Antispywareupdates.net, 404search, 7fasst, Adbreak, Etc, Etc


  • This topic is locked
20 replies to this topic

#1 azwanzig

azwanzig

  • Members
  • 20 posts

Posted 02 March 2008 - 10:47 PM

My system tray periodically shows a yellow triangle with exclamation point icon and a text bubble stating that I am being attacked over the internet and to click to run a full system scan. The icon links to antispywareupdates.net.

Also, a window periodically pops up on the screen with a Windows Security Alert stating something similar about a need for a full system scan. That window also links to antispywareupdates.net.

Teatimer is constantly popping up with Browser Helper Objects making additions to the following keys:

{00000012-890e-4aac-afd9-eff6954a34dd}
{06dfedaa-6196-11d5-bfc8-00508b4a487d}
{12F02779-6D88-4958-8AD3-83C12D86ADC7}
{1adbcce8-cf84-441e-9b38-afc7a19c06a4}
{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}
{944864a5-3916-46e2-96a9-a2e84f3f1208}
{bb936323-19fa-4521-ba29-eca6a121bc78}
{c5af2622-8c75-4dfb-9693-23ab7686a456}
{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}
{669695bc-a811-4a9d-8cdf-ba8c795f261e}
{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}
{8AD9C840-044E-11D1-B3E9-00805F499D93}
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

I ran adaware several times and each time it finds and removes 404search, 7FaSSt, AdBreak, Adware.Z-Quest, BargainBuddy, CnsMin, Toolbar.Softo and Win32.Spyware.Acoona.

I ran Spybot S&D and it removes several things, over and over.

I ran Housecall Antivirus, Panda Antivirus and BitDefender. Each found infections and each deleted them.

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:48 PM, on 3/2/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system\proxy.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\mgmrwmrv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HIJACKTHIS\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINNT\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKLM\..\Policies\Explorer\Run: [lsass] C:\WINNT\system\alg.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost] C:\WINNT\svchost.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204509422796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{993B5030-D9E0-436A-B72A-28D3B44AC73F}: NameServer = 66.174.92.14 66.174.95.44
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MsService - Unknown owner - C:\WINNT\system\proxy.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\cool.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINNT\system32\perfs.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINNT\system32\routing.exe (file missing)

--
End of file - 8303 bytes
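The HijackThis log above carries the classic signs a helper looks for: an extra executable appended to UserInit (F2), BHO CLSIDs with no file behind them (O2), Run entries that are bare file names or that borrow system process names under Policies\Explorer\Run (O4), and services with no vendor or a missing binary (O23). The triage script below is an added example, not part of this thread or of HijackThis itself; the rules are my own heuristics, and the sample log is a constructed subset of lines copied from the log posted above.

```python
import re

# Constructed sample: a subset of lines copied from the HijackThis log posted
# in this thread, embedded here so the rules can be run offline.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
O4 - HKLM\..\Policies\Explorer\Run: [lsass] C:\WINNT\system\alg.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost] C:\WINNT\svchost.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: MsService - Unknown owner - C:\WINNT\system\proxy.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\cool.exe (file missing)
""".strip()

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
SYSTEM32 = ("c:\\winnt\\system32\\", "c:\\windows\\system32\\")
# Names that only belong in System32; the same name elsewhere is a common disguise.
SYSTEM_NAMES = {"lsass", "svchost", "services", "winlogon", "csrss"}


def check_f2(body: str) -> list[str]:
    """F2: UserInit should list only userinit.exe; anything else runs at every logon."""
    m = re.search(r"UserInit=(.*)$", body, re.IGNORECASE)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [f"extra UserInit executable: {e}"
            for e in entries if not e.lower().endswith("userinit.exe")]


def check_o2(body: str) -> list[str]:
    """O2: a BHO CLSID whose DLL is gone is a leftover registration worth clearing."""
    return ["BHO registered but its file is missing"] if body.endswith("(no file)") else []


def first_token(cmd: str) -> str:
    """Extract the executable from a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_o4(body: str) -> list[str]:
    """O4: flag bare names, Policies\\Explorer\\Run, and system names outside System32."""
    m = re.match(r"(?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", body)
    if not m:
        return []
    key, name, exe = m.group("key"), m.group("name"), first_token(m.group("cmd"))
    findings = []
    if "\\" not in exe:
        # A bare name is located via the search path, so it could come from anywhere.
        findings.append(f"bare executable name resolved via search path: {exe}")
    if "policies\\explorer\\run" in key.lower():
        findings.append("autostart via Policies\\Explorer\\Run (rarely used legitimately)")
    if name.lower() in SYSTEM_NAMES and not exe.lower().startswith(SYSTEM32):
        findings.append(f"system process name '{name}' pointing outside System32: {exe}")
    return findings


def check_o23(body: str) -> list[str]:
    """O23: services with no vendor string or a missing binary deserve a look."""
    findings = []
    if "Unknown owner" in body:
        findings.append("service binary has no vendor information")
    if body.endswith("(file missing)"):
        findings.append("service registered but binary missing (dangling service)")
    return findings


CHECKS = {"F2": check_f2, "O2": check_o2, "O4": check_o4, "O23": check_o23}


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (section, finding, original line) for every rule that fires."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        for finding in CHECKS.get(sec, lambda _body: [])(body):
            results.append((sec, finding, line.strip()))
    return results


if __name__ == "__main__":
    for sec, finding, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {finding}\n    {line}")
```

The rules only rank entries for a human to review; a hit such as a bare name under Run is a prompt to locate the file and check its origin, not a verdict on its own.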


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 03 March 2008 - 11:31 AM

Hello azwanzig,

NOTE: If you have downloaded SmitfraudFix previously please delete that version and download it again! Also delete C:\rapport.txt

Please download SmitfraudFix

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of the SmitfraudFix report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 azwanzig

azwanzig
  • Topic Starter

  • Members
  • 20 posts

Posted 04 March 2008 - 09:45 AM

Hi SifuMike. Thanks for your quick response.

I ran SmitfraudFix in safe mode. It appeared to crash while checking the registry with a message "Error accessing registry". A report was generated anyway, though.

Upon reload, teatimer caught several browser changes including home pages and default search pages.

The antispywareupdates.net popups seem to have stopped.

SmitfraudFix and Hijackthis reports attached. SmitfraudFix Hosts list deleted due to length. Let me know if you want to see it.

Thanks again!
-------------------------------------------------------------------------------------------------------
SmitFraudFix v2.300

Scan done at 6:16:41.26, Tue 03/04/2008
Run from C:\Program Files\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

*********Deleted due to excessive length***********

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINNT\764.exe Deleted
C:\WINNT\7search.dll Deleted
C:\WINNT\absolute key logger.lnk Deleted
C:\WINNT\aconti.exe Deleted
C:\WINNT\aconti.ini Deleted
C:\WINNT\aconti.log Deleted
C:\WINNT\aconti.sdb Deleted
C:\WINNT\acontidialer.txt Deleted
C:\WINNT\adbar.dll Deleted
C:\WINNT\cbinst$.exe Deleted
C:\WINNT\daxtime.dll Deleted
C:\WINNT\default.htm Deleted
C:\WINNT\dp0.dll Deleted
C:\WINNT\eventlowg.dll Deleted
C:\WINNT\fhfmm-Uninstaller.exe Deleted
C:\WINNT\fhfmm.exe Deleted
C:\WINNT\flt.dll Deleted
C:\WINNT\hcwprn.exe Deleted
C:\WINNT\hotporn.exe Deleted
C:\WINNT\iexplorr23.dll Deleted
C:\WINNT\ie_32.exe Deleted
C:\WINNT\jd2002.dll Deleted
C:\WINNT\kkcomp$.exe Deleted
C:\WINNT\kkcomp.dll Deleted
C:\WINNT\kkcomp.exe Deleted
C:\WINNT\kvnab$.exe Deleted
C:\WINNT\kvnab.dll Deleted
C:\WINNT\kvnab.exe Deleted
C:\WINNT\liqad$.exe Deleted
C:\WINNT\liqad.dll Deleted
C:\WINNT\liqad.exe Deleted
C:\WINNT\liqui-Uninstaller.exe Deleted
C:\WINNT\liqui.dll Deleted
C:\WINNT\liqui.exe Deleted
C:\WINNT\ngd.dll Deleted
C:\WINNT\pbar.dll Deleted
C:\WINNT\pbsysie.dll Deleted
C:\WINNT\settn.dll Deleted
C:\WINNT\spredirect.dll Deleted
C:\WINNT\vxddsk.exe Deleted
C:\WINNT\wbeCheck.exe Deleted
C:\WINNT\wbeInst$.exe Deleted
C:\WINNT\wml.exe Deleted
C:\WINNT\xadbrk.dll Deleted
C:\WINNT\xadbrk.exe Deleted
C:\WINNT\xadbrk_.exe Deleted
C:\WINNT\xxxvideo.exe Deleted
C:\WINNT\system32\ace16win.dll Deleted
C:\WINNT\system32\ESHOPEE.exe Deleted
C:\WINNT\system32\mgmrwmrv.exe Deleted
C:\WINNT\system32\msole32.exe Deleted
C:\WINNT\system32\vxddsk.exe Deleted
C:\WINNT\system32\winfrun32.bin Deleted
C:\WINNT\system32\wml.exe Deleted
C:\WINNT\system32\acespy\ Deleted
C:\Program Files\3721\ Deleted
C:\Program Files\Accoona\ Deleted
C:\Program Files\akl\ Deleted
C:\Program Files\amsys\ Deleted
C:\Program Files\e-zshopper\ Deleted
C:\Program Files\p2pnetworks\ Deleted

IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


DNS



Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End
-------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:09 AM, on 3/4/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system\proxy.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HIJACKTHIS\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\mgmrwmrv.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINNT\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKLM\..\Policies\Explorer\Run: [lsass] C:\WINNT\system\alg.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost] C:\WINNT\svchost.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204509422796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{993B5030-D9E0-436A-B72A-28D3B44AC73F}: NameServer = 66.174.92.14 66.174.95.44
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MsService - Unknown owner - C:\WINNT\system\proxy.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\cool.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINNT\system32\perfs.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINNT\system32\routing.exe (file missing)

--
End of file - 6569 bytes

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 March 2008 - 01:39 PM

Hi azwanzig,

I think Teatimer was preventing SmitfraudFix from working correctly, so let's disable it and run SmitfraudFix again.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts


NOTE: If you have downloaded SmitfraudFix previously please delete that version and download it again! Also delete C:\rapport.txt

Please download SmitfraudFix

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of the SmitfraudFix report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

#5 azwanzig

azwanzig
  • Topic Starter

  • Members
  • 20 posts

Posted 04 March 2008 - 09:45 PM

Hi SifuMike.

I disabled teatimer and reran SmitfraudFix in safe mode and got the same error after choosing to clean the registry. The error reads, "Cannot import cleanup.reg: Error accessing the registry"

This time when I reloaded, my home page had been changed to http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome

The changes teatimer caught on the last go round were as follows:

3/4/2008 6:25:49 AM Denied (based on user decision) value "Local Page" (new data: "C:\windows\system32\blank.htm") changed in Browser page!
3/4/2008 6:25:56 AM Denied (based on user decision) value "Search Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch") changed in Browser page!
3/4/2008 6:26:01 AM Denied (based on user decision) value "Search Bar" (new data: "") deleted in Browser page!
3/4/2008 6:26:06 AM Denied (based on user decision) value "Start Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome") changed in Browser page!
3/4/2008 6:26:09 AM Denied (based on user decision) value "Default_Search_URL" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch") added in Browser page!
3/4/2008 6:26:11 AM Denied (based on user decision) value "" (new data: "http://home.microsoft.com/access/autosearch.asp?p=%s") added in Browser page!
3/4/2008 6:26:13 AM Denied (based on user decision) value "Local Page" (new data: "C:\windows\system32\blank.htm") changed in Browser page!
3/4/2008 6:26:17 AM Denied (based on user decision) value "UserInit" (new data: "") deleted in Winlogon!
3/4/2008 6:26:19 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINNT\system32\userinit.exe,") changed in Winlogon!

The latest SmitfraudFix and Hijackthis logs are as follows (minus the hosts list - let me know if that's important).

Thanks!
------------------------------------------------------------------------------------------------------

SmitFraudFix v2.300

Scan done at 18:03:07.87, Tue 03/04/2008
Run from C:\Program Files\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

****************DELETED******************

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


DNS



Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

---------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:21 PM, on 3/4/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system\proxy.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HIJACKTHIS\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINNT\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [lsass] C:\WINNT\system\alg.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost] C:\WINNT\svchost.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204509422796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{993B5030-D9E0-436A-B72A-28D3B44AC73F}: NameServer = 66.174.92.14 66.174.95.44
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MsService - Unknown owner - C:\WINNT\system\proxy.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\cool.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINNT\system32\perfs.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINNT\system32\routing.exe (file missing)

--
End of file - 6677 bytes

#6 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 March 2008 - 10:21 PM

Hi azwanzig,

Before we start, you need to realize that you are missing one important program on that computer: An antivirus.

This is somewhat suicidal in today's digital world. :thumbsup:

You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download the free

Avast or
AntiVir or
AVG antivirus

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!




Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Edited by SifuMike, 04 March 2008 - 10:42 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 azwanzig

  • Topic Starter
  • Members
  • 20 posts

Posted 06 March 2008 - 12:36 AM

Before we start, you need to realize that you are missing one important program on that computer: An antivirus.

This is somewhat suicidal in today's digital world. :blink:

You need to install an antivirus program as soon as you can and run a complete scan of the computer.


Understood. It has been less than a month since I upgraded from a 24 kbps dial-up. I had thought viruses were only email problems, so I didn't think I was at risk. Shame on me. I lost several hundred files to BitDefender and Avast, many of them program files which I need. :thumbsup: Lesson learned. I would appreciate help getting set up with protection tools. Avast is installed and running. Do I need a firewall even though I don't have a wireless network?

SDFix gave the error message, "Cannot import assosfix.reg: Error opening the file. There may be a disk or file system error"

SDFix and HijackThis reports attached.

Thanks again for your help.

-----------------------------------------------------------------------------------------------

SDFix: Version 1.153

Run by Administrator on Wed 03/05/2008 at 8:53p

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\DOCUME~1\ADMINI~1\Desktop\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINNT\system32\comsa32.sys - Deleted
C:\WINNT\system32\i - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 21:05:00
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Remaining Files :


File Backups: - C:\DOCUME~1\ADMINI~1\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 11 Dec 2004 24,576 A..H. --- "C:\Old Disk C\My Documents\~WRL1689.tmp"
Sat 11 Dec 2004 28,672 A..H. --- "C:\Old Disk C\My Documents\~WRL2111.tmp"
Sat 11 Dec 2004 24,576 A..H. --- "C:\Old Disk C\My Documents\~WRL3572.tmp"
Tue 3 Jun 2003 23,552 A..H. --- "C:\Old Disk D\My Documents\~WRL0001.tmp"
Thu 28 Aug 2003 70,144 A..H. --- "C:\Old Disk D\My Documents\~WRL0587.tmp"
Fri 29 Aug 2003 80,384 A..H. --- "C:\Old Disk D\My Documents\~WRL0677.tmp"
Thu 28 Aug 2003 57,344 A..H. --- "C:\Old Disk D\My Documents\~WRL1169.tmp"
Thu 28 Aug 2003 52,736 A..H. --- "C:\Old Disk D\My Documents\~WRL1971.tmp"
Fri 29 Aug 2003 85,504 A..H. --- "C:\Old Disk D\My Documents\~WRL1981.tmp"
Fri 29 Aug 2003 85,504 A..H. --- "C:\Old Disk D\My Documents\~WRL2596.tmp"
Thu 28 Aug 2003 74,752 A..H. --- "C:\Old Disk D\My Documents\~WRL3241.tmp"
Thu 28 Aug 2003 37,888 A..H. --- "C:\Old Disk D\My Documents\~WRL3577.tmp"
Thu 28 Aug 2003 20,992 A..H. --- "C:\Old Disk D\My Documents\~WRL3787.tmp"
Thu 28 Aug 2003 71,680 A..H. --- "C:\Old Disk D\My Documents\~WRL4040.tmp"
Thu 28 Aug 2003 49,664 A..H. --- "C:\Old Disk D\My Documents\~WRL4096.tmp"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 5 May 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 5 May 2007 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv18.bak"
Mon 11 May 1998 53,248 A..H. --- "C:\Old Disk C\Program Files\Accessories\mspcx32.dll"
Mon 11 May 1998 40,960 A..H. --- "C:\Old Disk C\Program Files\Accessories\HyperTerminal\hticons.dll"
Mon 11 May 1998 491,520 A..H. --- "C:\Old Disk C\Program Files\Accessories\HyperTerminal\hypertrm.dll"
Sun 6 Mar 2005 4,348 A.SH. --- "C:\Old Disk C\Windows\All Users\DRM\DRMv1.bak"
Sun 6 Mar 2005 401 A.SH. --- "C:\Old Disk C\Windows\All Users\DRM\DRMv18.bak"

Finished!

-----------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:46 PM, on 3/5/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system\proxy.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HIJACKTHIS\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINNT\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204509422796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{993B5030-D9E0-436A-B72A-28D3B44AC73F}: NameServer = 66.174.92.14 66.174.95.44
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MsService - Unknown owner - C:\WINNT\system\proxy.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\cool.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINNT\system32\perfs.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINNT\system32\routing.exe (file missing)

--
End of file - 7228 bytes

#8 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 06 March 2008 - 01:42 AM

Hi azwanzig,


You have some worms on this computer. :thumbsup:


Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Please disable Spybot Teatimer, as that will stop the Hijackthis fixes. You can enable it after we are done using Hijackthis.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts


Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\cool.exe (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINNT\system32\perfs.exe (file missing)
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINNT\system32\routing.exe (file missing)



Let's delete the bad services:
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the code box to Notepad.
Save it to your desktop, make sure the file type is All Files and name it FixServices.bat

@echo off
sc stop ntlogin32
sc delete ntlogin32
sc stop perfmons 
sc delete perfmons
sc stop Routing 
sc delete Routing 
exit

Double click FixServices.bat. A window will open and close. This is normal.

*******************************************

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Winnt\System32\libsys32.exe
    C:\Winnt\System32\syslog32.exe


  • Return to OTMoveIt2, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
    C:\_OTMoveIt2\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt2 is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer, post a new Hijackthis log, the OTMoveIt2 log, and tell me how your computer is running.
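As an added example (not code from this thread, nor from HijackThis, SDFix, OTMoveIt2 or any other tool named here), the Python script below applies the same judgement SifuMike uses above to HijackThis O4 and O23 lines: path-less autoruns, entries in unusual autorun keys, system-process names loaded from odd paths, and services whose binary is gone, and it emits a FixServices.bat of the same shape for the orphaned services only. The sample log lines are constructed from the logs in this thread, and the allowlists of legitimate path-less autoruns and of Windows process names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines modelled on the HijackThis logs in this thread (not a real capture).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
O4 - HKLM\..\Policies\Explorer\Run: [lsass] C:\WINNT\system\alg.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\cool.exe (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINNT\system32\perfs.exe (file missing)
O23 - Service: MsService - Unknown owner - C:\WINNT\system\proxy.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\S*?)\\\.\.\\(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
EXE_RE = re.compile(r'^"([^"]+)"|^(\S+)')   # first token of the autorun command, quoted or not

# Assumptions, not taken from the thread: Windows autoruns that legitimately appear without a
# path, and Windows process names that malware borrows to blend into a process list.
LEGIT_BARE = {"mobsync.exe", "rundll32.exe"}
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "alg.exe", "services.exe", "winlogon.exe", "csrss.exe"}


@dataclass
class Finding:
    kind: str           # "O4" autorun entry or "O23" service
    item: str           # autorun entry name, or the service short name as `sc` expects it
    action: str         # "fix" (HijackThis fix checked), "delete" (sc delete) or "review"
    reasons: List[str]


def _first_exe(cmd: str) -> str:
    m = EXE_RE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else ""


def triage_o4(m) -> Optional[Finding]:
    """Flag the autorun patterns SifuMike removes: bare file names, odd autorun keys, fake system names."""
    key, exe = m["key"], _first_exe(m["cmd"])
    base = exe.rsplit("\\", 1)[-1].lower()
    reasons = []
    if "RunServices" in key:
        reasons.append("RunServices is a Windows 9x autorun key that Windows 2000 software has no reason to use")
    if "Policies\\Explorer\\Run" in key:
        reasons.append("Policies\\Explorer\\Run autorun, a location legitimate installers rarely touch")
    if "\\" not in exe and base not in LEGIT_BARE:
        reasons.append(f"bare file name {exe!r} with no path, and not a known Windows autorun")
    if base in SYSTEM_NAMES and "\\system32\\" not in exe.lower():
        reasons.append(f"system process name {base} loaded from outside System32 ({exe})")
    return Finding("O4", m["name"], "fix", reasons) if reasons else None


def triage_o23(m) -> Optional[Finding]:
    """Orphaned services (binary gone) are deleted; unattributed ones are queued for review."""
    display, owner = m["display"], m["owner"]
    short_m = re.search(r"\((\S+)\)$", display)
    short = short_m.group(1) if short_m else display
    if m["missing"]:
        return Finding("O23", short, "delete", [f"service binary {m['path']} is missing"])
    if owner == "Unknown owner":
        return Finding("O23", short, "review", [f"no vendor recorded for {m['path']}; check the file first"])
    return None


def triage(log_text: str) -> List[Finding]:
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m4, m23 = O4_RE.match(line), O23_RE.match(line)
        finding = triage_o4(m4) if m4 else (triage_o23(m23) if m23 else None)
        if finding:
            findings.append(finding)
    return findings


def fix_services_batch(findings: List[Finding]) -> str:
    """Batch file in the shape of FixServices.bat above, covering only services flagged for deletion."""
    lines = ["@echo off"]
    for f in findings:
        if f.kind == "O23" and f.action == "delete":
            lines += [f"sc stop {f.item}", f"sc delete {f.item}"]
    lines.append("exit")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind} [{f.item}] -> {f.action}: " + "; ".join(f.reasons))
    print(fix_services_batch(found))
```

Entries marked "review" (such as MsService above) are deliberately left out of the batch file, since a missing vendor string alone is not proof that the binary is malicious.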

#9 azwanzig

  • Topic Starter
  • Members
  • 20 posts

Posted 07 March 2008 - 03:13 AM

Hi SifuMike.

I followed instructions several times before libsys32 and syslog32 stopped showing up in HijackThis. For what it's worth, when the computer starts up, after avast and net nanny load but before teatimer loads, a tab briefly appears on the start bar as if a program starts and stops quickly. There is no text on the tab, and it appears and disappears too quickly to get a look at the icon.

My computer connects to the internet in much less time than it had before, and web pages load faster.

Attached are the OTMoveIt2 and HijackThis logs:

-------------------------------------------------------------------------------

File/Folder C:\Winnt\System32\libsys32.exe not found.
File/Folder C:\Winnt\System32\syslog32.exe not found.

OTMoveIt2 v1.0.20 log created on 03062008_233516

-------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:02 AM, on 3/7/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system\proxy.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HIJACKTHIS\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINNT\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204509422796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{993B5030-D9E0-436A-B72A-28D3B44AC73F}: NameServer = 66.174.92.14 66.174.95.44
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MsService - Unknown owner - C:\WINNT\system\proxy.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\cool.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINNT\system32\perfs.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINNT\system32\routing.exe (file missing)

--
End of file - 7019 bytes

#10 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 07 March 2008 - 01:11 PM

Hi azwanzig,

None of the services were deleted, let's try again. Please follow the directions carefully.

Please disable Spybot Teatimer, as that will stop the Hijackthis fixes. You can enable it after we are done using Hijackthis.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts


Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\cool.exe (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINNT\system32\perfs.exe (file missing)
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINNT\system32\routing.exe (file missing)



Let's delete the bad services:

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the code box to Notepad. Do not include the word Code in the copy and paste.
Save it to your desktop, make sure the file type is All Files and name it FixServices.bat


@echo off
REM For each rogue service: stop it (harmless if already stopped), then remove its
REM registration from the Service Control Manager so it is no longer listed or started.
sc stop ntlogin32
sc delete ntlogin32
sc stop perfmons
sc delete perfmons
sc stop Routing
sc delete Routing
exit

Double click FixServices.bat. A window will open and close. This is normal.


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

*******************************************

Reboot your computer, post a new Hijackthis log, and tell me how your computer is running.

Edited by SifuMike, 07 March 2008 - 01:12 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
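As an added example (not code from HijackThis, WinPFind or this post), the script below parses the "O23 - Service:" lines of a HijackThis log and the "[Win32 Services]" lines of a WinPFind report, flags registrations whose binary is missing or that carry no publisher, and emits the same sc stop / sc delete pairs FixServices.bat writes by hand. The sample log is constructed to mirror the line formats seen in this thread; the function names are this example's own.

```python
# Added example for this thread, not code from HijackThis, WinPFind or the post.
# Parses service lines from HijackThis (O23) and WinPFind logs and triages them.
# The sample log at the bottom is constructed to mirror the line formats in the thread.
import re
from typing import Dict, List, NamedTuple, Optional


class ServiceRecord(NamedTuple):
    name: str             # key name known to the Service Control Manager (what `sc` takes)
    display: str          # display name shown in the log
    owner: str            # publisher from the log, "" when none was recorded
    path: str             # image path as logged
    state: Optional[str]  # "Running"/"Stopped" (WinPFind only; HijackThis omits it)
    missing: bool         # the log says the binary is not on disk


# HijackThis: "O23 - Service: <display> [(name)] - <owner> - <path> [(file missing)]"
HJT_O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>[A-Za-z]:\\.*?)(?P<missing> \(file missing\))?$"
)
# WinPFind: "(name) <display> [<type> | <start> | <state>] -> <path> -> <vendor [Ver...] | File not found>"
WPF_SVC = re.compile(
    r"^\((?P<name>[^)]+)\) (?P<display>.+?) \[(?P<type>[^|\]]+) \| (?P<start>[^|\]]+) \| "
    r"(?P<state>[^\]]+)\] -> (?P<path>.*?) -> (?P<tail>.*)$"
)
UNKNOWN_OWNERS = {"", "unknown owner"}


def parse_line(line: str) -> Optional[ServiceRecord]:
    """Return a ServiceRecord for a service line in either format, else None."""
    line = line.strip()
    m = HJT_O23.match(line)
    if m:
        # HijackThis prints "(name)" only when the key name differs from the display name
        name = m.group("name") or m.group("display")
        return ServiceRecord(name, m.group("display"), m.group("owner").strip(),
                             m.group("path"), None, m.group("missing") is not None)
    m = WPF_SVC.match(line)
    if m:
        tail = m.group("tail").strip()
        missing = tail == "File not found"
        # the vendor precedes "[Ver = ...]"; WinPFind leaves it empty when the image has no version info
        owner = "" if missing else tail.split("[Ver", 1)[0].strip()
        return ServiceRecord(m.group("name"), m.group("display"), owner,
                             m.group("path"), m.group("state").strip(), missing)
    return None


def parse_log(text: str) -> List[ServiceRecord]:
    """Parse every recognised service line; all other log lines are ignored."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def triage(records: List[ServiceRecord]) -> Dict[str, List[str]]:
    """Map service name -> reasons it deserves a closer look."""
    findings: Dict[str, List[str]] = {}
    for r in records:
        reasons = []
        if r.missing:
            reasons.append("registered service whose binary is not on disk")
        if r.owner.lower() in UNKNOWN_OWNERS:
            reasons.append("no publisher recorded for the image")
        if reasons:
            findings[r.name] = reasons
    return findings


def fix_commands(records: List[ServiceRecord]) -> List[str]:
    """sc lines for orphaned registrations, shaped like the post's FixServices.bat.
    Only services whose binary is gone are emitted; a live image with no publisher
    (proxy.exe in this thread) should be identified first, not deleted blind."""
    cmds: List[str] = []
    for r in records:
        if r.missing:
            cmds.append(f"sc stop {r.name}")    # errors harmlessly if already stopped
            cmds.append(f"sc delete {r.name}")
    return cmds


# Constructed sample: three HijackThis O23 lines followed by three WinPFind service lines.
SAMPLE_LOG = "\n".join([
    r"O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe",
    r"O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\cool.exe (file missing)",
    r"O23 - Service: MsService - Unknown owner - C:\WINNT\system\proxy.exe",
    r"(perfmons) perfmons Service [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\perfs.exe -> File not found",
    r"(MsService) MsService [Win32_Own | Auto | Running] -> %SystemRoot%\system\proxy.exe ->  [Ver =  | Size = 610816 bytes]",
    r"(NBService) NBService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBService.exe -> Nero AG [Ver = 2, 9, 1, 0]",
])

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for name, reasons in triage(records).items():
        print(f"{name}: {'; '.join(reasons)}")
    print("\n".join(fix_commands(records)))
```

Run it against a saved HijackThis or WinPFind log by passing the file's text to parse_log; only the "file missing" entries end up in the generated batch lines.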

#11 azwanzig (Topic Starter)

Posted 07 March 2008 - 11:30 PM

Hi SifuMike. I appreciate your patience.

I followed directions carefully. I created the file FixServices.bat. I disabled Teatimer, ran HijackThis, checked the services you indicated, and clicked on "Fix Checked".
I then restarted Teatimer, ran FixServices.bat, ran CCleaner, rebooted, ran HijackThis and copied the log.

I promise I followed directions, but cool.exe, perfs.exe and routing.exe were still there. In fact, after checking them and clicking Fix This, rescanning the system in the same HijackThis session shows that these services have not been killed. After running FixServices.bat, scanning with HijackThis shows that they are still running.

Anyway, the antispywareupdates pop-ups are gone and the internet is running far better than it ever has.

I ran a file search for those 3 files and found that they don't exist in my computer. I guess the question is, what program is calling them, and why can't hijackthis kill them?

Thank you again for your help. HijackThis report follows.


-----------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:25 PM, on 3/7/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system\proxy.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HIJACKTHIS\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINNT\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204509422796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MsService - Unknown owner - C:\WINNT\system\proxy.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\cool.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINNT\system32\perfs.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINNT\system32\routing.exe (file missing)

--
End of file - 6776 bytes

#12 SifuMike (malware expert, Staff Emeritus)

Posted 07 March 2008 - 11:53 PM

Hi azwanzig,

I ran a file search for those 3 files and found that they don't exist in my computer. I guess the question is, what program is calling them, and why can't hijackthis kill them?


No program is calling them, and Hijackthis can't kill active services.


We will try a different tool. :thumbsup:

Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

Close ALL OTHER PROGRAMS.
Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
In the Drivers section click on Non-Microsoft.
Under Additional Scans click the checkboxes in front of the following items to select them:

Reg - BotCheck
File - Additional Folder Scans


Do not change any other settings.
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.

#13 azwanzig (Topic Starter)

Posted 08 March 2008 - 01:39 AM

WinPFind35 logfile created on: 3/7/2008 10:33:26 PM

WinPFind35U Version 1.0.3.1	 Folder = C:\Documents and Settings\Administrator\Desktop\WinPFind35u

Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2800.1106)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

 

1023.00 Mb Total Physical Memory | 670.08 Mb Available Physical Memory | 65.50% Memory free

2.40 Gb Paging File | 2.06 Gb Available in Paging File | 85.91% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072;

 

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files

Drive C: | 74.45 Gb Total Space | 35.34 Gb Free Space | 47.47% Space Free | Partition Type: NTFS

Drive D: | 46.93 Mb Total Space | 39.60 Mb Free Space | 84.39% Space Free | Partition Type: FAT

Drive E: | 240.29 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded



Computer Name: DEL65

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user



[Processes - Non-Microsoft Only]

cwsvc.exe -> %ProgramFiles%\ContentWatch\Internet Protection\cwsvc.exe -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 1223168 bytes | Modified Date = 10/17/2007 9:42:26 AM | Attr =	]

aawservice.exe -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft [Ver = 7,0,2,6 | Size = 587096 bytes | Modified Date = 1/4/2008 1:27:08 PM | Attr =	]

aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 17272 bytes | Modified Date = 12/4/2007 6:36:33 AM | Attr =	]

ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 140664 bytes | Modified Date = 12/4/2007 5:00:16 AM | Attr =	]

guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 4:31:10 AM | Attr =	]

lssrvc.exe -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> Hewlett-Packard Company [Ver = 1.6.45.1 | Size = 79400 bytes | Modified Date = 5/15/2007 5:20:12 PM | Attr =	]

proxy.exe -> %SystemRoot%\system\proxy.exe ->  [Ver =  | Size = 610816 bytes | Modified Date = 2/28/2008 6:17:21 AM | Attr =	]

nvsvc32.exe -> %SystemRoot%\system32\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.01.4354 | Size = 69632 bytes | Modified Date = 4/24/2003 3:58:00 PM | Attr =	]

hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\hpwuSchd2.exe -> Hewlett-Packard Company [Ver = 2, 0, 39, 0 | Size = 49152 bytes | Modified Date = 2/12/2004 12:38:56 PM | Attr =	]

hpcmpmgr.exe -> %ProgramFiles%\HP\hpcoretech\hpcmpmgr.exe -> Hewlett-Packard Company [Ver = 2.1.1.0 | Size = 241664 bytes | Modified Date = 5/12/2004 2:18:56 PM | Attr =	]

cwtray.exe -> %ProgramFiles%\ContentWatch\Internet Protection\cwtray.exe -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 403456 bytes | Modified Date = 10/17/2007 9:42:28 AM | Attr =	]

ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 79224 bytes | Modified Date = 12/4/2007 5:00:23 AM | Attr =	]

nmbgmonitor.exe -> %CommonProgramFiles%\Ahead\Lib\NMBgMonitor.exe -> Nero AG [Ver = 2,0,13,1 | Size = 153136 bytes | Modified Date = 6/1/2007 10:21:08 AM | Attr =	]

teatimer.exe -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe -> Safer Networking Limited [Ver = 1, 5, 2, 16 | Size = 2097488 bytes | Modified Date = 1/28/2008 11:43:40 AM | Attr = RHS]

ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 345464 bytes | Modified Date = 12/4/2007 4:59:01 AM | Attr =	]

ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 247160 bytes | Modified Date = 12/4/2007 4:59:53 AM | Attr =	]

nmindexingservice.exe -> %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe -> Nero AG [Ver = 2,0,13,1 | Size = 271920 bytes | Modified Date = 6/1/2007 10:21:30 AM | Attr =	]

nmindexstoresvr.exe -> %CommonProgramFiles%\Ahead\Lib\NMIndexStoreSvr.exe -> Nero AG [Ver = 2,0,13,1 | Size = 1209904 bytes | Modified Date = 6/1/2007 10:21:30 AM | Attr =	]

winpfind35u.exe -> %UserProfile%\Desktop\WinPFind35u\WinPFind35U.exe -> OldTimer Tools [Ver = 1.0.3.1 | Size = 310784 bytes | Modified Date = 3/5/2008 1:21:14 AM | Attr =	]



[Win32 Services - Non-Microsoft Only]

(aawservice) Ad-Aware 2007 Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft [Ver = 7,0,2,6 | Size = 587096 bytes | Modified Date = 1/4/2008 1:27:08 PM | Attr =	]

(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 17272 bytes | Modified Date = 12/4/2007 6:36:33 AM | Attr =	]

(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 140664 bytes | Modified Date = 12/4/2007 5:00:16 AM | Attr =	]

(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 247160 bytes | Modified Date = 12/4/2007 4:59:53 AM | Attr =	]

(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 345464 bytes | Modified Date = 12/4/2007 4:59:01 AM | Attr =	]

(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 4:31:10 AM | Attr =	]

(CwAltaService20) ContentWatch [Win32_Own | Auto | Running] -> %ProgramFiles%\ContentWatch\Internet Protection\cwsvc.exe -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 1223168 bytes | Modified Date = 10/17/2007 9:42:26 AM | Attr =	]

(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\dmadmin.exe -> VERITAS Software Corp. [Ver = 2195.6624.297.3 | Size = 147728 bytes | Modified Date = 7/3/2003 7:36:04 AM | Attr =	]

(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 5/28/2007 9:04:08 PM | Attr =	]

(LightScribeService) LightScribeService Direct Disc Labeling Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> Hewlett-Packard Company [Ver = 1.6.45.1 | Size = 79400 bytes | Modified Date = 5/15/2007 5:20:12 PM | Attr =	]

(MsService) MsService [Win32_Own | Auto | Running] -> %SystemRoot%\system\proxy.exe ->  [Ver =  | Size = 610816 bytes | Modified Date = 2/28/2008 6:17:21 AM | Attr =	]

(NBService) NBService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBService.exe -> Nero AG [Ver = 2, 9, 1, 0 | Size = 792112 bytes | Modified Date = 4/13/2007 9:09:56 PM | Attr =	]

(NMIndexingService) NMIndexingService [Win32_Own | On_Demand | Running] -> %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe -> Nero AG [Ver = 2,0,13,1 | Size = 271920 bytes | Modified Date = 6/1/2007 10:21:30 AM | Attr =	]

(ntlogin32) NT login service [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\cool.exe -> File not found

(NVSvc) NVIDIA Driver Helper Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.01.4354 | Size = 69632 bytes | Modified Date = 4/24/2003 3:58:00 PM | Attr =	]

(perfmons) perfmons Service [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\perfs.exe -> File not found

(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\system32\HPZipm12.exe -> HP [Ver = 8, 0, 0, 0 | Size = 65536 bytes | Modified Date = 3/18/2004 3:55:48 PM | Attr =	]

(Routing) Routing Service [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\routing.exe -> File not found



[Driver Services - Non-Microsoft Only]

(Aavmker4) avast! Asynchronous Virus Monitor [Kernel | System | Running] -> %SystemRoot%\system32\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 26624 bytes | Modified Date = 12/4/2007 6:49:02 AM | Attr =	]

(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] ->  -> File not found

(abp480n5) abp480n5 [Kernel | Disabled | Stopped] ->  -> File not found

(adpu160m) adpu160m [Kernel | Disabled | Stopped] ->  -> File not found

(aeaudio) aeaudio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\aeaudio.sys -> Andrea Electronics Corporation [Ver = 1.0.0.2 (STUB) | Size = 4816 bytes | Modified Date = 4/1/2002 12:15:00 PM | Attr =	]

(Aha154x) Aha154x [Kernel | Disabled | Stopped] ->  -> File not found

(aic116x) aic116x [Kernel | Disabled | Stopped] ->  -> File not found

(aic78u2) aic78u2 [Kernel | Disabled | Stopped] ->  -> File not found

(aic78xx) aic78xx [Kernel | Disabled | Stopped] ->  -> File not found

(ami0nt) ami0nt [Kernel | Disabled | Stopped] ->  -> File not found

(amsint) amsint [Kernel | Disabled | Stopped] ->  -> File not found

(asc) asc [Kernel | Disabled | Stopped] ->  -> File not found

(asc3350p) asc3350p [Kernel | Disabled | Stopped] ->  -> File not found

(asc3550) asc3550 [Kernel | Disabled | Stopped] ->  -> File not found

(aswMon) avast! Standard Shield Support [File_System | Auto | Running] -> %SystemRoot%\system32\drivers\aswmon.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 93264 bytes | Modified Date = 12/4/2007 6:56:02 AM | Attr =	]

(aswRdr) aswRdr [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 23152 bytes | Modified Date = 12/4/2007 6:53:39 AM | Attr =	]

(aswTdi) avast! Network Shield Support [Kernel | System | Running] -> %SystemRoot%\system32\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 42912 bytes | Modified Date = 12/4/2007 6:51:52 AM | Attr =	]

(Atdisk) Atdisk [Kernel | Disabled | Stopped] ->  -> File not found

(AVG Anti-Spyware Driver) AVG Anti-Spyware Driver [Kernel | System | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.sys ->  [Ver =  | Size = 11000 bytes | Modified Date = 5/30/2007 4:10:42 AM | Attr =	]

(AvgAsCln) AVG Anti-Spyware Clean Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Modified Date = 5/30/2007 4:10:42 AM | Attr =	]

(BusLogic) BusLogic [Kernel | Disabled | Stopped] ->  -> File not found

(catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys -> File not found

(cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped] ->  -> File not found

(cdrbsdrv) cdrbsdrv [Kernel | System | Running] -> %SystemRoot%\system32\drivers\CDRBSDRV.SYS -> B.H.A Corporation [Ver = 7. 0. 0. 5 | Size = 13567 bytes | Modified Date = 3/8/2004 11:55:50 AM | Attr =	]

(cdrbsvsd) cdrbsvsd [Kernel | System | Stopped] ->  -> File not found

(Changer) Changer [Kernel | System | Stopped] ->  -> File not found

(Cpqarray) Cpqarray [Kernel | Disabled | Stopped] ->  -> File not found

(cpqarry2) cpqarry2 [Kernel | Disabled | Stopped] ->  -> File not found

(cpqfcalm) cpqfcalm [Kernel | Disabled | Stopped] ->  -> File not found

(cpqfws2e) cpqfws2e [Kernel | Disabled | Stopped] ->  -> File not found

(dac960nt) dac960nt [Kernel | Disabled | Stopped] ->  -> File not found

(DCamUSBEMPIA) Dazzle DVC Video Device [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\emDevice.sys -> eMPIA Technology, Inc. [Ver = 1.1.0406.0 | Size = 100957 bytes | Modified Date = 12/21/2005 10:14:52 AM | Attr =	]

(deckzpsx) deckzpsx [Kernel | Disabled | Stopped] ->  -> File not found

(dmboot) dmboot [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\dmboot.sys -> VERITAS Software Corp. [Ver = 2195.6655.297.3 | Size = 369104 bytes | Modified Date = 7/3/2003 7:36:05 AM | Attr =	]

(dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmio.sys -> VERITAS Software Corp. [Ver = 2195.6655.297.3 | Size = 137936 bytes | Modified Date = 7/3/2003 7:36:07 AM | Attr =	]

(dmload) dmload [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmload.sys -> VERITAS Software Corp. [Ver = 2195.6655.297.3 | Size = 7312 bytes | Modified Date = 7/3/2003 7:36:07 AM | Attr =	]

(E1000) Intel(R) PRO/1000 Adapter Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\e1000nt5.sys -> Intel Corporation [Ver = 7.0.34.0 | Size = 126016 bytes | Modified Date = 3/8/2003 2:51:12 PM | Attr =	]

(emAudio) Dazzle DVC Audio Device [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\emAudio.sys -> Pinnacle Systems, Inc. [Ver = 1.1.0600.0 | Size = 19712 bytes | Modified Date = 12/21/2005 10:14:52 AM | Attr =	]

(Fd16_700) Fd16_700 [Kernel | Disabled | Stopped] ->  -> File not found

(FiltUSBEMPIA) USB Device Lower Filter [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\emFilter.sys -> eMPIA Technology, Inc. [Ver = 1.1.0406.0 | Size = 5245 bytes | Modified Date = 12/21/2005 10:14:52 AM | Attr =	]

(fireport) fireport [Kernel | Disabled | Stopped] ->  -> File not found

(flashpnt) flashpnt [Kernel | Disabled | Stopped] ->  -> File not found

(HPZid412) IEEE-1284.4 Driver HPZid412 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\HPZid412.sys -> HP [Ver = 8, 0, 0, 0 | Size = 51088 bytes | Modified Date = 6/21/2004 2:40:48 AM | Attr =	]

(HPZipr12) Print Class Driver for IEEE-1284.4 HPZipr12 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\HPZipr12.sys -> HP [Ver = 8, 0, 0, 0 | Size = 16496 bytes | Modified Date = 6/21/2004 2:40:48 AM | Attr =	]

(HPZius12) USB to IEEE-1284.4 Translation Driver HPZius12 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\HPZius12.sys -> HP [Ver = 8, 0, 0, 0 | Size = 21744 bytes | Modified Date = 6/21/2004 2:40:48 AM | Attr =	]

(ini910u) ini910u [Kernel | Disabled | Stopped] ->  -> File not found

(ipsraidn) ipsraidn [Kernel | Disabled | Stopped] ->  -> File not found

(lbrtfdc) lbrtfdc [Kernel | System | Stopped] ->  -> File not found

(lp6nds35) lp6nds35 [Kernel | Disabled | Stopped] ->  -> File not found

(ltmodem5) LT Modem Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ltmdmnt.sys -> LT [Ver = 5.41G6 | Size = 413712 bytes | Modified Date = 10/23/1999 12:01:40 PM | Attr =	]

(mraid35x) mraid35x [Kernel | Disabled | Stopped] ->  -> File not found

(Ncrc710) Ncrc710 [Kernel | Disabled | Stopped] ->  -> File not found

(nv) nv [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\nv4_mini.sys -> NVIDIA Corporation [Ver = 6.14.01.4354 | Size = 1271706 bytes | Modified Date = 4/24/2003 3:58:00 PM | Attr =	]

(NWADI) NWADI Bus Enumerator [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\NWADIenum.sys -> Novatel Wireless Inc [Ver = 1.0.2.9 | Size = 194048 bytes | Modified Date = 4/19/2007 11:09:42 AM | Attr =	]

(NWUSBModem) Novatel Wireless USB Modem Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\nwusbmdm.sys -> Novatel Wireless Inc. [Ver = 3. 0. 1. 0 | Size = 99200 bytes | Modified Date = 4/19/2007 11:09:42 AM | Attr =	]

(NWUSBPort) Novatel Wireless USB Status Port Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\nwusbser.sys -> Novatel Wireless Inc. [Ver = 3. 0. 1. 0 | Size = 99200 bytes | Modified Date = 4/19/2007 11:09:42 AM | Attr =	]

(OMCI) OMCI [Kernel | System | Running] -> %SystemRoot%\system32\drivers\omci.sys -> Dell Computer Corporation [Ver = 6, 1, 0, 242 | Size = 13632 bytes | Modified Date = 8/22/2001 7:42:58 AM | Attr =	]

(PalmUSBD) PalmUSBD [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\PalmUSBD.sys -> Palm, Inc. [Ver = 1, 4, 0, 0 | Size = 16509 bytes | Modified Date = 4/13/2004 4:03:46 PM | Attr =	]

(PCIDump) PCIDump [Kernel | System | Stopped] ->  -> File not found

(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 | Size = 17680 bytes | Modified Date = 7/3/2003 7:46:22 AM | Attr =	]

(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\pxhelp20.sys -> Sonic Solutions [Ver = 3.00.43J | Size = 36624 bytes | Modified Date = 11/2/2006 4:57:04 PM | Attr =	]

(ql1080) ql1080 [Kernel | Disabled | Stopped] ->  -> File not found

(Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped] ->  -> File not found

(ql1240) ql1240 [Kernel | Disabled | Stopped] ->  -> File not found

(ql2100) ql2100 [Kernel | Disabled | Stopped] ->  -> File not found

(ScanUSBEMPIA) USB Still Image Capture Device [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\emScan.sys -> eMPIA Technology, Inc. [Ver = 1.1.0406.0 | Size = 4493 bytes | Modified Date = 12/21/2005 10:14:52 AM | Attr =	]

(SDTHOOK) SDTHOOK [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\SDTHOOK.SYS -> Panda Software [Ver = 1.6.0.0 | Size = 44928 bytes | Modified Date = 6/5/2007 10:56:40 AM | Attr =	]

(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\SECDRV.SYS ->  [Ver =  | Size = 11616 bytes | Modified Date = 8/3/2001 11:11:32 AM | Attr = R  ]

(sglfb) sglfb [Kernel | System | Stopped] ->  -> File not found

(Simbad) Simbad [Kernel | Disabled | Stopped] ->  -> File not found

(smwdm) smwdm [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\smwdm.sys -> Analog Devices, Inc. [Ver = 5.12.01.3555 | Size = 545024 bytes | Modified Date = 2/28/2003 8:17:18 AM | Attr =	]

(Sparrow) Sparrow [Kernel | Disabled | Stopped] ->  -> File not found

(symc810) symc810 [Kernel | Disabled | Stopped] ->  -> File not found

(symc8xx) symc8xx [Kernel | Disabled | Stopped] ->  -> File not found

(sym_hi) sym_hi [Kernel | Disabled | Stopped] ->  -> File not found

(tga) tga [Kernel | System | Stopped] ->  -> File not found

(ultra66) ultra66 [Kernel | Disabled | Stopped] ->  -> File not found



[Registry - Non-Microsoft Only]

< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 

avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 79224 bytes | Modified Date = 12/4/2007 5:00:23 AM | Attr =	]

cwcptray -> %ProgramFiles%\ContentWatch\Internet Protection\cwtray.exe -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 403456 bytes | Modified Date = 10/17/2007 9:42:28 AM | Attr =	]

HP Component Manager -> %ProgramFiles%\HP\hpcoretech\hpcmpmgr.exe -> Hewlett-Packard Company [Ver = 2.1.1.0 | Size = 241664 bytes | Modified Date = 5/12/2004 2:18:56 PM | Attr =	]

HP Software Update -> %ProgramFiles%\HP\HP Software Update\hpwuSchd2.exe -> Hewlett-Packard Company [Ver = 2, 0, 39, 0 | Size = 49152 bytes | Modified Date = 2/12/2004 12:38:56 PM | Attr =	]

NeroFilterCheck -> %CommonProgramFiles%\Ahead\Lib\NeroCheck.exe -> Nero AG [Ver = 1, 0, 0, 6 | Size = 153136 bytes | Modified Date = 3/1/2007 3:57:24 PM | Attr =	]

NvCplDaemon -> %SystemRoot%\system32\nvcpl.dll -> NVIDIA Corporation [Ver = 6.14.01.4354 | Size = 4616192 bytes | Modified Date = 4/24/2003 3:58:00 PM | Attr =	]

USB2Check -> %SystemRoot%\system32\PCLECoInst.dll -> Pinnacle Systems [Ver = 1, 1, 1, 18 | Size = 73728 bytes | Modified Date = 12/21/2005 10:14:52 AM | Attr =	]

< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 

IMAIL-> Installed = 1 -> 

MAPI-> Installed = 1 -> 

MSFS-> Installed = 1 -> 

< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 

BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} -> %CommonProgramFiles%\Ahead\Lib\NMBgMonitor.exe -> Nero AG [Ver = 2,0,13,1 | Size = 153136 bytes | Modified Date = 6/1/2007 10:21:08 AM | Attr =	]

SpybotSD TeaTimer -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe -> Safer Networking Limited [Ver = 1, 5, 2, 16 | Size = 2097488 bytes | Modified Date = 1/28/2008 11:43:40 AM | Attr = RHS]

< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 

{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 5/30/2007 4:29:58 AM | Attr =	]

< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 

< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 

< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 

< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoCDBurning -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 

< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 149 -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> -> 

< HOSTS File > (686 bytes) -> C:\WINNT\System32\drivers\etc\Hosts -> 

< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 

HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 

HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 

HKEY_LOCAL_MACHINE\: Main\\Local Page -> C:\windows\system32\blank.htm -> 

HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 

HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home -> 

HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 

HKEY_LOCAL_MACHINE\: Search\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 

HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 

< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 

HKEY_CURRENT_USER\: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 

HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINNT\system32\blank.htm -> 

HKEY_CURRENT_USER\: Main\\Search Bar -> http://www.google.com/ie -> 

HKEY_CURRENT_USER\: Main\\Search Page -> http://www.google.com -> 

HKEY_CURRENT_USER\: Main\\Start Page -> http://www.google.com/ -> 

HKEY_CURRENT_USER\: SearchURL\\ -> http://home.microsoft.com/access/autosearch.asp?p=%s[gogl] -> 

HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 

< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4023 domain(s) found. -> 

32 domain(s) and sub-domain(s) not assigned to a zone.

< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 

< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4023 domain(s) found. -> 

32 domain(s) and sub-domain(s) not assigned to a zone.

< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 

< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> Adobe Systems Incorporated [Ver = 6.0.1.2003110300 | Size = 54248 bytes | Modified Date = 11/3/2003 1:17:44 PM | Attr =	]

{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> Safer Networking Limited [Ver = 1, 5, 0, 11 | Size = 1554256 bytes | Modified Date = 1/28/2008 11:43:28 AM | Attr =	]

{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 5/28/2007 9:04:07 PM | Attr = R  ]

< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 

{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 5/28/2007 9:04:07 PM | Attr = R  ]

< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 

ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 5/28/2007 9:04:07 PM | Attr = R  ]

WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 5/28/2007 9:04:07 PM | Attr = R  ]

< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 1:11:34 AM | Attr =	]

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 1:11:33 AM | Attr =	]

{85d1f590-48f4-11d9-9669-0800200c9a66}:Exec -> %SystemRoot%\bdoscandel.exe [Uninstall BitDefender Online Scanner v8] ->  [Ver =  | Size = 53248 bytes | Modified Date = 1/9/2008 3:01:48 PM | Attr =	]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 11 | Size = 1554256 bytes | Modified Date = 1/28/2008 11:43:28 AM | Attr =	]

< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 

CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 1:11:34 AM | Attr =	]

CmdMapping\\{85d1f590-48f4-11d9-9669-0800200c9a66} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\bdoscandel.exe [Uninstall BitDefender Online Scanner v8] ->  [Ver =  | Size = 53248 bytes | Modified Date = 1/9/2008 3:01:48 PM | Attr =	]

CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 11 | Size = 1554256 bytes | Modified Date = 1/28/2008 11:43:28 AM | Attr =	]

< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 

PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 

PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 

< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 

{998EF81F-32CE-443C-8C6A-31CEEF9C03F1} ->	(Intel(R) PRO/1000 MT Network Connection) -> 

{EDF1CAB7-1BAE-4BD7-8ACE-9AD8B05C183B} ->	() -> 

< Winsock2 Catalogs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\ -> 

Protocol_Catalog9\Catalog_Entries\000000000001 -> %SystemRoot%\system32\cwalsp.dll -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 346624 bytes | Modified Date = 10/17/2007 9:25:10 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000002 -> %SystemRoot%\system32\cwalsp.dll -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 346624 bytes | Modified Date = 10/17/2007 9:25:10 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000003 -> %SystemRoot%\system32\cwalsp.dll -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 346624 bytes | Modified Date = 10/17/2007 9:25:10 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000004 -> %SystemRoot%\system32\cwalsp.dll -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 346624 bytes | Modified Date = 10/17/2007 9:25:10 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000005 -> %SystemRoot%\system32\cwalsp.dll -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 346624 bytes | Modified Date = 10/17/2007 9:25:10 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000006 -> %SystemRoot%\system32\cwalsp.dll -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 346624 bytes | Modified Date = 10/17/2007 9:25:10 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000007 -> %SystemRoot%\system32\cwalsp.dll -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 346624 bytes | Modified Date = 10/17/2007 9:25:10 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000008 -> %SystemRoot%\system32\cwalsp.dll -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 346624 bytes | Modified Date = 10/17/2007 9:25:10 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000009 -> %SystemRoot%\system32\cwalsp.dll -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 346624 bytes | Modified Date = 10/17/2007 9:25:10 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000010 -> %SystemRoot%\system32\cwalsp.dll -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 346624 bytes | Modified Date = 10/17/2007 9:25:10 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000011 -> %SystemRoot%\system32\cwalsp.dll -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 346624 bytes | Modified Date = 10/17/2007 9:25:10 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000012 -> %SystemRoot%\system32\cwalsp.dll -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 346624 bytes | Modified Date = 10/17/2007 9:25:10 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000013 -> %SystemRoot%\system32\cwalsp.dll -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 346624 bytes | Modified Date = 10/17/2007 9:25:10 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000014 -> %SystemRoot%\system32\cwalsp.dll -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 346624 bytes | Modified Date = 10/17/2007 9:25:10 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000015 -> %SystemRoot%\system32\cwalsp.dll -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 346624 bytes | Modified Date = 10/17/2007 9:25:10 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000016 -> %SystemRoot%\system32\cwalsp.dll -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 346624 bytes | Modified Date = 10/17/2007 9:25:10 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000017 -> %SystemRoot%\system32\cwalsp.dll -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 346624 bytes | Modified Date = 10/17/2007 9:25:10 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000018 -> %SystemRoot%\system32\cwalsp.dll -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 346624 bytes | Modified Date = 10/17/2007 9:25:10 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000019 -> %SystemRoot%\system32\cwalsp.dll -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 346624 bytes | Modified Date = 10/17/2007 9:25:10 AM | Attr =	]

Protocol_Catalog9\Catalog_Entries\000000000020 -> %SystemRoot%\system32\cwalsp.dll -> ContentWatch, Inc. [Ver = 2.6.0.178 | Size = 346624 bytes | Modified Date = 10/17/2007 9:25:10 AM | Attr =	]

< Default Protocols [HKEY_LOCAL_MACHINE\] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults -> 

shell -> shell protocol not assigned -> 

< Default Protocols [HKEY_CURRENT_USER\] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults -> 

shell -> shell protocol not assigned -> 

< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 

cetihpz:{CF184AD3-CDCB-4168-A3F7-8E447D129300} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\HP\hpcoretech\comp\hpuiprot.dll[CZipHandler Object] -> Hewlett-Packard Company [Ver = 2.1.5 | Size = 81920 bytes | Modified Date = 5/12/2004 2:18:56 PM | Attr =	]

ipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value  does not exist or could not be read.] -> File not found

msdaipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value  does not exist or could not be read.] -> File not found

vnd.ms.radio:{3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\msdxm.ocx[AsyncPProt Class] ->  [Ver =  | Size = 842268 bytes | Modified Date = 7/3/2003 7:42:32 AM | Attr =	]

< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 

{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}[HKEY_LOCAL_MACHINE] -> http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab[CKAVWebScan Object] -> 

{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}[HKEY_LOCAL_MACHINE] -> http://download.bitdefender.com/resources/scan8/oscan8.cab[BDSCANONLINE Control] -> 

{6414512B-B978-451D-A0D8-FCFDF33E833C}[HKEY_LOCAL_MACHINE] -> http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204509422796[WUWebControl Class] -> 

{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}[HKEY_LOCAL_MACHINE] -> http://acs.pandasoftware.com/activescan/as5free/asinst.cab[ActiveScan Installer Class] -> 

[Registry - Additional Scans - Non-Microsoft Only]

< BotCheck > -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission -> (binary data) -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\EnableDCOM -> Y -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\\System.EnterpriseServices.Thunk.dll ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 -> 

Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ not found. -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\\EnableFirewall -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ -> ->

*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> 

msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.00.2195.6680 | Size = 117520 bytes | Modified Date = 7/3/2003 7:43:10 AM | Attr =	]

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds -> (binary data) -> 

*Security Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages -> 

kerberos -> %SystemRoot%\system32\kerberos.dll -> Microsoft Corporation [Ver = 5.00.2195.6666 | Size = 212752 bytes | Modified Date = 7/3/2003 7:39:15 AM | Attr =	]

msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.00.2195.6680 | Size = 117520 bytes | Modified Date = 7/3/2003 7:43:10 AM | Attr =	]

schannel -> %SystemRoot%\system32\schannel.dll -> Microsoft Corporation [Ver = 5.00.2195.6705 | Size = 147728 bytes | Modified Date = 7/3/2003 7:47:14 AM | Attr =	]

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid -> 264 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\auditbaseobjects -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\crashonauditfail -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fullprivilegeauditing -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymous -> 0 -> 

*Notification Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages -> 

scecli -> %SystemRoot%\system32\scecli.dll -> Microsoft Corporation [Ver = 5.00.2195.6704 | Size = 114448 bytes | Modified Date = 7/3/2003 7:47:12 AM | Attr =	]

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ -> -> 

*ProviderOrder* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\\ProviderOrder -> 

Windows NT Access Provider ->  -> File not found

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\\ProviderPath -> C:\WINNT\system32\ntmarta.dll [%SystemRoot%\system32\ntmarta.dll] -> Microsoft Corporation [Ver = 5.00.2195.6666 | Size = 102672 bytes | Modified Date = 7/3/2003 7:45:01 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\\Pattern -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\\GrafBlumGroup -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\\Lookup -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\Auth132 -> C:\WINNT\system32\iissuba.dll [IISSUBA] -> Microsoft Corporation [Ver = 5.00.0984 | Size = 10000 bytes | Modified Date = 7/3/2003 7:38:07 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\\SkewMatrix -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\\SSOURL -> http://www.passport.com -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\\Time -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Name -> Digest -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Comment -> Digest SSPI Authentication Package -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Capabilities -> 16464 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\RpcId -> 65535 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Version -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\TokenSize -> 65535 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Time -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Type -> 49 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Name -> DPA -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Comment -> DPA Security Package -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Capabilities -> 55 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\RpcId -> 17 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Version -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\TokenSize -> 768 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Time -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Type -> 49 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Name -> MSN -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Comment -> MSN Security Package -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Capabilities -> 55 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\RpcId -> 18 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Version -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\TokenSize -> 768 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Time -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Type -> 49 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 288 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 3 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> C:\WINNT\system32\svchost.exe [%SystemRoot%\system32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.00.2134.1 | Size = 7952 bytes | Modified Date = 7/3/2003 7:49:07 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Internet Connection Sharing -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> RasMan; -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup ->  -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection. -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> C:\WINNT\system32\ipnathlp.dll [%SystemRoot%\System32\ipnathlp.dll] -> Microsoft Corporation [Ver = 5.00.2195.6708 | Size = 441616 bytes | Modified Date = 7/3/2003 7:38:26 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\P\ -> -> 

-> Reg Error: Key does not exist or could not be opened. -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\\Security -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> C:\WINNT\system32\svchost.exe [%systemroot%\system32\svchost.exe -k wugroup] -> Microsoft Corporation [Ver = 5.00.2134.1 | Size = 7952 bytes | Modified Date = 7/3/2003 7:49:07 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> C:\WINNT\system32\wuauserv.dll [C:\WINNT\system32\wuauserv.dll] -> Microsoft Corporation [Ver = 5.4.3630.2554 built by: lab04_n | Size = 9216 bytes | Modified Date = 7/3/2003 7:52:51 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Description -> Allows remote registry manipulation. -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DisplayName -> Remote Registry Service -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ErrorControl -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ImagePath -> C:\WINNT\system32\regsvc.exe [%SystemRoot%\system32\regsvc.exe] -> Microsoft Corporation [Ver = 5.00.2195.6701 | Size = 68368 bytes | Modified Date = 7/3/2003 7:46:49 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ObjectName -> LocalSystem -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Start -> 4 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Type -> 16 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\FailureActions -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\\Security -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\ -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\0 -> Root\LEGACY_REMOTEREGISTRY\0000 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\Count -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\NextInstance -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\ -> ->

*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnService -> 

RpcSs -> %SystemRoot%\system32\rpcss.dll -> Microsoft Corporation [Ver = 5.00.2195.6702 | Size = 239376 bytes | Modified Date = 7/3/2003 7:46:58 AM | Attr =	]

TcpIp ->  -> File not found

*MultiFile Done* -> -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Description -> Allows a remote user to log on to the system and run console programs using the command line. -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DisplayName -> Telnet -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ErrorControl -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ImagePath -> C:\WINNT\system32\tlntsvr.exe [%SystemRoot%\system32\tlntsvr.exe] -> Microsoft Corporation [Ver = 5.00.99206.1 | Size = 186128 bytes | Modified Date = 7/3/2003 7:49:44 AM | Attr =	]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ObjectName -> LocalSystem -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Start -> 4 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Type -> 16 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ -> ->

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\EnableAutodial -> (binary data) -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable -> 0 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\NoNetAutodial -> (binary data) -> 


[Files/Folders - Created Within 30 days]

SmitfraudFix -> %SystemDrive%\SmitfraudFix ->  [Folder | Created Date = 3/4/2008 6:12:37 PM | Attr =	]

SmitfraudFix.exe -> %SystemDrive%\SmitfraudFix.exe ->  [Ver =  | Size = 1303792 bytes | Modified Date = 3/4/2008 5:58:36 AM | Attr =	]

_OTMoveIt -> %SystemDrive%\_OTMoveIt ->  [Folder | Created Date = 3/6/2008 10:23:52 PM | Attr =	]

aavmker4.sys -> %SystemRoot%\System32\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 26624 bytes | Modified Date = 12/4/2007 6:49:02 AM | Attr =	]

aswmon.sys -> %SystemRoot%\System32\drivers\aswmon.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 93264 bytes | Modified Date = 12/4/2007 6:56:02 AM | Attr =	]

aswmon2.sys -> %SystemRoot%\System32\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 94544 bytes | Modified Date = 12/4/2007 6:55:46 AM | Attr =	]

aswRdr.sys -> %SystemRoot%\System32\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 23152 bytes | Modified Date = 12/4/2007 6:53:39 AM | Attr =	]

aswTdi.sys -> %SystemRoot%\System32\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 42912 bytes | Modified Date = 12/4/2007 6:51:52 AM | Attr =	]

jrutqwywbiyv.sys -> %SystemRoot%\System32\drivers\jrutqwywbiyv.sys -> Panda Software International [Ver = 1, 0, 0, 5 | Size = 8576 bytes | Modified Date = 6/8/2007 9:44:36 AM | Attr =	]

SDTHOOK.SYS -> %SystemRoot%\System32\drivers\SDTHOOK.SYS -> Panda Software [Ver = 1.6.0.0 | Size = 44928 bytes | Modified Date = 6/5/2007 10:56:40 AM | Attr =	]

ActiveScan -> %SystemRoot%\System32\ActiveScan ->  [Folder | Created Date = 3/2/2008 2:15:07 PM | Attr =	]

3 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> 

actskin4.ocx -> %SystemRoot%\System32\actskin4.ocx ->  [Ver = 4, 2, 7, 3 | Size = 380928 bytes | Modified Date = 1/9/2004 1:13:58 AM | Attr =	]

asuninst.exe -> %SystemRoot%\System32\asuninst.exe -> Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Modified Date = 8/2/2006 12:39:06 PM | Attr =	]

aswBoot.exe -> %SystemRoot%\System32\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 837496 bytes | Modified Date = 12/4/2007 5:04:28 AM | Attr =	]

AvastSS.scr -> %SystemRoot%\System32\AvastSS.scr -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 95608 bytes | Modified Date = 12/4/2007 4:54:04 AM | Attr =	]

BITS -> %SystemRoot%\System32\BITS ->  [Folder | Created Date = 3/2/2008 6:12:23 PM | Attr =	]

CEWMDM.dll -> %SystemRoot%\System32\CEWMDM.dll ->  [Ver =  | Size = 147456 bytes | Modified Date = 10/1/2001 7:50:54 PM | Attr =	]

Help.ico -> %SystemRoot%\System32\Help.ico ->  [Ver =  | Size = 1406 bytes | Modified Date = 3/2/2008 2:15:14 PM | Attr =	]

java.exe -> %SystemRoot%\System32\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Modified Date = 9/24/2007 10:30:28 PM | Attr =	]

javacpl.cpl -> %SystemRoot%\System32\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 69632 bytes | Modified Date = 9/24/2007 11:31:42 PM | Attr =	]

javaw.exe -> %SystemRoot%\System32\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Modified Date = 9/24/2007 10:30:30 PM | Attr =	]

javaws.exe -> %SystemRoot%\System32\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 139264 bytes | Modified Date = 9/24/2007 11:31:42 PM | Attr =	]

pavas.ico -> %SystemRoot%\System32\pavas.ico ->  [Ver =  | Size = 30590 bytes | Modified Date = 3/2/2008 2:15:13 PM | Attr =	]

pdbrowse.bmp -> %SystemRoot%\System32\pdbrowse.bmp ->  [Ver =  | Size = 281456 bytes | Modified Date = 3/2/2001 8:56:02 PM | Attr =	]

pdbrowse.dll -> %SystemRoot%\System32\pdbrowse.dll ->  [Ver =  | Size = 270336 bytes | Modified Date = 10/1/2001 7:50:58 PM | Attr =	]

Perflib_Perfdata_270.dat -> %SystemRoot%\System32\Perflib_Perfdata_270.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 3/7/2008 8:04:49 PM | Attr =	]

Perflib_Perfdata_360.dat -> %SystemRoot%\System32\Perflib_Perfdata_360.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2/12/2008 9:35:32 PM | Attr =	]

Perflib_Perfdata_368.dat -> %SystemRoot%\System32\Perflib_Perfdata_368.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2/26/2008 3:40:43 PM | Attr =	]

Perflib_Perfdata_394.dat -> %SystemRoot%\System32\Perflib_Perfdata_394.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 3/5/2008 8:32:45 AM | Attr =	]

Perflib_Perfdata_3b4.dat -> %SystemRoot%\System32\Perflib_Perfdata_3b4.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 3/1/2008 11:37:51 AM | Attr =	]

Perflib_Perfdata_414.dat -> %SystemRoot%\System32\Perflib_Perfdata_414.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 3/7/2008 8:12:52 PM | Attr =	]

sl_anet.acm -> %SystemRoot%\System32\sl_anet.acm -> Sipro Lab Telecom Inc. [Ver = 3.02 | Size = 86016 bytes | Modified Date = 3/2/2001 7:46:18 PM | Attr =	]

tmp.reg -> %SystemRoot%\System32\tmp.reg ->  [Ver =  | Size = 2308 bytes | Modified Date = 3/4/2008 6:13:15 PM | Attr =	]

Uninstall.ico -> %SystemRoot%\System32\Uninstall.ico ->  [Ver =  | Size = 2550 bytes | Modified Date = 3/2/2008 2:15:14 PM | Attr =	]

wmp.ocx -> %SystemRoot%\System32\wmp.ocx ->  [Ver =  | Size = 188416 bytes | Modified Date = 10/1/2001 7:50:44 PM | Attr =	]

wmpcd.dll -> %SystemRoot%\System32\wmpcd.dll ->  [Ver =  | Size = 184320 bytes | Modified Date = 10/1/2001 7:50:14 PM | Attr =	]

wmpcore.dll -> %SystemRoot%\System32\wmpcore.dll ->  [Ver =  | Size = 819200 bytes | Modified Date = 10/1/2001 7:50:40 PM | Attr =	]

wmploc.dll -> %SystemRoot%\System32\wmploc.dll ->  [Ver =  | Size = 1290240 bytes | Modified Date = 10/1/2001 7:51:06 PM | Attr =	]

wmpscheme.xml -> %SystemRoot%\System32\wmpscheme.xml ->  [Ver =  | Size = 19012 bytes | Modified Date = 2/19/2008 8:55:27 PM | Attr =	]

wmpui.dll -> %SystemRoot%\System32\wmpui.dll ->  [Ver =  | Size = 1118208 bytes | Modified Date = 10/1/2001 7:50:30 PM | Attr =	]

ZPORT4AS.dll -> %SystemRoot%\System32\ZPORT4AS.dll ->  [Ver =  | Size = 11776 bytes | Modified Date = 3/25/2003 6:53:50 PM | Attr =	]

Battle.ini -> %SystemRoot%\Battle.ini ->  [Ver =  | Size = 29 bytes | Modified Date = 2/18/2008 6:22:44 PM | Attr =	]

BDOSCAN8 -> %SystemRoot%\BDOSCAN8 ->  [Folder | Created Date = 3/2/2008 4:33:30 PM | Attr =	]

3 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> 

ShellIconCache -> %SystemRoot%\ShellIconCache ->  [Ver =  | Size = 742156 bytes | Modified Date = 3/7/2008 12:12:56 AM | Attr =  H ]

SoftwareDistribution -> %SystemRoot%\SoftwareDistribution ->  [Folder | Created Date = 3/2/2008 5:57:19 PM | Attr =	]

Sun -> %SystemRoot%\Sun ->  [Folder | Created Date = 3/2/2008 1:01:59 PM | Attr =	]

unins000.dat -> %SystemRoot%\unins000.dat ->  [Ver =  | Size = 2548 bytes | Modified Date = 2/25/2008 11:03:08 AM | Attr =	]

unins000.exe -> %SystemRoot%\unins000.exe ->  [Ver = 51.49.0.0 | Size = 691545 bytes | Modified Date = 2/25/2008 11:00:54 AM | Attr =	]

zcwo.exe -> %SystemRoot%\zcwo.exe -> Microsoft [Ver = 1.00.0363 | Size = 89105 bytes | Modified Date = 2/25/2008 9:41:28 AM | Attr =	]

[Files Created - Additional Folder Scans - Non-Microsoft Only]

Lavasoft -> %AllUsersProfile%\Application Data\Lavasoft ->  [Folder | Created Date = 2/25/2008 11:45:44 AM | Attr =	]

Smith Micro -> %AppData%\Smith Micro ->  [Folder | Created Date = 2/15/2008 9:09:00 PM | Attr =	]

Sun -> %AppData%\Sun ->  [Folder | Created Date = 3/2/2008 1:01:59 PM | Attr =	]

Preparation Guide For Use Before Posting A Hijackthis Log.htm -> %UserProfile%\My Documents\Preparation Guide For Use Before Posting A Hijackthis Log.htm ->  [Ver =  | Size = 55816 bytes | Modified Date = 3/1/2008 11:00:47 AM | Attr =	]

Preparation Guide For Use Before Posting A Hijackthis Log_files -> %UserProfile%\My Documents\Preparation Guide For Use Before Posting A Hijackthis Log_files ->  [Folder | Created Date = 3/1/2008 10:59:47 AM | Attr =	]

THE LONLEY STONE MAN.doc -> %UserProfile%\My Documents\THE LONLEY STONE MAN.doc ->  [Ver =  | Size = 19456 bytes | Modified Date = 2/25/2008 9:09:21 PM | Attr =	]

~$ emergancy parigraph paper for vocab!.doc -> %UserProfile%\My Documents\~$ emergancy parigraph paper for vocab!.doc ->  [Ver =  | Size = 162 bytes | Modified Date = 2/12/2008 9:32:14 PM | Attr =  H ]

Google Earth.lnk -> %AllUsersProfile%\Desktop\Google Earth.lnk ->  [Ver =  | Size = 1684 bytes | Modified Date = 2/22/2008 9:54:44 PM | Attr =	]

Windows Media Player.lnk -> %AllUsersProfile%\Desktop\Windows Media Player.lnk ->  [Ver =  | Size = 735 bytes | Modified Date = 2/20/2008 10:15:33 PM | Attr =	]

aaw2007.exe -> %UserProfile%\Desktop\aaw2007.exe ->  [Ver =  | Size = 21364592 bytes | Modified Date = 2/25/2008 10:54:32 AM | Attr =	]

Battle Chess for Windows.zip -> %UserProfile%\Desktop\Battle Chess for Windows.zip ->  [Ver =  | Size = 775167 bytes | Modified Date = 2/18/2008 6:18:36 PM | Attr =	]

CCleanerBeginnersGuide.zip -> %UserProfile%\Desktop\CCleanerBeginnersGuide.zip ->  [Ver =  | Size = 64480 bytes | Modified Date = 3/6/2008 10:03:22 PM | Attr =	]

FixServices.bat -> %UserProfile%\Desktop\FixServices.bat ->  [Ver =  | Size = 134 bytes | Modified Date = 3/7/2008 7:57:25 PM | Attr =	]

HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk ->  [Ver =  | Size = 1471 bytes | Modified Date = 3/2/2008 6:44:28 PM | Attr =	]

Kaspersky -> %UserProfile%\Desktop\Kaspersky ->  [Folder | Created Date = 2/26/2008 7:33:51 PM | Attr =	]

OTMoveIt2.exe -> %UserProfile%\Desktop\OTMoveIt2.exe -> OldTimer Tools [Ver = 1.0.17.0 | Size = 290816 bytes | Modified Date = 3/6/2008 10:14:58 PM | Attr =	]

Preparation Guide For Use Before Posting A Hijackthis Log.htm -> %UserProfile%\Desktop\Preparation Guide For Use Before Posting A Hijackthis Log.htm ->  [Ver =  | Size = 57559 bytes | Modified Date = 3/2/2008 10:10:02 AM | Attr =	]

Preparation Guide For Use Before Posting A Hijackthis Log_files -> %UserProfile%\Desktop\Preparation Guide For Use Before Posting A Hijackthis Log_files ->  [Folder | Created Date = 3/2/2008 10:10:01 AM | Attr =	]

WinPFind35u -> %UserProfile%\Desktop\WinPFind35u ->  [Folder | Created Date = 3/7/2008 10:29:48 PM | Attr =	]

WinPFind35u.exe -> %UserProfile%\Desktop\WinPFind35u.exe ->  [Ver =  | Size = 481921 bytes | Modified Date = 3/7/2008 10:29:35 PM | Attr =	]

Java -> %CommonProgramFiles%\Java ->  [Folder | Created Date = 3/2/2008 12:57:34 PM | Attr =	]

Wise Installation Wizard -> %CommonProgramFiles%\Wise Installation Wizard ->  [Folder | Created Date = 2/25/2008 11:45:04 AM | Attr =	]



[Files/Folders - Modified Within 30 days]

Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Modified Date = 3/6/2008 11:06:46 PM | Attr =  H ]

Documents and Settings -> %SystemDrive%\Documents and Settings ->  [Folder | Modified Date = 3/6/2008 11:19:08 PM | Attr =	]

Garmin -> %SystemDrive%\Garmin ->  [Folder | Modified Date = 3/2/2008 5:04:47 PM | Attr =	]

KA -> %SystemDrive%\KA ->  [Folder | Modified Date = 3/2/2008 5:05:37 PM | Attr =	]

Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 3/6/2008 10:13:36 PM | Attr = R  ]

RISA 3D Demo -> %SystemDrive%\RISA 3D Demo ->  [Folder | Modified Date = 3/2/2008 5:35:16 PM | Attr =	]

RISADemo -> %SystemDrive%\RISADemo ->  [Folder | Modified Date = 3/2/2008 5:35:23 PM | Attr =	]

SmitfraudFix -> %SystemDrive%\SmitfraudFix ->  [Folder | Modified Date = 3/4/2008 6:15:02 PM | Attr =	]

SmitfraudFix.exe -> %SystemDrive%\SmitfraudFix.exe ->  [Ver =  | Size = 1303792 bytes | Modified Date = 3/4/2008 5:58:36 AM | Attr =	]

Temp -> %SystemDrive%\Temp ->  [Folder | Modified Date = 3/2/2008 5:35:35 PM | Attr =	]

WINNT -> %SystemRoot% ->  [Folder | Modified Date = 3/6/2008 11:00:42 PM | Attr =	]

_OTMoveIt -> %SystemDrive%\_OTMoveIt ->  [Folder | Modified Date = 3/6/2008 10:23:52 PM | Attr =	]

etc -> %SystemRoot%\System32\drivers\etc ->  [Folder | Modified Date = 3/5/2008 8:53:22 PM | Attr =	]

HOSTS -> %SystemRoot%\System32\drivers\etc\HOSTS ->  [Ver =  | Size = 686 bytes | Modified Date = 3/5/2008 8:53:22 PM | Attr =	]

ActiveScan -> %SystemRoot%\System32\ActiveScan ->  [Folder | Modified Date = 3/5/2008 7:29:50 PM | Attr =	]

3 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> 

BITS -> %SystemRoot%\System32\BITS ->  [Folder | Modified Date = 3/2/2008 6:12:24 PM | Attr =	]

config -> %SystemRoot%\System32\config ->  [Folder | Modified Date = 3/2/2008 3:45:01 PM | Attr =	]

CONFIG.NT -> %SystemRoot%\System32\CONFIG.NT ->  [Ver =  | Size = 2626 bytes | Modified Date = 3/5/2008 6:45:46 PM | Attr =	]

dllcache -> %SystemRoot%\System32\dllcache ->  [Folder | Modified Date = 3/2/2008 6:12:24 PM | Attr = RHS]

drivers -> %SystemRoot%\System32\drivers ->  [Folder | Modified Date = 3/5/2008 6:45:49 PM | Attr =	]

Help.ico -> %SystemRoot%\System32\Help.ico ->  [Ver =  | Size = 1406 bytes | Modified Date = 3/2/2008 2:15:14 PM | Attr =	]

NtmsData -> %SystemRoot%\System32\NtmsData ->  [Folder | Modified Date = 3/7/2008 8:05:56 PM | Attr =	]

pavas.ico -> %SystemRoot%\System32\pavas.ico ->  [Ver =  | Size = 30590 bytes | Modified Date = 3/2/2008 2:15:13 PM | Attr =	]

Perflib_Perfdata_270.dat -> %SystemRoot%\System32\Perflib_Perfdata_270.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 3/7/2008 8:04:49 PM | Attr =	]

Perflib_Perfdata_360.dat -> %SystemRoot%\System32\Perflib_Perfdata_360.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2/12/2008 9:35:32 PM | Attr =	]

Perflib_Perfdata_368.dat -> %SystemRoot%\System32\Perflib_Perfdata_368.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2/26/2008 3:40:43 PM | Attr =	]

Perflib_Perfdata_378.dat -> %SystemRoot%\System32\Perflib_Perfdata_378.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2/17/2008 11:32:58 AM | Attr =	]

Perflib_Perfdata_394.dat -> %SystemRoot%\System32\Perflib_Perfdata_394.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 3/5/2008 8:32:45 AM | Attr =	]

Perflib_Perfdata_3b4.dat -> %SystemRoot%\System32\Perflib_Perfdata_3b4.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 3/1/2008 11:37:51 AM | Attr =	]

Perflib_Perfdata_414.dat -> %SystemRoot%\System32\Perflib_Perfdata_414.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 3/7/2008 8:12:52 PM | Attr =	]

tmp.reg -> %SystemRoot%\System32\tmp.reg ->  [Ver =  | Size = 2308 bytes | Modified Date = 3/4/2008 6:13:15 PM | Attr =	]

Uninstall.ico -> %SystemRoot%\System32\Uninstall.ico ->  [Ver =  | Size = 2550 bytes | Modified Date = 3/2/2008 2:15:14 PM | Attr =	]

wbem -> %SystemRoot%\System32\wbem ->  [Folder | Modified Date = 3/2/2008 3:49:05 PM | Attr =	]

wmpscheme.xml -> %SystemRoot%\System32\wmpscheme.xml ->  [Ver =  | Size = 19012 bytes | Modified Date = 2/19/2008 8:55:27 PM | Attr =	]

AppPatch -> %SystemRoot%\AppPatch ->  [Folder | Modified Date = 3/2/2008 3:41:06 PM | Attr =	]

3 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> 

Battle.ini -> %SystemRoot%\Battle.ini ->  [Ver =  | Size = 29 bytes | Modified Date = 2/18/2008 6:22:44 PM | Attr =	]

BDOSCAN8 -> %SystemRoot%\BDOSCAN8 ->  [Folder | Modified Date = 3/2/2008 5:41:18 PM | Attr =	]

CSC -> %SystemRoot%\CSC ->  [Folder | Modified Date = 3/5/2008 4:34:48 PM | Attr =  HS]

Debug -> %SystemRoot%\Debug ->  [Folder | Modified Date = 3/7/2008 8:05:24 PM | Attr =	]

Downloaded Installations -> %SystemRoot%\Downloaded Installations ->  [Folder | Modified Date = 2/15/2008 9:02:13 PM | Attr =	]

Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 3/2/2008 5:57:19 PM | Attr =   S]

Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 3/2/2008 5:58:29 PM | Attr =	]

inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 3/2/2008 6:12:29 PM | Attr =  H ]

Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 3/6/2008 11:06:46 PM | Attr =  HS]

NeroDigital.ini -> %SystemRoot%\NeroDigital.ini ->  [Ver =  | Size = 69 bytes | Modified Date = 2/19/2008 8:47:35 PM | Attr =	]

Registration -> %SystemRoot%\Registration ->  [Folder | Modified Date = 3/2/2008 3:44:07 PM | Attr =	]

security -> %SystemRoot%\security ->  [Folder | Modified Date = 3/5/2008 6:47:47 PM | Attr =	]

ShellIconCache -> %SystemRoot%\ShellIconCache ->  [Ver =  | Size = 742156 bytes | Modified Date = 3/7/2008 12:12:56 AM | Attr =  H ]

SoftwareDistribution -> %SystemRoot%\SoftwareDistribution ->  [Folder | Modified Date = 3/2/2008 5:59:15 PM | Attr =	]

Sun -> %SystemRoot%\Sun ->  [Folder | Modified Date = 3/2/2008 1:01:59 PM | Attr =	]

system -> %SystemRoot%\system ->  [Folder | Modified Date = 3/2/2008 5:39:22 PM | Attr =	]

system32 -> %SystemRoot%\system32 ->  [Folder | Modified Date = 3/7/2008 8:12:52 PM | Attr =	]

Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 3/7/2008 8:24:19 PM | Attr =	]

unins000.dat -> %SystemRoot%\unins000.dat ->  [Ver =  | Size = 2548 bytes | Modified Date = 2/25/2008 11:03:08 AM | Attr =	]

unins000.exe -> %SystemRoot%\unins000.exe ->  [Ver = 51.49.0.0 | Size = 691545 bytes | Modified Date = 2/25/2008 11:00:54 AM | Attr =	]

Web -> %SystemRoot%\Web ->  [Folder | Modified Date = 2/25/2008 12:31:04 PM | Attr =   S]

win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 602 bytes | Modified Date = 3/2/2008 2:30:45 PM | Attr =	]

WMSysPr9.prx -> %SystemRoot%\WMSysPr9.prx ->  [Ver =  | Size = 316640 bytes | Modified Date = 2/19/2008 8:55:24 PM | Attr =	]

zcwo.exe -> %SystemRoot%\zcwo.exe -> Microsoft [Ver = 1.00.0363 | Size = 89105 bytes | Modified Date = 2/25/2008 9:41:28 AM | Attr =	]

SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 3/7/2008 8:05:06 PM | Attr =  H ]

qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver =  | Size = 4603 bytes | Modified Date = 3/2/2008 6:12:12 PM | Attr =	]

qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver =  | Size = 4232 bytes | Modified Date = 3/2/2008 6:12:12 PM | Attr =	]

[Files Modified - Additional Folder Scans - Non-Microsoft Only]

Lavasoft -> %AllUsersProfile%\Application Data\Lavasoft ->  [Folder | Modified Date = 2/25/2008 11:47:18 AM | Attr =	]

Microsoft -> %AllUsersProfile%\Application Data\Microsoft ->  [Folder | Modified Date = 2/19/2008 8:55:28 PM | Attr =	]

Spybot - Search & Destroy -> %AllUsersProfile%\Application Data\Spybot - Search & Destroy ->  [Folder | Modified Date = 2/25/2008 11:08:37 AM | Attr =	]

Google -> %AppData%\Google ->  [Folder | Modified Date = 2/22/2008 9:55:35 PM | Attr =	]

Microsoft -> %AppData%\Microsoft ->  [Folder | Modified Date = 2/25/2008 7:07:13 PM | Attr =   S]

Smith Micro -> %AppData%\Smith Micro ->  [Folder | Modified Date = 2/15/2008 9:09:00 PM | Attr =	]

Sun -> %AppData%\Sun ->  [Folder | Modified Date = 3/2/2008 1:01:59 PM | Attr =	]

Google -> %UserProfile%\Local Settings\Application Data\Google ->  [Folder | Modified Date = 2/22/2008 9:55:35 PM | Attr =	]

Preparation Guide For Use Before Posting A Hijackthis Log.htm -> %UserProfile%\My Documents\Preparation Guide For Use Before Posting A Hijackthis Log.htm ->  [Ver =  | Size = 55816 bytes | Modified Date = 3/1/2008 11:00:47 AM | Attr =	]

Preparation Guide For Use Before Posting A Hijackthis Log_files -> %UserProfile%\My Documents\Preparation Guide For Use Before Posting A Hijackthis Log_files ->  [Folder | Modified Date = 3/1/2008 11:00:47 AM | Attr =	]

THE LONLEY STONE MAN.doc -> %UserProfile%\My Documents\THE LONLEY STONE MAN.doc ->  [Ver =  | Size = 19456 bytes | Modified Date = 2/25/2008 9:09:21 PM | Attr =	]

~$ emergancy parigraph paper for vocab!.doc -> %UserProfile%\My Documents\~$ emergancy parigraph paper for vocab!.doc ->  [Ver =  | Size = 162 bytes | Modified Date = 2/12/2008 9:32:14 PM | Attr =  H ]

Google Earth.lnk -> %AllUsersProfile%\Desktop\Google Earth.lnk ->  [Ver =  | Size = 1684 bytes | Modified Date = 2/22/2008 9:54:44 PM | Attr =	]

Windows Media Player.lnk -> %AllUsersProfile%\Desktop\Windows Media Player.lnk ->  [Ver =  | Size = 735 bytes | Modified Date = 2/20/2008 10:15:33 PM | Attr =	]

aaw2007.exe -> %UserProfile%\Desktop\aaw2007.exe ->  [Ver =  | Size = 21364592 bytes | Modified Date = 2/25/2008 10:54:32 AM | Attr =	]

Battle Chess for Windows.zip -> %UserProfile%\Desktop\Battle Chess for Windows.zip ->  [Ver =  | Size = 775167 bytes | Modified Date = 2/18/2008 6:18:36 PM | Attr =	]

CCleanerBeginnersGuide.zip -> %UserProfile%\Desktop\CCleanerBeginnersGuide.zip ->  [Ver =  | Size = 64480 bytes | Modified Date = 3/6/2008 10:03:22 PM | Attr =	]

FixServices.bat -> %UserProfile%\Desktop\FixServices.bat ->  [Ver =  | Size = 134 bytes | Modified Date = 3/7/2008 7:57:25 PM | Attr =	]

games -> %UserProfile%\Desktop\games ->  [Folder | Modified Date = 2/18/2008 7:17:33 PM | Attr =	]

HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk ->  [Ver =  | Size = 1471 bytes | Modified Date = 3/2/2008 6:44:28 PM | Attr =	]

Kaspersky -> %UserProfile%\Desktop\Kaspersky ->  [Folder | Modified Date = 2/26/2008 8:49:14 PM | Attr =	]

Microsoft Word.lnk -> %UserProfile%\Desktop\Microsoft Word.lnk ->  [Ver =  | Size = 2394 bytes | Modified Date = 2/25/2008 7:13:14 PM | Attr =	]

OTMoveIt2.exe -> %UserProfile%\Desktop\OTMoveIt2.exe -> OldTimer Tools [Ver = 1.0.17.0 | Size = 290816 bytes | Modified Date = 3/6/2008 10:14:58 PM | Attr =	]

Preparation Guide For Use Before Posting A Hijackthis Log.htm -> %UserProfile%\Desktop\Preparation Guide For Use Before Posting A Hijackthis Log.htm ->  [Ver =  | Size = 57559 bytes | Modified Date = 3/2/2008 10:10:02 AM | Attr =	]

Preparation Guide For Use Before Posting A Hijackthis Log_files -> %UserProfile%\Desktop\Preparation Guide For Use Before Posting A Hijackthis Log_files ->  [Folder | Modified Date = 3/2/2008 10:10:02 AM | Attr =	]

WinPFind35u -> %UserProfile%\Desktop\WinPFind35u ->  [Folder | Modified Date = 3/7/2008 10:29:48 PM | Attr =	]

WinPFind35u.exe -> %UserProfile%\Desktop\WinPFind35u.exe ->  [Ver =  | Size = 481921 bytes | Modified Date = 3/7/2008 10:29:35 PM | Attr =	]

Autodesk Shared -> %CommonProgramFiles%\Autodesk Shared ->  [Folder | Modified Date = 3/2/2008 3:30:54 PM | Attr =	]

Java -> %CommonProgramFiles%\Java ->  [Folder | Modified Date = 3/2/2008 12:57:34 PM | Attr =	]

LightScribe -> %CommonProgramFiles%\LightScribe ->  [Folder | Modified Date = 3/2/2008 3:31:11 PM | Attr =	]

System -> %CommonProgramFiles%\System ->  [Folder | Modified Date = 3/2/2008 3:31:27 PM | Attr =	]

Wise Installation Wizard -> %CommonProgramFiles%\Wise Installation Wizard ->  [Folder | Modified Date = 2/25/2008 11:45:04 AM | Attr =	]



< End of report >


#14 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
Posted 08 March 2008 - 11:34 AM

Hi azwanzig,

Now start WinPFind35U.
Copy/Paste the information in the code box below into the pane where it says "Paste fix here" and then click the Run Fix button.


[Kill Explorer]
[Win32 Services - Non-Microsoft Only]
YY -> (ntlogin32) NT login service [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\cool.exe
YY -> (perfmons) perfmons Service [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\perfs.exe
YY -> (Routing) Routing Service [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\routing.exe
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. It will notify you when it is complete.
Click the Ok button and Notepad will open with a list of the actions taken.
Post that information back here in your next post.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 azwanzig

  • Topic Starter
  • Members
  • 20 posts

Posted 08 March 2008 - 04:39 PM

Hi SifuMike!

I hope I don't seem repetitive, but thank you again for your patience. I keep fearing your next post will tell me I'm screwed and that I need to format my hard drive.

I ran the fix in WinPFind35U. It told me to reboot, so I rebooted. It did not open notepad, but I found the following file, C:\Documents and Settings\Administrator\Desktop\WinPFind35u\MovedFiles\03082008_131949.log - is that what you're looking for?

Another HijackThis log follows.

Thanks

---------------------------------------------------------------------------------

Explorer killed successfully
[Win32 Services - Non-Microsoft Only]
Service ntlogin32 stopped successfully.
Service ntlogin32 deleted successfully.
File C:\WINNT\system32\cool.exe not found.
Service perfmons stopped successfully.
Service perfmons deleted successfully.
File C:\WINNT\system32\perfs.exe not found.
Service Routing stopped successfully.
Service Routing deleted successfully.
File C:\WINNT\system32\routing.exe not found.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_83NhEhuPBdrvhvo-journal scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_grv0zXXgwJeDGCP scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_IEMW9TEC9GJUr8c-journal scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_Y5Sq6OpeZqUJRXl scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
WinPFind35U Version 1.0.3.1 fix logfile created on 03082008_131949

---------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:35 PM, on 3/8/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system\proxy.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HIJACKTHIS\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINNT\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204509422796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{993B5030-D9E0-436A-B72A-28D3B44AC73F}: NameServer = 66.174.92.14 66.174.95.44
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MsService - Unknown owner - C:\WINNT\system\proxy.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

--
End of file - 6582 bytes
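Both logs in this exchange carry the same kind of indicator. The WinPFind35U fix above deleted three non-Microsoft services (ntlogin32, perfmons, Routing) and reported each of their binaries (cool.exe, perfs.exe, routing.exe) as not found: earlier cleaning had removed the files but left the auto-start service registrations behind. The HijackThis log that follows still shows an O23 service with no vendor string (MsService, pointing at C:\WINNT\system\proxy.exe, which is also in the running-process list). The Python below is an added example, not code from this thread or from the WinPFind or HijackThis tools: it parses constructed sample lines in those two log formats, expands %SystemRoot% and %ProgramFiles% with values assumed for this Windows 2000 system, and flags any service whose image file is absent or whose binary carries no vendor information. The sample lines, the ENV mapping and the PRESENT_FILES set are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample lines (not taken from a real machine) in the two formats seen
# in this thread: WinPFind35U's service block and HijackThis "O23" lines. The
# hyphenated "Foo - Bar Service" entry is there only to exercise the parser.
WINPFIND_SAMPLE = r"""
[Win32 Services - Non-Microsoft Only]
YY -> (ntlogin32) NT login service [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\cool.exe
YY -> (perfmons) perfmons Service [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\perfs.exe
YY -> (aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe
"""

HJT_SAMPLE = r"""
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: MsService - Unknown owner - C:\WINNT\system\proxy.exe
O23 - Service: Foo - Bar Service - Example Vendor - C:\Program Files\Example\foosvc.exe
"""

# Assumed environment for the Windows 2000 system in the thread; on a live host
# take these from os.environ instead.
ENV: Dict[str, str] = {"SystemRoot": r"C:\WINNT", "ProgramFiles": r"C:\Program Files"}

# Constructed stand-in for the disk (lower-cased full paths) so the example runs
# offline; on a live host replace the membership test with os.path.isfile().
PRESENT_FILES: Set[str] = {
    r"c:\program files\alwil software\avast4\aswupdsv.exe",
    r"c:\program files\alwil software\avast4\ashserv.exe",
    r"c:\winnt\system\proxy.exe",
    r"c:\program files\example\foosvc.exe",
}


@dataclass
class Service:
    name: str                      # short service name, or display name when the log has no short name
    owner: str                     # vendor string from the log, "" when unknown or not reported
    start: str                     # "Auto", "Demand", ... or "" when the log does not say
    image: str                     # expanded image path
    source: str                    # which log format the entry came from
    reasons: List[str] = field(default_factory=list)


WINPFIND_RE = re.compile(
    r"^YY -> \((?P<name>[^)]+)\) (?P<display>.*?) "
    r"\[(?P<type>[^|\]]+) \| (?P<start>[^|\]]+) \| (?P<state>[^\]]+)\] -> (?P<path>.+)$"
)
# Display name is greedy and the path must start with a drive letter, so a display
# name containing " - " still splits on the last "<vendor> - <drive>:\" boundary.
HJT_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)


def expand(path: str, env: Dict[str, str]) -> str:
    """Expand %NAME% tokens in an ImagePath the way the service control manager does."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def parse_winpfind(text: str, env: Dict[str, str] = ENV) -> List[Service]:
    found = []
    for line in text.splitlines():
        m = WINPFIND_RE.match(line.strip())
        if m:
            found.append(Service(name=m["name"], owner="", start=m["start"].strip(),
                                 image=expand(m["path"].strip(), env), source="winpfind"))
    return found


def parse_hjt(text: str) -> List[Service]:
    found = []
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if m:
            owner = m["owner"].strip()
            if owner.lower() == "unknown owner":   # HijackThis prints this when the binary has no version info
                owner = ""
            found.append(Service(name=m["display"].strip(), owner=owner, start="",
                                 image=m["path"].strip(), source="hijackthis"))
    return found


def triage(services: List[Service], present: Set[str]) -> List[Service]:
    """Return the services worth a second look, with the reason recorded on each."""
    flagged = []
    for svc in services:
        reasons = []
        if svc.image.lower() not in present:
            reasons.append("image file not found on disk")
        if svc.source == "hijackthis" and not svc.owner:
            reasons.append("binary carries no vendor/version information")
        svc.reasons = reasons
        if reasons:
            flagged.append(svc)
    return flagged


if __name__ == "__main__":
    all_services = parse_winpfind(WINPFIND_SAMPLE) + parse_hjt(HJT_SAMPLE)
    for svc in triage(all_services, PRESENT_FILES):
        print(f"{svc.source:10} {svc.name:<12} {svc.image}  <- {'; '.join(svc.reasons)}")
```

A missing image is not by itself proof of malware (an uninstaller that forgets its service leaves the same trace), but an auto-start service with no binary, or a running service whose binary has no vendor information and sits in an odd directory such as C:\WINNT\system rather than system32, is where triage of a log like this starts.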



