1.7 Folder = C:\Documents and Settings\blogan\Desktop
Windows XP Professional Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.36 Mb Total Physical Memory | 233.18 Mb Available Physical Memory | 22.97% Memory free
2.40 Gb Paging File | 1.57 Gb Available in Paging File | 65.45% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 54.64 Gb Free Space | 73.32% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BLOGAN4
Current User Name: blogan
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On

===== Processes - Non-Microsoft Only =====

[06/03/2005 01:25 AM | 00,086,016 | ---- | M] (Intel Corporation) - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
[06/03/2005 01:28 AM | 00,372,809 | ---- | M] (Intel Corporation ) - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
[09/06/2007 01:28 PM | 00,110,592 | ---- | M] (Apple, Inc.) - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[11/20/2006 09:55 PM | 00,348,160 | ---- | M] (Juniper Networks) - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
[02/13/2004 11:47 AM | 00,155,648 | ---- | M] (Dell Inc) - C:\Program Files\Dell\OpenManage\Client\Iap.exe
[01/27/2006 06:01 PM | 00,075,328 | ---- | M] (PatchLink Corporation) - C:\Program Files\PatchLink\Update Agent\GravitixService.exe
[06/03/2005 01:25 AM | 00,139,264 | ---- | M] (Intel Corporation) - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
[09/27/2006 09:33 PM | 00,116,464 | ---- | M] (symantec) - C:\Program Files\Symantec AntiVirus\SavRoam.exe
[06/25/2004 06:15 PM | 00,045,056 | ---- | M] () - C:\WINDOWS\system32\WLTRYSVC.EXE
[05/31/2005 10:46 PM | 00,401,408 | ---- | M] (Intel Corporation) - C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
[06/03/2005 01:26 AM | 00,245,760 | ---- | M] (Intel) - C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
[03/04/2005 11:26 AM | 00,606,208 | ---- | M] () - C:\Program Files\Dell\QuickSet\quickset.exe
[02/06/2003 02:41 PM | 00,028,672 | ---- | M] (Dell - Advanced Desktop Engineering) - C:\WINDOWS\system32\DSentry.exe
[06/03/2005 01:31 AM | 00,385,024 | ---- | M] (Intel Corporation) - C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
[01/27/2006 06:02 PM | 00,419,392 | ---- | M] (PatchLink Corporation) - C:\Program Files\PatchLink\Update Agent\pddm.exe
[10/31/2005 11:05 AM | 00,278,528 | ---- | M] (Walt Disney Internet Group) - C:\Program Files\DIGStream\digstream.exe
[10/31/2005 11:18 AM | 00,101,888 | ---- | M] (Walt Disney Internet Group) - C:\Program Files\ESPNRunTime\DIGServices.exe
[11/23/2002 02:15 AM | 00,631,362 | ---- | M] (Logitech Inc.) - C:\Program Files\Logitech\iTouch\iTouch.exe
[11/08/2002 05:50 AM | 00,019,968 | ---- | M] (Logitech Inc.) - C:\WINDOWS\LOGI_MWX.EXE
[07/19/2005 06:06 PM | 00,077,824 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\hkcmd.exe
[07/19/2005 06:10 PM | 00,114,688 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\igfxpers.exe
[07/19/2005 06:06 PM | 00,159,744 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\igfxsrvc.exe
[01/24/2006 09:55 AM | 02,633,728 | ---- | M] (LaCie Group) - C:\Program Files\LaCie\Backup Software\LacieBackup.exe
[08/18/2008 06:41 PM | 01,832,272 | RHS- | M] (Safer Networking Limited) - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[07/26/2005 12:35 PM | 00,091,672 | R--- | M] (Logitech ) - C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe

===== Win32 Services - Non-Microsoft Only =====

(Apple Mobile Device) Apple Mobile Device [Auto | Running]
[09/06/2007 01:28 PM | 00,110,592 | ---- | M] (Apple, Inc.) - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

(dsNcService) Juniper Network Connect Service [Auto | Running]
[11/20/2006 09:55 PM | 00,348,160 | ---- | M] (Juniper Networks) - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

(EvtEng) EvtEng [Auto | Running]
[06/03/2005 01:25 AM | 00,086,016 | ---- | M] (Intel Corporation) - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

(Iap) Iap [Auto | Running]
[02/13/2004 11:47 AM | 00,155,648 | ---- | M] (Dell Inc) - C:\Program Files\Dell\OpenManage\Client\Iap.exe

(PatchLink Update) PatchLink Update [Auto | Running]
[01/27/2006 06:01 PM | 00,075,328 | ---- | M] (PatchLink Corporation) - C:\Program Files\PatchLink\Update Agent\GravitixService.exe

(Pml Driver HPZ12) Pml Driver HPZ12 [Auto | Stopped]
File not found - C:\WINDOWS\system32\HPZipm12.exe

(RegSrvc) RegSrvc [Auto | Running]
[06/03/2005 01:25 AM | 00,139,264 | ---- | M] (Intel Corporation) - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

(S24EventMonitor) Spectrum24 Event Monitor [Auto | Running]
[06/03/2005 01:28 AM | 00,372,809 | ---- | M] (Intel Corporation ) - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

(SavRoam) SavRoam [Auto | Running]
[09/27/2006 09:33 PM | 00,116,464 | ---- | M] (symantec) - C:\Program Files\Symantec AntiVirus\SavRoam.exe

(WLTRYSVC) WLTRYSVC [Auto | Running]
[06/25/2004 06:15 PM | 00,045,056 | ---- | M] () - C:\WINDOWS\system32\WLTRYSVC.EXE

===== Driver Services - Non-Microsoft Only =====

(APPDRV) APPDRV [System | Running]
[08/18/2004 02:53 PM | 00,016,128 | ---- | M] (Dell Inc) - C:\WINDOWS\system32\drivers\APPDRV.SYS

(dsNcAdpt) Juniper Network Connect Adapter [On_Demand | Running]
[11/20/2006 09:55 PM | 00,023,552 | ---- | M] (Juniper Networks) - C:\WINDOWS\system32\drivers\dsNcAdpt.sys

(GTIPCI21) GTIPCI21 [On_Demand | Running]
[05/03/2004 04:26 PM | 00,080,384 | ---- | M] (Texas Instruments) - C:\WINDOWS\system32\drivers\gtipci21.sys

(ialm) ialm [On_Demand | Running]
[07/19/2005 06:34 PM | 01,049,180 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\ialmnt5.sys

(itchfltr) iTouch Keyboard Filter [On_Demand | Running]
[11/14/2002 10:15 PM | 00,012,640 | ---- | M] (Logitech, Inc.) - C:\WINDOWS\system32\drivers\itchfltr.sys

(IWCA) Intel Wireless Connection Agent Miniport for Win XP [On_Demand | Running]
[08/12/2004 08:44 AM | 00,234,496 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\iwca.sys

(LCcfltr) Logitech USB Filter Driver [On_Demand | Stopped]
[11/08/2002 05:50 AM | 00,014,156 | ---- | M] (Logitech, Inc.) - C:\WINDOWS\system32\drivers\LCCFLTR.SYS

(LHidFlt2) Logitech HID/USB Mouse Filter Driver [On_Demand | Stopped]
[11/08/2002 05:50 AM | 00,023,838 | ---- | M] (Logitech, Inc.) - C:\WINDOWS\system32\drivers\LHIDFLT2.SYS

(LHidUsb) Logitech USB Receiver device driver [On_Demand | Stopped]
[11/08/2002 05:50 AM | 00,041,420 | ---- | M] (Logitech, Inc.) - C:\WINDOWS\system32\drivers\Lhidusb.sys

(LMouFlt2) Logitech Mouse Class Filter Driver [On_Demand | Stopped]
[11/08/2002 05:50 AM | 00,070,238 | ---- | M] (Logitech, Inc.) - C:\WINDOWS\system32\drivers\lmouflt2.sys

(ncvcp) Network Connect Virtual Com Port [On_Demand | Stopped]
File not found - C:\WINDOWS\System32\DRIVERS\nsvcp.sys

(OMCI) OMCI WDM Device Driver [System | Running]
[02/13/2004 11:46 AM | 00,017,153 | ---- | M] (Dell Inc) - C:\WINDOWS\system32\drivers\omci.sys

(RimVSerPort) RIM Virtual Serial Port v2 [On_Demand | Running]
[06/30/2006 04:10 PM | 00,026,752 | R--- | M] (Research in Motion Ltd) - C:\WINDOWS\system32\drivers\RimSerial.sys

(s24trans) WLAN Transport [Auto | Running]
[05/03/2005 07:03 AM | 00,011,354 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\s24trans.sys

(SbcpHid) SbcpHid [System | Running]
[08/23/2001 03:00 PM | 00,022,400 | ---- | M] () - C:\WINDOWS\system32\drivers\SbcpHid.sys

(Secdrv) Secdrv [On_Demand | Stopped]
[08/29/2002 06:00 AM | 00,027,440 | ---- | M] () - C:\WINDOWS\system32\drivers\secdrv.sys

(UIUSys) Conexant Setup API [On_Demand | Stopped]
File not found - C:\WINDOWS\System32\drivers\UIUSys.sys

========== Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"" = File not found
"Apoint" = C:\Program Files\Apoint\Apoint.exe [09/13/2004 11:33 AM | 00,155,648 | ---- | M] (Alps Electric Co., Ltd.)
"ATIPTA" = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [10/06/2004 09:10 PM | 00,344,064 | ---- | M] (ATI Technologies, Inc.)
"AVG7_CC" = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP [04/19/2008 06:31 PM | 00,579,584 | ---- | M] (GRISOFT, s.r.o.)
"ccApp" = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/19/2006 08:26 PM | 00,052,896 | ---- | M] (Symantec Corporation)
"Dell QuickSet" = C:\Program Files\Dell\QuickSet\quickset.exe [03/04/2005 11:26 AM | 00,606,208 | ---- | M] ()
"DIGStream" = C:\Program Files\DIGStream\digstream.exe [10/31/2005 11:05 AM | 00,278,528 | ---- | M] (Walt Disney Internet Group)
"DVDLauncher" = "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [04/26/2004 09:04 AM | 00,053,248 | ---- | M] (CyberLink Corp.)
"DVDSentry" = C:\WINDOWS\system32\DSentry.exe [02/06/2003 02:41 PM | 00,028,672 | ---- | M] (Dell - Advanced Desktop Engineering)
"HP Software Update" = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [02/19/2006 02:41 AM | 00,049,152 | ---- | M] (Hewlett-Packard Development Company, L.P.)
"HPDJ Taskbar Utility" = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe [01/13/2006 02:46 AM | 00,196,608 | ---- | M] (HP)
"HPHmon03" = C:\WINDOWS\system32\hphmon03.exe [01/13/2006 02:46 AM | 00,311,296 | ---- | M] (Hewlett-Packard)
"igfxhkcmd" = C:\WINDOWS\system32\hkcmd.exe [07/19/2005 06:06 PM | 00,077,824 | ---- | M] (Intel Corporation)
"igfxpers" = C:\WINDOWS\system32\igfxpers.exe [07/19/2005 06:10 PM | 00,114,688 | ---- | M] (Intel Corporation)
"igfxtray" = C:\WINDOWS\system32\igfxtray.exe [07/19/2005 06:09 PM | 00,094,208 | ---- | M] (Intel Corporation)
"IntelWireless" = C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless [06/03/2005 01:31 AM | 00,385,024 | ---- | M] (Intel Corporation)
"IntelZeroConfig" = C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [05/31/2005 10:46 PM | 00,401,408 | ---- | M] (Intel Corporation)
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 02:42 PM | 00,267,064 | ---- | M] (Apple Inc.)
"Logitech Utility" = Logi_MwX.Exe [11/08/2002 05:50 AM | 00,019,968 | ---- | M] (Logitech Inc.)
"PDDM" = C:\PROGRAM FILES\PATCHLINK\UPDATE AGENT\pddm.exe [01/27/2006 06:02 PM | 00,419,392 | ---- | M] (PatchLink Corporation)
"QuickTime Task" = "C:\Program Files\QuickTime\QTTask.exe" -atboottime [06/29/2007 06:24 AM | 00,286,720 | ---- | M] (Apple Inc.)
"UpdateManager" = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r [01/07/2004 01:01 AM | 00,110,592 | ---- | M] (Sonic Solutions)
"vptray" = C:\PROGRA~1\SYMANT~1\VPTray.exe [09/27/2006 09:33 PM | 00,125,168 | ---- | M] (Symantec Corporation)
"zBrowser Launcher" = C:\Program Files\Logitech\iTouch\iTouch.exe [11/23/2002 02:15 AM | 00,631,362 | ---- | M] (Logitech Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Value load does not exist or could not be read.
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaCie Backup" = C:\Program Files\LaCie\Backup Software\\LaCieBackup.exe /background [01/24/2006 09:55 AM | 02,633,728 | ---- | M] (LaCie Group)
"No Adware No Spyware" = C:\Program Files\NoAdware.com\No Adware No Spyware\NoAdware.exe [03/14/2007 10:56 AM | 00,884,736 | ---- | M] (NoAdware.com)
"SpybotSD TeaTimer" = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [08/18/2008 06:41 PM | 01,832,272 | RHS- | M] (Safer Networking Limited)
"updateMgr" = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 [03/30/2006 04:45 PM | 00,313,472 | ---- | M] (Adobe Systems Incorporated)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run" = C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE [10/24/2007 09:57 AM | 00,219,136 | ---- | M] (GRISOFT, s.r.o.)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run" = C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE [10/24/2007 09:57 AM | 00,219,136 | ---- | M] (GRISOFT, s.r.o.)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run" = C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE [10/24/2007 09:57 AM | 00,219,136 | ---- | M] (GRISOFT, s.r.o.)

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run" = C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE [10/24/2007 09:57 AM | 00,219,136 | ---- | M] (GRISOFT, s.r.o.)

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-21-12604286-1649964785-1244796221-24336\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaCie Backup" = C:\Program Files\LaCie\Backup Software\\LaCieBackup.exe /background [01/24/2006 09:55 AM | 02,633,728 | ---- | M] (LaCie Group)
"No Adware No Spyware" = C:\Program Files\NoAdware.com\No Adware No Spyware\NoAdware.exe [03/14/2007 10:56 AM | 00,884,736 | ---- | M] (NoAdware.com)
"SpybotSD TeaTimer" = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [08/18/2008 06:41 PM | 01,832,272 | RHS- | M] (Safer Networking Limited)
"updateMgr" = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 [03/30/2006 04:45 PM | 00,313,472 | ---- | M] (Adobe Systems Incorporated)

[HKEY_USERS\S-1-5-21-12604286-1649964785-1244796221-24336\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

========== Startup Folders ==========

[adm_cwheeloc Startup Folder - C:\Documents and Settings\adm_cwheeloc\Start Menu\Programs\Startup]

[All Users Startup Folder - C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
[09/24/2005 02:05 AM | 00,029,696 | ---- | M] (Adobe Systems Incorporated) - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[02/19/2006 04:21 AM | 00,288,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[03/26/2007 10:08 AM | 00,169,472 | ---- | M] (Logitech) - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
[07/26/2005 12:35 PM | 00,091,672 | R--- | M] (Logitech ) - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe

[blogan Startup Folder - C:\Documents and Settings\blogan\Start Menu\Programs\Startup]

[Default User Startup Folder - C:\Documents and Settings\Default User\Start Menu\Programs\Startup]

[outlaw Startup Folder - C:\Documents and Settings\outlaw\Start Menu\Programs\Startup]

[outlaw.OUTLAWXP Startup Folder - C:\Documents and Settings\outlaw.OUTLAWXP\Start Menu\Programs\Startup]

========== BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
HKLM CLSID: (Yahoo! Toolbar Helper) - [10/26/2006 12:28 PM | 00,440,384 | ---- | M] (Yahoo! Inc.) C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
HKLM CLSID: (Adobe PDF Reader Link Helper) - [01/12/2006 09:38 PM | 00,063,128 | ---- | M] (Adobe Systems Incorporated) C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
HKLM CLSID: (Spybot-S&D IE Protection) - [07/07/2008 09:41 AM | 01,562,448 | ---- | M] (Safer Networking Limited) C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
HKLM CLSID: (DriveLetterAccess) - [08/13/2004 01:05 AM | 00,118,842 | ---- | M] (Sonic Solutions) C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
HKLM CLSID: (SSVHelper Class) - [11/10/2005 02:22 PM | 00,184,423 | ---- | M] (Sun Microsystems, Inc.) C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
HKLM CLSID: (Reg Error: Key does not exist or could not be opened.) - File not found Reg Error: Key does not exist or could not be opened.

========== Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{8E718888-423F-11D2-876E-00A0C9082467}"
HKLM CLSID: (&Radio) - [08/29/2002 06:00 AM | 00,842,268 | ---- | M] () C:\WINDOWS\system32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
HKLM CLSID: (Yahoo! Toolbar) - [10/26/2006 12:28 PM | 00,440,384 | ---- | M] (Yahoo! Inc.) C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
HKLM CLSID: (Yahoo! Toolbar) - [10/26/2006 12:28 PM | 00,440,384 | ---- | M] (Yahoo! Inc.) C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_USERS\S-1-5-21-12604286-1649964785-1244796221-24336\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
HKLM CLSID: (Yahoo! Toolbar) - [10/26/2006 12:28 PM | 00,440,384 | ---- | M] (Yahoo! Inc.) C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

========== AppInit_Dlls ==========

========== HKLM Security Providers ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders]
"msapsspc.dll schannel.dll digest.dll msnsspc.dll" - File not found

========== HKLM Winlogon Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell]
"Explorer.exe" - [08/29/2002 06:00 AM | 01,004,032 | ---- | M] (Microsoft Corporation) C:\WINDOWS\explorer.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit]
"C:\WINDOWS\system32\userinit.exe" - [08/29/2002 06:00 AM | 00,022,016 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\userinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost]
"logonui.exe" - [08/29/2002 06:00 AM | 00,504,320 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\logonui.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
"rundll32 shell32" - [08/29/2002 06:00 AM | 08,336,384 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
"Control_RunDLL "sysdm.cpl"" - [08/29/2002 06:00 AM | 00,268,288 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\sysdm.cpl

========== User's Winlogon Settings ==========

========== Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DllName" = C:\WINDOWS\system32\ati2evxx.dll [10/06/2004 10:09 PM | 00,090,112 | ---- | M] (ATI Technologies Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
"DllName" = C:\WINDOWS\system32\igfxdev.dll [07/19/2005 06:05 PM | 00,135,168 | ---- | M] (Intel Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless]
"DllName" = C:\Program Files\Intel\Wireless\Bin\LgNotify.dll [05/31/2005 10:46 PM | 00,110,592 | ---- | M] (Intel Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName" = C:\WINDOWS\system32\NavLogon.dll [09/27/2006 09:33 PM | 00,043,760 | ---- | M] (Symantec Corporation)

========== Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
Unable to open key or key not present!


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername" = 0
"legalnoticecaption" =
"legalnoticetext" =
"shutdownwithoutlogon" = 1
"undockwithoutlogon" = 1
"DisableCAD" = 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"NoDispBackgroundPage" = 0
"NoDispScrSavPage" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
Unable to open key or key not present!


[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
Unable to open key or key not present!


[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
Unable to open key or key not present!


[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
Unable to open key or key not present!


[HKEY_USERS\S-1-5-21-12604286-1649964785-1244796221-24336\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-21-12604286-1649964785-1244796221-24336\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"NoDispBackgroundPage" = 0
"NoDispScrSavPage" = 0

========== Lsa Authentication Packages ==========

========== Lsa Security Packages ==========

========== Desktop Components ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName" = "My Current Home Page"
"Source" = "About:Home"
"SubscribedURL" = "About:Home"

========== Safeboot Options ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = cmd.exe

========== Disabled MsConfig Items ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini" = 0
"win.ini" = 0
"bootini" = 0
"services" = 0
"startup" = 0

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT [ | PATH %path%;C:\PROGRAM FILES\SWIFT | ]
[08/07/2006 03:48 PM | 00,000,038 | ---- | M] () C:\AUTOEXEC.BAT [ NTFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00a7a1f3-7681-11db-b4ef-0013ce073db0}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0bf36a7e-1db9-11db-b4d1-0013ce073db0}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0d369b95-8a98-11db-b4f8-0013ce073db0}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0ef87f45-8a37-11db-b4f7-0013ce073db0}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{28be54c9-3e60-11db-b4e1-0013ce073db0}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{47f9c186-f446-11db-aa0d-0010c69e9ed7}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6d7c0417-cfee-11db-b530-0010c69e9ed7}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6d7c041a-cfee-11db-b530-0010c69e9ed7}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6db50987-6e8d-11db-b4eb-0013ce073db0}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{72d762c8-05ee-11db-b4c6-0013ce073db0}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{80540ca8-b55b-11db-b514-0013ce073db0}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{807ce0c4-015b-11dc-aa10-0010c69e9ed7}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8d8f9352-e662-11da-b4af-0013ce073db0}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b2059bf9-2b90-11db-b4d4-0013ce073db0}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b92412b5-8eae-11db-b4fa-0013ce073db0}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c0a3ded2-db8d-11da-b4a8-00123ffabcb0}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d22a2055-521e-11db-b4e2-0013ce073db0}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d3730eb6-9cd2-11da-b499-0010c69e9ed7}\Shell]
"" = None

========== DNS Name Servers ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{A40F97F5-979D-40BD-9F6A-A1766A1A0AE4}]
Servers: | Description:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{AC3C26A4-36A1-49D4-828A-50CEF1DA8269}]
Servers: | Description: Broadcom NetXtreme 57xx Gigabit Controller

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{AC91D8CB-44C8-4391-9F66-9676F83CE04E}]
Servers: | Description:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{B0C08F2B-F46F-467A-9C81-CDE4F5ED70E4}]
Servers: | Description:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{EF068FF2-5910-4578-BB27-1A2E6F29AD97}]
Servers: | Description: Intel® PRO/Wireless 2200BG Network Connection

========== Hosts File ==========

HOSTS File = (260782 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.1001-search.info
127.0.0.1 1001-search.info
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
127.0.0.1 www.123topsearch.com
127.0.0.1 123topsearch.com
127.0.0.1 www.132.com
127.0.0.1 132.com
127.0.0.1 www.136136.net
127.0.0.1 136136.net



========== Files/Folders - Created Within 90 days ==========

[08/27/2008 09:22 AM | ---D | C] - C:\VundoFix Backups
[09/01/2008 11:20 AM | ---D | C] - C:\rsit
[08/21/2008 01:28 PM | 00,007,369 | ---- | C] () - C:\WINDOWS\System32\dllcache\MSTSWEB.CAT
[08/21/2008 01:28 PM | 00,007,382 | ---- | C] () - C:\WINDOWS\System32\dllcache\OEMBIOS.CAT
[08/21/2008 01:28 PM | 00,008,574 | ---- | C] () - C:\WINDOWS\System32\dllcache\IASNT4.CAT
[08/21/2008 01:28 PM | 00,010,881 | ---- | C] () - C:\WINDOWS\System32\dllcache\MSMSGS.CAT
[08/21/2008 01:28 PM | 00,013,608 | ---- | C] () - C:\WINDOWS\System32\dllcache\IMS.CAT
[08/21/2008 01:28 PM | 00,014,031 | ---- | C] () - C:\WINDOWS\System32\dllcache\MSJDBC.CAT
[08/21/2008 01:28 PM | 00,021,281 | ---- | C] () - C:\WINDOWS\System32\dllcache\XMLDSOC.CAT
[08/21/2008 01:28 PM | 00,022,151 | ---- | C] () - C:\WINDOWS\System32\dllcache\TCLASSES.CAT
[08/21/2008 01:28 PM | 00,022,399 | ---- | C] () - C:\WINDOWS\System32\dllcache\mediactr.cat
[08/21/2008 01:28 PM | 00,031,405 | ---- | C] () - C:\WINDOWS\System32\dllcache\FP4.CAT
[08/21/2008 01:28 PM | 00,037,484 | ---- | C] () - C:\WINDOWS\System32\dllcache\MW770.CAT
[08/21/2008 01:28 PM | 00,052,311 | ---- | C] () - C:\WINDOWS\System32\dllcache\DX3.CAT
[08/21/2008 01:28 PM | 00,056,081 | ---- | C] () - C:\WINDOWS\System32\dllcache\DAJAVAC.CAT
[08/21/2008 01:28 PM | 00,093,044 | ---- | C] () - C:\WINDOWS\System32\dllcache\tabletpc.cat
[08/21/2008 01:28 PM | 00,390,168 | ---- | C] () - C:\WINDOWS\System32\dllcache\WFC.CAT
[08/21/2008 01:28 PM | 00,399,645 | ---- | C] () - C:\WINDOWS\System32\dllcache\MAPIMIG.CAT
[08/21/2008 01:28 PM | 00,451,856 | ---- | C] () - C:\WINDOWS\System32\dllcache\NT5INF.CAT
[08/21/2008 01:28 PM | 00,657,548 | ---- | C] () - C:\WINDOWS\System32\dllcache\CLASSES.CAT
[08/21/2008 01:28 PM | 00,797,189 | ---- | C] () - C:\WINDOWS\System32\dllcache\NT5IIS.CAT
[08/21/2008 01:28 PM | 01,086,182 | ---- | C] () - C:\WINDOWS\System32\dllcache\NTPRINT.CAT
[08/21/2008 01:28 PM | 02,049,999 | ---- | C] () - C:\WINDOWS\System32\dllcache\NT5.CAT
[08/21/2008 01:29 PM | 00,024,661 | ---- | C] (Perle Systems Ltd.) - C:\WINDOWS\System32\dllcache\spxcoins.dll
[08/21/2008 01:39 PM | 00,272,896 | ---- | C] (Cinematronics) - C:\WINDOWS\System32\dllcache\pinball.exe
[08/21/2008 01:41 PM | 00,004,639 | ---- | C] () - C:\WINDOWS\System32\dllcache\mplayer2.exe
[08/21/2008 01:42 PM | 00,028,672 | ---- | C] (Intel Corporation) - C:\WINDOWS\System32\dllcache\isrdbg32.dll
[08/21/2008 01:42 PM | 00,348,160 | ---- | C] () - C:\WINDOWS\System32\dllcache\msinfo.dll
[08/21/2008 01:46 PM | 00,031,744 | ---- | C] (SEIKO EPSON CORP.) - C:\WINDOWS\System32\dllcache\esucmd.dll
[08/21/2008 01:46 PM | 00,045,056 | ---- | C] (SEIKO EPSON CORP.) - C:\WINDOWS\System32\dllcache\esunid.dll
[08/21/2008 01:46 PM | 00,054,528 | ---- | C] (Philips Semiconductors GmbH) - C:\WINDOWS\System32\dllcache\cap7146.sys
[08/21/2008 01:46 PM | 00,057,856 | ---- | C] (SEIKO EPSON CORP.) - C:\WINDOWS\System32\dllcache\esuimgd.dll
[08/21/2008 01:46 PM | 00,094,208 | ---- | C] () - C:\WINDOWS\System32\dllcache\fpencode.dll
[08/21/2008 01:46 PM | 00,173,568 | ---- | C] () - C:\WINDOWS\System32\dllcache\chtskf.dll
[08/21/2008 01:47 PM | 00,059,392 | ---- | C] () - C:\WINDOWS\System32\dllcache\imscinst.exe
[08/21/2008 01:47 PM | 00,108,827 | ---- | C] () - C:\WINDOWS\System32\dllcache\hanja.lex
[08/21/2008 01:47 PM | 00,134,339 | ---- | C] () - C:\WINDOWS\System32\dllcache\imekr.lex
[08/21/2008 01:47 PM | 00,196,666 | ---- | C] () - C:\WINDOWS\System32\dllcache\imjpinst.exe
[08/21/2008 01:47 PM | 01,158,818 | ---- | C] () - C:\WINDOWS\System32\dllcache\korwbrkr.lex
[08/21/2008 01:47 PM | 13,463,552 | ---- | C] () - C:\WINDOWS\System32\dllcache\hwxjpn.dll
[08/21/2008 01:48 PM | 00,026,624 | ---- | C] (Ricoh Co., Ltd.) - C:\WINDOWS\System32\dllcache\rw330ext.dll
[08/21/2008 01:48 PM | 00,079,872 | ---- | C] (Ricoh Co., Ltd.) - C:\WINDOWS\System32\dllcache\rwia001.dll
[08/21/2008 01:48 PM | 00,079,872 | ---- | C] (Ricoh Co., Ltd.) - C:\WINDOWS\System32\dllcache\rwia330.dll
[08/21/2008 01:48 PM | 00,175,104 | ---- | C] () - C:\WINDOWS\System32\dllcache\pintlcsa.dll
[6 C:\WINDOWS\System32\*.tmp files]
[08/19/2008 12:08 PM | 00,010,752 | ---- | C] ( ) - C:\WINDOWS\System32\md5.dll
[08/19/2008 12:08 PM | 00,011,012 | ---- | C] () - C:\WINDOWS\System32\threadapi.tlb
[08/19/2008 12:08 PM | 00,089,088 | ---- | C] (Ariad Software) - C:\WINDOWS\System32\ProgressBar4.ocx
[08/19/2008 12:08 PM | 00,265,753 | ---- | C] (Ariad Software) - C:\WINDOWS\System32\AS-Exp2.ocx
[08/19/2008 12:08 PM | 00,423,784 | ---- | C] (Xceed Software Inc (450) 442-2626 [email protected] www.xceedsoft.com) - C:\WINDOWS\System32\XceedBkp.dll
[08/19/2008 12:08 PM | 01,140,472 | ---- | C] (Infragistics, Inc.) - C:\WINDOWS\System32\IGUltraGrid20.ocx
[08/19/2008 12:08 PM | 02,267,368 | ---- | C] (Adobe Systems, Inc.) - C:\WINDOWS\System32\Flash.ocx
[08/21/2008 01:29 PM | 00,024,661 | ---- | C] (Perle Systems Ltd.) - C:\WINDOWS\System32\spxcoins.dll
[08/21/2008 01:42 PM | 00,028,672 | ---- | C] (Intel Corporation) - C:\WINDOWS\System32\isrdbg32.dll
[08/21/2008 01:44 PM | 00,025,065 | ---- | C] () - C:\WINDOWS\System32\wmpscheme.xml
[08/21/2008 01:58 PM | 00,135,168 | ---- | C] (Intel Corporation) - C:\WINDOWS\System32\igfxres.dll
[08/24/2008 11:58 AM | 00,000,001 | ---- | C] () - C:\WINDOWS\System32\mp7arc.dat
[08/27/2008 05:56 PM | ---D | C] - C:\WINDOWS\System32\bits
[08/29/2008 10:57 AM | 00,176,235 | ---- | C] () - C:\WINDOWS\System32\Primomonnt.dll
[6 C:\WINDOWS\*.tmp files]
[06/03/2008 10:32 PM | 01,558,280 | ---- | C] (XMLAuthor Inc.) - C:\WINDOWS\screengenie.scr
[08/21/2008 01:42 PM | 00,000,749 | RH-- | C] () - C:\WINDOWS\WindowsShell.Manifest
[08/21/2008 01:44 PM | 00,299,552 | ---- | C] () - C:\WINDOWS\WMSysPrx.prx
[08/21/2008 01:54 PM | ---D | C] - C:\WINDOWS\Prefetch
[08/21/2008 12:23 AM | 00,000,245 | ---- | C] () - C:\WINDOWS\tmp7404078.bat
[08/27/2008 03:48 PM | ---D | C] - C:\WINDOWS\ERDNT
[08/29/2008 10:57 AM | ---D | C] - C:\WINDOWS\PrimoPDF4
[08/18/2008 08:29 AM | ---D | C] - C:\Documents and Settings\All Users\Application Data\WLInstaller
[08/21/2008 12:03 AM | ---D | C] - C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[08/27/2008 03:50 PM | ---D | C] - C:\Documents and Settings\All Users\Application Data\Malwarebytes
[08/27/2008 03:50 PM | ---D | C] - C:\Documents and Settings\blogan\Application Data\Malwarebytes
[08/26/2008 02:35 PM | ---D | C] - C:\Documents and Settings\blogan\Local Settings\Application Data\Downloaded Installations
[06/03/2008 10:47 PM | 00,003,456 | ---- | C] () - C:\Documents and Settings\blogan\My Documents\Fly I.aup
[06/03/2008 10:47 PM | ---D | C] - C:\Documents and Settings\blogan\My Documents\Fly I_data
[06/03/2008 10:52 PM | 00,002,399 | ---- | C] () - C:\Documents and Settings\blogan\My Documents\Fly II.aup
[06/03/2008 10:52 PM | ---D | C] - C:\Documents and Settings\blogan\My Documents\Fly II_data
[08/26/2008 02:35 PM | 00,927,744 | ---- | C] () - C:\Documents and Settings\blogan\My Documents\2008 FFL DRAFT.doc
[08/26/2008 03:53 PM | 00,182,272 | ---- | C] () - C:\Documents and Settings\blogan\My Documents\TOP 100 Fantasy Football Cheat Sheet Key.doc
[08/18/2008 08:33 AM | 00,001,827 | ---- | C] () - C:\Documents and Settings\All Users\Desktop\Windows Live Messenger .lnk
[08/24/2008 11:27 AM | 00,000,899 | ---- | C] () - C:\Documents and Settings\All Users\Desktop\SpyHunter.lnk
[08/25/2008 02:50 PM | 00,000,793 | ---- | C] () - C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[08/25/2008 02:50 PM | 00,000,793 | ---- | C] () - C:\Documents and Settings\All Users\Desktop\Ad-Watch.lnk
[08/26/2008 02:36 PM | 00,001,940 | ---- | C] () - C:\Documents and Settings\All Users\Desktop\Draft Analyzer.lnk
[08/27/2008 03:50 PM | 00,000,696 | ---- | C] () - C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[06/03/2008 10:29 PM | 12,569,040 | ---- | C] () - C:\Documents and Settings\blogan\Desktop\cinemaforge.exe
[06/03/2008 10:33 PM | 00,001,597 | ---- | C] () - C:\Documents and Settings\blogan\Desktop\CinemaForge App.lnk
[06/03/2008 10:38 PM | 00,000,630 | ---- | C] () - C:\Documents and Settings\blogan\Desktop\Audacity.lnk
[06/03/2008 10:38 PM | 02,228,534 | ---- | C] ( ) - C:\Documents and Settings\blogan\Desktop\audacity-win-1.2.6.exe
[06/03/2008 10:52 PM | 11,628,588 | ---- | C] () - C:\Documents and Settings\blogan\Desktop\Fly II.wav
[06/03/2008 11:00 PM | 19,586,092 | ---- | C] () - C:\Documents and Settings\blogan\Desktop\Fly I.wav
[08/19/2008 12:08 PM | 00,000,805 | ---- | C] () - C:\Documents and Settings\blogan\Desktop\No Adware No Spyware.lnk
[08/26/2008 01:49 PM | 15,083,520 | ---- | C] (Safer Networking Limited ) - C:\Documents and Settings\blogan\Desktop\spybotsd160.exe
[08/26/2008 01:53 PM | 03,195,984 | ---- | C] () - C:\Documents and Settings\blogan\Desktop\spybotsd_includes.exe
[08/26/2008 01:58 PM | 00,000,933 | ---- | C] () - C:\Documents and Settings\blogan\Desktop\Spybot - Search & Destroy.lnk
[08/26/2008 10:23 AM | 00,001,869 | ---- | C] () - C:\Documents and Settings\blogan\Desktop\rgfix25439.reg
[08/27/2008 01:40 PM | 00,001,734 | ---- | C] () - C:\Documents and Settings\blogan\Desktop\HijackThis.lnk
[08/27/2008 03:45 PM | 00,791,393 | ---- | C] (Lars Hederer ) - C:\Documents and Settings\blogan\Desktop\erunt_setup.exe
[08/27/2008 03:46 PM | 00,000,592 | ---- | C] () - C:\Documents and Settings\blogan\Desktop\ERUNT.lnk
[08/27/2008 03:46 PM | 00,000,611 | ---- | C] () - C:\Documents and Settings\blogan\Desktop\NTREGOPT.lnk
[08/27/2008 03:49 PM | 00,128,368 | ---- | C] (Digital River) - C:\Documents and Settings\blogan\Desktop\Download_mbam-setup.exe
[08/27/2008 09:38 AM | 00,096,978 | ---- | C] (Business Information Solutions) - C:\Documents and Settings\blogan\Desktop\Burn CDs & DVDs with RecordNow! Plus.lnk
[08/29/2008 10:54 AM | 11,121,848 | ---- | C] () - C:\Documents and Settings\blogan\Desktop\FreewarePrimoSetup.exe
[08/29/2008 11:00 AM | 00,353,112 | ---- | C] () - C:\Documents and Settings\blogan\Desktop\Ballantyne Elementary Annual Ca[1].pdf
[09/01/2008 11:19 AM | 00,025,088 | ---- | C] () - C:\Documents and Settings\blogan\Desktop\Malwarebytes LOG.doc
[09/01/2008 11:19 AM | 00,304,189 | ---- | C] () - C:\Documents and Settings\blogan\Desktop\RSIT.exe
[08/20/2008 10:18 PM | 00,001,730 | ---- | C] () - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[08/18/2008 08:30 AM | -HSD | C] - C:\Program Files\Common Files\WindowsLiveInstaller
[08/25/2008 02:48 PM | ---D | C] - C:\Program Files\Common Files\Wise Installation Wizard
[08/27/2008 03:49 PM | ---D | C] - C:\Program Files\Common Files\Download Manager
[06/03/2008 10:33 PM | ---D | C] - C:\Program Files\CinemaForge
[06/03/2008 10:38 PM | ---D | C] - C:\Program Files\Audacity
[08/18/2008 08:29 AM | ---D | C] - C:\Program Files\Windows Live
[08/19/2008 12:08 PM | ---D | C] - C:\Program Files\NoAdware.com
[08/20/2008 10:18 AM | ---D | C] - C:\Program Files\Enigma Software Group
[08/21/2008 12:03 AM | ---D | C] - C:\Program Files\Spybot - Search & Destroy
[08/26/2008 02:35 PM | ---D | C] - C:\Program Files\Draft Analyzer
[08/27/2008 01:40 PM | ---D | C] - C:\Program Files\Trend Micro
[08/27/2008 03:46 PM | ---D | C] - C:\Program Files\ERUNT
[08/27/2008 03:50 PM | ---D | C] - C:\Program Files\Malwarebytes' Anti-Malware
[08/29/2008 10:57 AM | ---D | C] - C:\Program Files\activePDF

========== Files - Modified Within 90 days ==========

[08/21/2008 01:37 PM | 00,000,211 | -HS- | M] () - C:\boot.ini
[08/19/2008 12:17 PM | 00,000,732 | ---- | M] () - C:\WINDOWS\System32\drivers\etc\hosts.20080821-000815.backup
[08/21/2008 12:08 AM | 00,260,782 | R--- | M] () - C:\WINDOWS\System32\drivers\etc\hosts
[6 C:\WINDOWS\System32\*.tmp files]
[08/21/2008 01:40 PM | 00,023,348 | ---- | M] () - C:\WINDOWS\System32\emptyregdb.dat
[08/21/2008 01:44 PM | 00,025,065 | ---- | M] () - C:\WINDOWS\System32\wmpscheme.xml
[08/21/2008 01:50 PM | 00,000,288 | ---- | M] () - C:\WINDOWS\System32\$winnt$.inf
[08/21/2008 01:52 PM | 00,157,736 | ---- | M] () - C:\WINDOWS\System32\FNTCACHE.DAT
[08/21/2008 01:56 PM | 00,063,386 | ---- | M] () - C:\WINDOWS\System32\perfc009.dat
[08/21/2008 01:56 PM | 00,404,206 | ---- | M] () - C:\WINDOWS\System32\perfh009.dat
[08/21/2008 01:56 PM | 00,475,330 | ---- | M] () - C:\WINDOWS\System32\PerfStringBackup.INI
[08/24/2008 04:23 PM | 00,016,832 | ---- | M] () - C:\WINDOWS\System32\amcompat.tlb
[08/24/2008 04:23 PM | 00,023,392 | ---- | M] () - C:\WINDOWS\System32\nscompat.tlb
[08/24/2008 11:58 AM | 00,000,001 | ---- | M] () - C:\WINDOWS\System32\mp7arc.dat
[09/01/2008 06:03 PM | 00,002,228 | ---- | M] () - C:\WINDOWS\System32\wpa.dbl
[6 C:\WINDOWS\*.tmp files]
[08/18/2008 03:22 PM | 00,640,960 | ---- | M] () - C:\WINDOWS\setupapi.old
[08/21/2008 01:29 PM | 00,000,275 | ---- | M] () - C:\WINDOWS\system.ini
[08/21/2008 01:42 PM | 00,000,749 | RH-- | M] () - C:\WINDOWS\WindowsShell.Manifest
[08/21/2008 01:44 PM | 00,004,161 | ---- | M] () - C:\WINDOWS\ODBCINST.INI
[08/21/2008 01:44 PM | 00,299,552 | ---- | M] () - C:\WINDOWS\WMSysPrx.prx
[08/21/2008 01:45 PM | 00,000,768 | ---- | M] () - C:\WINDOWS\win.ini
[08/21/2008 01:51 PM | 00,004,382 | ---- | M] () - C:\WINDOWS\imsins.BAK
[08/21/2008 12:23 AM | 00,000,245 | ---- | M] () - C:\WINDOWS\tmp7404078.bat
[08/24/2008 04:21 PM | 00,316,640 | ---- | M] () - C:\WINDOWS\WMSysPr9.prx
[08/29/2008 10:57 AM | 00,000,310 | ---- | M] () - C:\WINDOWS\primopdf.ini
[09/01/2008 05:17 PM | 00,002,048 | --S- | M] () - C:\WINDOWS\bootstat.dat
[08/26/2008 11:37 AM | 00,000,284 | ---- | M] () - C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[09/01/2008 05:19 PM | 00,000,006 | -H-- | M] () - C:\WINDOWS\tasks\SA.DAT
[09/01/2008 05:39 PM | 00,000,330 | -H-- | M] () - C:\WINDOWS\tasks\MP Scheduled Scan.job
[08/21/2008 01:28 PM | 00,000,062 | -HS- | M] () - C:\Documents and Settings\All Users\Application Data\desktop.ini
[08/21/2008 01:57 PM | 00,022,368 | ---- | M] () - C:\Documents and Settings\blogan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[08/26/2008 10:39 AM | 03,770,706 | -H-- | M] () - C:\Documents and Settings\blogan\Local Settings\Application Data\IconCache.db
[08/21/2008 01:28 PM | 00,000,062 | -HS- | M] () - C:\Documents and Settings\All Users\Documents\desktop.ini
[06/03/2008 10:47 PM | 00,003,456 | ---- | M] () - C:\Documents and Settings\blogan\My Documents\Fly I.aup
[06/03/2008 10:52 PM | 00,002,399 | ---- | M] () - C:\Documents and Settings\blogan\My Documents\Fly II.aup
[08/26/2008 02:35 PM | 00,927,744 | ---- | M] () - C:\Documents and Settings\blogan\My Documents\2008 FFL DRAFT.doc
[08/26/2008 03:53 PM | 00,182,272 | ---- | M] () - C:\Documents and Settings\blogan\My Documents\TOP 100 Fantasy Football Cheat Sheet Key.doc
[08/19/2008 11:38 AM | 00,002,341 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[08/19/2008 11:41 AM | 00,001,604 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[08/24/2008 11:27 AM | 00,000,899 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\SpyHunter.lnk
[08/25/2008 02:50 PM | 00,000,793 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[08/25/2008 02:50 PM | 00,000,793 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Ad-Watch.lnk
[08/26/2008 02:36 PM | 00,001,940 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Draft Analyzer.lnk
[08/27/2008 06:36 PM | 00,001,827 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Windows Live Messenger .lnk
[09/01/2008 10:24 AM | 00,000,696 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[06/03/2008 10:29 PM | 12,569,040 | ---- | M] () - C:\Documents and Settings\blogan\Desktop\cinemaforge.exe
[06/03/2008 10:34 PM | 00,001,597 | ---- | M] () - C:\Documents and Settings\blogan\Desktop\CinemaForge App.lnk
[06/03/2008 10:38 PM | 00,000,630 | ---- | M] () - C:\Documents and Settings\blogan\Desktop\Audacity.lnk
[06/03/2008 10:38 PM | 02,228,534 | ---- | M] ( ) - C:\Documents and Settings\blogan\Desktop\audacity-win-1.2.6.exe
[06/03/2008 10:53 PM | 11,628,588 | ---- | M] () - C:\Documents and Settings\blogan\Desktop\Fly II.wav
[06/03/2008 11:00 PM | 19,586,092 | ---- | M] () - C:\Documents and Settings\blogan\Desktop\Fly I.wav
[08/19/2008 12:08 PM | 00,000,805 | ---- | M] () - C:\Documents and Settings\blogan\Desktop\No Adware No Spyware.lnk
[08/26/2008 01:49 PM | 15,083,520 | ---- | M] (Safer Networking Limited ) - C:\Documents and Settings\blogan\Desktop\spybotsd160.exe
[08/26/2008 01:53 PM | 03,195,984 | ---- | M] () - C:\Documents and Settings\blogan\Desktop\spybotsd_includes.exe
[08/26/2008 01:58 PM | 00,000,933 | ---- | M] () - C:\Documents and Settings\blogan\Desktop\Spybot - Search & Destroy.lnk
[08/26/2008 10:22 AM | 00,001,869 | ---- | M] () - C:\Documents and Settings\blogan\Desktop\rgfix25439.reg
[08/27/2008 01:40 PM | 00,001,734 | ---- | M] () - C:\Documents and Settings\blogan\Desktop\HijackThis.lnk
[08/27/2008 03:45 PM | 00,791,393 | ---- | M] (Lars Hederer ) - C:\Documents and Settings\blogan\Desktop\erunt_setup.exe
[08/27/2008 03:46 PM | 00,000,592 | ---- | M] () - C:\Documents and Settings\blogan\Desktop\ERUNT.lnk
[08/27/2008 03:46 PM | 00,000,611 | ---- | M] () - C:\Documents and Settings\blogan\Desktop\NTREGOPT.lnk
[08/27/2008 03:49 PM | 00,128,368 | ---- | M] (Digital River) - C:\Documents and Settings\blogan\Desktop\Download_mbam-setup.exe
[08/27/2008 09:38 AM | 00,096,978 | ---- | M] (Business Information Solutions) - C:\Documents and Settings\blogan\Desktop\Burn CDs & DVDs with RecordNow! Plus.lnk
[08/29/2008 10:54 AM | 11,121,848 | ---- | M] () - C:\Documents and Settings\blogan\Desktop\FreewarePrimoSetup.exe
[08/29/2008 11:00 AM | 00,353,112 | ---- | M] () - C:\Documents and Settings\blogan\Desktop\Ballantyne Elementary Annual Ca[1].pdf
[09/01/2008 11:19 AM | 00,025,088 | ---- | M] () - C:\Documents and Settings\blogan\Desktop\Malwarebytes LOG.doc
[09/01/2008 11:19 AM | 00,304,189 | ---- | M] () - C:\Documents and Settings\blogan\Desktop\RSIT.exe
[08/21/2008 01:44 PM | 00,000,084 | -HS- | M] () - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

< End of report >
  • 0

#11
logs4 (Topic Starter, Member, 12 posts)
Extras.txt log

OTViewIt Extras logfile created on: 9/1/2008 10:01:59 PM - Run 1
OTViewIt by OldTimer - Version 1.0.1.7 Folder = C:\Documents and Settings\blogan\Desktop
Windows XP Professional Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.36 Mb Total Physical Memory | 233.18 Mb Available Physical Memory | 22.97% Memory free
2.40 Gb Paging File | 1.57 Gb Available in Paging File | 65.45% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 54.64 Gb Free Space | 73.32% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[08/29/2002 06:00 AM | 00,129,024 | ---- | M] (Microsoft Corporation)

"C:\Program Files\Logitech\Harmony Remote\HarmonyClient" = C:\Program Files\Logitech\Harmony Remote\HarmonyClient:*:Enabled:Logitech Harmony Remote Software
[07/26/2005 12:35 PM | 00,091,672 | R--- | M] (Logitech )

"C:\Program Files\Logitech\Harmony Remote\PatchHelper.exe" = C:\Program Files\Logitech\Harmony Remote\PatchHelper.exe:*:Enabled:Remote Control Software Patch Helper
File not found

"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program
[08/29/2002 06:00 AM | 00,040,448 | ---- | M] (Microsoft Corporation)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
[09/26/2007 02:41 PM | 15,997,240 | ---- | M] (Apple Inc.)

"C:\Program Files\Juniper Networks\Network Connect 5.3.0\dsNetworkConnect.exe" = C:\Program Files\Juniper Networks\Network Connect 5.3.0\dsNetworkConnect.exe:*:Enabled:Network Connect
[11/20/2006 09:55 PM | 00,671,744 | ---- | M] (Juniper Networks)

"C:\Program Files\SharkModem\SharkModem.exe" = C:\Program Files\SharkModem\SharkModem.exe:*:Enabled:SharkModem executable
[10/16/2006 12:29 PM | 00,376,832 | ---- | M] (Mobishark)

"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[10/18/2007 11:34 AM | 05,724,184 | ---- | M] (Microsoft Corporation)

"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)
[10/02/2007 05:18 PM | 00,304,488 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[08/29/2002 06:00 AM | 00,129,024 | ---- | M] (Microsoft Corporation)

"C:\Program Files\NetMeeting\conf.exe" = C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®
[08/29/2002 06:00 AM | 00,995,328 | ---- | M] (Microsoft Corporation)

"C:\Program Files\Neoteris\Network Connect\ncui.exe" = C:\Program Files\Neoteris\Network Connect\ncui.exe:*:Enabled:Network Connect UI
File not found

"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[10/13/2004 12:24 PM | 01,694,208 | ---- | M] (Microsoft Corporation)

"C:\Program Files\Logitech\Harmony Remote\HarmonyClient" = C:\Program Files\Logitech\Harmony Remote\HarmonyClient:*:Enabled:Logitech Harmony Remote Software
[07/26/2005 12:35 PM | 00,091,672 | R--- | M] (Logitech )

"C:\Program Files\Logitech\Harmony Remote\PatchHelper.exe" = C:\Program Files\Logitech\Harmony Remote\PatchHelper.exe:*:Enabled:Remote Control Software Patch Helper
File not found

"C:\WINDOWS\system32\fwupdat.exe" = C:\WINDOWS\system32\fwupdat.exe:*:Enabled:Windows Firewall Updater
File not found

"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe
[02/19/2006 04:21 AM | 00,288,472 | ---- | M] (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe
[02/19/2006 05:24 AM | 00,239,320 | ---- | M] (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe
[03/09/2006 04:11 AM | 00,231,128 | ---- | M] (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe
[03/09/2006 01:28 AM | 00,040,960 | ---- | M] (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe
[03/09/2006 03:41 AM | 00,087,768 | ---- | M] (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe
[02/17/2006 12:19 AM | 00,192,512 | ---- | M] ()

"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe
[02/16/2006 10:49 PM | 01,085,440 | R--- | M] (Hewlett-Packard)

"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe
[03/09/2006 04:04 AM | 00,181,976 | ---- | M] (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe
[02/15/2006 10:37 AM | 00,147,511 | R--- | M] (Hewlett-Packard)

"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe
[03/09/2006 01:38 AM | 00,454,656 | ---- | M] (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe
[02/09/2006 04:43 PM | 00,110,592 | R--- | M] (Hewlett-Packard)

"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe
[02/09/2006 04:41 PM | 00,573,440 | ---- | M] ( )

"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe
[03/09/2006 03:40 AM | 00,063,192 | ---- | M] (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe
[02/19/2006 05:29 AM | 00,139,264 | ---- | M] (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\Grisoft\AVG7\avginet.exe" = C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe
[04/19/2008 06:31 PM | 00,510,976 | ---- | M] (GRISOFT, s.r.o.)

"C:\Program Files\Grisoft\AVG7\avgamsvr.exe" = C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe
[10/24/2007 09:57 AM | 00,418,816 | ---- | M] (GRISOFT, s.r.o.)

"C:\Program Files\Grisoft\AVG7\avgcc.exe" = C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe
[04/19/2008 06:31 PM | 00,579,584 | ---- | M] (GRISOFT, s.r.o.)

"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[10/18/2007 11:34 AM | 05,724,184 | ---- | M] (Microsoft Corporation)

"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)
[10/02/2007 05:18 PM | 00,304,488 | ---- | M] (Microsoft Corporation)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
[09/26/2007 02:41 PM | 15,997,240 | ---- | M] (Apple Inc.)

"C:\WINDOWS\Temp\.tt23.tmp" = C:\WINDOWS\Temp\.tt23.tmp:*:Enabled:enable
File not found

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] - "%1" %*
.cmd [@ = cmdfile] - "%1" %*
.com [@ = comfile] - "%1" %*
.exe [@ = exefile] - "%1" %*
.pif [@ = piffile] - "%1" %*
.scr [@ = scrfile] - "%1" %*

========== Winsock2 Catalogs ==========

========== HKEY_LOCAL_MACHINE Protocol Defaults ==========


========== HKEY_CURRENT_USER Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]
msdaipp: [HKLM - No CLSID value]

vnd.ms.radio:{3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} [HKLM - AsyncPProt Class]
[08/29/2002 06:00 AM | 00,842,268 | ---- | M] () C:\WINDOWS\system32\msdxm.ocx

========== Protocol Filters ==========

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{036AA4D4-6D32-11D4-9875-00105ACE7734}" = Logitech iTouch Software
"{03CE1BCB-03F5-4C6A-B37E-69799AA3C544}" = SpyHunter
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}" = Security Update for CAPICOM (KB931906)
"{0F9196C6-58B4-445B-B56E-B1200FECC151}" = Microsoft Bootvis
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1CA6B13D-32F3-4998-9DC5-13A1ECD88E1D}" = BlackBerry v4.1.0 for the 7130e Series Wireless Device
"{1F528948-0E80-4C96-B455-DE4167CB1DF7}" = Internal Network Card Power Management
"{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB}" = iPod for Windows 2006-03-23
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{28DA872A-0848-48CF-B749-19A198157A2A}" = mDriver
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{33CFCF98-F8D6-4549-B469-6F4295676D83}" = Symantec AntiVirus
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone
"{37477865-A3F1-4772-AD43-AAFC6BCFF99F}" = MSXML 4.0 SP2 (KB927978)
"{37E1EB56-C59B-4C5C-B0B3-B5076046EF8A}" = BlackBerry Desktop Software 4.2
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{3EBD3749-304E-4A4C-9575-C00E5F015217}" = Apple Mobile Device Support
"{407D3326-F85D-4C09-91C1-AA8BA85E06D3}" = BlackBerry Web Tool for DST 2007 Device Updates
"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{52503B4E-149A-4731-A6FF-495067EABFDC}" = TI_Inst
"{5809E7CF-4DCF-11D4-9875-00105ACE7734}" = Logitech MouseWare 9.75
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.1
"{68763C27-235D-4165-A961-FDEA228CE504}" = AiOSoftwareNPI
"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
"{6994491D-D491-48F1-AE1F-E179C1FFFC2F}" = HP Photosmart Essential
"{6DD9963C-271A-4A14-82B0-4DC148C52E58}" = LaCie Backup Software v1.5.2215
"{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore
"{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}" = mIWCA
"{70D040E8-C756-4B59-A1FC-B758D9A0792D}" = Lotus Notes 6.5.3
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7228CB73-80E9-48D3-A7FD-C2A242686AB3}" = Microsoft Office Live Meeting 2005
"{736C803C-DD3B-4015-BC51-AFB9E67B9076}" = Readme
"{73F1BDB7-11E1-11D5-9DC6-00C04F2FC33B}" = OMCI
"{76E4A642-BC3E-438A-8450-0C15A36B5B18}" = MetaFrame Presentation Server Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7CD7A451-7224-49C8-95EF-9A1859C66607}" = mZConfig
"{7E7B7865-6C80-4373-8BC1-C2EB9431F9DE}" = ProductContextNPI
"{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{8A4CE7FD-9657-4B06-9943-E1819F3D5D67}" = DocProc
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver for Mobile
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
"{90120409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Standard
"{901A0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Outlook 2003
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow! Plus
"{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}" = QuickTime
"{98DF85D9-96C0-4F57-A92E-C3539477EF5E}" = DVDSentry
"{996512CF-F35B-48DE-9291-557FA5316967}" = ScannerCopy
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{9FC8D8F8-AF3A-4488-98AF-51C6DEC732F2}" = c3100_Help
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{A8AD990E-355A-4413-8647-A9B168978423}_is1" = UltraVNC v1.0.1
"{A9F5421F-DA70-4C77-BB97-8D77EC33ED5E}" = HP Photosmart and Deskjet 7.0.A
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0.8
"{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}" = Windows Live Sign-in Assistant
"{B045B608-4A47-4C77-9EAD-06C394503306}" = iTunes
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}" = HP Software Update
"{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}" = Windows Rights Management Client with Service Pack 2
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA
"{CA9BAADB-C262-4E05-B2E2-CEE8CE9809EC}" = mToolkit
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D6F4C205-BD52-4E4B-8444-64F2A1A12F45}" = Draft Analyzer
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{D8A396DD-B7E8-4ED2-917F-BE8D5D86B196}" = Logitech Harmony Remote Software
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{EB8C9964-09AC-48bf-8B98-027609C78251}" = C3100
"{EC905264-BCFE-423B-9C42-C3A106266790}" = Windows Rights Management Client Backwards Compatibility SP2
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC
"{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan
"{F6076EF9-08E1-442F-B6A2-BFB61B295A14}" = Fax_CDA
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations
"{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}" = NewCopy_CDA
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"ActiveTouchMeetingClient" = WebEx
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"Audacity_is1" = Audacity 1.2.6
"Avaya Intuity Message Manager" = Avaya Intuity Message Manager
"AVG7Uninstall" = AVG 7.5
"BlackBerry_{37E1EB56-C59B-4C5C-B0B3-B5076046EF8A}" = BlackBerry Desktop Software 4.2
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Utility
"CinemaForge" = CinemaForge
"CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1" = Conexant D110 MDC V.92 Modem
"DivX Content Uploader" = DivX Content Uploader
"ERUNT_is1" = ERUNT 1.1j
"ESPN RunTime" = ESPN RunTime
"HijackThis" = HijackThis 2.0.2
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"hp photosmart printer series" = hp photosmart printer series (Remove only)
"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0
"HPOCR" = OCR Software by I.R.I.S 7.0
"InstallShield_{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB}" = iPod for Windows 2006-03-23
"InstallShield_{52503B4E-149A-4731-A6FF-495067EABFDC}" = Texas Instruments PCIxx21/x515 drivers.
"InstallShield_{D8A396DD-B7E8-4ED2-917F-BE8D5D86B196}" = Logitech Harmony Remote Software
"JDA Forecast Version 8" = JDA Forecast Version 8
"JDA PriceBook V8" = JDA PriceBook V8
"Juniper Network Connect 5.3.0" = Juniper Networks Network Connect 5.3.0
"KB842773" = Windows XP Hotfix - KB842773
"KB892130" = Windows Genuine Advantage Validation Tool (KB892130)
"KB928365.T1_1ToU569_1" = Security Update for Microsoft .NET Framework 2.0 (KB928365)
"KB931906" = Security Update for CAPICOM (KB931906)
"LiveUpdate" = LiveUpdate 3.1 (Symantec Corporation)
"Logitech Resource Center" = Logitech Resource Center
"M886903" = Microsoft .NET Framework 1.1 Hotfix (KB886903)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"MSNINST" = MSN
"No Adware No Spyware_is1" = No Adware No Spyware 1.0.0.0
"Oracle JInitiator 1.1.8.16" = Oracle JInitiator 1.1.8.16
"Passware Kit Enterprise Demo" = Passware Kit Enterprise 8.3 Demo
"PatchLink Update Agent" = PatchLink Update Agent
"PowerCHART" = PowerCHART! - Patch 3
"PrimoPDF4.1.0.9" = PrimoPDF
"ProInst" = Intel® PROSet/Wireless Software
"RADAR123" = RADAR 1-2-3 2.1.2
"RealVNC_is1" = VNC Free Edition 4.1.2
"SharkModem" = SharkModem 2.0
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"ST6UNST #1" = AXS-One Swift 7.11
"WGA" = Windows Genuine Advantage Validation Tool (KB892130)
"WgaNotify" = Windows Genuine Advantage Notifications (KB905474)
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar for Internet Explorer
"Yahoo! Toolbar" = Yahoo! Toolbar

========== HKEY_CURRENT_USER Uninstall List ==========


========== HKEY_USERS Uninstall List ==========


========== HKEY_USERS Uninstall List ==========


========== HKEY_USERS Uninstall List ==========


========== HKEY_USERS Uninstall List ==========


========== HKEY_USERS Uninstall List ==========


========== Last 10 Event Log Errors ==========


[ Application Events ]
Error - 9/1/2008 7:35:44 PM - Computer Name = BLOGAN4 - User Name = ENTERPRISE\blogan - Source = Symantec AntiVirus
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Allocation Memory Action Taken: Blocked Actor Process:
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe (PID 5556) Time:
Monday, September 01, 2008 3:35:44 PM

Error - 9/1/2008 7:35:44 PM - Computer Name = BLOGAN4 - User Name = ENTERPRISE\blogan - Source = Symantec AntiVirus
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Common Files\Symantec
Shared\ccApp.exe Event Info: Allocation Memory Action Taken: Blocked Actor Process:
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe (PID 5556) Time:
Monday, September 01, 2008 3:35:44 PM

Error - 9/1/2008 7:35:44 PM - Computer Name = BLOGAN4 - User Name = ENTERPRISE\blogan - Source = Symantec AntiVirus
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Allocation Memory Action Taken: Blocked Actor Process:
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe (PID 5556) Time:
Monday, September 01, 2008 3:35:44 PM

Error - 9/1/2008 7:35:44 PM - Computer Name = BLOGAN4 - User Name = ENTERPRISE\blogan - Source = Symantec AntiVirus
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Common Files\Symantec
Shared\ccApp.exe Event Info: Allocation Memory Action Taken: Blocked Actor Process:
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe (PID 5556) Time:
Monday, September 01, 2008 3:35:44 PM

Error - 9/1/2008 7:35:44 PM - Computer Name = BLOGAN4 - User Name = ENTERPRISE\blogan - Source = Symantec AntiVirus
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\DoScan.exe Event Info: Allocation Memory Action Taken: Blocked Actor Process:
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe (PID 5556) Time:
Monday, September 01, 2008 3:35:44 PM

Error - 9/1/2008 7:35:44 PM - Computer Name = BLOGAN4 - User Name = ENTERPRISE\blogan - Source = Symantec AntiVirus
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\DoScan.exe Event Info: Allocation Memory Action Taken: Blocked Actor Process:
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe (PID 5556) Time:
Monday, September 01, 2008 3:35:44 PM

Error - 9/1/2008 9:19:18 PM - Computer Name = BLOGAN4 - User Name = NT AUTHORITY\SYSTEM - Source = Userenv
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 9/1/2008 9:20:18 PM - Computer Name = BLOGAN4 - User Name = User SID not found - Source = AutoEnrollment
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 9/1/2008 10:02:52 PM - Computer Name = BLOGAN4 - User Name = NT AUTHORITY\SYSTEM - Source = Userenv
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 9/1/2008 10:05:10 PM - Computer Name = BLOGAN4 - User Name = User SID not found - Source = Perflib
Description = The timeout waiting for the performance data collection function "Outlook"
in
the "C:\PROGRA~1\COMMON~1\SYSTEM\MSMAPI\1033\MSMAPI32.DLL" Library to finish has
expired. There may be a problem with this extensible counter or the service it is
collecting data from or the system may have been very busy when this call was attempted.


[ RASAdHoc Events ]

[ Security Events ]

[ System Events ]
Error - 9/1/2008 7:29:53 PM - Computer Name = BLOGAN4 - User Name = User SID not found - Source = Service Control Manager
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 9/1/2008 7:29:53 PM - Computer Name = BLOGAN4 - User Name = User SID not found - Source = Service Control Manager
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 9/1/2008 7:29:58 PM - Computer Name = BLOGAN4 - User Name = User SID not found - Source = Service Control Manager
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 9/1/2008 7:29:58 PM - Computer Name = BLOGAN4 - User Name = User SID not found - Source = Service Control Manager
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 9/1/2008 7:30:03 PM - Computer Name = BLOGAN4 - User Name = User SID not found - Source = Service Control Manager
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 9/1/2008 7:30:03 PM - Computer Name = BLOGAN4 - User Name = User SID not found - Source = Service Control Manager
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 9/1/2008 7:30:09 PM - Computer Name = BLOGAN4 - User Name = User SID not found - Source = Service Control Manager
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 9/1/2008 7:30:09 PM - Computer Name = BLOGAN4 - User Name = User SID not found - Source = Service Control Manager
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 9/1/2008 7:30:14 PM - Computer Name = BLOGAN4 - User Name = User SID not found - Source = Service Control Manager
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 9/1/2008 7:30:14 PM - Computer Name = BLOGAN4 - User Name = User SID not found - Source = Service Control Manager
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2


< End of report >

#12
fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello, please uninstall No Adware No Spyware from your computer.

Tell me, do you know the file below? If not, please delete it.

C:\Documents and Settings\blogan\Desktop\rgfix25439.reg


NEXT

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right-click on OTMoveit2.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Program Files\NoAdware.com
    C:\WINDOWS\tmp7404078.bat
    C:\Documents and Settings\blogan\Desktop\No Adware No Spyware.lnk
    C:\WINDOWS\Temp\.tt23.tmp
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\No Adware No Spyware
    HKEY_USERS\S-1-5-21-12604286-1649964785-1244796221-24336\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\No Adware No Spyware
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\Temp\.tt23.tmp
    EmptyTemp
    purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the OTMoveIt2 link above is broken, please use this link instead.

NEXT

Please download and install the latest Java from HERE


After that, please run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop, right-click the icon to open the browser and choose Run as Administrator.


  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.


When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect; however, we need to analyze the information in the report.

To obtain the report:
  • Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.




Please post these logs in your next reply. Post each log in a separate post.

1. OTMoveIt2
2. Kaspersky Online
3. A fresh HijackThis log (after Kaspersky step)
4. Tell me about your computer's behaviour.



Regards
fenzodahl512

#13
logs4

    Member

  • Topic Starter
  • Member
  • 12 posts
OTMoveIt2 log

Explorer killed successfully
File/Folder C:\Program Files\NoAdware.com not found.
File/Folder C:\WINDOWS\tmp7404078.bat not found.
File/Folder C:\Documents and Settings\blogan\Desktop\No Adware No Spyware.lnk not found.
File/Folder C:\WINDOWS\Temp\.tt23.tmp not found.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\No Adware No Spyware >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\No Adware No Spyware not found.
< HKEY_USERS\S-1-5-21-12604286-1649964785-1244796221-24336\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\No Adware No Spyware >
Registry value HKEY_USERS\S-1-5-21-12604286-1649964785-1244796221-24336\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\No Adware No Spyware not found.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\Temp\.tt23.tmp >
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\Temp\.tt23.tmp not found.
< EmptyTemp >
File delete failed. C:\DOCUME~1\blogan\LOCALS~1\Temp\hpodvd09.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\blogan\LOCALS~1\Temp\Perflib_Perfdata_704.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\blogan\LOCALS~1\Temp\hsperfdata_blogan\2764 scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09012008_225038

Files moved on Reboot...
C:\DOCUME~1\blogan\LOCALS~1\Temp\hpodvd09.log moved successfully.
File C:\DOCUME~1\blogan\LOCALS~1\Temp\Perflib_Perfdata_704.dat not found!
File C:\DOCUME~1\blogan\LOCALS~1\Temp\hsperfdata_blogan\2764 not found!
File C:\WINDOWS\temp\TMP000000661B5D326A7983120E not found!
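Added example, not part of this thread and not OTMoveIt2's own code: a small Python script that parses the fix list from post #12 into typed actions, states why each target was listed (a value under CurrentVersion\Run is started at every logon; a value under FirewallPolicy\...\AuthorizedApplications\List is a Windows Firewall allow-list entry, here for a file in C:\WINDOWS\Temp), and reconciles the list against the result lines of the pre-reboot log in post #13. The parsing rules (a [...] line is a command, a doubled backslash separates a registry key from its value name, a bare word such as EmptyTemp or purity is a built-in) are my reading of the list as used in this thread, not a documented specification of the tool, and the "removed", "not found", "pending reboot" and "unaccounted" labels are this script's own.

```python
import re
from dataclasses import dataclass

# Fix list (post #12) and result lines of the pre-reboot log (post #13),
# transcribed from the thread. Example code, not OTMoveIt2's own.
FIX_LIST = r"""
[kill explorer]
C:\Program Files\NoAdware.com
C:\WINDOWS\tmp7404078.bat
C:\Documents and Settings\blogan\Desktop\No Adware No Spyware.lnk
C:\WINDOWS\Temp\.tt23.tmp
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\No Adware No Spyware
HKEY_USERS\S-1-5-21-12604286-1649964785-1244796221-24336\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\No Adware No Spyware
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\Temp\.tt23.tmp
EmptyTemp
purity
[start explorer]
"""

MOVE_LOG = r"""
Explorer killed successfully
File/Folder C:\Program Files\NoAdware.com not found.
File/Folder C:\WINDOWS\tmp7404078.bat not found.
File/Folder C:\Documents and Settings\blogan\Desktop\No Adware No Spyware.lnk not found.
File/Folder C:\WINDOWS\Temp\.tt23.tmp not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\No Adware No Spyware not found.
Registry value HKEY_USERS\S-1-5-21-12604286-1649964785-1244796221-24336\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\No Adware No Spyware not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\Temp\.tt23.tmp not found.
Explorer started successfully
"""


@dataclass
class Action:
    kind: str        # "command", "builtin", "file" or "regvalue"
    target: str      # command text, built-in name, file path or registry key
    value: str = ""  # value name (regvalue only)


def parse_fix_list(text):
    """Turn each non-empty line of the list into a typed Action (my reading of the format)."""
    actions = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            actions.append(Action("command", line[1:-1]))
        elif line.startswith("HKEY_"):
            key, _, name = line.partition("\\\\")  # key \\ value-name
            actions.append(Action("regvalue", key, name))
        elif re.match(r"^[A-Za-z]:\\", line):
            actions.append(Action("file", line))
        else:
            actions.append(Action("builtin", line))
    return actions


def in_temp_dir(path):
    return "\\temp\\" in path.lower() or "\\tmp\\" in path.lower()


def why_listed(a):
    """Name the persistence or egress mechanism a target represents."""
    if a.kind == "regvalue":
        key = a.target.lower()
        if key.endswith("\\currentversion\\run"):
            return "autorun: '%s' is started at every logon" % a.value
        if "\\firewallpolicy\\" in key and "\\authorizedapplications\\" in key:
            where = " in a temp directory" if in_temp_dir(a.value) else ""
            return "Windows Firewall allow-list entry for %s%s" % (a.value, where)
        return "registry value"
    if a.kind == "file":
        if in_temp_dir(a.target):
            return "file dropped in a temp directory"
        return "shortcut" if a.target.lower().endswith(".lnk") else "program file or folder"
    return a.kind


def reconcile(actions, log):
    """Map each file/registry target to the outcome the log reports for it."""
    outcomes, lines = {}, [l.strip() for l in log.splitlines()]
    for a in actions:
        if a.kind == "file":
            needle = a.target
            hits = [l for l in lines if needle in l and l.startswith(("File", needle))]
        elif a.kind == "regvalue":
            needle = a.target + "\\\\" + a.value
            hits = [l for l in lines if l.startswith("Registry value " + needle)]
        else:
            continue
        status = "unaccounted"  # no log line mentions the target at all
        for l in hits[:1]:
            if "not found" in l:
                status = "not found"
            elif "successfully" in l:
                status = "removed"
            elif "scheduled" in l:
                status = "pending reboot"
        outcomes[needle] = status
    return outcomes


def unresolved(outcomes):
    """Targets that still need a follow-up after the run (reboot or re-check)."""
    return [t for t, s in outcomes.items() if s in ("unaccounted", "pending reboot")]
```

Run against the two transcripts, every target comes back "not found", so there was nothing left for OTMoveIt2 to move and the fresh HijackThis log requested later is what confirms the entries are really gone. A target that stays "pending reboot" (the "scheduled to be deleted on reboot" lines) or "unaccounted" is the one to check again after the restart.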

#14
fenzodahl512

  • Malware Removal
  • 9,863 posts
OK, waiting for the other logs :)

#15
logs4

    Member

  • Topic Starter
  • Member
  • 12 posts
Kscan

KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, September 2, 2008
Operating System: Microsoft Windows XP Professional Service Pack 1 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, September 02, 2008 01:32:50
Records in database: 1176704
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\blogan\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 28246
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 00:54:43


File name / Threat name / Threats count
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\Symantec Client Security\Symantec AntiVirus\o Infected: Trojan-Downloader.BAT.Ftp.ab 1
C:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1

The selected area was scanned.
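Added example, not from the thread and not Kaspersky's code: Python that parses the result lines of the report above and separates riskware (the not-a-virus: prefix, here two VNC components, which are legitimate remote-administration tools if the user installed them knowingly) from real detections, and flags the Symantec AntiVirus\o entry because a one-letter filename with no extension is not what a product directory normally contains. The line format is read from this report; the odd-filename rule is my own heuristic, not a scanner feature.

```python
import re
from collections import namedtuple

# Result lines transcribed from the Kaspersky Online Scanner report above.
# Example code, not the scanner's own; the "not-a-virus:" convention is as
# it appears in this report, the odd-filename rule is my heuristic.
KSCAN_REPORT = r"""
File name / Threat name / Threats count
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\Symantec Client Security\Symantec AntiVirus\o Infected: Trojan-Downloader.BAT.Ftp.ab 1
C:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1

The selected area was scanned.
"""

Finding = namedtuple("Finding", "path threat count category note")

# <drive>:\<path with spaces> Infected: <threat name> <count>
RESULT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def odd_filename(path):
    """Heuristic: a file with no extension, or a one-character stem."""
    name = path.rsplit("\\", 1)[-1]
    stem = name.split(".")[0]
    return "." not in name or len(stem) <= 1


def classify(path, threat):
    if threat.startswith("not-a-virus:"):
        family = threat.split(":", 1)[1].split(".", 1)[0]  # e.g. RemoteAdmin
        return "riskware", "%s tool; confirm the user installed it on purpose" % family
    note = threat.split(".", 1)[0]  # e.g. Trojan-Downloader
    if odd_filename(path):
        note += "; unusual filename, not a normal product file"
    return "malware", note


def parse_report(text):
    findings = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue  # header, blank and summary lines carry no detection
        cat, note = classify(m.group("path"), m.group("threat"))
        findings.append(Finding(m.group("path"), m.group("threat"), int(m.group("count")), cat, note))
    return findings


def needs_removal(findings):
    """Paths to put on the next fix list: real detections, not riskware."""
    return [f.path for f in findings if f.category == "malware"]
```

Riskware entries are a question for the machine's owner, not a removal target by themselves; the only path this returns for removal is the file named "o" under the Symantec AntiVirus folder, which is the entry the next fix list should deal with.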