Virtumundo Infection/errorprotector.com Ad Popup/backdoor.win32.rbot.aeu Infection


  • This topic is locked
25 replies to this topic

#1 Wintcom

  • Members
  • 16 posts

Posted 11 September 2007 - 12:49 AM

I believe my browser has been hijacked. My settings are being automatically changed without my input. When my PC locks up and freezes, occasionally web sites that I have previously visited appear. Each day upon start-up of my computer a new .DLL error occurs. I use Mozilla Firefox as my primary browser. Below is a listing of some of the RUNDLL errors I receive daily.

RUNDLL

error loading C:\windows\nnmmnk.dll
specified module could not be found

error loading C:\windows\system32\licapi.dll
access is denied

error loading C:\windows\system32\comnst.dll
access is denied

error loading C:\windows\system32\psdll.dll
access is denied

error loading C:\windows\system32\empcfg.dll
access is denied

error loading C:\windows\system32\ATIDelp.dll
access is denied

error loading C:\windows\system32\booteds.dll
access is denied

error loading C:\windows\system32\ativhci.dll
access is denied

error loading C:\windows\system32\ctl3d8.dll
access is denied

error loading C:\windows\system32\INKock.dll
access is denied

error loading C:\windows\system32\c_1onv.dll
access is denied

error loading C:\windows\system32\dhccmd.dll
access is denied

error loading C:\windows\system32\kbchdi.dll
access is denied

error loading C:\windows\system32\anscnv.dll
access is denied

error loading C:\windows\system32\auturs.dll
access is denied

error loading C:\windows\system32\CIRver.dll
access is denied

error loading C:\windows\system32\nnmmnk.dll
access is denied

error loading C:\windows\system32\ir4edb.dll
access is denied

error loading C:\windows\system32\desime.dll
access is denied

error loading C:\windows\system32\mqtros.dll
access is denied

error loading C:\windows\system32\gdi3dfo.dll
access is denied

error loading C:\windows\system32\lmhlin.dll
access is denied

error loading C:\windows\system32\iasode.dll
access is denied



Here is a fresh HJT log for your review.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:22 AM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\A-squared\a-squared Free\a2service.exe
C:\Program Files\AdAware2007\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\AdAware2007\Ad-Watch2007.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\Findvundo.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {45290e26-7891-4465-9835-e9432ed73be5} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {b34866bf-22b1-4e4c-b5e3-e0a807d46dd2} - (no file)
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Ad-Watch] "C:\Program Files\AdAware2007\Ad-Watch2007.exe"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6172\SiteAdv.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\L Winters\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BE71A78B-77DB-451C-A761-59B37022D544} (AOL Newport Downloader Ctrl) - http://pictures.aolcdn.com/ap/Resources/1....-US.9.3.2.0.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: catvxx - catvxx.dll (file missing)
O20 - Winlogon Notify: ideoe64 - ideoe64.dll (file missing)
O20 - Winlogon Notify: kbdime - kbdime.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\A-squared\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\AdAware2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 12711 bytes

My "(no name)" log items showed "(no file)" at the end, and the Winlogon Notify entries show "(file missing)".

As you can see from the items in my log shown below, they are different from the example.

O2 - BHO: (no name) - {45290e26-7891-4465-9835-e9432ed73be5} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {b34866bf-22b1-4e4c-b5e3-e0a807d46dd2} - (no file)

O20 - AppInit_DLLs: c:\windows\system32\ddayyww.dll

O20 - Winlogon Notify: catvxx - catvxx.dll (file missing)

O20 - Winlogon Notify: ideoe64 - ideoe64.dll (file missing)

O20 - Winlogon Notify: kbdime - kbdime.dll (file missing)


Also, below are some recent malware problems picked up by my ZoneAlarm.

not-a-virus:AdWare.Win32.Virtumonde.ke

C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP503\A0147324.dll

C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP503\A0147325.dll

C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP503\A0147381.dll


Also, here is a fresh ComboFix log, just created in the hope that it will assist in determining the severity of the problems on my PC.

ComboFix 07-09-10.2 - "L Winters" 2007-09-09 23:16:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.354 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\LWINTE~1\APPLIC~1\tmp16.tmp.exe
C:\DOCUME~1\LWINTE~1\APPLIC~1\tmp25.tmp.exe
C:\DOCUME~1\LWINTE~1\APPLIC~1\tmp45.tmp.exe
C:\DOCUME~1\LWINTE~1\APPLIC~1\tmp54.tmp.exe
C:\DOCUME~1\LWINTE~1\APPLIC~1\tmp58.tmp.exe
C:\DOCUME~1\LWINTE~1\APPLIC~1\tmp5E.tmp.exe
C:\DOCUME~1\LWINTE~1\APPLIC~1\tmp69.tmp.exe
C:\DOCUME~1\LWINTE~1\APPLIC~1\tmp7.tmp.exe
C:\DOCUME~1\LWINTE~1\APPLIC~1\tmp9D.tmp.exe
C:\DOCUME~1\LWINTE~1\APPLIC~1\tmpC6.tmp.exe
C:\DOCUME~1\LWINTE~1\APPLIC~1\tmpC8.tmp.exe
C:\Program Files\windows
C:\Program Files\windows\WGAPluginInstall.exe
C:\Program Files\windows\Windows Live\Messenger\msimg32.dll
C:\Program Files\windows\Windows Media Connect 2\connectionmanager.xml
C:\Program Files\windows\Windows Media Connect 2\contentdirectory.xml
C:\Program Files\windows\Windows Media Connect 2\mediareceiverregistrar.xml
C:\Program Files\windows\Windows Media Connect 2\wmc_bw120.jpg
C:\Program Files\windows\Windows Media Connect 2\wmc_bw120.png
C:\Program Files\windows\Windows Media Connect 2\wmc_bw32.bmp
C:\Program Files\windows\Windows Media Connect 2\wmc_bw32.jpg
C:\Program Files\windows\Windows Media Connect 2\wmc_bw48.bmp
C:\Program Files\windows\Windows Media Connect 2\wmc_bw48.jpg
C:\Program Files\windows\Windows Media Connect 2\wmc_bw48.png
C:\Program Files\windows\Windows Media Connect 2\wmc_color120.jpg
C:\Program Files\windows\Windows Media Connect 2\wmc_color120.png
C:\Program Files\windows\Windows Media Connect 2\wmc_color32.bmp
C:\Program Files\windows\Windows Media Connect 2\wmc_color32.jpg
C:\Program Files\windows\Windows Media Connect 2\wmc_color48.bmp
C:\Program Files\windows\Windows Media Connect 2\wmc_color48.jpg
C:\Program Files\windows\Windows Media Connect 2\wmc_color48.png
C:\Program Files\windows\Windows Plus\Audio Converter\ACPlugIn.dll
C:\Program Files\windows\Windows Plus\Audio Converter\ACShellExt3.dll
C:\Program Files\windows\Windows Plus\Audio Converter\AudioConverter.exe
C:\Program Files\windows\Windows Plus\Audio Converter\Res\ACShellExt3UI.dll
C:\Program Files\windows\Windows Plus\Audio Converter\Res\AudioConverter.chm
C:\Program Files\windows\Windows Plus\Audio Converter\Res\AudioConverterUI.dll
C:\Program Files\windows\Windows Plus\CDLM\CDLM.exe
C:\Program Files\windows\Windows Plus\CDLM\CDLMPlugin.dll
C:\Program Files\windows\Windows Plus\CDLM\Images\Plus_Back_Section_Background.bmp
C:\Program Files\windows\Windows Plus\CDLM\Images\Plus_CD_Label_Background.bmp
C:\Program Files\windows\Windows Plus\CDLM\Images\Plus_Front_Section_Background.bmp
C:\Program Files\windows\Windows Plus\CDLM\Images\Plus_Label_Background.bmp
C:\Program Files\windows\Windows Plus\CDLM\Images\Plus_Left_Spine_Background.bmp
C:\Program Files\windows\Windows Plus\CDLM\Images\Plus_Right_Spine_Background.bmp
C:\Program Files\windows\Windows Plus\CDLM\Images\Plus_Spine_Background.bmp
C:\Program Files\windows\Windows Plus\CDLM\Res\CDLM.chm
C:\Program Files\windows\Windows Plus\CDLM\Res\CDLMPluginUI.dll
C:\Program Files\windows\Windows Plus\CDLM\Res\CDLMUI.dll
C:\Program Files\windows\Windows Plus\CDLM\Templates\A-One_CD_Case_Index_A4.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\A-One_CD_Index_148x296.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\A-One_CD_Label_148x296.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\apli_cd_label_a4_10039.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\apli_cd_label_a4_10041.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\apli_cd_label_a4_10166.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\apli_cd_label_a4_10294.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\apli_cd_label_a4_2001.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\APLI_CD_Label_A4_3268.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\avery_cd_insert_a4_j8432.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\avery_cd_insert_a4_j8435.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\avery_cd_insert_us_regular.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\avery_cd_label_5824.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\avery_cd_label_a4_full_face.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\avery_cd_label_a4_regular.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\avery_cd_label_us_full_face.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\avery_cd_label_us_regular.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\avery_maxell_cd_booklet_a4_c9358.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\avery_maxell_cd_insert_a4_c9357.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\avery_maxell_cd_label_a4_c95661.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\avery_maxell_cd_label_a4_full_face.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\avery_maxell_cd_label_a5_c95461.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\avery_maxell_cd_label_a5_c95462.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\basf_cd_label_a4_regular.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\cd_stomper_a4_insert.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\cd_stomper_cd_label__a4_regular.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\cd_stomper_cd_label__us_regular.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\cd_stomper_insert.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\data_becker_a4_insert.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\data_becker_cd_insert.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\data_becker_cd_label.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\data_becker_cd_label_a4_full_face.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\decadry_cd_label_a4_regular.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\elecom_cd_label_a4_regular.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\elecom_cd_label_a5.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\fellowes_cd_label_a4_regular.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\Fellowes_neato_a4_cd_booklet.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\fellowes_neato_a4_insert.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\fellowes_neato_cd_booklet.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\fellowes_neato_cd_insert.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\fellowes_neato_cd_label.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\Fellowes_neato_cd_slimline_insert.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\hisago_cd_booklet_cj692s.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\hisago_cd_insert_cj593s.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\hisago_cd_insert_cj691s.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\hisago_cd_insert_cj695s_back.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\hisago_cd_insert_cj695s_front.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\hisago_cd_label_a4_cj2847s.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\hisago_cd_label_a4_cj2884s.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\hisago_cd_label_a5_cj2846s.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\hisago_cd_label_a5_cj5000s.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\hisago_cd_label_cj2845s.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\hisago_cj2843s.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\hp_cd_inlay.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\hp_cd_label_us_regular.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\memorex_cd_insert.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\memorex_cd_label.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\nanacreate_inkjet_cdr_labels.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\office_cd_insert_a4.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\office_cd_label_a4_regular.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\pressit_cd_label_a4_regular.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\sanwa_inkjet_cdr_labels.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\SanwaSupply_CD_Booklet_A4.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\SanwaSupply_CD_Bottom_Index_A4.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\SanwaSupply_CD_Case_Index_A4.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\SanwaSupply_CD_Label_138x145_24mm.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\SanwaSupply_CD_Label_138x145_41mm.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\SanwaSupply_CD_Label_A4_24mm.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\SanwaSupply_CD_Label_A4_41mm.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\SanwaSupply_CD_Label_A5_24mm.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\SanwaSupply_CD_Label_A5_41mm.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\SanwaSupply_Slim_CD_Index_A4.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\Stick_it_Right_Ultimate_CD_Inserts.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\Stick_it_Right_Ultimate_CD_Inserts_Fold_Over.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\Stick_it_Right_Ultimate_CD_Labels.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\sure_thing_cd_label.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\tdk_a4_insert.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\trackfmt.txt
C:\Program Files\windows\Windows Plus\CDLM\Templates\versatile_cd_labels_2up.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\zweckform_cd_label_a4_regular.cdl
C:\Program Files\windows\Windows Plus\CDLM\Templates\zweckform_insert_32250.cdl
C:\Program Files\windows\Windows Plus\Dancer\Dancer.exe
C:\Program Files\windows\Windows Plus\Dancer\Dancers\Amanda_L.da2
C:\Program Files\windows\Windows Plus\Dancer\Dancers\Amanda_L.dn2
C:\Program Files\windows\Windows Plus\Dancer\Res\Dancer.chm
C:\Program Files\windows\Windows Plus\Dancer\Res\DancerUI.dll
C:\Program Files\windows\Windows Plus\Party Mode\Butterflies.jpg
C:\Program Files\windows\Windows Plus\Party Mode\Butterflies.wmz
C:\Program Files\windows\Windows Plus\Party Mode\Crystal_Clockwork.jpg
C:\Program Files\windows\Windows Plus\Party Mode\Crystal_Clockwork.wmz
C:\Program Files\windows\Windows Plus\Party Mode\Darkling.jpg
C:\Program Files\windows\Windows Plus\Party Mode\Darkling.wmz
C:\Program Files\windows\Windows Plus\Party Mode\Energy.jpg
C:\Program Files\windows\Windows Plus\Party Mode\Energy.wmz
C:\Program Files\windows\Windows Plus\Party Mode\focus.wav
C:\Program Files\windows\Windows Plus\Party Mode\Nature.jpg
C:\Program Files\windows\Windows Plus\Party Mode\Nature.wmz
C:\Program Files\windows\Windows Plus\Party Mode\Party_Mode.jpg
C:\Program Files\windows\Windows Plus\Party Mode\Party_Mode.wmz
C:\Program Files\windows\Windows Plus\Party Mode\PartyMode.exe
C:\Program Files\windows\Windows Plus\Party Mode\Plasma.jpg
C:\Program Files\windows\Windows Plus\Party Mode\Plasma.wmz
C:\Program Files\windows\Windows Plus\Party Mode\Res\PartyMode.chm
C:\Program Files\windows\Windows Plus\Party Mode\Res\PartyModeUI.dll
C:\Program Files\windows\Windows Plus\Party Mode\Sunburst.jpg
C:\Program Files\windows\Windows Plus\Party Mode\Sunburst.wmz
C:\Program Files\windows\WindowsXPMediaCenter2005-KB900325-usa.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\awtqn.exe
C:\WINDOWS\system32\awtqq.exe
C:\WINDOWS\system32\awtqr.exe
C:\WINDOWS\system32\awtsp.exe
C:\WINDOWS\system32\awtsq.exe
C:\WINDOWS\system32\awtst.exe
C:\WINDOWS\system32\awvtr.exe
C:\WINDOWS\system32\awvvs.exe
C:\WINDOWS\system32\awvvt.exe
C:\WINDOWS\system32\awvvu.exe
C:\WINDOWS\system32\awvvv.exe
C:\WINDOWS\system32\awvvw.exe
C:\WINDOWS\system32\azip32.dll
C:\WINDOWS\system32\cry11n.dll
C:\WINDOWS\system32\ddaby.exe
C:\WINDOWS\system32\ddayv.exe
C:\WINDOWS\system32\ddayyww.dll
C:\WINDOWS\system32\ddccc.exe
C:\WINDOWS\system32\ddccd.exe
C:\WINDOWS\system32\ddccy.exe
C:\WINDOWS\system32\ddcya.exe
C:\WINDOWS\system32\ddcyv.exe
C:\WINDOWS\system32\ddcyx.exe
C:\WINDOWS\system32\dn60b47ab6.dat
C:\WINDOWS\system32\dzgtactx.dll
C:\WINDOWS\system32\FTPx.dll
C:\WINDOWS\system32\gebca.exe
C:\WINDOWS\system32\gebcc.exe
C:\WINDOWS\system32\gebcy.exe
C:\WINDOWS\system32\gebyv.exe
C:\WINDOWS\system32\gebyw.exe
C:\WINDOWS\system32\gebyy.exe
C:\WINDOWS\system32\geebc.exe
C:\WINDOWS\system32\geebx.exe
C:\WINDOWS\system32\geedb.exe
C:\WINDOWS\system32\geede.exe
C:\WINDOWS\system32\jkhfd.exe
C:\WINDOWS\system32\jkhhf.exe
C:\WINDOWS\system32\jkhhh.exe
C:\WINDOWS\system32\jkkjh.exe
C:\WINDOWS\system32\jkkjj.exe
C:\WINDOWS\system32\jkkli.exe
C:\WINDOWS\system32\jkklj.exe
C:\WINDOWS\system32\jkklk.exe
C:\WINDOWS\system32\jkkll.exe
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\mljge.exe
C:\WINDOWS\system32\mljgf.exe
C:\WINDOWS\system32\mljjh.exe
C:\WINDOWS\system32\mljjk.exe
C:\WINDOWS\system32\mlljh.exe
C:\WINDOWS\system32\mlljj.exe
C:\WINDOWS\system32\mllmm.exe
C:\WINDOWS\system32\pmkhe.exe
C:\WINDOWS\system32\pmkhf.exe
C:\WINDOWS\system32\pmkji.exe
C:\WINDOWS\system32\pmkjk.exe
C:\WINDOWS\system32\pmnli.exe
C:\WINDOWS\system32\pmnlj.exe
C:\WINDOWS\system32\pmnlk.exe
C:\WINDOWS\system32\pmnll.exe
C:\WINDOWS\system32\pmnlm.exe
C:\WINDOWS\system32\pmnnk.exe
C:\WINDOWS\system32\pmnnl.exe
C:\WINDOWS\system32\pmnnn.exe
C:\WINDOWS\system32\ssqpn.exe
C:\WINDOWS\system32\ssqpo.exe
C:\WINDOWS\system32\ssqpq.exe
C:\WINDOWS\system32\ssqro.exe
C:\WINDOWS\system32\ssqrp.exe
C:\WINDOWS\system32\ssqrr.exe
C:\WINDOWS\system32\ssqrs.exe
C:\WINDOWS\system32\sstqo.exe
C:\WINDOWS\system32\sstqp.exe
C:\WINDOWS\system32\sstqq.exe
C:\WINDOWS\system32\sstqr.exe
C:\WINDOWS\system32\ssttr.exe
C:\WINDOWS\system32\sstts.exe
C:\WINDOWS\system32\ssttt.exe
C:\WINDOWS\system32\vtsqn.exe
C:\WINDOWS\system32\vtsqo.exe
C:\WINDOWS\system32\vtsqq.exe
C:\WINDOWS\system32\vtsqr.exe
C:\WINDOWS\system32\vtstq.exe
C:\WINDOWS\system32\vtstt.exe
C:\WINDOWS\system32\vturo.exe
C:\WINDOWS\system32\vturq.exe
C:\WINDOWS\system32\vturs.exe
C:\WINDOWS\system32\vtuts.exe
D:\Autorun.inf


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((( Files Created from 2007-08-10 to 2007-09-10 )))))))))))))))))))))))))))))))
.

2007-09-09 23:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-09 21:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-09-09 01:44 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\SiteAdvisor
2007-09-09 01:40 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\SiteAdvisor
2007-09-09 01:39 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-09-09 01:38 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\SiteAdvisor
2007-09-09 01:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2007-09-08 18:19 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Systweak
2007-09-08 18:17 <DIR> d-------- C:\Program Files\Advanced System Optimizer
2007-09-06 16:44 <DIR> d-------- C:\!KillBox
2007-09-06 12:26 <DIR> d-------- C:\Program Files\A-squared
2007-09-05 20:08 <DIR> d---s---- C:\CrackDown Store
2007-09-04 10:22 <DIR> d-------- C:\CrackDown
2007-09-04 09:50 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-09-04 09:48 <DIR> d-------- C:\Program Files\Grisoft AVG
2007-09-03 10:23 53,781 --a------ C:\WINDOWS\system32\awvtq.exe
2007-09-02 13:31 <DIR> d-------- C:\VirtumundoBeGone
2007-09-02 12:09 <DIR> d-------- C:\VundoFix Backups
2007-09-02 12:07 <DIR> d-------- C:\Program Files\VundoFix
2007-09-02 10:35 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-09-02 02:58 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-09-02 02:58 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-09-02 02:58 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-09-02 02:58 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-09-02 02:58 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
2007-09-02 02:58 <DIR> d-------- C:\Program Files\Webroot
2007-09-02 02:58 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Webroot
2007-09-02 02:58 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-09-02 02:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-09-01 21:22 724,992 --a------ C:\WINDOWS\iun6002.exe
2007-09-01 21:22 <DIR> d-------- C:\Program Files\Spyware
2007-09-01 15:16 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-01 08:45 7,939,032 --a------ C:\WINDOWS\Windows-KB890830-V1.32.exe
2007-08-31 16:39 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-08-31 11:23 <DIR> d-------- C:\Program Files\IDM Computer Solutions
2007-08-31 11:23 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\IDMComp
2007-08-31 01:51 <DIR> d-------- C:\Program Files\Azureus
2007-08-30 13:45 <DIR> d-------- C:\Program Files\Windows Defender
2007-08-30 02:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SlySoft
2007-08-30 01:34 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\SlySoft
2007-08-29 10:45 62,541 --a------ C:\WINDOWS\system32\ddccb.exe
2007-08-28 19:12 <DIR> d-------- C:\Diskkeeper
2007-08-28 13:35 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Leadertech
2007-08-28 12:52 <DIR> d-------- C:\Program Files\Diskeeper Corporation
2007-08-27 22:06 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Reasonable Software House Ltd
2007-08-27 22:04 <DIR> d-------- C:\Program Files\Reasonable NoClone 2007 Enterprise
2007-08-27 20:49 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\MailFrontier
2007-08-27 12:43 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Apple Computer
2007-08-27 12:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-25 12:08 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2007-08-25 12:08 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2007-08-24 11:22 <DIR> d-------- C:\Program Files\A Tech Group
2007-08-24 11:08 <DIR> d-------- C:\Program Files\NotePad Pro
2007-08-24 10:27 <DIR> d-------- C:\Program Files\TextPad 5
2007-08-24 10:27 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Helios
2007-08-17 14:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Maxtor
2007-08-16 23:09 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Acronis
2007-08-16 23:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Acronis
2007-08-16 07:28 392,320 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2007-08-16 07:28 32,768 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2007-08-16 07:28 114,048 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2007-08-16 07:28 <DIR> d-------- C:\Program Files\Common Files\Acronis
2007-08-16 07:28 <DIR> d-------- C:\Program Files\Acronis
2007-08-13 10:52 <DIR> d-------- C:\WINDOWS\system32\oodag
2007-08-10 15:56 93,128 --a------ C:\WINDOWS\system32\ElbyCDIO.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-09 23:35 656108 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-09 23:35 49118752 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-09 23:35 1727264 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-09-09 23:35 160892 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-09-09 23:09 --------- d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Azureus
2007-09-09 21:46 --------- d-------- C:\Program Files\Common Files\Ahead
2007-09-09 20:55 --------- d-------- C:\Program Files\Ahead
2007-09-09 19:57 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-09-09 01:40 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-09-06 16:18 512 --a------ C:\ScanSectorLog.dat
2007-09-02 22:10 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-31 03:42 --------- d-------- C:\Program Files\Affiliate Link Masker
2007-08-31 03:40 --------- d-------- C:\Program Files\Instant Video Suite
2007-08-31 03:40 --------- d-------- C:\Program Files\Instant Content Creator
2007-08-31 02:01 --------- d-------- C:\Program Files\Torrents
2007-08-30 17:39 --------- d-------- C:\Program Files\The Rosetta Stone
2007-08-30 02:00 --------- d-------- C:\Program Files\SlySoft
2007-08-27 12:29 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-27 12:29 --------- d-------- C:\Program Files\QuickTime
2007-08-26 09:01 --------- d-------- C:\Program Files\CCleaner
2007-08-23 03:05 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-08-22 00:09 --------- d-------- C:\Program Files\Liquid Story Binder
2007-08-18 00:03 --------- d-------- C:\Program Files\The Logo Creator v5
2007-08-13 00:12 --------- d-------- C:\Program Files\IZArc
2007-08-13 00:11 --------- d-------- C:\Program Files\PageBreeze
2007-08-07 15:48 25160 --a------ C:\WINDOWS\system32\drivers\ElbyCDIO.sys
2007-08-04 12:59 --------- d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Writer's Cafe
2007-08-04 06:59 96704 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-08-03 13:52 --------- d-------- C:\Program Files\MagicISO
2007-08-02 13:48 --------- d-------- C:\Program Files\DeskTopAuthorEval
2007-07-31 22:50 --------- d-------- C:\Program Files\VirusTotalUploader
2007-07-30 19:20 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:12 --------- d-------- C:\Program Files\CyberLink
2007-07-30 19:00 505392 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-07-27 15:39 --------- d-------- C:\Program Files\AuctionSieve
2007-07-27 03:09 --------- d-------- C:\Program Files\OpenOffice.org 2.2
2007-07-27 03:07 --------- d-------- C:\Program Files\DirectX 9.0
2007-07-27 02:50 --------- d-------- C:\Program Files\Google
2007-07-26 14:21 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-07-25 15:32 --------- d-------- C:\Program Files\MSBuild
2007-07-25 15:23 --------- d-------- C:\Program Files\Reference Assemblies
2007-07-25 13:25 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-25 13:24 --------- d-------- C:\Program Files\TechSmith
2007-07-25 11:32 --------- d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Skype
2007-07-25 11:28 --------- d-------- C:\Program Files\Common Files\Skype
2007-07-25 11:28 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2007-07-25 11:02 --------- d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Real
2007-07-25 10:44 --------- d-------- C:\Program Files\Common Files\xing shared
2007-07-25 10:44 --------- d-------- C:\Program Files\Common Files\Real
2007-07-24 14:23 --------- d-------- C:\Program Files\LockNote
2007-07-24 00:30 --------- d-------- C:\Program Files\Final Draft AV 2.5
2007-07-23 23:57 --------- d-------- C:\Program Files\Writer's Cafe
2007-07-23 23:39 --------- d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Final Draft
2007-07-23 23:39 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Final Draft
2007-07-23 23:01 --------- d-------- C:\Program Files\Final Draft Tagger
2007-07-23 23:01 --------- d-------- C:\Program Files\Final Draft 7
2007-07-23 01:40 --------- d-------- C:\Program Files\AdAware2007
2007-07-22 20:10 --------- d-------- C:\Program Files\HotTopicMediaQuizzMaker
2007-07-21 00:34 971232 --a------ C:\WINDOWS\dbplugin.exe
2007-07-20 19:56 --------- d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\WinRAR
2007-07-20 15:59 --------- d-------- C:\Program Files\YouTube
2007-07-20 02:11 3129901 --a------ C:\LandingPageQuizCreator.1.08.exe
2007-07-19 15:56 --------- d-------- C:\Program Files\SysShield Tools
2007-07-18 22:37 --------- d-------- C:\Program Files\Microsoft Accounting 2007 pro
2007-07-17 23:21 --------- d-------- C:\Program Files\SmartDD
2007-07-17 15:09 --------- d-------- C:\Program Files\The Logo Creator v4
2007-07-16 23:34 --------- d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Ahead
2007-07-16 15:25 --------- d-------- C:\Program Files\jv16 PowerTools 2007
2007-07-15 23:04 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-15 15:26 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-07-15 12:00 --------- d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\PC Tools
2007-07-15 01:05 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-14 14:37 --------- d-------- C:\Program Files\Copernic Agent
2007-07-14 02:58 --------- d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\SpywareBot
2007-07-13 00:11 --------- d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Nvu
2007-07-10 02:15 --------- d-------- C:\Program Files\WebPosition 4
2007-07-10 02:11 --------- d-------- C:\Program Files\Laughingbird Software
2007-07-10 02:07 --------- d-------- C:\Program Files\CloneCD
2007-07-10 02:05 --------- d-------- C:\Program Files\RealDrawPRO4
2007-06-27 19:05 972072 --a------ C:\WINDOWS\UNNeroMediaHome.exe
2007-06-26 14:12 972072 --a------ C:\WINDOWS\UNNeroVision.exe
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45290e26-7891-4465-9835-e9432ed73be5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b34866bf-22b1-4e4c-b5e3-e0a807d46dd2}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 14:04]
"Gateway Extended Warranty"="C:\Program Files\Gateway\GWCares\GWCares.exe" [2004-02-08 20:30]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 13:47]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 13:47]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 03:42]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-02 01:05]
"CTRegRun"="C:\WINDOWS\CTRegRun.EXE" [1999-10-10 21:00]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 02:46]
"HPHmon03"="C:\WINDOWS\system32\hphmon03.exe" [2006-01-13 02:46]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"Ad-Watch"="C:\Program Files\AdAware2007\Ad-Watch2007.exe" [2007-07-19 13:06]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-13 14:05]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 22:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-09 15:45]
"Startup Manager"="C:\Documents and Settings\L Winters\Application Data\Systweak\ASO 2\smstartUp manager.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"IETI"=C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\catvxx]
catvxx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ideoe64]
ideoe64.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kbdime]
kbdime.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^L Winters^Start Menu^Programs^Startup^Diskeeper 10 Professional Edition Registration.lnk]
backup=C:\WINDOWS\pss\Diskeeper 10 Professional Edition Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^L Winters^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^L Winters^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
backup=C:\WINDOWS\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1&1 EasyLogin]
"C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe" HIDE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
"C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1133494656\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jing]
C:\Program Files\TechSmith\Jing\Jing.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KlipFolio]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"


#2 Wintcom

Wintcom
  • Topic Starter

  • Members
  • 16 posts

Posted 11 September 2007 - 12:51 AM

It appears my ComboFix Log was cut off. Here is the latter part of it.


Part II of cutoff ComboFix log:

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCAutoLiveUpdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCSystemTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wise-FTP Scheduler]

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\C:\Program Files\CyberLink\PowerDVD\000.fcl
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
S3 Dot4 HPH09;Dot4 HPH09;C:\WINDOWS\system32\DRIVERS\hphid409.sys
S3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINDOWS\system32\DRIVERS\hphipr09.sys
S3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINDOWS\system32\Drivers\hphs2k09.sys
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys
S3 MXOPSWD;Maxtor OneTouch Security Driver;C:\WINDOWS\system32\DRIVERS\mxopswd.sys
S3 P1171VID;Creative WebCam Notebook #2;C:\WINDOWS\system32\DRIVERS\P1171Vid.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-07-14 18:39:12 C:\WINDOWS\Tasks\1 Copernic Intra-Daily ~LWINTERS L Winters.job"
"2007-07-14 18:39:12 C:\WINDOWS\Tasks\2 Copernic Daily ~LWINTERS L Winters.job"
- C:\Program Files\Copernic Agent\CopernicAgent.exe
"2007-07-14 18:39:12 C:\WINDOWS\Tasks\3 Copernic Weekly ~LWINTERS L Winters.job"
- C:\Program Files\Copernic Agent\CopernicAgent.exe
"2007-07-14 18:39:12 C:\WINDOWS\Tasks\4 Copernic Monthly ~LWINTERS L Winters.job"
- C:\Program Files\Copernic Agent\CopernicAgent.exe
"2007-09-10 03:39:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-09-08 07:00:01 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-09 23:38:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-09 23:45:44 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-09 23:45
.
--- E O F ---

Thanks for your help!!!

#3 Wintcom

Wintcom
  • Topic Starter

  • Members
  • 16 posts

Posted 11 September 2007 - 12:52 AM

Thought you may be interested in seeing a fresh report log of SilentRunners.vbs

SEE BELOW!!!!


"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"" [file not found]
"swg" = ""C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"" ["Google Inc."]
"Startup Manager" = "C:\Documents and Settings\L Winters\Application Data\Systweak\ASO 2\smstartUp manager.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"Gateway Extended Warranty" = ""C:\Program Files\Gateway\GWCares\GWCares.exe"" ["BillP Studios"]
"SynTPLpr" = ""C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"" ["Synaptics, Inc."]
"SynTPEnh" = ""C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"" ["Synaptics, Inc."]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"ATIPTA" = ""C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"" ["ATI Technologies, Inc."]
"CTRegRun" = "C:\WINDOWS\CTRegRun.EXE" ["Creative Technology Ltd "]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"HPHmon03" = "C:\WINDOWS\system32\hphmon03.exe" ["Hewlett-Packard"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"ZoneAlarm Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"Ad-Watch" = ""C:\Program Files\AdAware2007\Ad-Watch2007.exe"" ["Lavasoft AB"]
"SiteAdvisor" = ""C:\Program Files\SiteAdvisor\6172\SiteAdv.exe"" ["McAfee, Inc."]
"NeroFilterCheck" = ""C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"" ["Nero AG"]
"NBKeyScan" = ""C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"" ["Nero AG"]
"SpySweeper" = "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}\(Default) = "IE7 Uninstall Stub"
\StubPath = "C:\WINDOWS\system32\ieudinit.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{00C6482D-C502-44C8-8409-FCE54AD9C208}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SnagIt Toolbar Loader"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll" ["TechSmith Corporation"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{074C1DC5-9320-4A9A-947D-C042949C6216}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ContributeBHO Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll" ["Adobe Systems Incorporated."]
{089FD14D-132B-48FC-8861-0048AE113215}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\6172\SiteAdv.dll" ["McAfee, Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{336B02CE-F88A-4aea-8731-79EF94D3723A}" = "Free AOL & Unlimited Internet.lnk"
-> {HKLM...CLSID} = "AOL 9.0"
\InProcServer32\(Default) = "C:\WINDOWS\aod\aodshext.dll" [null data]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}" = "IZArc DragDrop Menu"
-> {HKLM...CLSID} = "IZArc DragDrop Menu"
\InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]
"{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}" = "IZArc Shell Context Menu"
-> {HKLM...CLSID} = "IZArc Shell Context Menu"
\InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = "SnagIt"
-> {HKLM...CLSID} = "SnagIt"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"]
"{CF74B903-3389-469c-B3B6-0204D204FCBD}" = "SnagIt Shell Extension"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{C539A15A-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Context Menu Extension"
-> {HKLM...CLSID} = "Acronis True Image Shell Context Menu Extension"
\InProcServer32\(Default) = "C:\Program Files\Acronis\TrueImageHome\tishell.dll" ["Acronis"]
"{C539A15B-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Extension"
-> {HKLM...CLSID} = "Acronis True Image Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Acronis\TrueImageHome\tishell.dll" ["Acronis"]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Shell Extension"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\A-squared\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
-> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~2\MpShHook.dll" [MS]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"OODBS" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> catvxx\DLLName = "catvxx.dll" [file not found]
<<!>> ideoe64\DLLName = "ideoe64.dll" [file not found]
<<!>> kbdime\DLLName = "kbdime.dll" [file not found]
<<!>> WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
-> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
FileEncrypt\(Default) = "{90A07ACC-0331-4aee-9AAD-A854A9C37667}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Advanced System Optimizer\ShellExt.dll" ["Systweak Inc"]
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
-> {HKLM...CLSID} = "IZArc Shell Context Menu"
\InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Ipswitch\WS_FTP Professional\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
zzzUltraCompare\(Default) = "{D39D9960-20CA-40CE-A802-8C64817BE518}"
-> {HKLM...CLSID} = "UCShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\IDM Computer Solutions\UltraCompare\UC_ShellExt.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
FileEncrypt\(Default) = "{90A07ACC-0331-4aee-9AAD-A854A9C37667}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Advanced System Optimizer\ShellExt.dll" ["Systweak Inc"]
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
-> {HKLM...CLSID} = "IZArc Shell Context Menu"
\InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
zzzUltraCompare\(Default) = "{D39D9960-20CA-40CE-A802-8C64817BE518}"
-> {HKLM...CLSID} = "UCShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\IDM Computer Solutions\UltraCompare\UC_ShellExt.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\A-squared\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Ipswitch\WS_FTP Professional\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\A-squared\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]


Default executables:
--------------------

HKLM\Software\Classes\.hta\(Default) = (value not set)


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
{unrecognized setting}

"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Gateway.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "c:\windows\web\wallpaper\Gateway.bmp"


Enabled Scheduled Tasks:
------------------------

"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
"SpywareBot Scheduled Scan" -> launches: "C:\Program Files\SpywareBot\SpywareBot.exe scheduled" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{F2E259E8-0FC8-438C-A6E0-342DD80FA53E}"
-> {HKLM...CLSID} = "Copernic Agent"
\InProcServer32\(Default) = "C:\PROGRA~1\COPERN~1\COPERN~1.DLL" ["Copernic Technologies Inc."]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{F2E259E8-0FC8-438C-A6E0-342DD80FA53E}" = (no title provided)
-> {HKLM...CLSID} = "Copernic Agent"
\InProcServer32\(Default) = "C:\PROGRA~1\COPERN~1\COPERN~1.DLL" ["Copernic Technologies Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = (no title provided)
-> {HKLM...CLSID} = "SnagIt"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
"{517BDDE4-E3A7-4570-B21E-2B52B6139FC7}" = (no title provided)
-> {HKLM...CLSID} = "Contribute Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll" ["Adobe Systems Incorporated."]
"{0BF43445-2F28-4351-9252-17FE6E806AA0}" = "McAfee SiteAdvisor"
-> {HKLM...CLSID} = "McAfee SiteAdvisor"
\InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\6172\SiteAdv.dll" ["McAfee, Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
{6F480F82-C3A6-4D35-96F7-B297AD49FBE8}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Copernic Agent Results"
\InProcServer32\(Default) = "C:\Program Files\Copernic Agent\CopernicAgentExt.dll" ["Copernic Technologies Inc."]
{F2E259E8-0FC8-438C-A6E0-342DD80FA53E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Copernic Agent"
\InProcServer32\(Default) = "C:\PROGRA~1\COPERN~1\COPERN~1.DLL" ["Copernic Technologies Inc."]
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]

{193B17B0-7C9F-4D5B-AEAB-8D3605EFC084}\
"MenuText" = "Launch Copernic Agent"
"Exec" = "C:\PROGRA~1\COPERN~1\COPERN~1.EXE" ["Copernic Technologies Inc."]

{688DC797-DC11-46A7-9F1B-445F4F58CE6E}\
"ButtonText" = "Copernic Agent"
"Exec" = "C:\PROGRA~1\COPERN~1\COPERN~1.EXE" ["Copernic Technologies Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]
a-squared Free Service, a2free, ""C:\Program Files\A-squared\a-squared Free\a2service.exe"" ["Emsi Software GmbH"]
Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe"" ["Acronis"]
Ad-Aware 2007 Service, aawservice, ""C:\Program Files\AdAware2007\aawservice.exe"" ["Lavasoft AB"]
AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" ["AOL LLC"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Program Files\CyberLink\Shared files\RichVideo.exe"" [empty string]
Google Updater Service, gusvc, ""C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe" ["Nero AG"]
NMIndexingService, NMIndexingService, ""C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe"" ["Nero AG"]
PrismXL, PrismXL, "C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS" ["New Boundary Technologies, Inc."]
SiteAdvisor Service, SiteAdvisor Service, "C:\Program Files\SiteAdvisor\6172\SAService.exe" ["McAfee, Inc."]
SQL Server (MSSMLBIZ), MSSQL$MSSMLBIZ, ""c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ" [MS]
SQL Server Browser, SQLBrowser, ""c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"" [MS]
SQL Server VSS Writer, SQLWriter, ""c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"" [MS]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Webroot Spy Sweeper Engine, WebrootSpySweeperService, "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" ["Webroot Software, Inc."]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <<!>> "SSKBFD" ["Webroot Software Inc (www.webroot.com)"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2007-09-11 01:04:58)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 82 seconds, including 18 seconds for message boxes)

I would appreciate it if someone could review the logs and provide me with some feedback.

Thanks a bunch!!!

#4 Blender

Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 20 September 2007 - 10:32 PM

Hi and welcome,

Sorry for the delay.

If you still need some help, please post a fresh HijackThis log here.
You can include a new Silent Runners log as well please.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#5 Wintcom

Wintcom
  • Topic Starter
  • Members
  • 16 posts

Posted 21 September 2007 - 10:59 PM

Here is a fresh HJT Log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:00 PM, on 9/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\A-squared\a-squared Free\a2service.exe
C:\Program Files\AdAware2007\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AdAware2007\Ad-Watch2007.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Torrents\Azureus\Azureus.exe
C:\WINDOWS\system32\ping.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\Findvundo.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Ad-Watch] "C:\Program Files\AdAware2007\Ad-Watch2007.exe"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6172\SiteAdv.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\L Winters\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BE71A78B-77DB-451C-A761-59B37022D544} (AOL Newport Downloader Ctrl) - http://pictures.aolcdn.com/ap/Resources/1....-US.9.3.2.0.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\A-squared\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\AdAware2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 12313 bytes

___________________________________________________________

Silent Runners Log


"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"" [file not found]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]
"Startup Manager" = "C:\Documents and Settings\L Winters\Application Data\Systweak\ASO 2\smstartUp manager.exe" [file not found]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"Gateway Extended Warranty" = ""C:\Program Files\Gateway\GWCares\GWCares.exe"" ["BillP Studios"]
"SynTPLpr" = ""C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"" ["Synaptics, Inc."]
"SynTPEnh" = ""C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"" ["Synaptics, Inc."]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"ATIPTA" = ""C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"" ["ATI Technologies, Inc."]
"CTRegRun" = "C:\WINDOWS\CTRegRun.EXE" ["Creative Technology Ltd "]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"HPHmon03" = "C:\WINDOWS\system32\hphmon03.exe" ["Hewlett-Packard"]
"ZoneAlarm Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"Ad-Watch" = ""C:\Program Files\AdAware2007\Ad-Watch2007.exe"" ["Lavasoft AB"]
"SiteAdvisor" = ""C:\Program Files\SiteAdvisor\6172\SiteAdv.exe"" ["McAfee, Inc."]
"NeroFilterCheck" = ""C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"" ["Nero AG"]
"NBKeyScan" = ""C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"" ["Nero AG"]
"RegistryMechanic" = "(empty string)" [file not found]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}\(Default) = "IE7 Uninstall Stub"
\StubPath = "C:\WINDOWS\system32\ieudinit.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{00C6482D-C502-44C8-8409-FCE54AD9C208}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SnagIt Toolbar Loader"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll" ["TechSmith Corporation"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{089FD14D-132B-48FC-8861-0048AE113215}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\6172\SiteAdv.dll" ["McAfee, Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{336B02CE-F88A-4aea-8731-79EF94D3723A}" = "Free AOL & Unlimited Internet.lnk"
-> {HKLM...CLSID} = "AOL 9.0"
\InProcServer32\(Default) = "C:\WINDOWS\aod\aodshext.dll" [null data]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}" = "IZArc DragDrop Menu"
-> {HKLM...CLSID} = "IZArc DragDrop Menu"
\InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]
"{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}" = "IZArc Shell Context Menu"
-> {HKLM...CLSID} = "IZArc Shell Context Menu"
\InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = "SnagIt"
-> {HKLM...CLSID} = "SnagIt"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"]
"{CF74B903-3389-469c-B3B6-0204D204FCBD}" = "SnagIt Shell Extension"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{C539A15A-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Context Menu Extension"
-> {HKLM...CLSID} = "Acronis True Image Shell Context Menu Extension"
\InProcServer32\(Default) = "C:\Program Files\Acronis\TrueImageHome\tishell.dll" ["Acronis"]
"{C539A15B-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Extension"
-> {HKLM...CLSID} = "Acronis True Image Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Acronis\TrueImageHome\tishell.dll" ["Acronis"]
"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Shell Extension"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\A-squared\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
-> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~2\MpShHook.dll" [MS]
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"OODBS" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
-> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
FileEncrypt\(Default) = "{90A07ACC-0331-4aee-9AAD-A854A9C37667}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Advanced System Optimizer\ShellExt.dll" ["Systweak Inc"]
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
-> {HKLM...CLSID} = "IZArc Shell Context Menu"
\InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Ipswitch\WS_FTP Professional\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
zzzUltraCompare\(Default) = "{D39D9960-20CA-40CE-A802-8C64817BE518}"
-> {HKLM...CLSID} = "UCShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\IDM Computer Solutions\UltraCompare\UC_ShellExt.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
FileEncrypt\(Default) = "{90A07ACC-0331-4aee-9AAD-A854A9C37667}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Advanced System Optimizer\ShellExt.dll" ["Systweak Inc"]
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
-> {HKLM...CLSID} = "IZArc Shell Context Menu"
\InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
zzzUltraCompare\(Default) = "{D39D9960-20CA-40CE-A802-8C64817BE518}"
-> {HKLM...CLSID} = "UCShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\IDM Computer Solutions\UltraCompare\UC_ShellExt.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\A-squared\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Ipswitch\WS_FTP Professional\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\A-squared\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]


Default executables:
--------------------

HKLM\Software\Classes\.hta\(Default) = (value not set)


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
{unrecognized setting}

"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Gateway.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "c:\windows\web\wallpaper\Gateway.bmp"


Enabled Scheduled Tasks:
------------------------

"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{F2E259E8-0FC8-438C-A6E0-342DD80FA53E}"
-> {HKLM...CLSID} = "Copernic Agent"
\InProcServer32\(Default) = "C:\PROGRA~1\COPERN~1\COPERN~1.DLL" ["Copernic Technologies Inc."]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{F2E259E8-0FC8-438C-A6E0-342DD80FA53E}" = (no title provided)
-> {HKLM...CLSID} = "Copernic Agent"
\InProcServer32\(Default) = "C:\PROGRA~1\COPERN~1\COPERN~1.DLL" ["Copernic Technologies Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = (no title provided)
-> {HKLM...CLSID} = "SnagIt"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
"{0BF43445-2F28-4351-9252-17FE6E806AA0}" = "McAfee SiteAdvisor"
-> {HKLM...CLSID} = "McAfee SiteAdvisor"
\InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\6172\SiteAdv.dll" ["McAfee, Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
{6F480F82-C3A6-4D35-96F7-B297AD49FBE8}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Copernic Agent Results"
\InProcServer32\(Default) = "C:\Program Files\Copernic Agent\CopernicAgentExt.dll" ["Copernic Technologies Inc."]
{F2E259E8-0FC8-438C-A6E0-342DD80FA53E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Copernic Agent"
\InProcServer32\(Default) = "C:\PROGRA~1\COPERN~1\COPERN~1.DLL" ["Copernic Technologies Inc."]
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]

{193B17B0-7C9F-4D5B-AEAB-8D3605EFC084}\
"MenuText" = "Launch Copernic Agent"
"Exec" = "C:\PROGRA~1\COPERN~1\COPERN~1.EXE" ["Copernic Technologies Inc."]

{688DC797-DC11-46A7-9F1B-445F4F58CE6E}\
"ButtonText" = "Copernic Agent"
"Exec" = "C:\PROGRA~1\COPERN~1\COPERN~1.EXE" ["Copernic Technologies Inc."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]
a-squared Free Service, a2free, ""C:\Program Files\A-squared\a-squared Free\a2service.exe"" ["Emsi Software GmbH"]
Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe"" ["Acronis"]
Ad-Aware 2007 Service, aawservice, ""C:\Program Files\AdAware2007\aawservice.exe"" ["Lavasoft AB"]
AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" ["AOL LLC"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Program Files\CyberLink\Shared files\RichVideo.exe"" [empty string]
Google Updater Service, gusvc, ""C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe" ["Nero AG"]
PrismXL, PrismXL, "C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS" ["New Boundary Technologies, Inc."]
SiteAdvisor Service, SiteAdvisor Service, "C:\Program Files\SiteAdvisor\6172\SAService.exe" ["McAfee, Inc."]
SQL Server (MSSMLBIZ), MSSQL$MSSMLBIZ, ""c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ" [MS]
SQL Server Browser, SQLBrowser, ""c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"" [MS]
SQL Server VSS Writer, SQLWriter, ""c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"" [MS]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2007-09-21 23:30:41)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 357 seconds, including 25 seconds for message boxes)


Thanks for your help Blender.

#6 Blender
    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 22 September 2007 - 11:14 AM

Hi,

Are you still getting errors or other symptoms?

Can I get you to ensure your ZA antivirus is fully up to date, run a full scan with it and post the resulting log if any detections please.


Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#7 Wintcom
  • Topic Starter
  • Members
  • 16 posts

Posted 22 September 2007 - 12:49 PM

Hi Blender:

I am getting pop-ups from www.errorsafe.com and www.drivecleaner.com. Also my system is very slow and freezing up frequently. Since it took so long for someone to respond, I began to read the forums and try to resolve some of the previous issues. But I know I do not yet have a clean system. I will update the ZA and respond accordingly.

Thanks so much for your help.

#8 Wintcom
  • Topic Starter
  • Members
  • 16 posts

Posted 22 September 2007 - 06:30 PM

Hi again Blender. My ZA is set to update automatically, so I was up to date. I ran a scan and came up with a Trojan. Here are the details.

Win32.Worm.Mytob.FN

File: C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP556\A0165032.exe
RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Skins\res://wmploc/RT_TEXT/wmpdxm.wsz
RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\VideoSettings
RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\FirewallPortMappings
RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General\LatchSet1
RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\NATCache

I also have occasional problems with my cursor blinking and disappearing.

There is also an error with vsmon.exe. I know this is associated with ZA, but the error says it cannot load the memory.

#9 Blender
    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 23 September 2007 - 04:13 AM

Hi,

Those ZA scan results...
All those registry keys are legit unless I'm infected too. :|

That Mytob is in your System Restore. We'll nuke whatever is in there last.
Leave System Restore on please till we are done cleaning.

Couple other logs I wanna look at.

For this log you will need to go offline & temporarily disable the firewall and antispyware protection.
Otherwise you will be asked 100 questions due to the methods used to check for several known spyware rootkits.
Don't forget to re-enable protection once done.

Download this tool to your desktop:
http://www.uploads.ejvindh.net/rootchk.exe
Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread. (c:\rootlog.txt)

Next:

Download Deckard's System Scanner to your Desktop:

http://www.techsupportforum.com/sectools/Deckard/dss.exe
http://deckard.geekstogo.com/dss.exe

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, a text file will open - Main.txt
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt here.
A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, Extra.txt.
Please attach Extra.txt to your post.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

To attach a file to a new post, simply
Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box:

C:\Deckard\System Scanner\Extra.txt

Click Upload.

What DSS will do:
--create a new System Restore point in Windows XP and Vista.
--clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
--check some important areas of your system and produce a report for your analyst to review.
--System Scanner automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Thanks :thumbsup:

#10 Wintcom
  • Topic Starter
  • Members
  • 16 posts

Posted 23 September 2007 - 12:15 PM

Per your instructions here are the logs.


********************************* ROOTCHK-(21-09-07)-LOG, by ejvindh
Sun 09/23/2007 12:42:23.50

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end


catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-23 12:42:24
Windows 5.1.2600 Service Pack 2
scanning hidden processes ...

scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:92,e6,7e,cc,fd,fd,6f,bf,da,a5,84,d3,23,5b,4d,19,c1,70,4a,0a,00,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:27,01,a0,a3,58,98,98,a0,72,76,7c,e7,34,49,22,81,bd,be,34,b1,bf,..
"d0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:2a,20,04,5d,31,2a,11,c8,3e,c5,36,84,a9,68,1c,97,d8,3a,c0,0c,6d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:92,e6,7e,cc,fd,fd,6f,bf,da,a5,84,d3,23,5b,4d,19,c1,70,4a,0a,00,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:27,01,a0,a3,58,98,98,a0,72,76,7c,e7,34,49,22,81,bd,be,34,b1,bf,..
"d0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:2a,20,04,5d,31,2a,11,c8,3e,c5,36,84,a9,68,1c,97,d8,3a,c0,0c,6d,..

scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
"OODEFRAG10.00.00.01WORKSTATION"="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"

scanning hidden files ...

hidden processes: 0
hidden services: 0
hidden files: 0

_______________________________________________

B. DSS Main.txt log

Deckard's System Scanner v20070905.67
Run by L Winters on 2007-09-23 12:51:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
12: 2007-09-23 16:52:07 UTC - RP557 - Deckard's System Scanner Restore Point
11: 2007-09-21 11:52:36 UTC - RP556 - Software Distribution Service 3.0
10: 2007-09-20 21:42:30 UTC - RP555 - ComboFix created restore point
9: 2007-09-20 02:18:44 UTC - RP554 - Removed Final Draft AV 2.5
8: 2007-09-20 02:17:56 UTC - RP553 - Removed Final Draft 7


-- First Restore Point --
1: 2007-09-18 01:30:50 UTC - RP546 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 9.88 GiB (less than 15%) free.


-- HijackThis (run as L Winters.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:47 PM, on 9/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\A-squared\a-squared Free\a2service.exe
C:\Program Files\AdAware2007\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AdAware2007\Ad-Watch2007.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\L Winters\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\L Winters.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Ad-Watch] "C:\Program Files\AdAware2007\Ad-Watch2007.exe"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6172\SiteAdv.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\L Winters\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BE71A78B-77DB-451C-A761-59B37022D544} (AOL Newport Downloader Ctrl) - http://pictures.aolcdn.com/ap/Resources/1....-US.9.3.2.0.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\A-squared\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\AdAware2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 12226 bytes

-- File Associations -----------------------------------------------------------

.ini - pnpinifile - DefaultIcon - %SystemRoot%\System32\shell32.dll,-151
.ini - pnpinifile - shell\open\command - "C:\Program Files\A Tech Group\Professional Notepad\notepad.exe" "%1"
.js - pnpjsfile - DefaultIcon - %SystemRoot%\System32\WScript.exe,3
.js - pnpjsfile - shell\open\command - "C:\Program Files\A Tech Group\Professional Notepad\notepad.exe" "%1"
.txt - pnptxtfile - DefaultIcon - %SystemRoot%\system32\shell32.dll,-152
.txt - pnptxtfile - shell\open\command - "C:\Program Files\A Tech Group\Professional Notepad\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 timounter (Acronis True Image Backup Archive Explorer) - c:\windows\system32\drivers\timntr.sys <Not Verified; Acronis; Acronis True Image>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 tifsfilter (Acronis True Image FS Filter) - c:\windows\system32\drivers\tifsfilt.sys <Not Verified; Acronis; Acronis True Image>
R3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
R3 Ad-Watch Real-Time Scanner (AW Real-Time Scanner) - c:\windows\system32\drivers\awrtpd.sys <Not Verified; Lavasoft AB; Ad-Watch Beta>
R3 catchme - c:\docume~1\lwinte~1\locals~1\temp\catchme.sys (file missing)
R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 Ad-Watch Registry Filter (Ad-Watch Registry Kernel Filter) - c:\windows\system32\drivers\awrtrd.sys <Not Verified; Lavasoft AB; Ad-Watch Registry Protection>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\adaware2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe

S2 MaxBackServiceInt - "c:\program files\maxtor\maxtor backup\maxbackserviceint.exe" (file missing)
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-09-23 12:28:42 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-07-14 14:39:12 405 --a------ C:\WINDOWS\Tasks\4 Copernic Monthly ~LWINTERS L Winters.job
2007-07-14 14:39:12 400 --a------ C:\WINDOWS\Tasks\3 Copernic Weekly ~LWINTERS L Winters.job
2007-07-14 14:39:12 395 --a------ C:\WINDOWS\Tasks\2 Copernic Daily ~LWINTERS L Winters.job
2007-07-14 14:39:12 419 --a------ C:\WINDOWS\Tasks\1 Copernic Intra-Daily ~LWINTERS L Winters.job


-- Files created between 2007-08-23 and 2007-09-23 -----------------------------

2007-09-22 16:41:50 206 --a------ C:\WINDOWS\system32\fceec1_r.dll
2007-09-20 07:31:02 1755 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2007-09-18 16:28:39 0 d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2007-09-18 10:19:26 0 d-------- C:\Program Files\Common Files\ODBC
2007-09-18 02:30:09 0 d-------- C:\Program Files\ZoneOut
2007-09-16 18:53:36 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-16 18:53:14 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-09-16 18:53:14 0 d-------- C:\Documents and Settings\L Winters\Application Data\SUPERAntiSpyware.com
2007-09-16 18:25:25 0 dr-h----- C:\Documents and Settings\L Winters\Recent
2007-09-16 02:05:45 0 d-------- C:\Program Files\Common Files\Java
2007-09-15 19:54:06 0 d-------- C:\WINDOWS\ERUNT
2007-09-14 12:45:03 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-09-14 12:42:56 0 d-------- C:\Program Files\Security Task Manager
2007-09-12 12:06:13 0 d-------- C:\WINDOWS\BDOSCAN8
2007-09-12 11:45:44 0 d-------- C:\Program Files\Cookie Monster
2007-09-11 14:49:15 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-09-10 10:40:44 0 d-------- C:\Documents and Settings\L Winters\Application Data\Nero
2007-09-10 10:29:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-09-10 10:29:53 0 d-------- C:\Program Files\Common Files\Nero
2007-09-09 01:44:10 0 d-------- C:\Documents and Settings\NetworkService\Desktop
2007-09-09 01:44:10 0 d-------- C:\Documents and Settings\NetworkService\Application Data\SiteAdvisor
2007-09-09 01:40:03 0 d-------- C:\Documents and Settings\LocalService\Desktop
2007-09-09 01:40:03 0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-09-09 01:39:40 0 d-------- C:\Program Files\SiteAdvisor
2007-09-09 01:38:54 0 d-------- C:\Documents and Settings\L Winters\Application Data\SiteAdvisor
2007-09-09 01:38:54 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-09-08 18:19:12 0 d-------- C:\Documents and Settings\L Winters\Application Data\Systweak
2007-09-08 18:17:29 0 d-------- C:\Program Files\Advanced System Optimizer
2007-09-06 16:44:29 0 d-------- C:\!KillBox
2007-09-06 12:26:59 0 d-------- C:\Program Files\A-squared
2007-09-04 09:48:34 0 d-------- C:\Program Files\Grisoft AVG
2007-09-02 13:31:00 0 d-------- C:\VirtumundoBeGone
2007-09-02 12:09:16 0 d-------- C:\VundoFix Backups
2007-09-02 12:07:47 0 d-------- C:\Program Files\VundoFix
2007-09-02 02:58:10 0 d-------- C:\Program Files\Webroot
2007-09-01 15:16:54 0 d-------- C:\Program Files\Trend Micro
2007-08-31 11:23:43 0 d-------- C:\Documents and Settings\L Winters\Application Data\IDMComp
2007-08-31 11:23:05 0 d-------- C:\Program Files\IDM Computer Solutions
2007-08-30 13:45:13 0 d-------- C:\Program Files\Windows Defender
2007-08-30 02:08:44 0 d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2007-08-30 01:34:39 0 d-------- C:\Documents and Settings\L Winters\Application Data\SlySoft
2007-08-28 19:12:29 0 d-------- C:\Diskkeeper
2007-08-28 13:35:06 0 d-------- C:\Documents and Settings\L Winters\Application Data\Leadertech
2007-08-28 12:52:28 0 d-------- C:\Program Files\Diskeeper Corporation
2007-08-27 22:06:37 0 d-------- C:\Documents and Settings\L Winters\Application Data\Reasonable Software House Ltd
2007-08-27 22:04:07 0 d-------- C:\Program Files\Reasonable NoClone 2007 Enterprise
2007-08-27 20:49:15 0 d-------- C:\Documents and Settings\L Winters\Application Data\MailFrontier
2007-08-27 20:29:36 0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-08-27 12:43:16 0 d-------- C:\Documents and Settings\L Winters\Application Data\Apple Computer
2007-08-27 12:25:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-08-24 11:22:35 0 d-------- C:\Program Files\A Tech Group
2007-08-24 11:08:17 0 d-------- C:\Program Files\NotePad Pro
2007-08-24 10:27:19 0 d-------- C:\Documents and Settings\L Winters\Application Data\Helios
2007-08-24 10:27:05 0 d-------- C:\Program Files\TextPad 5


-- Find3M Report ---------------------------------------------------------------

2007-09-22 23:13:26 0 d-------- C:\Program Files\MSN Messenger
2007-09-22 23:04:18 0 d-------- C:\Program Files\Google
2007-09-22 23:02:00 0 d-------- C:\Program Files\Copernic Agent
2007-09-22 22:46:52 0 d-------- C:\Program Files\Bonjour
2007-09-22 22:28:41 0 d-------- C:\Program Files\AdAware2007
2007-09-22 16:51:49 0 d-------- C:\Documents and Settings\L Winters\Application Data\Azureus
2007-09-22 16:51:00 0 d-------- C:\Program Files\jv16 PowerTools 2007
2007-09-22 15:23:28 512 --a------ C:\ScanSectorLog.dat
2007-09-20 18:30:57 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-09-19 22:18:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 22:18:48 0 d-------- C:\Program Files\Final Draft AV 2.5
2007-09-19 22:16:59 0 d-------- C:\Documents and Settings\L Winters\Application Data\Writer's Cafe
2007-09-19 22:14:57 0 d-------- C:\Program Files\OpenOffice.org 2.2
2007-09-18 16:28:41 5529 --a------ C:\WINDOWS\mozver.dat
2007-09-18 10:19:26 0 d-------- C:\Program Files\Common Files
2007-09-17 11:31:33 0 d-------- C:\Program Files\MagicISO
2007-09-17 11:28:08 0 d-------- C:\Program Files\IZArc
2007-09-17 00:57:01 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-09-16 18:14:11 0 d-------- C:\Program Files\CCleaner
2007-09-16 16:28:42 0 d-------- C:\Program Files\support.com
2007-09-16 16:28:02 0 d-------- C:\Program Files\Messenger Plus! Live
2007-09-16 16:28:01 0 d-------- C:\Program Files\Liquid Story Binder
2007-09-16 16:28:01 0 d-------- C:\Program Files\Laughingbird Software
2007-09-16 16:27:53 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-09-16 16:27:36 0 d-------- C:\Program Files\Common Files\aolshare
2007-09-16 16:15:55 0 d-------- C:\Program Files\AuctionSieve
2007-09-16 16:15:52 0 d-------- C:\Program Files\America Online 9.0
2007-09-16 15:23:08 1 --a------ C:\WINDOWS\system32\msjctsj.dll
2007-09-16 02:07:36 0 d-------- C:\Program Files\Java
2007-09-10 10:29:54 0 d-------- C:\Program Files\Nero
2007-09-10 10:29:26 0 d-------- C:\Program Files\Common Files\Ahead
2007-09-09 20:55:10 0 d-------- C:\Program Files\Ahead
2007-08-31 03:42:21 0 d-------- C:\Program Files\Affiliate Link Masker
2007-08-31 03:40:51 0 d-------- C:\Program Files\Instant Content Creator
2007-08-31 03:40:03 0 d-------- C:\Program Files\Instant Video Suite
2007-08-31 02:01:48 0 d-------- C:\Program Files\Torrents
2007-08-30 17:39:37 0 d-------- C:\Program Files\The Rosetta Stone
2007-08-30 02:00:40 0 d-------- C:\Program Files\SlySoft
2007-08-27 12:29:11 0 d-------- C:\Program Files\QuickTime
2007-08-22 00:09:26 96 --a------ C:\WINDOWS\system32\Binder Functions.dll
2007-08-18 00:03:38 0 d-------- C:\Program Files\The Logo Creator v5
2007-08-16 23:09:51 0 d-------- C:\Documents and Settings\L Winters\Application Data\Acronis
2007-08-16 23:09:45 0 d-------- C:\Program Files\Common Files\Acronis
2007-08-16 07:28:15 0 d-------- C:\Program Files\Acronis
2007-08-13 00:11:42 0 d-------- C:\Program Files\PageBreeze
2007-08-04 12:57:14 20 --a------ C:\Documents and Settings\L Winters\Application Data\Final Draft Tagger Preferences
2007-08-02 13:48:19 0 d-------- C:\Program Files\DeskTopAuthorEval
2007-07-31 22:50:16 0 d-------- C:\Program Files\VirusTotalUploader
2007-07-30 19:12:39 0 d-------- C:\Program Files\CyberLink
2007-07-27 03:07:22 0 d-------- C:\Program Files\DirectX 9.0
2007-07-25 15:32:46 0 d-------- C:\Program Files\MSBuild
2007-07-25 15:23:29 0 d-------- C:\Program Files\Reference Assemblies
2007-07-25 13:24:32 0 d-------- C:\Program Files\TechSmith
2007-07-25 11:32:32 0 d-------- C:\Documents and Settings\L Winters\Application Data\Skype
2007-07-25 11:28:23 0 d-------- C:\Program Files\Common Files\Skype
2007-07-25 11:02:15 0 d-------- C:\Documents and Settings\L Winters\Application Data\Real
2007-07-25 10:44:57 0 d-------- C:\Program Files\Common Files\xing shared
2007-07-25 10:44:38 0 d-------- C:\Program Files\Common Files\Real
2007-07-24 14:23:26 0 d-------- C:\Program Files\LockNote
2007-07-23 23:39:52 0 d-------- C:\Documents and Settings\L Winters\Application Data\Final Draft
2007-07-06 17:30:56 154 --a------ C:\Documents and Settings\L Winters\Application Data\wklnhst.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 02:04 PM]
"Gateway Extended Warranty"="C:\Program Files\Gateway\GWCares\GWCares.exe" [02/08/2004 08:30 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/05/2004 01:47 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/05/2004 01:47 PM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/14/2002 03:42 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [02/02/2005 01:05 AM]
"CTRegRun"="C:\WINDOWS\CTRegRun.EXE" [10/10/1999 09:00 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [01/13/2006 02:46 AM]
"HPHmon03"="C:\WINDOWS\system32\hphmon03.exe" [01/13/2006 02:46 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/09/2007 12:02 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"Ad-Watch"="C:\Program Files\AdAware2007\Ad-Watch2007.exe" [07/19/2007 01:06 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [08/13/2007 02:05 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [03/01/2007 03:57 PM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [08/08/2007 09:25 AM]
"RegistryMechanic"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 03:00 PM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/09/2007 03:45 PM]
"Startup Manager"="C:\Documents and Settings\L Winters\Application Data\Systweak\ASO 2\smstartUp manager.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [09/17/2007 01:34 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"IETI"=C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^L Winters^Start Menu^Programs^Startup^Diskeeper 10 Professional Edition Registration.lnk]
backup=C:\WINDOWS\pss\Diskeeper 10 Professional Edition Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^L Winters^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1&1 EasyLogin]
"C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe" HIDE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
"C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1133494656\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jing]
C:\Program Files\TechSmith\Jing\Jing.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KlipFolio]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCAutoLiveUpdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCSystemTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

-- End of Deckard's System Scanner: finished at 2007-09-23 12:58:41 ------------

____________________________________________

Attached File: extra.txt (30.11KB)


Thank you so much. I really need this help. My computer freezes up every day.
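The Deckard's listing above ends with the msconfig backup entries: items the user disabled in msconfig, which Windows keeps under `...\msconfig\startupreg` (the command line follows on the next line) and `...\msconfig\startupfolder` (the shortcut path with `^` standing in for `\`, plus a backup copy under C:\WINDOWS\pss). A first triage pass over such a log reconstructs the startup inventory and pulls out entries with no recorded command, or an image launched from a profile or temp directory. The script below does that as an added example for this thread; it is not code from Deckard's System Scanner, ComboFix or the forum. It also reads the `"name"="path" [timestamp]` Run-key lines that ComboFix prints under Reg Loading Points. The `backup=` line is assumed to be the backup path with the folder location (Startup or Common Startup) appended, as the log shows it; the `updater` sample line is constructed, every other sample line is copied from this thread's logs.

```python
r"""Triage the startup inventory in Deckard's / ComboFix-style logs.

Added example for this thread, not code from Deckard's System Scanner,
ComboFix or BleepingComputer. Three line shapes are understood:

  [HKEY_LOCAL_MACHINE\...\msconfig\startupreg\<Name>]   command on the next line
  [HKEY_LOCAL_MACHINE\...\msconfig\startupfolder\<C:^...^X.lnk>]
  backup=C:\WINDOWS\pss\X.lnk<Startup|Common Startup>   (assumed layout)
  "<Name>"="<path>" [<timestamp>]                        live Run-key value
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

KEY_LINE = re.compile(
    r"^\[HKEY_[^\]]*\\msconfig\\(?P<kind>startupreg|startupfolder)\\(?P<name>[^\]]+)\]$", re.I)
BACKUP_LINE = re.compile(r"^backup=(?P<backup>.+?\.lnk)(?P<location>Common Startup|Startup)$", re.I)
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')

# Image roots a reviewer accepts at first pass, and markers that deserve a
# second look (autostarts launched from a user profile or temp directory).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\", "\\temp\\")


@dataclass
class StartupItem:
    source: str        # "msconfig-reg", "msconfig-folder" or "run"
    name: str
    command: str       # command line or shortcut path; "" when the log recorded none
    detail: str = ""   # backup path and folder location, or Run-key timestamp


def parse_startup(text: str) -> List[StartupItem]:
    """Walk the log once, peeking at the next line for msconfig command/backup data."""
    lines = [ln.strip() for ln in text.splitlines()]
    items: List[StartupItem] = []
    for i, line in enumerate(lines):
        m = KEY_LINE.match(line)
        if m:
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if nxt.startswith("["):      # next key follows directly: no data line
                nxt = ""
            if m["kind"].lower() == "startupreg":
                items.append(StartupItem("msconfig-reg", m["name"], nxt))
            else:
                shortcut = m["name"].replace("^", "\\")   # msconfig writes '^' for '\'
                b = BACKUP_LINE.match(nxt)
                detail = f"{b['backup']} ({b['location']})" if b else nxt
                items.append(StartupItem("msconfig-folder",
                                         shortcut.rsplit("\\", 1)[-1], shortcut, detail))
            continue
        r = RUN_LINE.match(line)
        if r:
            items.append(StartupItem("run", r["name"], r["path"], r["stamp"]))
    return items


def image_path(command: str) -> str:
    """Executable from a command line: the quoted part if quoted, otherwise up to the
    first executable extension (unquoted paths here contain spaces, so do not split)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ")[0]


def triage(items: List[StartupItem]) -> List[Tuple[StartupItem, str]]:
    """Return (item, reason) pairs worth a reviewer's attention."""
    flagged = []
    for it in items:
        if it.source == "msconfig-folder":
            continue   # the shortcut's target is not in the log; nothing to judge
        if not it.command:
            flagged.append((it, "autostart entry with no command line recorded"))
            continue
        img = image_path(it.command).lower()
        if any(mk in img for mk in PROFILE_MARKERS):
            flagged.append((it, "image runs from a user profile or temp directory"))
        elif not img.startswith(TRUSTED_ROOTS):
            flagged.append((it, "image outside Program Files / Windows"))
    return flagged


# Sample input: copied from this thread's logs, except the constructed "updater" line.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1&1 EasyLogin]
"C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe" HIDE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KlipFolio]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 14:04]
"RegistryMechanic"="" []
"updater"="C:\DOCUME~1\LWINTE~1\LOCALS~1\Temp\svc.exe" [2007-09-20 01:00]
"""

if __name__ == "__main__":
    for it, why in triage(parse_startup(SAMPLE_LOG)):
        print(f"{it.source:16} {it.name:20} {why}")
```

Run against the sample it reports KlipFolio (no command recorded), RegistryMechanic (empty Run value) and the constructed updater entry; everything under Program Files or Windows passes the first-pass filter, which is deliberate: the point is to shorten the list a human reads, not to decide what is malicious.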

#11 Blender

I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location: Ontario
  • Local time: 04:29 PM

Posted 25 September 2007 - 03:15 PM

Hi,

Sorry for delay. My internet is flakey.

Delete the copy of combofix you now have.

1. Download this file and save it to your desktop.

**Note: It is important that it is saved directly to, and run from your desktop**

In the event you already have Combofix, please delete it as this is a new version I need you to download.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

a. Close any open browsers.

b. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

You need to disable Ad-Watch or it will interfere with any fixes.
Leave it disabled till you are clean.

To disable AdWatch:

1.) Open AdAware SE.
2.) Go to AdWatch User Interface.
3.) Go to Tools and Preferences.
4.) At the bottom of the screen you will see 2 options Active and Automatic.

Active: This will turn Ad-Watch On/Off without closing it.
Automatic: Suspicious activity will be blocked automatically.

5.) Uncheck both options. You can enable these after resolving your problem.

---------------

--Double click combofix.exe & follow the prompts.
You will temporarily lose your desktop while the scan is running. Once the scan is done the desktop will return to normal.
--When finished, it shall produce a log for you. Post that log in your next reply (C:\Combofix.txt)

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Post a new HijackThis log as well, please.

Let me know how the system is running.

Thanks
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#12 Wintcom

Wintcom
  • Topic Starter

  • Members
  • 16 posts
  • Local time: 03:29 PM

Posted 25 September 2007 - 05:59 PM

Per your request, here are the items you requested.

A. Combofix Log

ComboFix 07-09-21.2 - "L Winters" 2007-09-25 18:23:42.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.514 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-08-25 to 2007-09-25 )))))))))))))))))))))))))))))))
.

2007-09-24 03:55 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-09-24 02:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-09-23 12:51 <DIR> d-------- C:\Deckard
2007-09-22 16:41 206 --a------ C:\WINDOWS\system32\fceec1_r.dll
2007-09-18 16:28 <DIR> d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2007-09-18 02:30 <DIR> d-------- C:\Program Files\ZoneOut
2007-09-16 18:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-16 18:53 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-16 18:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-15 20:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-15 19:54 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-14 12:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-09-14 12:42 <DIR> d-------- C:\Program Files\Security Task Manager
2007-09-12 12:06 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-12 11:45 <DIR> d-------- C:\Program Files\Cookie Monster
2007-09-11 14:49 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-10 10:40 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Nero
2007-09-10 10:29 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-09-10 10:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-09-09 01:44 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\SiteAdvisor
2007-09-09 01:40 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\SiteAdvisor
2007-09-09 01:39 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-09-09 01:38 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\SiteAdvisor
2007-09-09 01:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2007-09-08 18:19 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Systweak
2007-09-08 18:17 <DIR> d-------- C:\Program Files\Advanced System Optimizer
2007-09-06 16:44 <DIR> d-------- C:\!KillBox
2007-09-06 12:26 <DIR> d-------- C:\Program Files\A-squared
2007-09-04 09:48 <DIR> d-------- C:\Program Files\Grisoft AVG
2007-09-02 13:31 <DIR> d-------- C:\VirtumundoBeGone
2007-09-02 12:09 <DIR> d-------- C:\VundoFix Backups
2007-09-02 12:07 <DIR> d-------- C:\Program Files\VundoFix
2007-09-02 02:58 <DIR> d-------- C:\Program Files\Webroot
2007-09-01 08:45 7,939,032 --a------ C:\WINDOWS\Windows-KB890830-V1.32.exe
2007-08-31 11:23 <DIR> d-------- C:\Program Files\IDM Computer Solutions
2007-08-31 11:23 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\IDMComp
2007-08-30 13:45 <DIR> d-------- C:\Program Files\Windows Defender
2007-08-30 02:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SlySoft
2007-08-30 01:34 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\SlySoft
2007-08-28 19:12 <DIR> d-------- C:\Diskkeeper
2007-08-28 13:35 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Leadertech
2007-08-28 12:52 <DIR> d-------- C:\Program Files\Diskeeper Corporation
2007-08-27 22:06 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Reasonable Software House Ltd
2007-08-27 22:04 <DIR> d-------- C:\Program Files\Reasonable NoClone 2007 Enterprise
2007-08-27 20:49 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\MailFrontier
2007-08-27 20:29 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-08-27 20:29 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-08-27 12:43 <DIR> d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Apple Computer
2007-08-27 12:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-25 12:08 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2007-08-25 12:08 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-25 18:28 29899552 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-25 18:09 401324 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-25 17:49 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-09-24 22:56 --------- d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Azureus
2007-09-23 16:42 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-09-23 16:42 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-09-23 16:42 --------- d-------- C:\Program Files\AdAware2007
2007-09-22 23:13 --------- d-------- C:\Program Files\MSN Messenger
2007-09-22 23:04 --------- d-------- C:\Program Files\Google
2007-09-22 23:02 --------- d-------- C:\Program Files\Copernic Agent
2007-09-22 22:46 --------- d-------- C:\Program Files\Bonjour
2007-09-22 16:51 --------- d-------- C:\Program Files\jv16 PowerTools 2007
2007-09-20 18:25 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-19 22:18 --------- d-------- C:\Program Files\Final Draft AV 2.5
2007-09-19 22:18 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 22:18 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Final Draft
2007-09-19 22:16 --------- d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Writer's Cafe
2007-09-19 22:14 --------- d-------- C:\Program Files\OpenOffice.org 2.2
2007-09-19 15:02 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-09-17 11:31 --------- d-------- C:\Program Files\MagicISO
2007-09-17 11:28 --------- d-------- C:\Program Files\IZArc
2007-09-16 18:14 --------- d-------- C:\Program Files\CCleaner
2007-09-16 16:28 --------- d-------- C:\Program Files\support.com
2007-09-16 16:28 --------- d-------- C:\Program Files\Messenger Plus! Live
2007-09-16 16:28 --------- d-------- C:\Program Files\Liquid Story Binder
2007-09-16 16:28 --------- d-------- C:\Program Files\Laughingbird Software
2007-09-16 16:27 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-16 16:27 --------- d-------- C:\Program Files\Common Files\aolshare
2007-09-16 16:15 --------- d-------- C:\Program Files\AuctionSieve
2007-09-16 16:15 --------- d-------- C:\Program Files\America Online 9.0
2007-09-13 00:46 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-10 12:24 --------- d-------- C:\Program Files\NotePad Pro
2007-09-10 10:29 --------- d-------- C:\Program Files\Nero
2007-09-10 10:29 --------- d-------- C:\Program Files\Common Files\Ahead
2007-09-09 20:55 --------- d-------- C:\Program Files\Ahead
2007-09-09 01:40 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-08-31 03:42 --------- d-------- C:\Program Files\Affiliate Link Masker
2007-08-31 03:40 --------- d-------- C:\Program Files\Instant Video Suite
2007-08-31 03:40 --------- d-------- C:\Program Files\Instant Content Creator
2007-08-31 02:01 --------- d-------- C:\Program Files\Torrents
2007-08-30 17:39 --------- d-------- C:\Program Files\The Rosetta Stone
2007-08-30 02:00 --------- d-------- C:\Program Files\SlySoft
2007-08-27 12:29 --------- d-------- C:\Program Files\QuickTime
2007-08-24 11:22 --------- d-------- C:\Program Files\A Tech Group
2007-08-24 10:27 --------- d-------- C:\Program Files\TextPad 5
2007-08-24 10:27 --------- d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Helios
2007-08-18 00:03 --------- d-------- C:\Program Files\The Logo Creator v5
2007-08-17 18:37 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Acronis
2007-08-17 14:33 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Maxtor
2007-08-16 23:09 --------- d-------- C:\Program Files\Common Files\Acronis
2007-08-16 23:09 --------- d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Acronis
2007-08-16 07:28 392320 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2007-08-16 07:28 32768 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2007-08-16 07:28 114048 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2007-08-16 07:28 --------- d-------- C:\Program Files\Acronis
2007-08-13 00:11 --------- d-------- C:\Program Files\PageBreeze
2007-08-10 15:56 93128 --a------ C:\WINDOWS\system32\ElbyCDIO.dll
2007-08-08 09:33 132904 --a------ C:\WINDOWS\system32\drivers\imagesrv.sys
2007-08-08 09:33 11304 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2007-08-07 15:48 25160 --a------ C:\WINDOWS\system32\drivers\ElbyCDIO.sys
2007-08-04 10:40 972072 --a------ C:\WINDOWS\UNRecode.exe
2007-08-04 06:59 96704 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-08-03 12:52 972072 --a------ C:\WINDOWS\UNNeroMediaHome.exe
2007-08-02 13:48 --------- d-------- C:\Program Files\DeskTopAuthorEval
2007-07-31 22:50 --------- d-------- C:\Program Files\VirusTotalUploader
2007-07-30 19:20 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:12 --------- d-------- C:\Program Files\CyberLink
2007-07-30 19:00 505392 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-07-27 03:07 --------- d-------- C:\Program Files\DirectX 9.0
2007-07-26 14:21 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-07-25 15:32 --------- d-------- C:\Program Files\MSBuild
2007-07-25 15:23 --------- d-------- C:\Program Files\Reference Assemblies
2007-07-25 13:24 --------- d-------- C:\Program Files\TechSmith
2007-07-25 11:32 --------- d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Skype
2007-07-25 11:28 --------- d-------- C:\Program Files\Common Files\Skype
2007-07-25 11:28 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2007-07-25 11:02 --------- d-------- C:\DOCUME~1\LWINTE~1\APPLIC~1\Real
2007-07-25 10:44 --------- d-------- C:\Program Files\Common Files\xing shared
2007-07-25 10:44 --------- d-------- C:\Program Files\Common Files\Real
2007-07-21 00:34 971232 --a------ C:\WINDOWS\dbplugin.exe
2007-07-20 02:11 3129901 --a------ C:\LandingPageQuizCreator.1.08.exe
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
.

((((((((((((((((((((((((((((( snapshot_2007-09-20_175200.76 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-09-20 03:46:25 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
----a-w 12,464,128 2007-09-22 06:30:42 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
----a-w 290,816 2007-09-22 06:30:42 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-w 9,728 2007-09-22 20:50:27 C:\WINDOWS\system32\BASSMOD.dll
----a-w 83,432 2007-09-06 20:14:04 C:\WINDOWS\system32\vsdata.dll
----a-w 395,080 2007-09-06 20:14:28 C:\WINDOWS\system32\vsdatant.sys
----a-w 157,160 2007-09-06 20:14:04 C:\WINDOWS\system32\vsinit.dll
----a-w 103,912 2007-09-06 20:14:04 C:\WINDOWS\system32\vsmonapi.dll
----a-w 275,944 2007-09-06 20:14:04 C:\WINDOWS\system32\vspubapi.dll
----a-w 71,144 2007-09-06 20:14:04 C:\WINDOWS\system32\vsregexp.dll
----a-w 472,552 2007-09-06 20:14:06 C:\WINDOWS\system32\vsutil.dll
----a-w 46,568 2007-09-06 20:14:06 C:\WINDOWS\system32\vswmi.dll
----a-w 99,816 2007-09-06 20:14:06 C:\WINDOWS\system32\vsxml.dll
----a-w 83,432 2007-09-06 20:14:06 C:\WINDOWS\system32\zlcomm.dll
----a-w 71,144 2007-09-06 20:14:08 C:\WINDOWS\system32\zlcommdb.dll
---h--w 4,212 2007-09-25 22:11:51 C:\WINDOWS\system32\zllictbl.dat
----a-w 127,768 2007-07-19 19:10:28 C:\WINDOWS\system32\drivers\klif.sys
----a-w 370,208 2007-09-06 20:13:56 C:\WINDOWS\system32\ZoneLabs\av.dll
----a-w 99,816 2007-09-06 20:13:56 C:\WINDOWS\system32\ZoneLabs\camupd.dll
----a-w 128,480 2007-09-06 20:13:58 C:\WINDOWS\system32\ZoneLabs\fbl.dll
----a-w 38,376 2007-09-06 20:13:58 C:\WINDOWS\system32\ZoneLabs\featuremap.dll
----a-w 321,016 2007-09-06 20:13:58 C:\WINDOWS\system32\ZoneLabs\imsecure.dll
----a-w 714,208 2007-08-15 19:45:42 C:\WINDOWS\system32\ZoneLabs\qrbase.dll
----a-w 787,936 2007-08-15 19:45:44 C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
----a-w 173,544 2007-09-06 20:14:00 C:\WINDOWS\system32\ZoneLabs\scheduler.dll
----a-w 5,642,223 2007-09-24 08:16:42 C:\WINDOWS\system32\ZoneLabs\spyware.dat
----a-w 5,607,106 2007-09-24 08:16:23 C:\WINDOWS\system32\ZoneLabs\spyware0.dat
----a-w 1,500,640 2007-08-15 19:45:44 C:\WINDOWS\system32\ZoneLabs\srescan.dll
----a-w 50,416 2007-06-11 16:44:10 C:\WINDOWS\system32\ZoneLabs\srescan.sys
----a-w 456,168 2007-09-06 20:14:02 C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
----a-w 833,248 2007-08-01 10:30:04 C:\WINDOWS\system32\ZoneLabs\updating.dll
----a-w 149,032 2007-09-06 20:14:18 C:\WINDOWS\system32\ZoneLabs\updclient.exe
----a-w 108,008 2007-09-06 20:14:04 C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
----a-w 79,336 2007-09-06 20:14:04 C:\WINDOWS\system32\ZoneLabs\vsdb.dll
----a-w 75,304 2007-09-06 20:14:18 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
----a-w 2,024,936 2007-09-06 20:14:04 C:\WINDOWS\system32\ZoneLabs\vsmondll.dll
----a-w 1,345,000 2007-09-06 20:14:06 C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
----a-w 239,080 2007-09-06 20:14:06 C:\WINDOWS\system32\ZoneLabs\vsvault.dll
----a-w 177,640 2007-09-06 20:14:08 C:\WINDOWS\system32\ZoneLabs\zlparser.dll
----a-w 7,822,848 2007-09-25 02:33:14 C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
----a-w 79,344 2007-09-06 20:14:08 C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
----a-w 382,440 2007-09-06 20:14:08 C:\WINDOWS\system32\ZoneLabs\zlsre.dll
----a-w 120,296 2007-09-06 20:14:08 C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
----a-w 77,824 2007-05-31 04:03:16 C:\WINDOWS\system32\ZoneLabs\avsys\CKAHComm.dll
----a-w 110,592 2007-05-31 04:03:16 C:\WINDOWS\system32\ZoneLabs\avsys\CKAHrule.dll
----a-w 331,776 2007-05-31 04:03:16 C:\WINDOWS\system32\ZoneLabs\avsys\CKAHUM.dll
----a-w 38,400 2007-05-31 04:03:16 C:\WINDOWS\system32\ZoneLabs\avsys\FSSync.dll
----a-w 274,432 2007-08-24 23:31:48 C:\WINDOWS\system32\ZoneLabs\avsys\kave.dll
----a-w 548,864 2007-05-31 04:03:20 C:\WINDOWS\system32\ZoneLabs\avsys\msvcp80.dll
----a-w 626,688 2007-05-31 04:03:20 C:\WINDOWS\system32\ZoneLabs\avsys\msvcr80.dll
----a-w 184,320 2007-05-31 04:03:18 C:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll
----a-w 90,112 2007-05-31 04:03:22 C:\WINDOWS\system32\ZoneLabs\avsys\prremote.dll
----a-w 135,168 2007-08-24 23:31:48 C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
----a-w 65,248 2007-05-31 04:03:30 C:\WINDOWS\system32\ZoneLabs\avsys\bases\aphish.dat
----a-w 670,472 2007-09-25 22:16:21 C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
----a-w 110,360 2007-07-19 19:10:32 C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\kl1.sys
----a-w 186,128 2007-07-19 19:10:32 C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\klif.sys
----a-w 110,360 2007-05-31 04:03:48 C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\kl1.sys
----a-w 127,768 2007-07-19 19:10:28 C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\klif.sys
----a-w 45,056 2007-05-31 04:03:50 C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\regcat.exe
----a-w 288,144 2007-09-06 20:14:30 C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
----a-w 152,976 2007-09-06 20:14:30 C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
----a-w 26,000 2007-09-06 20:14:30 C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
----a-w 1,361,296 2007-09-06 20:14:32 C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
----a-w 71,056 2007-09-06 20:14:32 C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
----a-w 30,184 2007-09-06 20:15:50 C:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
----a-w 30,216 2007-09-06 20:15:52 C:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
----a-w 214,528 2007-09-06 20:15:52 C:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
----a-w 3,266,040 2007-09-06 20:15:54 C:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll
.
----a-w 163,328 2007-09-13 10:50:49 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
----a-w 12,177,408 2007-09-15 23:55:22 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
----a-w 290,816 2007-09-15 23:55:22 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-w 83,696 2007-03-09 04:01:24 C:\WINDOWS\system32\vsdata.dll
----a-w 394,192 2007-03-09 04:02:10 C:\WINDOWS\system32\vsdatant.sys
----a-w 157,424 2007-03-09 04:01:24 C:\WINDOWS\system32\vsinit.dll
----a-w 104,176 2007-03-09 04:01:26 C:\WINDOWS\system32\vsmonapi.dll
----a-w 276,208 2007-03-09 04:01:26 C:\WINDOWS\system32\vspubapi.dll
----a-w 71,408 2007-03-09 04:01:26 C:\WINDOWS\system32\vsregexp.dll
----a-w 472,816 2007-03-09 04:01:28 C:\WINDOWS\system32\vsutil.dll
----a-w 46,832 2007-03-09 04:01:30 C:\WINDOWS\system32\vswmi.dll
----a-w 100,080 2007-03-09 04:01:30 C:\WINDOWS\system32\vsxml.dll
----a-w 83,696 2007-03-09 04:01:30 C:\WINDOWS\system32\zlcomm.dll
----a-w 71,408 2007-03-09 04:01:32 C:\WINDOWS\system32\zlcommdb.dll
---h--w 4,212 2007-09-20 17:50:57 C:\WINDOWS\system32\zllictbl.dat
----a-w 362,280 2007-03-09 04:01:10 C:\WINDOWS\system32\ZoneLabs\av.dll
----a-w 100,080 2007-03-09 04:01:10 C:\WINDOWS\system32\ZoneLabs\camupd.dll
----a-w 128,744 2007-03-09 04:01:14 C:\WINDOWS\system32\ZoneLabs\fbl.dll
----a-w 38,640 2007-03-09 04:01:14 C:\WINDOWS\system32\ZoneLabs\featuremap.dll
----a-w 321,280 2007-03-09 04:01:14 C:\WINDOWS\system32\ZoneLabs\imsecure.dll
----a-w 714,208 2007-08-28 01:08:44 C:\WINDOWS\system32\ZoneLabs\qrbase.dll
----a-w 787,936 2007-08-28 01:08:44 C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
----a-w 173,808 2007-03-09 04:01:20 C:\WINDOWS\system32\ZoneLabs\scheduler.dll
----a-w 5,600,151 2007-09-19 15:42:32 C:\WINDOWS\system32\ZoneLabs\spyware.dat
----a-w 4,977,606 2007-08-28 01:08:49 C:\WINDOWS\system32\ZoneLabs\spyware0.dat
----a-w 1,500,640 2007-08-28 01:08:44 C:\WINDOWS\system32\ZoneLabs\srescan.dll
----a-w 50,152 2007-08-28 01:08:44 C:\WINDOWS\system32\ZoneLabs\srescan.sys
----a-w 456,432 2007-03-09 04:01:20 C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
----a-w 833,248 2007-08-28 01:08:42 C:\WINDOWS\system32\ZoneLabs\updating.dll
----a-w 141,104 2007-03-09 04:01:58 C:\WINDOWS\system32\ZoneLabs\updclient.exe
----a-w 108,272 2007-03-09 04:01:24 C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
----a-w 79,600 2007-03-09 04:01:24 C:\WINDOWS\system32\ZoneLabs\vsdb.dll
----a-w 75,568 2007-03-09 04:01:58 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
----a-w 2,025,200 2007-03-09 04:01:26 C:\WINDOWS\system32\ZoneLabs\vsmondll.dll
----a-w 1,345,264 2007-03-09 04:01:28 C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
----a-w 243,440 2007-03-09 04:01:28 C:\WINDOWS\system32\ZoneLabs\vsvault.dll
----a-w 177,904 2007-03-09 04:01:32 C:\WINDOWS\system32\ZoneLabs\zlparser.dll
----a-w 8,228,352 2007-09-13 22:09:39 C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
----a-w 79,608 2007-03-09 04:01:32 C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
----a-w 378,608 2007-03-09 04:01:34 C:\WINDOWS\system32\ZoneLabs\zlsre.dll
----a-w 120,560 2007-03-09 04:01:34 C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
----a-w 61,565 2006-12-19 22:13:50 C:\WINDOWS\system32\ZoneLabs\avsys\CKAHComm.dll
----a-w 114,813 2006-12-19 22:13:50 C:\WINDOWS\system32\ZoneLabs\avsys\CKAHrule.dll
----a-w 307,323 2006-12-19 22:13:50 C:\WINDOWS\system32\ZoneLabs\avsys\CKAHUM.dll
----a-w 36,923 2006-11-30 02:02:26 C:\WINDOWS\system32\ZoneLabs\avsys\FSSync.dll
----a-w 274,514 2007-01-11 21:31:04 C:\WINDOWS\system32\ZoneLabs\avsys\kave.dll
----a-w 184,445 2006-11-30 02:02:26 C:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll
----a-w 94,313 2006-12-19 22:13:52 C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
----a-w 884,196 2007-09-20 21:00:47 C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
----a-w 288,408 2007-03-09 04:02:12 C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
----a-w 153,240 2007-03-09 04:02:12 C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
----a-w 26,264 2007-03-09 04:02:14 C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
----a-w 1,361,560 2007-03-09 04:02:14 C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
----a-w 71,320 2007-03-09 04:02:14 C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
----a-w 30,448 2007-03-09 04:04:42 C:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
----a-w 30,480 2007-03-09 04:04:44 C:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
----a-w 210,696 2007-03-09 04:04:44 C:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
----a-w 3,229,440 2007-03-09 04:04:46 C:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 14:04]
"Gateway Extended Warranty"="C:\Program Files\Gateway\GWCares\GWCares.exe" [2004-02-08 20:30]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 13:47]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 13:47]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 03:42]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-02 01:05]
"CTRegRun"="C:\WINDOWS\CTRegRun.EXE" [1999-10-10 21:00]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 02:46]
"HPHmon03"="C:\WINDOWS\system32\hphmon03.exe" [2006-01-13 02:46]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"Ad-Watch"="C:\Program Files\AdAware2007\Ad-Watch2007.exe" [2007-07-19 13:06]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-13 14:05]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 09:25]
"RegistryMechanic"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-09 15:45]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-09-17 13:34]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"IETI"=C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^L Winters^Start Menu^Programs^Startup^Diskeeper 10 Professional Edition Registration.lnk]
backup=C:\WINDOWS\pss\Diskeeper 10 Professional Edition Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^L Winters^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1&1 EasyLogin]
"C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe" HIDE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
"C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1133494656\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jing]
C:\Program Files\TechSmith\Jing\Jing.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KlipFolio]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCAutoLiveUpdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCSystemTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\C:\Program Files\CyberLink\PowerDVD\000.fcl
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
S3 Dot4 HPH09;Dot4 HPH09;C:\WINDOWS\system32\DRIVERS\hphid409.sys
S3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINDOWS\system32\DRIVERS\hphipr09.sys
S3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINDOWS\system32\Drivers\hphs2k09.sys
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys
S3 MXOPSWD;Maxtor OneTouch Security Driver;C:\WINDOWS\system32\DRIVERS\mxopswd.sys
S3 P1171VID;Creative WebCam Notebook #2;C:\WINDOWS\system32\DRIVERS\P1171Vid.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-07-14 18:39:12 C:\WINDOWS\Tasks\1 Copernic Intra-Daily ~LWINTERS L Winters.job"
"2007-07-14 18:39:12 C:\WINDOWS\Tasks\2 Copernic Daily ~LWINTERS L Winters.job"
- C:\Program Files\Copernic Agent\CopernicAgent.exe
"2007-07-14 18:39:12 C:\WINDOWS\Tasks\3 Copernic Weekly ~LWINTERS L Winters.job"
- C:\Program Files\Copernic Agent\CopernicAgent.exe
"2007-07-14 18:39:12 C:\WINDOWS\Tasks\4 Copernic Monthly ~LWINTERS L Winters.job"
- C:\Program Files\Copernic Agent\CopernicAgent.exe
"2007-09-25 22:13:43 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-25 18:28:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-25 18:29:46
C:\ComboFix-quarantined-files.txt ... 2007-09-16 17:05
C:\ComboFix2.txt ... 2007-09-20 17:53
C:\ComboFix3.txt ... 2007-09-16 17:05
.
--- E O F ---

____________________________________________________________________________________________

B. Fresh HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:27 PM, on 9/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AdAware2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\A-squared\a-squared Free\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\AdAware2007\Ad-Watch2007.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\Findvundo.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Ad-Watch] "C:\Program Files\AdAware2007\Ad-Watch2007.exe"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6172\SiteAdv.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BE71A78B-77DB-451C-A761-59B37022D544} (AOL Newport Downloader Ctrl) - http://pictures.aolcdn.com/ap/Resources/1....-US.9.3.2.0.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\A-squared\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\AdAware2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11689 bytes

________________________________________________________________________

I am curious about several items on the HJT log

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
_________________________________________________________________________________________________________

*** Often I get an error message that says "vsmon.exe" cannot load because there is not sufficient memory ***

*** For some reason my PC freezes up when I am viewing a .pdf file ***

*** My PC frequently freezes up when I attempt to play online games. I read something on the internet that this may have something to do with the ZA vsmon.exe ***

*** Often my browser freezes up and requires me to reboot the system; and when I attempt to X out, I get a message that "the program is not responding" ***

These are things I hope to resolve so my system will be clean.


Again, thanks so much for your help.
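The questions above are the standard first pass over an HJT log: which entries point at a file that is gone, which services have no publisher string or a missing binary, and which "(no name)" items have to be identified by CLSID and module path rather than by label. The following is an added example, not code from the thread, HijackThis or BleepingComputer: a small parser for the O2/O3/O9/O16/O23 line formats that applies exactly those checks. The sample lines are copied from the log posted above; the flag wording and the helper names are this example's own.

```python
"""Triage helper for HijackThis (HJT) log entries (added example, not HJT's code)."""
import re
from typing import Dict, List, Optional

# Lines copied from the HJT log posted in the thread.
SAMPLE_HJT_LINES = r"""
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
# O2/O3/O9: "<kind>: <name> - {CLSID} - <path or (no file)>"
CLSID_RE = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
# O16: "DPF: {CLSID} (<name>) - <download url>"
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
# O23: "Service: <display name> - <publisher> - <path>"
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def parse_hjt_line(line: str) -> Optional[Dict[str, object]]:
    """Return a dict for a recognised O2/O3/O9/O16/O23 line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry: Dict[str, object] = {"section": section, "raw": line.strip()}
    if section == "O23":
        sub = SERVICE_RE.match(body)
    elif section == "O16":
        sub = DPF_RE.match(body)
    elif section in ("O2", "O3", "O9"):
        sub = CLSID_RE.match(body)
    else:
        return None  # other sections (R1, O4, O8, ...) are out of scope here
    if sub is None:
        entry["parse_error"] = True
        return entry
    entry.update(sub.groupdict())
    return entry


def triage(entry: Dict[str, object]) -> List[str]:
    """Flags a responder raises before deciding whether to fix the line."""
    flags: List[str] = []
    path = str(entry.get("path", ""))
    if path == "(no file)":
        flags.append("orphan: module no longer on disk, entry can be removed")
    if path.endswith("(file missing)"):
        flags.append("service binary missing: leftover install or removed by cleanup")
    if entry.get("owner") == "Unknown owner":
        flags.append("no publisher string: check the binary's signature or hash")
    if entry.get("name") == "(no name)":
        flags.append("unnamed: identify it by CLSID and module path, not by label")
    if entry["section"] == "O16":
        flags.append("downloaded ActiveX control: confirm it is a scanner you installed")
    return flags


def triage_log(text: str) -> List[Dict[str, object]]:
    """Parse every recognised line and attach its flags."""
    results: List[Dict[str, object]] = []
    for line in text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        entry["flags"] = triage(entry)
        results.append(entry)
    return results


def flagged_lines(text: str) -> List[str]:
    """Only the raw lines that need a closer look."""
    return [str(e["raw"]) for e in triage_log(text) if e["flags"]]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_HJT_LINES):
        for f in e["flags"]:
            print(f"{e['section']}: {f}\n    {e['raw']}")
```

On the sample lines the vsmon service comes out with no flags, the "(no name)" SiteAdvisor BHO and Java button are flagged only as unnamed, and the McAfee toolbar leftover is flagged both as unnamed and as an orphan with no file on disk.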

#13 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:04:29 PM

Posted 26 September 2007 - 02:12 AM

Hi,

Thanks for the logs.

Your HJT concerns:

Leftover from previous McAfee install:
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)


Site Advisor:
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
http://www.siteadvisor.com/

Part of your Java:
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll


O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
It is a search engine.
http://www.copernic.com/en/products/agent/index.html


BitDefender online virus scanner:
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

Part of iTunes:
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

Part of Zone Alarm:
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

-----------------------

The other issues you are still having are likely going to take a bit of time to resolve.
I did find your other thread at CastleCops and you were badly infested.
When you get hit that bad, it takes a lot of repairs and such to resolve.

If that were my box I would have just formatted.

As for vsmon.exe slowing down games... yes it may. That is part of your firewall but it should work right if you allow the game to have proper access.

------------------

For some reason Ad-Watch doesn't want to stop or remain disabled.
Uninstall Ad-Aware till we are done please.

next:

Copy the following text to a new notepad file.
Save as file name CFScript.txt
Save it to the desktop.

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Close down running programs.
Drag CFScript.txt on top of ComboFix.exe.
Like this:

Posted Image

Post the new ComboFix.txt please.

Do not mouse click in the ComboFix window as it might hang.

Next:

Using Internet Explorer please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save report button.
  • Call it Kaspersky.txt
  • Expand the arrow beside "file types" and save as .txt file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
Shut down other unnecessary programs as well to free up memory.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Upload this file to Virus Total and post the scan results:

C:\WINDOWS\system32\fceec1_r.dll

Logs to post:

New hijackthis log
Log from Kaspersky
Virus Total on fceec1_r.dll
C:\Combofix.txt

If KAV log is too big please attach it to your reply.

Let me know how system is running.

Thanks
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image
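The CFScript above writes one value: hex(7) in a .reg-style fragment is REG_MULTI_SZ, a list of NUL-terminated strings closed by an extra NUL, and the bytes 6d,73,76,31,5f,30,00,00 spell "msv1_0", the stock Windows authentication package. lsass.exe loads every DLL named in that list at boot, which is why the list is an autostart location worth resetting to the stock entry and re-checking afterwards. The following is an added example, not ComboFix's code and not part of the thread: it parses the fragment, decodes the value, and reports any package beyond msv1_0. It also accepts the UTF-16LE form a regedit export uses (6d,00,73,00,...) and the backslash line continuation of .reg files. LSA_KEY, STOCK_AUTH_PACKAGES and the helper names are this example's own; the "example_pkg" string in the usage check is a constructed placeholder, not a real package.

```python
"""Decode the REG_MULTI_SZ 'Authentication Packages' value from a CFScript/.reg
fragment and flag anything beyond the stock msv1_0 (added example)."""
import re
from typing import Dict, List, Optional

# The fragment from the post above, verbatim.
CFSCRIPT = r'''Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
'''
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
STOCK_AUTH_PACKAGES = frozenset({"msv1_0"})  # what a clean XP box lists here

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\((?P<type>\d+)\):(?P<data>.*)$')


def hex_to_bytes(data: str) -> bytes:
    """'6d,73,76,31,5f,30,00,00' -> b'msv1_0\\x00\\x00' (commas/whitespace ignored)."""
    return bytes(int(tok, 16) for tok in re.findall(r"[0-9a-fA-F]{2}", data))


def decode_multi_sz(raw: bytes) -> List[str]:
    """Split a REG_MULTI_SZ blob into its strings.

    regedit exports REG_MULTI_SZ as UTF-16LE (every second byte is 00 for
    ASCII text); the CFScript in the thread gives single-byte text. Decide by
    looking at the odd bytes: all zero means UTF-16LE. A heuristic, adequate
    for the ASCII package names this value holds.
    """
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def parse_reg_fragment(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse [key] and "name"=hex(7):... lines (with backslash continuations)
    into {key: {name: [strings]}}. Value types other than hex(7) are skipped."""
    result: Dict[str, Dict[str, List[str]]] = {}
    key: Optional[str] = None
    pending_name: Optional[str] = None
    pending_data = ""
    for line in text.splitlines():
        line = line.strip()
        if pending_name is not None and key is not None:
            pending_data += line.rstrip("\\")
            if not line.endswith("\\"):  # continuation finished
                result[key][pending_name] = decode_multi_sz(hex_to_bytes(pending_data))
                pending_name = None
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None or m.group("type") != "7":
            continue
        data = m.group("data")
        if data.endswith("\\"):  # value wrapped onto the next line(s)
            pending_name, pending_data = m.group("name"), data.rstrip("\\")
        else:
            result[key][m.group("name")] = decode_multi_sz(hex_to_bytes(data))
    return result


def unexpected_auth_packages(packages: List[str], allowed=STOCK_AUTH_PACKAGES) -> List[str]:
    """Every name here is a DLL lsass loads at boot; anything beyond the stock
    list must be explained (a known third-party package or an implant)."""
    return [p for p in packages if p.lower() not in allowed]


if __name__ == "__main__":
    parsed = parse_reg_fragment(CFSCRIPT)
    pkgs = parsed[LSA_KEY]["Authentication Packages"]
    print("Authentication Packages:", pkgs)
    print("unexpected:", unexpected_auth_packages(pkgs))
    # Constructed placeholder name, not a real package, to show the flagging path.
    print("unexpected:", unexpected_auth_packages(["msv1_0", "example_pkg"]))
```

Running the same decoder on a regedit export of the live key after ComboFix has applied the script is the check that the reset took: the list should come back as exactly ["msv1_0"].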

#14 Wintcom

Wintcom
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:29 PM

Posted 26 September 2007 - 11:50 PM

Hi Blender. If you don't mind me asking, what is the purpose of the CFScript change in the registry? I sort of like to know why I am doing things, especially to the registry.

Thanks

#15 Wintcom

Wintcom
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:29 PM

Posted 27 September 2007 - 06:20 AM

I saved the Kaspersky report as a .txt file and the only thing that showed up was this below:

 ■-



