> Klone.t And Basefdrn32.dll, Need help removing this infection, please
capt.frito
post Jul 30 2008, 07:43 AM
Post #16


Member
**

Group: Members
Posts: 24
Joined: 28-June 08
Member No.: 219,148



Hi Billy

I added some firewalling stuff to my local network and connected this box to my network (completely ignoring the sick feeling I got doing it). It's trying to update windohs now and then I will run the online scanner. I will post the results and a new HJT log when it completes.

best,
Frito
capt.frito
post Jul 30 2008, 04:30 PM
Post #17


Hi Billy

Here's an update. I tried to run the online scanner but Windows would not allow their unsigned ActiveX control to execute. I tried many things like adding the eset.com domain to the trusted zone and setting the security level for the trusted zone to "low", but still no joy.

So I proceeded to the Windows Update action item, and it did update some files, but nothing dramatic. It required a reboot, but when I came up that "basefdrn32.dll" file was missing and it kept self-rebooting. I put the file back and the machine booted but then the Ethernet port is no longer active (reports media state unplugged).

So no logs yet, but stay tuned... your suggestions are always welcomed :-)

best,
Frito
Billy O'Neal
post Jul 30 2008, 05:22 PM
Post #18


Multi Megaton Malware Munition
******

Group: HJT Team
Posts: 5,118
Joined: 17-January 08
From: Northfield, Ohio
Member No.: 184,215



Hello, Frito

Where did you replace the file to?

Please go to this page:
http://www.bleepingcomputer.com/submit-mal....php?channel=54

Where it asks for a link, enter <http://www.bleepingcomputer.com/forums/index.php?showtopic=154853>

Browse to a copy of that file you replaced.

Then press "Send File"

Thanks

Once you're back up and running we'll look at searching the registry and removing references to that nasty

Billy3


--------------------
The forum is always a busy place. In the event I fail to reply within twenty-four hours, feel free to send me a PM.
capt.frito
post Jul 31 2008, 08:34 AM
Post #19


Hi Billy

Okay, a power-cycle fixed the NIC issue. I uploaded the basefdrn32.dll file with comments. AVG and other virus scanners report this file is infected with klone.T. Removing it will halt boot when it looks for the file. I have no idea if this file is legitimate but infected, or is illegitimate on its face. But every 30 min or so the machine runs a svchost instance and hogs 100% CPU when it is present, then just stops and things return to "normal" for the next 30 min or so, and deleting it post-boot seems to stop that bad behavior. But, alas, other things begin to go bad if it's not there. We'll see, I suppose.

I have started the Windows Update again. Let's see if it gets as far as SP3 this time. Then I will try the eset.com scanner. Please have a look at the uploaded file, this is the one driving me mad.

best,
Frito
Billy O'Neal
post Jul 31 2008, 08:55 AM
Post #20



Hello, capt.frito.

DON'T run the ESET scanner yet... it may pull that file and leave your system unbootable. We have to remove the references to it first.

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: All files to your desktop.

QUOTE
RegSearch Options File

[Search]
basefdrn32.dll
[Exclude]

[Options]
Filter=KVDLUI


2. Download Registry Search to your desktop.
  • Right-click on the compressed RegSearch folder, and choose Extract All. In the box that pops open, click Next, then Next again, and then Finish. You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe.
  • Click Import in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s). A Notepad box will open with a report, please save the report on your desktop.
Please post the RegSearch report in your next reply.

In your next reply, please include the following:
  • Regsearch's log

Billy3


capt.frito
post Jul 31 2008, 10:27 AM
Post #21


Hi Billy

Here are the results.


Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 7/31/2008 9:19:30 AM for strings:
; 'basefdrn32.dll'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...


best,
Frito
Billy O'Neal
post Jul 31 2008, 11:06 AM
Post #22



Hello, capt.frito.
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.
We need to see if a file is a virus.
  1. Please click this link-->Jotti
  2. When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
    c:\windows\system32\drivers\pcdrndisuio.sys
  3. If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
  4. Please post back the results of the scan in your next post.

We need to scan for rootkits with GMER
  1. Please download gmer.zip and save to your desktop.
  2. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  3. When you have done this, disconnect from the Internet and close all running programs.
    Note: There is a small chance this application may crash your computer so save any work you have open.
  4. Double-click on Gmer.exe to start the program.
  5. Allow the gmer.sys driver to load if asked.
  6. If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  7. Click on "Settings", then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  8. You will be prompted to restart your computer. Please do so.
  9. Run Gmer again and click on the Rootkit tab.
  10. Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  11. Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
    Important! Please do not select the "Show all" checkbox during the scan.
  12. Click on the "Scan" and wait for the scan to finish.
    • Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  13. When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  14. Note: If you have any problems, try running GMER in Safe Mode

Please run Deckard's System Scanner again, this time using these instructions:
(In the event you lost your copy, you can download a new one from here: Deckard's System Scanner)
  1. Click on Start, click on Run
  2. Copy and paste the following in the open window and then click OK:
    CODE
    "%userprofile%\desktop\dss.exe" /config
  3. This will open up DSS configuration
  4. Click on Check All.
  5. Click Scan.
    DSS will now run again.
  6. Please post back both logs that open in notepad.
    Main.txt and Extra.txt

In your next reply, please include the following:
  • VirusTotal/Jotti's Log
  • GMER's Log
  • DSS's Main.txt
  • DSS's Extra.txt

Billy3


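Once the GMER log comes back, the helper's first question is which module owns each hook and whether GMER could attribute it to a known vendor at all: hooks from installed security products are expected, an unattributed hook is what needs a closer look. The following is an added example, not code from this thread or from GMER: a small Python triage script for GMER 1.0.14's line format (the format of the log posted later in this thread). The sample lines are constructed for it, one of them naming an invented hypothetical.sys to show an unattributed hook, and the parsing rules are this example's own assumptions about the format.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not GMER's code)."""
import re
from collections import defaultdict

# Constructed sample in GMER 1.0.14's line format. The hypothetical.sys line is
# invented to show how an unattributed SSDT hook is reported.
SAMPLE_LOG = r"""
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-31 11:27:30
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateKey [0xEFB747A6]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0xEFB70D0A]
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) IoCreateFile

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!_abnormal_termination + 148 804E27A4 1 Byte [ F0 ]
PAGE ntoskrnl.exe!NtClose 80566D49 5 Bytes JMP EF3D9B70 \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
SSDT \??\C:\WINDOWS\system32\drivers\hypothetical.sys ZwOpenProcess [0xF7A21C40]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F87931FC] GRFILTER.sys (NDIS Hooker driver/Global RISC)

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.14 ----
"""

# GMER appends "(description/vendor)" when it can map a hook to a loaded module
# that carries version information; hooks without that block are looked at first.
ATTRIBUTED = re.compile(r"(\S+?\.(?:sys|dll|exe))\s+\(([^/()]*)/([^()]*)\)", re.I)
# PAGE/.text/IAT lines name the patched or imported routine as image!symbol.
IMAGE_SYMBOL = re.compile(r"([A-Za-z0-9_.-]+\.(?:exe|dll|sys)![A-Za-z0-9_@]+)", re.I)
HEADER_PREFIXES = ("----", "GMER ", "Rootkit scan", "Windows ")


def parse_gmer(text):
    """Turn each hook line into {kind, target, module, vendor}; skip headers."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(HEADER_PREFIXES):
            continue
        tokens = line.split()
        kind = tokens[0]
        owners = ATTRIBUTED.findall(line)
        if owners:
            path, _desc, vendor = owners[-1]
            module, vendor = path.rsplit("\\", 1)[-1], vendor.strip()
        else:
            # No version block: keep the bare driver name if one is present.
            m = re.search(r"(\S+\.sys)\b", line, re.I)
            module, vendor = (m.group(1).rsplit("\\", 1)[-1] if m else None), None
        if kind in ("SSDT", "Code"):
            # The hooked routine is last, or just before a "[0x...]" hook address.
            target = tokens[-2] if tokens[-1].startswith("[0x") else tokens[-1]
        elif kind in ("Device", "AttachedDevice"):
            target = tokens[2]  # the device object being filtered
        else:
            m = IMAGE_SYMBOL.search(line)
            target = m.group(1) if m else None
        records.append({"kind": kind, "target": target, "module": module, "vendor": vendor})
    return records


def triage(text):
    """Group hooks by (module, vendor) and list the hooks GMER could not attribute."""
    by_module, unattributed = defaultdict(list), []
    for r in parse_gmer(text):
        if r["vendor"] is None:
            unattributed.append((r["kind"], r["module"], r["target"]))
        else:
            by_module[(r["module"], r["vendor"])].append(r["target"])
    return dict(by_module), unattributed


if __name__ == "__main__":
    grouped, unknown = triage(SAMPLE_LOG)
    for (module, vendor), targets in grouped.items():
        print(f"{module} ({vendor}): {', '.join(targets)}")
    for kind, module, target in unknown:
        print(f"UNATTRIBUTED {kind} hook on {target} (module: {module or 'not named'})")
```

In the log posted in this thread every SSDT, IAT and device hook resolves to an installed security product (PC Tools, Command Software, Global RISC, AVG), and only the two inline byte patches in ntoskrnl.exe carry no attribution; those are the lines a helper would reconcile against the hook addresses of the attributed drivers.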
capt.frito
post Jul 31 2008, 12:44 PM
Post #23


Hi Billy,

Here goes:

Jotti's log:

File: PcdrNdisuio.sys
Status:
OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 505cba425df3bb230f244e1c23221058
Packers detected:
-
Scanner results
Scan taken on 31 Jul 2008 17:38:46 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


GMER's log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-31 11:27:30
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateKey [0xEFB747A6]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xEFB71794]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xEFB71F1E]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteKey [0xEFB751F0]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteValueKey [0xEFB7542A]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwRenameKey [0xEFB7612A]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwSetValueKey [0xEFB7583C]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0xEFB70D0A]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xEFB70384]

Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) ZwClose [0xEF3D9B6C]
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) ZwCreateSection [0xEF3D9DD7]
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) ZwSetInformationFile [0xEF3D9255]
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) ZwWriteFile [0xEF3D8EA1]
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) IoCreateFile
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) NtClose
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) NtCreateSection
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) NtSetInformationFile
Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) NtWriteFile

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!_abnormal_termination + 148 804E27A4 1 Byte [ F0 ]
.text ntoskrnl.exe!_abnormal_termination + 14A 804E27A6 2 Bytes [ B7, EF ]
PAGE ntoskrnl.exe!NtCreateSection 8056461B 7 Bytes JMP EF3D9DDB \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
PAGE ntoskrnl.exe!NtClose 80566D49 5 Bytes JMP EF3D9B70 \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
PAGE ntoskrnl.exe!IoCreateFile 8056FAA3 5 Bytes JMP EF3D89CA \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
PAGE ntoskrnl.exe!NtSetInformationFile 80576E9C 5 Bytes JMP EF3D9259 \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
PAGE ntoskrnl.exe!NtWriteFile 80577145 7 Bytes JMP EF3D8EA5 \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)
PAGE Fastfat.SYS EF8B3948 7 Bytes JMP EF3DA3BE \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Spyware Doctor\pctsSvc.exe[420] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 67, 98, C3, 83 ]
.text C:\Program Files\Spyware Doctor\pctsTray.exe[596] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 8B, 96, C3, 83 ]
.text C:\WINDOWS\system32\SearchIndexer.exe[1172] kernel32.dll!WriteFile 7C810D87 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F87931A0] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F87931FC] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F879344A] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F8793426] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F8793426] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F87931FC] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F87931A0] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F879344A] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F879344A] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F8793426] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F87931FC] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F87931A0] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F8793426] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F87931A0] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F87931FC] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F879344A] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F87931A0] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F87931FC] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F8793426] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F879344A] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F8793426] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F87931FC] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F87931A0] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F87931A0] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F87931FC] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F879344A] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F8793426] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F8793426] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F879344A] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F87931A0] GRFILTER.sys (NDIS Hooker driver/Global RISC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F87931FC] GRFILTER.sys (NDIS Hooker driver/Global RISC)

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip GRTdiMon.sys (GRTdiMon TDI Filter Driver/Global RISC)
Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Tcp GRTdiMon.sys (GRTdiMon TDI Filter Driver/Global RISC)
Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Udp GRTdiMon.sys (GRTdiMon TDI Filter Driver/Global RISC)
Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\RawIp GRTdiMon.sys (GRTdiMon TDI Filter Driver/Global RISC)
Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST GRTdiMon.sys (GRTdiMon TDI Filter Driver/Global RISC)
Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.14 ----


DSS Main:

Deckard's System Scanner v20071014.68
Run by Compaq_Owner on 2008-07-31 11:29:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
88: 2008-07-31 17:30:05 UTC - RP194 - Deckard's System Scanner Restore Point
87: 2008-07-31 15:47:50 UTC - RP193 - Software Distribution Service 3.0
86: 2008-07-31 14:59:17 UTC - RP192 - Software Distribution Service 3.0
85: 2008-07-31 13:04:14 UTC - RP191 - Software Distribution Service 3.0
84: 2008-07-30 14:28:46 UTC - RP190 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-05-27 16:43:01 UTC - RP107 - System Checkpoint


Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Compaq_Owner.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:21 AM, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\program files\qwestinternetsecurity\iss\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\IRIS Desktop Search\IRISDesktopSearch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Compaq_Owner\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\COMPAQ~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\QwestInternetSecurity\ISS\app\AuthBHO.dll
O3 - Toolbar: I.R.I.S. Desktop Search - {577EBCA9-8ED3-45FC-A514-55B3817D4BCF} - C:\Program Files\IRIS Desktop Search\IRISDesktopSearchIntegration910.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Qwest Internet Security Services Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\QwestInternetSecurity\ISS\app\AuthBHO.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [I.R.I.S. Desktop Search] "C:\Program Files\IRIS Desktop Search\IRISDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O15 - Trusted Zone: http://www.eset.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186008886843
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\qwestinternetsecurity\iss\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7507 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080729-061242-765 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.myidentitydefender.com
backup-20080729-073746-146 O3 - Toolbar: (no name) - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 GRTdiMon (GR TDI Mon) - c:\windows\system32\drivers\grtdimon.sys <Not Verified; Global RISC; NSX>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>

S3 PcdrNdisuio (PCDRNDISUIO Usermode I/O Protocol) - c:\windows\system32\drivers\pcdrndisuio.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CurtainsSysSvc (Curtains for Windows System Service) - c:\program files\qwestinternetsecurity\iss\app\curtainssyssvcnt.exe <Not Verified; Authentium, Inc.; Curtains for Windows>
R2 dvpapi - "c:\program files\common files\command software\dvpapi.exe" <Not Verified; Command Software Systems, Inc.; Command AntiVirus for Windows>

S2 QBCFMonitorService (QuickBooks Database Manager Service) - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe" <Not Verified; Intuit; QuickBooks for Windows>
S3 gusvc (Google Updater Service) - "c:\program files\google\common\google updater\googleupdaterservice.exe" (file missing)
S3 QBFCService (Intuit QuickBooks FCS) - "c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe" <Not Verified; Intuit Inc.; QuickBooks 2007>
S4 Automatic LiveUpdate Scheduler - "c:\program files\symantec\liveupdate\aluschedulersvc.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

All modules okay.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-08 22:21:11 256 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-03-22 12:10:43 386 --a------ C:\WINDOWS\Tasks\rpc.job


-- Files created between 2008-06-30 and 2008-07-31 -----------------------------

2008-07-31 10:58:50 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Windows Search
2008-07-30 08:40:05 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Windows Desktop Search
2008-07-30 08:38:59 0 d-------- C:\Program Files\Windows Desktop Search
2008-07-30 08:38:58 0 d-------- C:\WINDOWS\system32\GroupPolicy
2008-07-30 08:36:35 0 d-------- C:\Program Files\MSBuild
2008-07-30 08:33:38 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-07-30 08:32:36 0 d-------- C:\Program Files\Reference Assemblies
2008-07-30 08:31:08 0 d-------- C:\0f4a0b4ae1dc4df89a0d2ed0c14a03e7
2008-07-30 08:31:04 0 d-------- C:\Program Files\MSXML 6.0
2008-07-30 06:30:11 0 d-------- C:\Program Files\xp-AntiSpy
2008-07-29 23:00:58 0 d-------- C:\Program Files\Java
2008-07-29 23:00:56 0 d-------- C:\Program Files\Common Files\Java
2008-07-29 06:07:52 0 d-------- C:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-07-29 23:00:56 0 d-------- C:\Program Files\Common Files
2008-07-24 10:45:11 0 d-------- C:\Program Files\Spyware Doctor
2008-07-03 22:42:59 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\AVGTOOLBAR
2008-06-27 06:15:07 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla
2008-06-27 06:09:55 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Talkback
2008-06-27 06:09:29 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-26 08:07:07 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Help
2008-06-25 23:24:07 0 d-------- C:\Program Files\Enigma Software Group
2008-06-25 12:23:52 0 d-------- C:\Program Files\AVG
2008-06-17 10:15:31 0 d-------- C:\Program Files\Common Files\Command Software
2008-06-10 22:22:58 0 d-------- C:\Program Files\NetFilter
2008-06-07 22:33:39 0 d--h----- C:\Program Files\Common Files\Authentium Shared
2008-06-07 22:33:30 0 d-------- C:\Program Files\QwestInternetSecurity
2008-06-05 22:37:04 0 d-------- C:\Program Files\History Clean
2008-06-02 20:45:10 0 d-------- C:\Program Files\Panicware


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
07/30/2008 06:56 AM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [07/30/2008 06:56 AM 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/30/2008 06:58 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"I.R.I.S. Desktop Search"="C:\Program Files\IRIS Desktop Search\IRISDesktopSearch.exe" [01/11/2006 07:37 AM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [03/01/2007 11:37 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [9/24/2005 1:28:44 AM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [9/24/2005 2:39:30 AM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [6/10/2007 2:09:14 AM]
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [5/26/2008 10:19:14 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)
"disabletaskmgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [05/26/2008 10:19 PM 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b72c2855-5cb9-11dd-b0c3-0011d8e623c2}]
AutoRun\command- F:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2008-07-31 11:33:03 ------------


DSS Extra:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.80GHz
Percentage of Memory in Use: 69%
Physical Memory (total/avail): 503.48 MiB / 155.7 MiB
Pagefile Memory (total/avail): 1230.25 MiB / 764.48 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1917.83 MiB

C: is Fixed (NTFS) - 68.56 GiB total, 52.09 GiB free.
D: is Fixed (FAT32) - 5.99 GiB total, 1.48 GiB free.
E: is CDROM (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Removable (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG SP0802N - 74.56 GiB - 2 partitions
\PARTITION0 - Unknown - 6 GiB - D:
\PARTITION1 (bootable) - Installable File System - 68.56 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Compaq_Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-F78BF48CE2
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Compaq_Owner
LOGONSERVER=\\YOUR-F78BF48CE2
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=c:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
USERDOMAIN=YOUR-F78BF48CE2
USERNAME=Compaq_Owner
USERPROFILE=C:\Documents and Settings\Compaq_Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Compaq_Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{71EEA108-09C9-4D81-8FA2-D48C70681242}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AnswerWorks 4.0 Runtime - English --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Blackhawk Striker 2 from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\BFAF1EEC-E987-415B-BCB8-80CDB0BC6CDF\Uninstall.exe"
Blasterball 2 from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\75528D5F-DD82-402E-BA7C-045B7DC6A712\Uninstall.exe"
Blasterball 2 Holidays from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\D06AB82F-D68E-405A-9886-AB8804291B6D\Uninstall.exe"
Blasterball 2 Remix from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\9D7E7CDA-051E-4B0D-8CEE-58F41F449CF9\Uninstall.exe"
Bounce Symphony from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\29FF6D07-4A15-41F1-9D5E-E0F3A58012C6\Uninstall.exe"
Crystal Maze from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\C43D84CD-EBFC-48D3-A330-7868C8AD415A\Uninstall.exe"
Data Fax SoftModem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2702&SUBSYS_8D88A259\HXFSETUP.EXE -U -IVEN_14F1&DEV_2702&SUBSYS_8D88A259
Easy Internet Sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8105684D-8CA6-440D-8F58-7E5FD67A499D} /l1033
Final Drive Nitro from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\657A0149-EEC7-4FB2-AB4F-CB7AA027748E\Uninstall.exe"
Form Fill (Windows Live Toolbar) --> MsiExec.exe /X{548B3DC6-2300-47E1-BA7B-74AD25F8DEBF}
GoToMeeting/GoToWebinar 3.0.0.198 --> C:\Program Files\Citrix\GoToMeeting\198\G2MUninstall.exe /uninstall
Help and Support Additions --> WScript.exe C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\eHelpSetup.jse eHelpUninstall
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Boot Optimizer --> MsiExec.exe /I{3BA95526-6AE0-4B87-A62D-17187EF565FC}
HP Imaging Device Functions 6.0 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Cameras 6.0 --> C:\Program Files\HP\Digital Imaging\{61CF89F5-5175-4b3b-ABB8-C89821252D50}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP Photosmart Premier Software 6.0 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 3.5 --> "C:\Program Files\HP\Digital Imaging\{18E0918E-1060-48f3-925C-56C82E88551B}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}
HP Solution Center and Imaging Support Tools 6.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
I.R.I.S. Desktop Search --> C:\Program Files\IRIS Desktop Search\uninst.exe
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE20E2F5-1903-4AAE-B1AF-2046E586C925}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
JumpStart World Presents Pet Playground --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\PetPlaygroundUn.exe
Lexibox Deluxe from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\F05A08BF-E600-4FBD-A53A-3D47296B1275\Uninstall.exe"
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
Memories Disc Creator 2.0 --> MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}
MetaFrame Presentation Server Web Client for Win32 --> C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
Metaphor Player Version 1.0 --> "C:\Program Files\Metaphor\unins000.exe"
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Dancer LE --> MsiExec.exe /X{1A103D70-5C9B-4E1A-B306-5106C68F9914}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
OneCare Advisor (Windows Live Toolbar) --> MsiExec.exe /X{53B2CFE9-A508-4457-B2CA-5D253536BFB7}
Overball from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\FA7F5211-C629-4711-BD82-7DFFB08CB518\Uninstall.exe"
PC-Doctor for Windows --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{19C989C4-50AE-43A4-B06E-8C70FFFF852F} /l1033
Phoenix Assault from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\CCCDE323-C76D-44DA-BB5B-B8ABE767756E\Uninstall.exe"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Polar Bowler from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\05E21449-3BA3-42BF-BBDA-95205F4EA40A\Uninstall.exe"
Polar Golfer from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\3330A279-CC39-4A17-AE19-DA464B26AD9A\Uninstall.exe"
Popup Blocker (Windows Live Toolbar) --> MsiExec.exe /X{66A7A386-6F35-41A7-A731-101F0C0153C8}
Python 2.2 pywin32 extensions (build 203) --> "C:\Python22\Removepywin32.exe" -u "C:\Python22\pywin32-wininst.log"
Python 2.2.3 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
QuickBooks Product Listing Service --> MsiExec.exe /I{91208A47-5D08-4C79-986F-1931940F51BB}
QuickBooks Simple Start Free Starter Edition --> msiexec.exe /I {71EEA108-09C9-4D81-8FA2-D48C70681242} UNIQUE_NAME="atomlimited" QBFULLNAME="QuickBooks Simple Start Free Starter Edition" ADDREMOVE=1 OEMVENDOR=DIRECT
Quicken 2005 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2DBE41DD-2129-4C65-A3D3-5647236A60F3} anything
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Qwest Internet Security Services --> "C:\Program Files\QwestInternetSecurity\ISS\app\Repair.exe" -REMOVE
Readiris Pro 11 --> MsiExec.exe /I{8CE0B1C5-15E9-4027-92F4-F63C57FEFD87}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Remove Adobe Photoshop Album 2.0 Starter Edition installer --> c:\\hp\\bin\\cloaker.exe commands /ww /lw:c:\\hp\\bin\\ifc\\Adobe_PhotoShop_Album\\lg.ini /c c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\ifc\\uninst.cmd ar
Remove Microsoft Money 2005 installer --> c:\\hp\\bin\\cloaker.exe commands /ww /lw:c:\\hp\\bin\\ifc\\Money\\lg.ini /c c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\ifc\\uninst.cmd ar
Remove WeatherBug installer --> c:\\hp\\bin\\cloaker.exe commands /ww /lw:c:\\hp\\bin\\ifc\\WeatherBug\\lg.ini /c c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\ifc\\uninst.cmd ar
Rhapsody --> C:\PROGRA~1\Rhapsody\Unwise32.exe /A C:\PROGRA~1\Rhapsody\install.log
Rhapsody Player Engine --> MsiExec.exe /I{8A62A068-3FD6-495A-9F66-26FE94F32EC9}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shooting Stars Pool from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\045C89A0-CA37-443C-8826-F750227DE69C\Uninstall.exe"
Slyder from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\8BA6F58B-7A91-461F-95F8-E34F8BD8AA4E\Uninstall.exe"
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Super Granny from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\DE87FA96-7840-420C-86F9-33F3B7B3CED1\Uninstall.exe"
SupportSoft Assisted Service --> MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
Tradewinds from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\66195170-D19D-46C5-8FB7-8A4630071ADC\Uninstall.exe"
TurboTax Home & Business 2007 --> C:\Program Files\TurboTax\Home & Business 2007\TaxUnst.EXE "C:\Program Files\TurboTax\Home & Business 2007\Uninstall.log" -NoGui
Watchtower Library 2006 - English Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{42EED331-936C-446E-9374-077F7B028518}\Setup.exe"
Watchtower Library 2007 - English --> C:\Program Files\Watchtower\Watchtower Library 2007\E\uninst.exe
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Outlook Toolbar (Windows Live Toolbar) --> MsiExec.exe /X{35E1A8C8-6646-4101-B0AA-42D1EB2AB3AE}
Windows Live Sign-in Assistant --> MsiExec.exe /I{0ED47137-C071-46CC-A243-E5E33271E10E}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
Windows Live Toolbar Feed Detector (Windows Live Toolbar) --> MsiExec.exe /X{68108E66-D13A-4EE8-A6F4-40E4B90C2A26}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Search 4.0 --> "C:\WINDOWS\$NtUninstallKB940157$\spuninst\spuninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->
xp-AntiSpy 3.96-8 --> C:\Program Files\xp-AntiSpy\Uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type9592 / Error
Event Submitted/Written: 07/31/2008 10:48:18 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application gmer.exe, version 1.0.14.14536, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type9581 / Error
Event Submitted/Written: 07/31/2008 09:27:01 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application regsearch.exe, version 2.0.5.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type9562 / Warning
Event Submitted/Written: 07/31/2008 09:02:03 AM
Event ID/Source: 0 / System.ServiceModel.Install 3.0.0.0
Event Description:
Could not detect IIS installation or IIS is disabled, skipping the Web Host Script Mappings component since it depends upon IIS to function properly.
If you believe this message is an error, check your IIS installation to make sure it is installed properly.

Event Record #/Type9522 / Error
Event Submitted/Written: 07/30/2008 08:40:31 AM
Event ID/Source: 3024 / Windows Search Service
Event Description:
The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again.

Context: Windows Application, SystemIndex Catalog

Event Record #/Type9521 / Warning
Event Submitted/Written: 07/30/2008 08:40:30 AM
Event ID/Source: 3036 / Windows Search Se