
Infected With Gebukecb.dll


  • This topic is locked
7 replies to this topic

#1 Yashii


Posted 11 May 2008 - 01:45 AM

Hi
When I open Internet Explorer, multiple windows open. I also get the following message.

"Microsoft Visual C++ Runtime Library

Buffer overrun detected!

Program: C:\WINDOWS\explorer.exe

A buffer overrun has been detected which has corrupted the programs internal state. The program cannot safely continue execution and must now be terminated."

I would appreciate whatever help you can give me.

Thanks

I also have problems opening iTunes and QuickTime.





Deckard's System Scanner v20071014.68
Run by Edward on 2008-05-10 21:41:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 1 Restore Point(s) --
1: 2008-05-10 18:31:57 UTC - RP57 - Scheduled Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 1023 MiB (1024 MiB recommended).


-- HijackThis (run as Edward.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:24 PM, on 5/10/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Edward\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Edward.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\PrevxCSI.exe" /bootupreg
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrvx86.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PskSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe

--
End of file - 10141 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 pxark - c:\windows\system32\drivers\pxark.sys <Not Verified; ; Prevx CSI>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-10 and 2008-05-10 -----------------------------

2008-05-10 21:43:53 0 d-------- C:\Program Files\Trend Micro
2008-05-10 17:07:03 0 d-------- C:\Users\All Users\Kaspersky Lab
2008-05-10 17:07:02 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-05-08 14:49:02 0 d-------- C:\Windows\BDOSCAN8
2008-05-08 11:30:14 0 --a------ C:\Windows\system32\drivers\ShldDrv.sys
2008-05-08 11:29:47 0 --a------ C:\Windows\system32\drivers\AmFSM.sys
2008-05-08 11:28:04 10880 --a------ C:\Windows\system32\drivers\pxark.sys <Not Verified; ; Prevx CSI>
2008-05-08 11:28:04 0 d-------- C:\Program Files\PrevxCSI
2008-05-08 11:27:58 0 d-------- C:\Users\All Users\PrevxCSI
2008-05-07 20:00:07 0 d-------- C:\VundoFix Backups
2008-05-06 22:37:34 0 d-------- C:\Program Files\Palm Inc
2008-05-06 18:49:27 0 d-------- C:\Users\All Users\TiVo
2008-05-06 18:49:27 0 d-------- C:\Program Files\TiVo
2008-05-06 18:49:25 0 d-------- C:\Program Files\Common Files\TiVo Shared
2008-05-06 18:19:18 0 d-------- C:\Users\All Users\SlySoft
2008-05-06 18:12:52 0 d-------- C:\Program Files\SlySoft
2008-05-06 17:54:32 0 d-------- C:\Users\All Users\Azureus
2008-05-06 17:52:16 0 d-------- C:\Program Files\Azureus
2008-05-06 16:34:52 0 d-------- C:\Program Files\DVDFab Platinum 4
2008-05-06 16:32:15 0 d-------- C:\Program Files\ZipGenius 6
2008-05-06 14:41:00 0 d-------- C:\Program Files\Lavasoft
2008-05-06 14:40:59 0 d-------- C:\Users\All Users\Lavasoft
2008-05-06 14:39:11 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-06 13:24:23 0 d-------- C:\Program Files\Common Files\SWF Studio
2008-05-06 13:13:46 0 d-------- C:\Program Files\iPod
2008-05-06 13:13:31 0 d-------- C:\Program Files\iTunes
2008-05-06 12:59:36 0 d-------- C:\Windows\system32\appmgmt
2008-05-06 11:55:41 0 d-------- C:\Program Files\Audible
2008-05-06 10:28:28 0 --a------ C:\Windows\nsreg.dat
2008-05-06 10:00:59 0 d-------- C:\Program Files\Opera
2008-05-05 21:51:52 0 d-------- C:\Program Files\Free Internet Window Washer
2008-05-05 15:30:06 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-05 11:22:47 0 d-------- C:\Users\All Users\sentinel
2008-05-05 11:16:16 261 --a------ C:\Windows\system32\PavCPL.dat
2008-05-05 11:16:06 210812 --a------ C:\Windows\system32\drivers\APPFCONT.DAT
2008-05-05 11:13:50 0 d-------- C:\Users\All Users\Backup
2008-05-05 11:12:52 446464 --a------ C:\Windows\system32\HHActiveX.dll <Not Verified; eHelp Corporation.; RoboHELP HTML 9.2>
2008-05-05 11:12:27 0 d-------- C:\Windows\system32\PAV
2008-05-05 11:12:18 0 d-------- C:\Program Files\Panda Security
2008-05-04 22:39:18 0 d-------- C:\Program Files\Common Files\Panda Software
2008-05-04 20:59:37 0 d-------- C:\Windows\pss
2008-05-04 20:41:49 0 d-------- C:\Users\All Users\HotSync
2008-05-04 20:36:32 0 d-------- C:\Program Files\Avvenu
2008-05-04 18:16:10 0 d-------- C:\Windows\Downloaded Installations
2008-05-04 16:56:58 0 d-------- C:\Users\All Users\Real
2008-05-04 16:56:58 0 d-------- C:\Program Files\Real Alternative
2008-05-04 16:47:51 0 d-------- C:\Users\Edward\browser - logitech
2008-05-04 16:46:43 0 d-------- C:\Users\Edward\logitech
2008-05-04 16:41:44 0 d-------- C:\Program Files\Common Files\Remote Control Software Common
2008-05-04 16:41:38 0 d-------- C:\Program Files\Logitech
2008-05-04 16:40:42 0 d-------- C:\Program Files\Common Files\Remote Control USB Driver
2008-05-04 16:29:19 0 d-------- C:\Windows\system32\QuickTime
2008-05-04 16:29:17 0 d-------- C:\Program Files\QuickTime Alternative
2008-05-04 16:29:17 0 d-------- C:\Program Files\Media Player Classic
2008-05-04 16:23:51 0 d-------- C:\Windows\WinAVI Video Converter 9.0
2008-05-04 16:23:51 0 d-------- C:\Program Files\WinAVI Video Converter 9.0
2008-05-04 16:19:46 0 d-------- C:\Users\All Users\TEMP
2008-05-04 16:18:26 0 d-------- C:\Program Files\VideoReDoPlus
2008-05-04 16:05:49 0 d-------- C:\Windows\system32\Macromed
2008-05-04 15:48:11 0 d-------- C:\Users\All Users\CyberLink
2008-05-04 15:43:35 0 d-------- C:\Program Files\CyberLink
2008-05-03 22:58:53 0 d-------- C:\Program Files\Sigmatel
2008-05-03 22:32:18 0 d-------- C:\Program Files\MSXML 4.0
2008-05-03 21:05:02 0 d-------- C:\Users\All Users\FLEXnet
2008-05-03 21:04:51 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-03 20:57:56 0 d-------- C:\Users\All Users\Adobe
2008-05-03 20:57:56 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-03 18:57:35 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-03 18:56:47 1843200 --a------ C:\Windows\system32\acXMLParser.dll <Not Verified; Apache Software Foundation; Xerces-C Version 2.7.0>
2008-05-03 18:56:44 3518464 --a------ C:\Windows\system32\cdintf300.dll <Not Verified; Amyuni Technologies http://www.amyuni.com; Amyuni Common Driver Interface>
2008-05-03 18:56:16 0 d-------- C:\Program Files\Common Files\Palo Alto Software
2008-05-03 18:55:59 0 d-------- C:\Program Files\Common Files\Intuit
2008-05-03 18:55:50 0 d-------- C:\Program Files\Quicken
2008-05-03 18:55:23 0 d-------- C:\Users\All Users\Intuit
2008-05-03 18:21:24 0 d-------- C:\Program Files\Apple Software Update
2008-05-03 18:11:52 0 d-------- C:\Program Files\Bonjour
2008-05-03 18:10:49 0 d-------- C:\Program Files\QuickTime
2008-05-03 18:10:48 0 d-------- C:\Users\All Users\Apple Computer
2008-05-03 18:09:26 0 d-------- C:\Program Files\Common Files\Apple
2008-05-03 18:09:25 0 d-------- C:\Users\All Users\Apple
2008-05-03 18:06:13 0 d-------- C:\Program Files\VideoLAN
2008-05-03 17:25:37 0 d-------- C:\Program Files\Microsoft Expression
2008-05-03 16:25:19 0 d-------- C:\Program Files\PowerISO
2008-05-03 16:25:15 43520 --a------ C:\Windows\system32\geBUKecb.dll
2008-05-03 16:00:38 0 d-------- C:\Users\All Users\Nero
2008-05-03 16:00:38 0 d-------- C:\Program Files\Nero
2008-05-03 16:00:38 0 d-------- C:\Program Files\Common Files\Nero
2008-05-03 15:33:44 717296 --a------ C:\Windows\system32\drivers\sptd.sys
2008-05-03 14:47:22 0 d-------- C:\Program Files\Microsoft Works
2008-05-03 14:45:32 0 d-------- C:\Windows\PCHEALTH
2008-05-03 14:45:31 0 d-------- C:\Program Files\Microsoft.NET
2008-05-03 14:42:10 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-03 14:40:15 0 d-------- C:\Users\All Users\Microsoft Help
2008-05-03 14:39:41 0 dr-h----- C:\MSOCache
2008-05-03 13:58:57 0 d-------- C:\Program Files\MagicISO
2008-05-03 13:41:59 0 d-------- C:\Program Files\Palm
2008-05-03 13:37:22 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-03 13:37:20 0 d--hs---- C:\Windows\Installer
2008-05-03 13:16:40 0 dr------- C:\Users\Edward\Searches
2008-05-03 13:16:29 0 dr------- C:\Users\Edward\Contacts
2008-05-03 13:14:30 0 d--hs---- C:\Users\Edward\Templates
2008-05-03 13:14:30 0 d--hs---- C:\Users\Edward\Start Menu
2008-05-03 13:14:30 0 d--hs---- C:\Users\Edward\SendTo
2008-05-03 13:14:30 0 d--hs---- C:\Users\Edward\Recent
2008-05-03 13:14:30 0 d--hs---- C:\Users\Edward\PrintHood
2008-05-03 13:14:30 0 d--hs---- C:\Users\Edward\NetHood
2008-05-03 13:14:30 0 d--hs---- C:\Users\Edward\My Documents
2008-05-03 13:14:30 0 d--hs---- C:\Users\Edward\Local Settings
2008-05-03 13:14:30 0 d--hs---- C:\Users\Edward\Cookies
2008-05-03 13:14:30 0 d--hs---- C:\Users\Edward\Application Data
2008-05-03 13:14:29 0 dr------- C:\Users\Edward\Videos
2008-05-03 13:14:29 0 dr------- C:\Users\Edward\Saved Games
2008-05-03 13:14:29 0 dr------- C:\Users\Edward\Pictures
2008-05-03 13:14:29 0 dr------- C:\Users\Edward\Music
2008-05-03 13:14:29 0 dr------- C:\Users\Edward\Links
2008-05-03 13:14:29 0 dr------- C:\Users\Edward\Favorites
2008-05-03 13:14:29 0 dr------- C:\Users\Edward\Downloads
2008-05-03 13:14:29 0 dr------- C:\Users\Edward\Documents
2008-05-03 13:14:29 0 dr------- C:\Users\Edward\Desktop
2008-05-03 13:14:29 0 d--h----- C:\Users\Edward\AppData
2008-05-03 13:14:28 1572864 --ahs---- C:\Users\Edward\NTUSER.DAT
2008-05-03 13:14:02 171136 -rahs---- C:\grldr
2008-05-03 12:56:57 0 d-------- C:\Windows\Panther
2008-05-03 12:56:43 0 d--hs---- C:\Boot
2008-05-03 12:56:07 0 d-------- C:\Windows\system32\OEM
2008-05-03 12:56:07 59 -ra------ C:\Windows\DELL_VERSION
2008-05-03 12:03:38 12 --a------ C:\Windows\bthservsdp.dat
2008-05-03 12:02:38 0 d-------- C:\Windows\SoftwareDistribution
2008-05-03 11:59:58 0 d-------- C:\Windows\Debug
2008-05-03 11:59:57 0 d-------- C:\Windows\CSC
2008-05-03 11:57:57 0 d-------- C:\Windows\Prefetch
2008-05-03 11:57:44 0 d--hs---- C:\System Volume Information


-- Find3M Report ---------------------------------------------------------------

2008-05-06 19:38:32 0 d-------- C:\Users\Edward\AppData\Roaming\ZipGenius
2008-05-06 19:38:32 139 --a------ C:\Users\Edward\AppData\Roaming\mainhst.zgh
2008-05-06 18:49:25 0 d-------- C:\Program Files\Common Files
2008-05-06 18:13:53 0 d-------- C:\Users\Edward\AppData\Roaming\Azureus
2008-05-06 17:15:22 0 d-------- C:\Users\Edward\AppData\Roaming\Vso
2008-05-06 16:36:02 34 --a------ C:\Users\Edward\AppData\Roaming\pcouffin.log
2008-05-06 16:35:00 7887 --a------ C:\Users\Edward\AppData\Roaming\pcouffin.cat
2008-05-06 10:34:50 0 d-------- C:\Users\Edward\AppData\Roaming\Adobe
2008-05-06 10:28:22 0 d-------- C:\Users\Edward\AppData\Roaming\Mozilla
2008-05-06 10:02:13 0 d-------- C:\Users\Edward\AppData\Roaming\Opera
2008-05-05 21:49:22 0 d-------- C:\Users\Edward\AppData\Roaming\Macromedia
2008-05-04 20:41:49 0 d-------- C:\Users\Edward\AppData\Roaming\HotSync
2008-05-04 18:40:38 0 d-------- C:\Users\Edward\AppData\Roaming\Leadertech
2008-05-04 17:07:45 0 d-------- C:\Users\Edward\AppData\Roaming\DVD Shrink
2008-05-04 16:56:58 0 d-------- C:\Users\Edward\AppData\Roaming\Real
2008-05-04 16:39:44 0 d-------- C:\Users\Edward\AppData\Roaming\InstallShield
2008-05-04 16:18:27 0 d-------- C:\Users\Edward\AppData\Roaming\VideoReDoPlus
2008-05-04 00:07:40 0 d-------- C:\Program Files\Windows Mail
2008-05-04 00:07:40 0 d-------- C:\Program Files\Microsoft Games
2008-05-03 18:56:33 0 d-------- C:\Users\Edward\AppData\Roaming\Intuit
2008-05-03 18:13:09 0 d-------- C:\Users\Edward\AppData\Roaming\Apple Computer
2008-05-03 18:06:45 0 d-------- C:\Users\Edward\AppData\Roaming\vlc
2008-05-03 16:03:05 0 d-------- C:\Users\Edward\AppData\Roaming\Nero
2008-05-03 15:33:34 0 d-------- C:\Users\Edward\AppData\Roaming\DAEMON Tools
2008-05-03 14:47:03 0 d-------- C:\Program Files\MSBuild
2008-05-03 13:42:43 0 d-------- C:\Users\Edward\AppData\Roaming\Arcsoft
2008-05-03 13:16:31 0 d-------- C:\Users\Edward\AppData\Roaming\Identities
2008-05-03 12:04:40 174 --ahs---- C:\Program Files\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [07/11/2007 07:26 AM]
"@"="" []
"MSConfig"="C:\Windows\system32\msconfig.exe" [11/02/2006 01:45 AM]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.exe" [07/23/2007 06:30 PM]
"SCANINICIO"="C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe" [07/11/2007 03:17 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"Windows Mobile-based device management"="%windir%\WindowsMobile\wmdSync.exe" []
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [09/28/2006 11:21 AM]
"PrevxCSI"="C:\Program Files\PrevxCSI\PrevxCSI.exe" [05/08/2008 11:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/08/2008 02:33 PM]
"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [04/04/2008 10:54 AM]
"TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" [04/04/2008 10:54 AM]
"TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [04/04/2008 10:56 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 04:33 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 02/15/2007 08:02 PM 50736 C:\Windows\System32\avldr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Avvenu Connector.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Avvenu Connector.lnk
backup=C:\Windows\pss\Avvenu Connector.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\Windows\pss\HotSync Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Edward^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Users\Edward\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\Windows\pss\HotSync Manager.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\747fc238]
rundll32.exe "C:\Users\Edward\AppData\Local\Temp\kwkxvgmb.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Avvenu Access n Share Update]
"C:\Program Files\Avvenu\Avvenu_updater.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM774cf1a4]
Rundll32.exe "C:\Users\Edward\AppData\Local\Temp\nsebinyp.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
rundll32.exe C:\Users\Edward\AppData\Local\Temp\efcCUmjj.dll,c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Internet Window Washer]
C:\PROGRA~1\FREEIN~1\Clearpch.exe -Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotSync]
"C:\Program Files\Palm\Hotsync.exe" -AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
rundll32.exe C:\Users\Edward\AppData\Local\Temp\wvUkKETN.dll,#1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\wd_windows_tools\WDEULA.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04cee04f-1956-11dd-a689-0016411c7960}]
AutoRun\command- H:\wd_windows_tools\WDEULA.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04cee057-1956-11dd-a689-0016411c7960}]
AutoRun\command- I:\SETUP.EXE
configure\command- I:\SETUP.EXE
install\command- I:\SETUP.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-05-10 21:50:27 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Ultimate (build 6000)
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.86GHz
Percentage of Memory in Use: 62%
Physical Memory (total/avail): 1022.82 MiB / 378.59 MiB
Pagefile Memory (total/avail): 2299.23 MiB / 1288.88 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1880.32 MiB

C: is Fixed (NTFS) - 44.28 GiB total, 21.49 GiB free.
D: is Fixed (NTFS) - 44.17 GiB total, 30.28 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHV2100AH ATA Device - 93.16 GiB - 4 partitions
\PARTITION0 - Unknown - 62.72 MiB
\PARTITION1 (bootable) - Installable File System - 44.28 GiB - C:
\PARTITION2 - Extended w/Extended Int 13 - 44.17 GiB - D:
\PARTITION3 - Unknown - 4.64 GiB



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is disabled.

FW: Panda Internet Security 2008 v12.00.00 (Panda Security) Disabled
AV: Panda Internet Security 2008 v12.00.00 (Panda Security) Disabled Outdated
AS: Panda Internet Security 2008 v12.00.00 (Panda Security) Disabled Outdated
AS: Spybot - Search and Destroy v1.0.0.5 (Safer Networking Ltd.) Disabled Outdated
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Edward\AppData\Roaming
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OMICRON
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Edward
LOCALAPPDATA=C:\Users\Edward\AppData\Local
LOGONSERVER=\\OMICRON
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\Panda Security\Panda Internet Security 2008\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\ZipGenius 6\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Edward\AppData\Local\Temp
TMP=C:\Users\Edward\AppData\Local\Temp
USERDOMAIN=Omicron
USERNAME=Edward
USERPROFILE=C:\Users\Edward
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Edward


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Windows\UNNeroBackItUp.exe /UNINSTALL
--> C:\Windows\UNNeroMediaHome.exe /UNINSTALL
--> C:\Windows\UNNeroShowTime.exe /UNINSTALL
--> C:\Windows\UNNeroVision.exe /UNINSTALL
--> C:\Windows\UNRecode.exe /UNINSTALL
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 8.1.2 Professional --> msiexec /I {AC76BA86-1033-F400-7760-000000000003}
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop Elements 6.0 --> msiexec /I {F54AC413-D2C6-4A24-B324-370C223C6250}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
AudibleManager --> C:\Program Files\Audible\Bin\Upgrade.exe /Uninstall
Avvenu --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{16551E12-7EBB-4F63-9B6D-4AED6C2A6FB0}\setup.exe" -l0x9 -removeonly
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
CloneCD --> "C:\Program Files\SlySoft\CloneCD\ccd-uninst.exe" /D="C:\Program Files\SlySoft\CloneCD"
DVDFab Platinum 4.1.2.0 --> "C:\Program Files\DVDFab Platinum 4\unins000.exe"
Free Internet Window Washer --> C:\PROGRA~1\FREEIN~1\UNWISE.EXE C:\PROGRA~1\FREEIN~1\INSTALL.LOG
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Kaspersky Online Scanner --> C:\Windows\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Logitech Harmony Remote Software 7 --> C:\Program Files\InstallShield Installation Information\{5C6F884D-680C-448B-B4C9-22296EE1B206}\setup.exe -runfromtemp -l0x0009 -removeonly
Microsoft Expression Web --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall WEBDESIGNER /dll ESETUP.DLL
Microsoft Expression Web --> MsiExec.exe /X{90120000-0026-0000-0000-0000000FF1CE}
Microsoft Expression Web MUI (English) --> MsiExec.exe /X{90120000-0026-0409-0000-0000000FF1CE}
Microsoft Expression Web Service Pack 1 (SP1) --> msiexec /package {90120000-0026-0000-0000-0000000FF1CE} /uninstall {9037FDA8-8383-4B6F-859D-D49C3C625225}
Microsoft Expression Web Service Pack 1 (SP1) --> msiexec /package {90120000-0026-0409-0000-0000000FF1CE} /uninstall {DA3B8FC6-8B1D-447A-A5EE-B226DCC10662}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Visio 2007 Service Pack 1 (SP1) --> msiexec /package {90120000-0051-0000-0000-0000000FF1CE} /uninstall {AA4F2610-5FF1-4DCD-A6FB-BCA2D09A6443}
Microsoft Office Visio 2007 Service Pack 1 (SP1) --> msiexec /package {90120000-0054-0409-0000-0000000FF1CE} /uninstall {EA35370F-586C-45E1-AC6C-A4E275C6B762}
Microsoft Office Visio MUI (English) 2007 --> MsiExec.exe /X{90120000-0054-0409-0000-0000000FF1CE}
Microsoft Office Visio Professional 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall VISPRO /dll OSETUP.DLL
Microsoft Office Visio Professional 2007 --> MsiExec.exe /X{90120000-0051-0000-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
Nero 8 --> MsiExec.exe /X{5FCCD531-1B38-4A94-924C-127F722F1033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Opera 9.27 --> MsiExec.exe /X{503D6E3E-1A48-44F5-BB7C-EB3B593FAED0}
Palm Desktop by ACCESS --> MsiExec.exe /X{FD6034A3-655C-49F0-B496-D4CBFD74D7A7}
Palm Outlook Conduits Updater --> MsiExec.exe /I{616A66CD-D36D-4E24-8B67-33AFDFF48061}
Panda Internet Security 2008 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EEBA9416-3207-47E0-9022-116440599DBC}\SETUP.EXE" -l0x9 -removeonly
Panda TotalScan --> C:\Program Files\Panda Security\TotalScan\ascuninst.exe
PowerDVD --> "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -l0x000409 /z-uninstall
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
Prevx CSI --> "C:\Program Files\PrevxCSI\\PrevxCSI.exe" /prop UNINSTALL=Y
Quicken 2008 --> MsiExec.exe /X{3B0F52AC-EF5C-4831-B221-06C782E41280}
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
QuickTime Alternative 1.47 --> "C:\Program Files\QuickTime Alternative\unins000.exe"
Real Alternative 1.60 --> "C:\Program Files\Real Alternative\unins000.exe"
Remote Control USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8471021C-F529-43DE-84DF-3612E10F58C4}\setup.exe" -l0x9 -removeonly
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Visio 2007 (KB947590) --> msiexec /package {90120000-0051-0000-0000-0000000FF1CE} /uninstall {199018BD-578E-44BD-A28F-7F944931CABD}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TiVo Desktop 2.6.1 --> MsiExec.exe /X{4E839090-3B68-436A-B3CF-A2A08C38DD26}
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0026-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0051-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb949037) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B4F188C6-6DBF-42A5-A8A3-3086D1A384F2}
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
VideoLAN VLC media player 0.8.6e --> C:\Program Files\VideoLAN\VLC\uninstall.exe
VideoReDo/Plus Version 2.5.5.512 --> "C:\Program Files\VideoReDoPlus\unins000.exe"
WinAVI Video Converter 9.0 --> "C:\Windows\WinAVI Video Converter 9.0\uninstall.exe" "/U:C:\Program Files\WinAVI Video Converter 9.0\Uninstall\uninstall.xml"
ZipGenius 6 (6.0.3.1150) --> "C:\Program Files\ZipGenius 6\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type2411 / Success
Event Submitted/Written: 05/10/2008 08:15:17 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type2410 / Success
Event Submitted/Written: 05/10/2008 08:15:16 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type2406 / Success
Event Submitted/Written: 05/10/2008 08:15:10 PM
Event ID/Source: 2570 / Adobe Active File Monitor 6.0
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type2405 / Success
Event Submitted/Written: 05/10/2008 08:14:59 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type2393 / Warning
Event Submitted/Written: 05/10/2008 07:47:24 PM
Event ID/Source: 6005 / Wlclntfy
Event Description:
The winlogon notification subscriber <Sens> is taking long time to handle the notification event (Logoff).



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9442 / Warning
Event Submitted/Written: 05/10/2008 09:49:42 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Omicron27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Omicron27 can't undo changes that you allow.

For more information please see the following:
%Omicron275

Scan ID: {A280D40C-FDA8-4A68-8B3D-D8D4B70349E0}

User: Omicron\Edward

Name: %Omicron271

ID: %Omicron272

Severity ID: %Omicron273

Category ID: %Omicron274

Path Found: %Omicron276

Alert Type: %Omicron278

Detection Type: 1.1.1505.02

Event Record #/Type9441 / Warning
Event Submitted/Written: 05/10/2008 09:49:41 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Omicron27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Omicron27 can't undo changes that you allow.

For more information please see the following:
%Omicron275

Scan ID: {32584820-E8F6-470A-B759-744203D64C05}

User: Omicron\Edward

Name: %Omicron271

ID: %Omicron272

Severity ID: %Omicron273

Category ID: %Omicron274

Path Found: %Omicron276

Alert Type: %Omicron278

Detection Type: 1.1.1505.02

Event Record #/Type9318 / Error
Event Submitted/Written: 05/10/2008 08:14:28 PM
Event ID/Source: 6008 / EventLog
Event Description:
The previous system shutdown at 8:12:46 PM on 5/10/2008 was unexpected.

Event Record #/Type9313 / Error
Event Submitted/Written: 05/10/2008 07:44:41 PM
Event ID/Source: 10010 / DCOM
Event Description:
{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Event Record #/Type9303 / Warning
Event Submitted/Written: 05/10/2008 05:52:36 PM
Event ID/Source: 57 / volmgr
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.



-- End of Deckard's System Scanner: finished at 2008-05-10 21:50:27 ------------

KASPERSKY ONLINE SCANNER REPORT
Saturday, May 10, 2008 9:32:20 PM
Operating System: Microsoft Windows Vista Professional, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/05/2008
Kaspersky Anti-Virus database records: 755482


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 99916
Number of viruses found 5
Number of infected objects 8
Number of suspicious objects 0
Duration of the scan process 01:07:10

Infected Object Name Virus Name Last Action
C:\Boot\BCD Object is locked skipped

C:\Boot\BCD.LOG Object is locked skipped

C:\Program Files\Nero\Nero8\Nero BackItUp\BIU2F39.txt Object is locked skipped

C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\MshConf\scoffset.bin.incr Object is locked skipped

C:\Program Files\Panda Security\Panda Internet Security 2008\f4d4851e8935eebef0f2eb52b3212bc9PSK_NAMES Object is locked skipped

C:\Program Files\Panda Security\Panda Internet Security 2008\f4d4851e8935eebef0f2eb52b3212bc9PSK_NAMES2 Object is locked skipped

C:\Program Files\Panda Security\Panda Internet Security 2008\PavCntrs.dat Object is locked skipped

C:\ProgramData\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008051020080511\index.dat Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\UsrClass.dat{6687e9f7-194c-11dd-89b7-0016411c7960}.TM.blf Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\UsrClass.dat{6687e9f7-194c-11dd-89b7-0016411c7960}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\UsrClass.dat{6687e9f7-194c-11dd-89b7-0016411c7960}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows Defender\FileTracker\{98455FDE-06D4-4C6F-81DB-D36A49CD4123} Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows Sidebar\Settings.ini Object is locked skipped

C:\Users\Edward\AppData\Local\Temp\FXSAPIDebugLogFile.txt Object is locked skipped

C:\Users\Edward\AppData\Local\Temp\kwkxvgmb.dll Infected: Trojan.Win32.Monder.db skipped

C:\Users\Edward\AppData\Local\TiVo Desktop\Logs\TiVoNotify.log Object is locked skipped

C:\Users\Edward\AppData\Local\TiVo Desktop\Logs\TiVoServer.log Object is locked skipped

C:\Users\Edward\AppData\Local\TiVo Desktop\Logs\TiVoTransfer.log Object is locked skipped

C:\Users\Edward\AppData\Local\TiVo Desktop\Logs\Transcode.log Object is locked skipped

C:\Users\Edward\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped

C:\Users\Edward\Downloads\Omicron Vista\Nero 8 Ultra Edition 8.2.8.0_(+ Keygen!)\Nero 8_Keygen.EXE/WINDOW~1.EXE Infected: Backdoor.Win32.VB.cyt skipped

C:\Users\Edward\Downloads\Omicron Vista\Nero 8 Ultra Edition 8.2.8.0_(+ Keygen!)\Nero 8_Keygen.EXE CAB: infected - 1 skipped

C:\Users\Edward\Downloads\Omicron Vista\Nero 8 Ultra Edition 8.2.8.0_(+ Keygen!)\Nero-8.2.8.0-eng.exe/WINDOW~1.EXE Infected: Backdoor.Win32.VB.cyy skipped

C:\Users\Edward\Downloads\Omicron Vista\Nero 8 Ultra Edition 8.2.8.0_(+ Keygen!)\Nero-8.2.8.0-eng.exe/NERO-8~1.EXE/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

C:\Users\Edward\Downloads\Omicron Vista\Nero 8 Ultra Edition 8.2.8.0_(+ Keygen!)\Nero-8.2.8.0-eng.exe/NERO-8~1.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

C:\Users\Edward\Downloads\Omicron Vista\Nero 8 Ultra Edition 8.2.8.0_(+ Keygen!)\Nero-8.2.8.0-eng.exe CAB: infected - 3 skipped

C:\Users\Edward\NTUSER.DAT Object is locked skipped

C:\Users\Edward\ntuser.dat.LOG1 Object is locked skipped

C:\Users\Edward\ntuser.dat.LOG2 Object is locked skipped

C:\Users\Edward\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf Object is locked skipped

C:\Users\Edward\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Users\Edward\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Windows\bthservsdp.dat Object is locked skipped

C:\Windows\Debug\PASSWD.LOG Object is locked skipped

C:\Windows\Debug\sam.log Object is locked skipped

C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped

C:\Windows\Logs\DPX\setupact.log Object is locked skipped

C:\Windows\Logs\DPX\setuperr.log Object is locked skipped

C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config Object is locked skipped

C:\Windows\Panther\UnattendGC\diagerr.xml Object is locked skipped

C:\Windows\Panther\UnattendGC\diagwrn.xml Object is locked skipped

C:\Windows\Panther\UnattendGC\setupact.log Object is locked skipped

C:\Windows\Panther\UnattendGC\setuperr.log Object is locked skipped

C:\Windows\security\database\secedit.sdb Object is locked skipped

C:\Windows\SFE8E9951.tmp Object is locked skipped

C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped

C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped

C:\Windows\System32\catroot2\edb.log Object is locked skipped

C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped

C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped

C:\Windows\System32\config\COMPONENTS Object is locked skipped

C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped

C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped

C:\Windows\System32\config\DEFAULT Object is locked skipped

C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped

C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped

C:\Windows\System32\config\SAM Object is locked skipped

C:\Windows\System32\config\SAM.LOG1 Object is locked skipped

C:\Windows\System32\config\SAM.LOG2 Object is locked skipped

C:\Windows\System32\config\SECURITY Object is locked skipped

C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped

C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped

C:\Windows\System32\config\SOFTWARE Object is locked skipped

C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped

C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped

C:\Windows\System32\config\SYSTEM Object is locked skipped

C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped

C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped

C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Windows\System32\drivers\sptd.sys Object is locked skipped

C:\Windows\System32\geBUKecb.dll Infected: Trojan.Win32.Monder.gen skipped

C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped

C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\Windows\System32\restore\MachineGuid.txt Object is locked skipped

C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped

C:\Windows\System32\wbem\AutoRecover\3460B7617E0429A960E481B197F238A3.mof Object is locked skipped

C:\Windows\System32\wbem\AutoRecover\E478A5DB75C9721E744C05D78DBACFD3.mof Object is locked skipped

C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped

C:\Windows\System32\wbem\Repository\INDEX.BTR Object is locked skipped

C:\Windows\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped

C:\Windows\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped

C:\Windows\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped

C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Backup.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winsock-WS2HELP%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Setup.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped

C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped

C:\Windows\WindowsUpdate.log Object is locked skipped

C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd Object is locked skipped

Scan process completed.


#2 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:05 AM

Posted 02 June 2008 - 07:25 PM

Hello


Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.



Next
Please do an online scan with Kaspersky WebScanner

Click on Accept Button

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Renato Victor Mejias
Malware help in portuguese

#3 Yashii

Yashii
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Location:Juneau, AK
  • Local time:02:05 AM

Posted 03 June 2008 - 06:00 PM

Thank you for looking into this.

Deckard's System Scanner v20071014.68
Run by Edward on 2008-06-03 10:32:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 1023 MiB (1024 MiB recommended).


-- HijackThis (run as Edward.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:37 AM, on 6/3/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\apvxdwin.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Edward\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Edward.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\avciman.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrvx86.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PskSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe

--
End of file - 10235 bytes

-- Files created between 2008-05-03 and 2008-06-03 -----------------------------

2008-05-20 13:35:52 0 d-------- C:\Program Files\iDump
2008-05-13 12:55:53 0 d-------- C:\Program Files\Exact Audio Copy
2008-05-13 12:45:11 0 d-------- C:\Program Files\AviSynth 2.5
2008-05-13 12:45:06 0 d-------- C:\Program Files\Red Kawa
2008-05-10 21:43:53 0 d-------- C:\Program Files\Trend Micro
2008-05-10 17:07:03 0 d-------- C:\Users\All Users\Kaspersky Lab
2008-05-10 17:07:02 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-05-08 14:49:02 0 d-------- C:\Windows\BDOSCAN8
2008-05-08 11:30:14 0 --a------ C:\Windows\system32\drivers\ShldDrv.sys
2008-05-08 11:29:47 0 --a------ C:\Windows\system32\drivers\AmFSM.sys
2008-05-07 20:00:07 0 d-------- C:\VundoFix Backups
2008-05-06 22:37:34 0 d-------- C:\Program Files\Palm Inc
2008-05-06 18:49:27 0 d-------- C:\Users\All Users\TiVo
2008-05-06 18:49:27 0 d-------- C:\Program Files\TiVo
2008-05-06 18:49:25 0 d-------- C:\Program Files\Common Files\TiVo Shared
2008-05-06 18:19:18 0 d-------- C:\Users\All Users\SlySoft
2008-05-06 18:12:52 0 d-------- C:\Program Files\SlySoft
2008-05-06 17:54:32 0 d-------- C:\Users\All Users\Azureus
2008-05-06 17:52:16 0 d-------- C:\Program Files\Azureus
2008-05-06 16:34:52 0 d-------- C:\Program Files\DVDFab Platinum 4
2008-05-06 16:32:15 0 d-------- C:\Program Files\ZipGenius 6
2008-05-06 14:41:00 0 d-------- C:\Program Files\Lavasoft
2008-05-06 14:40:59 0 d-------- C:\Users\All Users\Lavasoft
2008-05-06 14:39:11 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-06 13:24:23 0 d-------- C:\Program Files\Common Files\SWF Studio
2008-05-06 13:13:46 0 d-------- C:\Program Files\iPod
2008-05-06 13:13:31 0 d-------- C:\Program Files\iTunes
2008-05-06 12:59:36 0 d-------- C:\Windows\system32\appmgmt
2008-05-06 11:55:41 0 d-------- C:\Program Files\Audible
2008-05-06 10:28:28 0 --a------ C:\Windows\nsreg.dat
2008-05-06 10:00:59 0 d-------- C:\Program Files\Opera
2008-05-05 21:51:52 0 d-------- C:\Program Files\Free Internet Window Washer
2008-05-05 15:30:06 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-05 11:22:47 0 d-------- C:\Users\All Users\sentinel
2008-05-05 11:16:16 261 --a------ C:\Windows\system32\PavCPL.dat
2008-05-05 11:16:06 208640 --a------ C:\Windows\system32\drivers\APPFCONT.DAT
2008-05-05 11:13:50 0 d-------- C:\Users\All Users\Backup
2008-05-05 11:12:52 446464 --a------ C:\Windows\system32\HHActiveX.dll <Not Verified; eHelp Corporation.; RoboHELP HTML 9.2>
2008-05-05 11:12:27 0 d-------- C:\Windows\system32\PAV
2008-05-05 11:12:18 0 d-------- C:\Program Files\Panda Security
2008-05-04 22:39:18 0 d-------- C:\Program Files\Common Files\Panda Software
2008-05-04 20:59:37 0 d-------- C:\Windows\pss
2008-05-04 20:41:49 0 d-------- C:\Users\All Users\HotSync
2008-05-04 20:36:32 0 d-------- C:\Program Files\Avvenu
2008-05-04 18:16:10 0 d-------- C:\Windows\Downloaded Installations
2008-05-04 16:56:58 0 d-------- C:\Users\All Users\Real
2008-05-04 16:56:58 0 d-------- C:\Program Files\Real Alternative
2008-05-04 16:47:51 0 d-------- C:\Users\Edward\browser - logitech
2008-05-04 16:46:43 0 d-------- C:\Users\Edward\logitech
2008-05-04 16:41:44 0 d-------- C:\Program Files\Common Files\Remote Control Software Common
2008-05-04 16:41:38 0 d-------- C:\Program Files\Logitech
2008-05-04 16:40:42 0 d-------- C:\Program Files\Common Files\Remote Control USB Driver
2008-05-04 16:29:19 0 d-------- C:\Windows\system32\QuickTime
2008-05-04 16:29:17 0 d-------- C:\Program Files\QuickTime Alternative
2008-05-04 16:29:17 0 d-------- C:\Program Files\Media Player Classic
2008-05-04 16:23:51 0 d-------- C:\Windows\WinAVI Video Converter 9.0
2008-05-04 16:23:51 0 d-------- C:\Program Files\WinAVI Video Converter 9.0
2008-05-04 16:19:46 0 d-------- C:\Users\All Users\TEMP
2008-05-04 16:18:26 0 d-------- C:\Program Files\VideoReDoPlus
2008-05-04 16:05:49 0 d-------- C:\Windows\system32\Macromed
2008-05-04 15:48:11 0 d-------- C:\Users\All Users\CyberLink
2008-05-04 15:43:35 0 d-------- C:\Program Files\CyberLink
2008-05-03 22:58:53 0 d-------- C:\Program Files\Sigmatel
2008-05-03 22:32:18 0 d-------- C:\Program Files\MSXML 4.0
2008-05-03 21:05:02 0 d-------- C:\Users\All Users\FLEXnet
2008-05-03 21:04:51 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-03 20:57:56 0 d-------- C:\Users\All Users\Adobe
2008-05-03 20:57:56 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-03 18:57:35 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-03 18:56:47 1843200 --a------ C:\Windows\system32\acXMLParser.dll <Not Verified; Apache Software Foundation; Xerces-C Version 2.7.0>
2008-05-03 18:56:44 3518464 --a------ C:\Windows\system32\cdintf300.dll <Not Verified; Amyuni Technologies http://www.amyuni.com; Amyuni Common Driver Interface>
2008-05-03 18:56:16 0 d-------- C:\Program Files\Common Files\Palo Alto Software
2008-05-03 18:55:59 0 d-------- C:\Program Files\Common Files\Intuit
2008-05-03 18:55:50 0 d-------- C:\Program Files\Quicken
2008-05-03 18:55:23 0 d-------- C:\Users\All Users\Intuit
2008-05-03 18:21:24 0 d-------- C:\Program Files\Apple Software Update
2008-05-03 18:11:52 0 d-------- C:\Program Files\Bonjour
2008-05-03 18:10:49 0 d-------- C:\Program Files\QuickTime
2008-05-03 18:10:48 0 d-------- C:\Users\All Users\Apple Computer
2008-05-03 18:09:26 0 d-------- C:\Program Files\Common Files\Apple
2008-05-03 18:09:25 0 d-------- C:\Users\All Users\Apple
2008-05-03 18:06:13 0 d-------- C:\Program Files\VideoLAN
2008-05-03 17:25:37 0 d-------- C:\Program Files\Microsoft Expression
2008-05-03 16:25:19 0 d-------- C:\Program Files\PowerISO
2008-05-03 16:25:15 43520 --a------ C:\Windows\system32\geBUKecb.dll
2008-05-03 16:00:38 0 d-------- C:\Users\All Users\Nero
2008-05-03 16:00:38 0 d-------- C:\Program Files\Nero
2008-05-03 16:00:38 0 d-------- C:\Program Files\Common Files\Nero
2008-05-03 15:33:44 717296 --a------ C:\Windows\system32\drivers\sptd.sys
2008-05-03 14:47:22 0 d-------- C:\Program Files\Microsoft Works
2008-05-03 14:45:32 0 d-------- C:\Windows\PCHEALTH
2008-05-03 14:45:31 0 d-------- C:\Program Files\Microsoft.NET
2008-05-03 14:42:10 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-03 14:40:15 0 d-------- C:\Users\All Users\Microsoft Help
2008-05-03 14:39:41 0 dr-h----- C:\MSOCache
2008-05-03 13:58:57 0 d-------- C:\Program Files\MagicISO
2008-05-03 13:41:59 0 d-------- C:\Program Files\Palm
2008-05-03 13:37:22 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-03 13:37:20 0 d--hs---- C:\Windows\Installer
2008-05-03 13:16:40 0 dr------- C:\Users\Edward\Searches
2008-05-03 13:16:29 0 dr------- C:\Users\Edward\Contacts
2008-05-03 13:14:30 0 d--hs---- C:\Users\Edward\Templates
2008-05-03 13:14:30 0 d--hs---- C:\Users\Edward\Start Menu
2008-05-03 13:14:30 0 d--hs---- C:\Users\Edward\SendTo
2008-05-03 13:14:30 0 d--hs---- C:\Users\Edward\Recent
2008-05-03 13:14:30 0 d--hs---- C:\Users\Edward\PrintHood
2008-05-03 13:14:30 0 d--hs---- C:\Users\Edward\NetHood
2008-05-03 13:14:30 0 d--hs---- C:\Users\Edward\My Documents
2008-05-03 13:14:30 0 d--hs---- C:\Users\Edward\Local Settings
2008-05-03 13:14:30 0 d--hs---- C:\Users\Edward\Cookies
2008-05-03 13:14:30 0 d--hs---- C:\Users\Edward\Application Data
2008-05-03 13:14:29 0 dr------- C:\Users\Edward\Videos
2008-05-03 13:14:29 0 dr------- C:\Users\Edward\Saved Games
2008-05-03 13:14:29 0 dr------- C:\Users\Edward\Pictures
2008-05-03 13:14:29 0 dr------- C:\Users\Edward\Music
2008-05-03 13:14:29 0 dr------- C:\Users\Edward\Links
2008-05-03 13:14:29 0 dr------- C:\Users\Edward\Favorites
2008-05-03 13:14:29 0 dr------- C:\Users\Edward\Downloads
2008-05-03 13:14:29 0 dr------- C:\Users\Edward\Documents
2008-05-03 13:14:29 0 dr------- C:\Users\Edward\Desktop
2008-05-03 13:14:29 0 d--h----- C:\Users\Edward\AppData
2008-05-03 13:14:28 1572864 --ahs---- C:\Users\Edward\NTUSER.DAT
2008-05-03 13:14:02 171136 -rahs---- C:\grldr
2008-05-03 12:56:57 0 d-------- C:\Windows\Panther
2008-05-03 12:56:43 0 d--hs---- C:\Boot
2008-05-03 12:56:07 0 d-------- C:\Windows\system32\OEM
2008-05-03 12:56:07 59 -ra------ C:\Windows\DELL_VERSION
2008-05-03 12:03:38 12 --a------ C:\Windows\bthservsdp.dat
2008-05-03 12:02:38 0 d-------- C:\Windows\SoftwareDistribution
2008-05-03 11:59:58 0 d-------- C:\Windows\Debug
2008-05-03 11:59:57 0 d-------- C:\Windows\CSC
2008-05-03 11:57:57 0 d-------- C:\Windows\Prefetch
2008-05-03 11:57:44 0 d--hs---- C:\System Volume Information


-- Find3M Report ---------------------------------------------------------------

2008-05-18 11:36:37 38431 --a------ C:\Users\Edward\AppData\Roaming\Comma Separated Values (Windows).ADR
2008-05-18 10:30:10 267 --a------ C:\Users\Edward\AppData\Roaming\mainhst.zgh
2008-05-13 15:56:10 0 d-------- C:\Users\Edward\AppData\Roaming\CyberLink
2008-05-06 19:38:32 0 d-------- C:\Users\Edward\AppData\Roaming\ZipGenius
2008-05-06 18:49:25 0 d-------- C:\Program Files\Common Files
2008-05-06 18:13:53 0 d-------- C:\Users\Edward\AppData\Roaming\Azureus
2008-05-06 17:15:22 0 d-------- C:\Users\Edward\AppData\Roaming\Vso
2008-05-06 16:36:02 34 --a------ C:\Users\Edward\AppData\Roaming\pcouffin.log
2008-05-06 16:35:00 7887 --a------ C:\Users\Edward\AppData\Roaming\pcouffin.cat
2008-05-06 10:34:50 0 d-------- C:\Users\Edward\AppData\Roaming\Adobe
2008-05-06 10:28:22 0 d-------- C:\Users\Edward\AppData\Roaming\Mozilla
2008-05-06 10:02:13 0 d-------- C:\Users\Edward\AppData\Roaming\Opera
2008-05-05 21:49:22 0 d-------- C:\Users\Edward\AppData\Roaming\Macromedia
2008-05-04 20:41:49 0 d-------- C:\Users\Edward\AppData\Roaming\HotSync
2008-05-04 18:40:38 0 d-------- C:\Users\Edward\AppData\Roaming\Leadertech
2008-05-04 17:07:45 0 d-------- C:\Users\Edward\AppData\Roaming\DVD Shrink
2008-05-04 16:56:58 0 d-------- C:\Users\Edward\AppData\Roaming\Real
2008-05-04 16:39:44 0 d-------- C:\Users\Edward\AppData\Roaming\InstallShield
2008-05-04 16:18:27 0 d-------- C:\Users\Edward\AppData\Roaming\VideoReDoPlus
2008-05-04 00:07:40 0 d-------- C:\Program Files\Windows Mail
2008-05-04 00:07:40 0 d-------- C:\Program Files\Microsoft Games
2008-05-03 18:56:33 0 d-------- C:\Users\Edward\AppData\Roaming\Intuit
2008-05-03 18:13:09 0 d-------- C:\Users\Edward\AppData\Roaming\Apple Computer
2008-05-03 18:06:45 0 d-------- C:\Users\Edward\AppData\Roaming\vlc
2008-05-03 16:03:05 0 d-------- C:\Users\Edward\AppData\Roaming\Nero
2008-05-03 15:33:34 0 d-------- C:\Users\Edward\AppData\Roaming\DAEMON Tools
2008-05-03 14:47:03 0 d-------- C:\Program Files\MSBuild
2008-05-03 13:42:43 0 d-------- C:\Users\Edward\AppData\Roaming\Arcsoft
2008-05-03 13:16:31 0 d-------- C:\Users\Edward\AppData\Roaming\Identities
2008-05-03 12:04:40 174 --ahs---- C:\Program Files\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [07/11/2007 07:26 AM]
"@"="" []
"MSConfig"="C:\Windows\system32\msconfig.exe" [11/02/2006 01:45 AM]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.exe" [07/23/2007 06:30 PM]
"SCANINICIO"="C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe" [07/11/2007 03:17 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"Windows Mobile-based device management"="%windir%\WindowsMobile\wmdSync.exe" []
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [09/28/2006 11:21 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/08/2008 02:33 PM]
"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [04/04/2008 10:54 AM]
"TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" [04/04/2008 10:54 AM]
"TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [04/04/2008 10:56 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 04:33 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 02/15/2007 08:02 PM 50736 C:\Windows\System32\avldr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Avvenu Connector.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Avvenu Connector.lnk
backup=C:\Windows\pss\Avvenu Connector.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\Windows\pss\HotSync Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Edward^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Users\Edward\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\Windows\pss\HotSync Manager.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\747fc238]
rundll32.exe "C:\Users\Edward\AppData\Local\Temp\kwkxvgmb.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Avvenu Access n Share Update]
"C:\Program Files\Avvenu\Avvenu_updater.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM774cf1a4]
Rundll32.exe "C:\Users\Edward\AppData\Local\Temp\nsebinyp.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
rundll32.exe C:\Users\Edward\AppData\Local\Temp\efcCUmjj.dll,c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Internet Window Washer]
C:\PROGRA~1\FREEIN~1\Clearpch.exe -Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotSync]
"C:\Program Files\Palm\Hotsync.exe" -AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
rundll32.exe C:\Users\Edward\AppData\Local\Temp\wvUkKETN.dll,#1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\wd_windows_tools\WDEULA.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04cee04f-1956-11dd-a689-0016411c7960}]
AutoRun\command- H:\wd_windows_tools\WDEULA.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04cee057-1956-11dd-a689-0016411c7960}]
AutoRun\command- I:\SETUP.EXE
configure\command- I:\SETUP.EXE
install\command- I:\SETUP.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-03 10:33:43 ------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:26 AM, on 6/3/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\apvxdwin.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\avciman.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrvx86.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PskSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe

--
End of file - 10273 bytes

KASPERSKY ONLINE SCANNER REPORT
Tuesday, June 03, 2008 2:20:02 PM
Operating System: Microsoft Windows Vista Professional, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/06/2008
Kaspersky Anti-Virus database records: 826461


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
L:\

Scan Statistics
Total number of scanned objects 103964
Number of viruses found 4
Number of infected objects 7
Number of suspicious objects 0
Duration of the scan process 01:09:45

Infected Object Name Virus Name Last Action
C:\Deckard\System Scanner\20080603101548\backup\Users\Edward\AppData\Local\Temp\kwkxvgmb.dll Object is locked skipped

C:\Program Files\Nero\Nero8\Nero BackItUp\BIU2BDD.txt Object is locked skipped

C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\MshConf\scoffset.bin.incr Object is locked skipped

C:\Program Files\Panda Security\Panda Internet Security 2008\f4d4851e8935eebef0f2eb52b3212bc9PSK_NAMES Object is locked skipped

C:\Program Files\Panda Security\Panda Internet Security 2008\f4d4851e8935eebef0f2eb52b3212bc9PSK_NAMES2 Object is locked skipped

C:\Program Files\Panda Security\Panda Internet Security 2008\PavCntrs.dat Object is locked skipped

C:\ProgramData\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\UsrClass.dat{6687e9f7-194c-11dd-89b7-0016411c7960}.TM.blf Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\UsrClass.dat{6687e9f7-194c-11dd-89b7-0016411c7960}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\UsrClass.dat{6687e9f7-194c-11dd-89b7-0016411c7960}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows Defender\FileTracker\{F8DD212F-D76B-4FC1-9055-6F660573DD8E} Object is locked skipped

C:\Users\Edward\AppData\Local\Microsoft\Windows Sidebar\Settings.ini Object is locked skipped

C:\Users\Edward\AppData\Local\Temp\FXSAPIDebugLogFile.txt Object is locked skipped

C:\Users\Edward\AppData\Local\Temp\~DFFC89.tmp Object is locked skipped

C:\Users\Edward\AppData\Local\TiVo Desktop\Logs\TiVoNotify.log Object is locked skipped

C:\Users\Edward\AppData\Local\TiVo Desktop\Logs\TiVoServer.log Object is locked skipped

C:\Users\Edward\AppData\Local\TiVo Desktop\Logs\TiVoTransfer.log Object is locked skipped

C:\Users\Edward\AppData\Local\TiVo Desktop\Logs\Transcode.log Object is locked skipped

C:\Users\Edward\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped

C:\Users\Edward\Downloads\Omicron Vista\Nero 8 Ultra Edition 8.2.8.0_(+ Keygen!)\Nero 8_Keygen.EXE/WINDOW~1.EXE Infected: Backdoor.Win32.VB.cyt skipped

C:\Users\Edward\Downloads\Omicron Vista\Nero 8 Ultra Edition 8.2.8.0_(+ Keygen!)\Nero 8_Keygen.EXE CAB: infected - 1 skipped

C:\Users\Edward\Downloads\Omicron Vista\Nero 8 Ultra Edition 8.2.8.0_(+ Keygen!)\Nero-8.2.8.0-eng.exe/WINDOW~1.EXE Infected: Backdoor.Win32.VB.cyy skipped

C:\Users\Edward\Downloads\Omicron Vista\Nero 8 Ultra Edition 8.2.8.0_(+ Keygen!)\Nero-8.2.8.0-eng.exe/NERO-8~1.EXE/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

C:\Users\Edward\Downloads\Omicron Vista\Nero 8 Ultra Edition 8.2.8.0_(+ Keygen!)\Nero-8.2.8.0-eng.exe/NERO-8~1.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

C:\Users\Edward\Downloads\Omicron Vista\Nero 8 Ultra Edition 8.2.8.0_(+ Keygen!)\Nero-8.2.8.0-eng.exe CAB: infected - 3 skipped

C:\Users\Edward\NTUSER.DAT Object is locked skipped

C:\Users\Edward\ntuser.dat.LOG1 Object is locked skipped

C:\Users\Edward\ntuser.dat.LOG2 Object is locked skipped

C:\Users\Edward\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf Object is locked skipped

C:\Users\Edward\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Users\Edward\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Windows\bthservsdp.dat Object is locked skipped

C:\Windows\Debug\PASSWD.LOG Object is locked skipped

C:\Windows\Debug\sam.log Object is locked skipped

C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped

C:\Windows\Logs\DPX\setupact.log Object is locked skipped

C:\Windows\Logs\DPX\setuperr.log Object is locked skipped

C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config Object is locked skipped

C:\Windows\Panther\UnattendGC\diagerr.xml Object is locked skipped

C:\Windows\Panther\UnattendGC\diagwrn.xml Object is locked skipped

C:\Windows\Panther\UnattendGC\setupact.log Object is locked skipped

C:\Windows\Panther\UnattendGC\setuperr.log Object is locked skipped

C:\Windows\security\database\secedit.sdb Object is locked skipped

C:\Windows\SFE8E9951.tmp Object is locked skipped

C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped

C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped

C:\Windows\System32\catroot2\edb.log Object is locked skipped

C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped

C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped

C:\Windows\System32\config\COMPONENTS Object is locked skipped

C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped

C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped

C:\Windows\System32\config\DEFAULT Object is locked skipped

C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped

C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped

C:\Windows\System32\config\SAM Object is locked skipped

C:\Windows\System32\config\SAM.LOG1 Object is locked skipped

C:\Windows\System32\config\SAM.LOG2 Object is locked skipped

C:\Windows\System32\config\SECURITY Object is locked skipped

C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped

C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped

C:\Windows\System32\config\SOFTWARE Object is locked skipped

C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped

C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped

C:\Windows\System32\config\SYSTEM Object is locked skipped

C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped

C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped

C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Windows\System32\drivers\sptd.sys Object is locked skipped

C:\Windows\System32\geBUKecb.dll Infected: Trojan.Win32.Monder.gen skipped

C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped

C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\Windows\System32\restore\MachineGuid.txt Object is locked skipped

C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT Object is locked skipped

C:\Windows\System32\SMI\Store\Machine\schema.dat.LOG1 Object is locked skipped

C:\Windows\System32\SMI\Store\Machine\schema.dat.LOG2 Object is locked skipped

C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{0f694469-6a70-11db-8eb3-985e31beb686}.TM.blf Object is locked skipped

C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{0f694469-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{0f694469-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped

C:\Windows\System32\wbem\AutoRecover\3460B7617E0429A960E481B197F238A3.mof Object is locked skipped

C:\Windows\System32\wbem\AutoRecover\E478A5DB75C9721E744C05D78DBACFD3.mof Object is locked skipped

C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped

C:\Windows\System32\wbem\Repository\INDEX.BTR Object is locked skipped

C:\Windows\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped

C:\Windows\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped

C:\Windows\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped

C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Backup.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winsock-WS2HELP%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Setup.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped

C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped

C:\Windows\WindowsUpdate.log Object is locked skipped

C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd Object is locked skipped

Scan process completed.

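The Kaspersky report above lists every locked system file alongside the real detections, which makes the seven infected objects easy to miss. The following is an added example (not part of the thread and not Kaspersky's own tooling) that parses that report format: it separates "Object is locked" noise from "Infected:" verdicts and the "CAB: infected - N" container lines, collapses archive members (written as host.exe/MEMBER.EXE) back to the file on disk, and reproduces the report's own counts of 4 viruses and 7 infected objects. The sample lines are copied from the report above with the locked-file list trimmed; the `Finding` class and the helper names are this example's own.

```python
"""Parse a Kaspersky Online Scanner report and separate real detections from noise.

Added example (not part of the forum post); the sample lines below are copied
from the report above, with the long "Object is locked" list trimmed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Each report line is "<object path> <status> <last action>". Paths contain spaces,
# so the path is matched non-greedily and the status phrase anchors the split.
LOCKED_RE = re.compile(r"^(?P<path>.+?)\s+Object is locked\s+(?P<action>\S+)$")
INFECTED_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<action>\S+)$")
CONTAINER_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<kind>[A-Za-z0-9]+): infected - (?P<count>\d+)\s+(?P<action>\S+)$"
)


@dataclass
class Finding:
    path: str                    # object path; "/" introduces a member inside an archive
    verdict: str                 # "locked", "infected" or "container"
    action: str                  # scanner's last action ("skipped" in an online scan)
    name: Optional[str] = None   # detection name for "infected" objects
    member_count: int = 0        # infected members for "container" objects

    @property
    def host_file(self) -> str:
        """The file on disk holding this object (archive members are listed as host/MEMBER)."""
        return self.path.split("/", 1)[0]

    @property
    def is_adware(self) -> bool:
        """Kaspersky prefixes adware/riskware verdicts with 'not-a-virus:'."""
        return self.name is not None and self.name.startswith("not-a-virus:")


def parse_report(text: str) -> list:
    """Turn report lines into Finding records; headers and statistics are ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := INFECTED_RE.match(line):
            findings.append(Finding(m["path"], "infected", m["action"], name=m["name"]))
        elif m := CONTAINER_RE.match(line):
            findings.append(Finding(m["path"], "container", m["action"],
                                    member_count=int(m["count"])))
        elif m := LOCKED_RE.match(line):
            findings.append(Finding(m["path"], "locked", m["action"]))
    return findings


def summarize(findings: list) -> dict:
    """Reproduce the report's own statistics and list the on-disk files that need removal."""
    infected = [f for f in findings if f.verdict in ("infected", "container")]
    return {
        "infected_objects": len(infected),
        "viruses": sorted({f.name for f in findings if f.verdict == "infected"}),
        "adware_objects": sum(f.is_adware for f in findings),
        "files_to_remove": sorted({f.host_file for f in infected}),
        "locked_objects": sum(f.verdict == "locked" for f in findings),
    }


# Constructed sample: the detections from the report above plus a few locked entries.
SAMPLE_REPORT = r"""
C:\Users\Edward\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Edward\Downloads\Omicron Vista\Nero 8 Ultra Edition 8.2.8.0_(+ Keygen!)\Nero 8_Keygen.EXE/WINDOW~1.EXE Infected: Backdoor.Win32.VB.cyt skipped
C:\Users\Edward\Downloads\Omicron Vista\Nero 8 Ultra Edition 8.2.8.0_(+ Keygen!)\Nero 8_Keygen.EXE CAB: infected - 1 skipped
C:\Users\Edward\Downloads\Omicron Vista\Nero 8 Ultra Edition 8.2.8.0_(+ Keygen!)\Nero-8.2.8.0-eng.exe/WINDOW~1.EXE Infected: Backdoor.Win32.VB.cyy skipped
C:\Users\Edward\Downloads\Omicron Vista\Nero 8 Ultra Edition 8.2.8.0_(+ Keygen!)\Nero-8.2.8.0-eng.exe/NERO-8~1.EXE/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Users\Edward\Downloads\Omicron Vista\Nero 8 Ultra Edition 8.2.8.0_(+ Keygen!)\Nero-8.2.8.0-eng.exe/NERO-8~1.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Users\Edward\Downloads\Omicron Vista\Nero 8 Ultra Edition 8.2.8.0_(+ Keygen!)\Nero-8.2.8.0-eng.exe CAB: infected - 3 skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\drivers\sptd.sys Object is locked skipped
C:\Windows\System32\geBUKecb.dll Infected: Trojan.Win32.Monder.gen skipped
"""

if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Two things the summary makes visible that the raw report does not: the seven infected objects collapse to three files on disk (the two Nero downloads and geBUKecb.dll), because the keygen and the installer each count once as a container and again for each infected member; and the two MyWebSearch hits carry the `not-a-virus:` prefix, so they are bundled adware rather than the backdoor. Every action in an online scan is "skipped", which is why the files have to be removed by hand afterwards.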
#4 RenatoMejias

  • Malware Response Team
  • 913 posts
  • Gender:Male

Posted 06 June 2008 - 07:07 AM

Hi,

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
Follow these instructions:
  • Open a new notepad window (Start>All Programs>Accessories>Notepad)
  • Copy & paste the contents of the following codebox into the notepad window
    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\747fc238]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM774cf1a4]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
  • Click File > Save as
  • In the box labelled File name copy and paste cleanup.reg
  • Change Save as type to All Files
  • Save it to your desktop
  • Close the notepad window
  • Right click on cleanup.reg and click Merge
  • If windows tells you that it needs your permission to continue, click Continue
  • When asked Are you sure you want to continue?, click Yes
  • When told that The keys and values contained in C:\users\username\desktop\cleanup.reg have been successfully added to the registry, click OK
Next,

Please set your system to show All Files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Using Windows Explorer, delete the following files/folders in red (Do not be concerned if they do not exist)

C:\Users\Edward\Downloads\Omicron Vista\Nero 8 Ultra Edition 8.2.8.0_(+ Keygen!)\Nero 8_Keygen.EXE <--this file
C:\Users\Edward\Downloads\Omicron Vista\Nero 8 Ultra Edition 8.2.8.0_(+ Keygen!)\Nero-8.2.8.0-eng.exe <--this file
C:\Windows\System32\geBUKecb.dll <--this file

After that, please clean out your recycle bin.

Reboot your computer into normal Windows. Run Deckard's System Scanner and post a new log.
Renato Victor Mejias
Malware help in portuguese

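The four keys deleted by the cleanup.reg file in the reply above are the startupreg entries from the Deckard's System Scanner dump whose command is rundll32 loading a DLL out of the user's Temp directory. The following is an added example (not part of the reply and not something Deckard's scanner or HijackThis does) that applies that rule to the dump mechanically: it parses the `[HKEY_...]` sections, keeps only those under `\msconfig\startupreg\`, flags any command that runs a DLL or program from a Temp directory, and emits the same REGEDIT4 deletion file. The sample is copied from the dump earlier in this thread; the rule itself, and the function names, are this example's assumptions. One caveat worth keeping in mind: the startupreg key is where msconfig stores startup items that have been unchecked on its Startup tab, so deleting these keys stops the entries from being re-enabled there; the HijackThis O4 lines in the same log are the place to confirm that nothing equivalent is still active, and the DLLs in Temp still have to be removed.

```python
"""Flag msconfig startupreg entries that launch a DLL out of a Temp directory, and
emit the REGEDIT4 file that deletes them.

Added example (not part of the forum post). The sample below is copied from the
Deckard's System Scanner dump earlier in this thread; the detection rule is an
assumption of this example, not something the scanner does itself.
"""
import re
from typing import Optional

SECTION_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
STARTUPREG_MARK = "\\msconfig\\startupreg\\"
# rundll32 <dll>,<export>, with or without quotes around the DLL path
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*(?:,|$)', re.I)
# per-user temp directories on XP (Local Settings\Temp) and Vista+ (AppData\Local\Temp)
TEMP_RE = re.compile(r"\\(?:Local Settings\\)?Temp\\|%TEMP%|%TMP%", re.I)


def parse_startupreg(dump: str) -> dict:
    """Map each startupreg key to the command line recorded under it.

    startupfolder sections (path=/backup= lines) and anything else are skipped.
    """
    entries = {}
    key = None
    for raw in dump.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            key = m["key"] if STARTUPREG_MARK.lower() in m["key"].lower() else None
        elif key and line and key not in entries:
            entries[key] = line          # first non-empty line after the header
    return entries


def flag_entry(command: str) -> Optional[str]:
    """Return a reason if the autostart command looks like a dropped component."""
    m = RUNDLL_RE.search(command)
    if m and TEMP_RE.search(m["dll"]):
        return "rundll32 loads a DLL from a Temp directory"
    if TEMP_RE.search(command):
        return "autostart runs a program from a Temp directory"
    return None


def find_suspicious(entries: dict) -> dict:
    """Keep only the flagged entries, as key -> (command, reason)."""
    return {key: (cmd, reason) for key, cmd in entries.items() if (reason := flag_entry(cmd))}


def make_cleanup_reg(keys) -> str:
    """Build a REGEDIT4 file; a leading '-' on a key name deletes that key on merge."""
    return "REGEDIT4\n\n" + "".join(f"[-{key}]\n" for key in sorted(keys))


# Constructed sample: a subset of the msconfig sections from the DSS dump above.
SAMPLE_DSS = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Avvenu Connector.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Avvenu Connector.lnk
backup=C:\Windows\pss\Avvenu Connector.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\747fc238]
rundll32.exe "C:\Users\Edward\AppData\Local\Temp\kwkxvgmb.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM774cf1a4]
Rundll32.exe "C:\Users\Edward\AppData\Local\Temp\nsebinyp.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
rundll32.exe C:\Users\Edward\AppData\Local\Temp\efcCUmjj.dll,c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
rundll32.exe C:\Users\Edward\AppData\Local\Temp\wvUkKETN.dll,#1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

if __name__ == "__main__":
    suspicious = find_suspicious(parse_startupreg(SAMPLE_DSS))
    for key, (cmd, reason) in suspicious.items():
        print(f"{reason}: {key}\n    {cmd}")
    print(make_cleanup_reg(suspicious))
```

Run as a script it prints the four flagged keys with their reasons and then the REGEDIT4 text, which should match the codebox in the reply above line for line apart from ordering. The rule is deliberately narrow (a DLL or program under a Temp directory); a random-looking key name such as 747fc238 or BM774cf1a4 is a further hint but is not used as a signal here, since legitimate vendors also register opaque names.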
#5 Yashii

  • Topic Starter
  • Members
  • 5 posts
  • Gender:Male
  • Location:Juneau, AK

Posted 06 June 2008 - 12:55 PM

Here is the new Deckard Log. Again, thanks for your help with this.




Deckard's System Scanner v20071014.68
Run by Edward on 2008-06-06 09:44:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 1023 MiB (1024 MiB recommended).


-- HijackThis (run as Edward.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:31 AM, on 6/6/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Edward\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Edward.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrvx86.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PskSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe

--
End of file - 9985 bytes

-- Files created between 2008-05-06 and 2008-06-06 -----------------------------

2008-06-03 11:27:17 0 d-------- C:\Users\All Users\Kaspersky Lab
2008-06-03 11:27:14 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-05-20 13:35:52 0 d-------- C:\Program Files\iDump
2008-05-13 12:55:53 0 d-------- C:\Program Files\Exact Audio Copy
2008-05-13 12:45:11 0 d-------- C:\Program Files\AviSynth 2.5
2008-05-13 12:45:06 0 d-------- C:\Program Files\Red Kawa
2008-05-10 21:43:53 0 d-------- C:\Program Files\Trend Micro
2008-05-08 14:49:02 0 d-------- C:\Windows\BDOSCAN8
2008-05-08 11:30:14 0 --a------ C:\Windows\system32\drivers\ShldDrv.sys
2008-05-08 11:29:47 0 --a------ C:\Windows\system32\drivers\AmFSM.sys
2008-05-07 20:00:07 0 d-------- C:\VundoFix Backups
2008-05-06 22:37:34 0 d-------- C:\Program Files\Palm Inc
2008-05-06 18:49:27 0 d-------- C:\Users\All Users\TiVo
2008-05-06 18:49:27 0 d-------- C:\Program Files\TiVo
2008-05-06 18:49:25 0 d-------- C:\Program Files\Common Files\TiVo Shared
2008-05-06 18:19:18 0 d-------- C:\Users\All Users\SlySoft
2008-05-06 18:12:52 0 d-------- C:\Program Files\SlySoft
2008-05-06 17:54:32 0 d-------- C:\Users\All Users\Azureus
2008-05-06 17:52:16 0 d-------- C:\Program Files\Azureus
2008-05-06 16:34:52 0 d-------- C:\Program Files\DVDFab Platinum 4
2008-05-06 16:32:15 0 d-------- C:\Program Files\ZipGenius 6
2008-05-06 14:41:00 0 d-------- C:\Program Files\Lavasoft
2008-05-06 14:40:59 0 d-------- C:\Users\All Users\Lavasoft
2008-05-06 14:39:11 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-06 13:24:23 0 d-------- C:\Program Files\Common Files\SWF Studio
2008-05-06 13:13:46 0 d-------- C:\Program Files\iPod
2008-05-06 13:13:31 0 d-------- C:\Program Files\iTunes
2008-05-06 12:59:36 0 d-------- C:\Windows\system32\appmgmt
2008-05-06 11:55:41 0 d-------- C:\Program Files\Audible
2008-05-06 10:28:28 0 --a------ C:\Windows\nsreg.dat
2008-05-06 10:00:59 0 d-------- C:\Program Files\Opera


-- Find3M Report ---------------------------------------------------------------

2008-06-06 09:40:20 12 --a------ C:\Windows\bthservsdp.dat
2008-05-18 11:36:37 38431 --a------ C:\Users\Edward\AppData\Roaming\Comma Separated Values (Windows).ADR
2008-05-18 10:30:10 267 --a------ C:\Users\Edward\AppData\Roaming\mainhst.zgh
2008-05-13 15:56:10 0 d-------- C:\Users\Edward\AppData\Roaming\CyberLink
2008-05-08 09:35:48 0 d-------- C:\Program Files\Panda Security
2008-05-06 19:38:32 0 d-------- C:\Users\Edward\AppData\Roaming\ZipGenius
2008-05-06 18:49:25 0 d-------- C:\Program Files\Common Files
2008-05-06 18:13:53 0 d-------- C:\Users\Edward\AppData\Roaming\Azureus
2008-05-06 17:15:22 0 d-------- C:\Users\Edward\AppData\Roaming\Vso
2008-05-06 16:36:02 34 --a------ C:\Users\Edward\AppData\Roaming\pcouffin.log
2008-05-06 16:35:00 7887 --a------ C:\Users\Edward\AppData\Roaming\pcouffin.cat
2008-05-06 13:11:27 0 d-------- C:\Program Files\QuickTime
2008-05-06 12:58:54 0 d-------- C:\Program Files\QuickTime Alternative
2008-05-06 10:34:50 0 d-------- C:\Users\Edward\AppData\Roaming\Adobe
2008-05-06 10:28:22 0 d-------- C:\Users\Edward\AppData\Roaming\Mozilla
2008-05-06 10:02:13 0 d-------- C:\Users\Edward\AppData\Roaming\Opera
2008-05-05 22:04:05 0 d-------- C:\Program Files\Free Internet Window Washer
2008-05-05 21:49:22 0 d-------- C:\Users\Edward\AppData\Roaming\Macromedia
2008-05-05 11:16:16 261 --a------ C:\Windows\system32\PavCPL.dat
2008-05-05 11:12:19 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-04 22:39:18 0 d-------- C:\Program Files\Common Files\Panda Software
2008-05-04 21:52:40 0 d-------- C:\Program Files\Palm
2008-05-04 20:41:49 0 d-------- C:\Users\Edward\AppData\Roaming\HotSync
2008-05-04 20:36:39 0 d-------- C:\Program Files\Avvenu
2008-05-04 18:40:38 0 d-------- C:\Users\Edward\AppData\Roaming\Leadertech
2008-05-04 17:07:45 0 d-------- C:\Users\Edward\AppData\Roaming\DVD Shrink
2008-05-04 16:57:03 0 d-------- C:\Program Files\Real Alternative
2008-05-04 16:56:58 0 d-------- C:\Users\Edward\AppData\Roaming\Real
2008-05-04 16:42:36 0 d-------- C:\Program Files\Common Files\Remote Control Software Common
2008-05-04 16:41:38 0 d-------- C:\Program Files\Logitech
2008-05-04 16:40:43 0 d-------- C:\Program Files\Common Files\Remote Control USB Driver
2008-05-04 16:39:44 0 d-------- C:\Users\Edward\AppData\Roaming\InstallShield
2008-05-04 16:29:18 0 d-------- C:\Program Files\Media Player Classic
2008-05-04 16:23:57 0 d-------- C:\Program Files\WinAVI Video Converter 9.0
2008-05-04 16:21:42 0 d-------- C:\Program Files\VideoReDoPlus
2008-05-04 16:18:27 0 d-------- C:\Users\Edward\AppData\Roaming\VideoReDoPlus
2008-05-04 16:07:13 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-04 15:47:03 0 d-------- C:\Program Files\CyberLink
2008-05-04 00:07:40 0 d-------- C:\Program Files\Windows Mail
2008-05-04 00:07:40 0 d-------- C:\Program Files\Microsoft Games
2008-05-03 22:58:53 0 d-------- C:\Program Files\Sigmatel
2008-05-03 22:32:18 0 d-------- C:\Program Files\MSXML 4.0
2008-05-03 21:04:51 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-03 18:59:51 0 d-------- C:\Program Files\Quicken
2008-05-03 18:57:24 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-03 18:56:33 0 d-------- C:\Users\Edward\AppData\Roaming\Intuit
2008-05-03 18:56:16 0 d-------- C:\Program Files\Common Files\Palo Alto Software
2008-05-03 18:55:59 0 d-------- C:\Program Files\Common Files\Intuit
2008-05-03 18:21:28 0 d-------- C:\Program Files\Apple Software Update
2008-05-03 18:13:09 0 d-------- C:\Users\Edward\AppData\Roaming\Apple Computer
2008-05-03 18:11:53 0 d-------- C:\Program Files\Bonjour
2008-05-03 18:09:26 0 d-------- C:\Program Files\Common Files\Apple
2008-05-03 18:06:45 0 d-------- C:\Users\Edward\AppData\Roaming\vlc
2008-05-03 18:06:13 0 d-------- C:\Program Files\VideoLAN
2008-05-03 17:39:49 0 d-------- C:\Program Files\MagicISO
2008-05-03 17:27:39 0 d-------- C:\Program Files\Microsoft Expression
2008-05-03 16:25:20 0 d-------- C:\Program Files\PowerISO
2008-05-03 16:03:05 0 d-------- C:\Users\Edward\AppData\Roaming\Nero
2008-05-03 16:01:43 0 d-------- C:\Program Files\Common Files\Nero
2008-05-03 16:00:38 0 d-------- C:\Program Files\Nero
2008-05-03 15:33:34 0 d-------- C:\Users\Edward\AppData\Roaming\DAEMON Tools
2008-05-03 14:47:22 0 d-------- C:\Program Files\Microsoft Works
2008-05-03 14:47:03 0 d-------- C:\Program Files\MSBuild
2008-05-03 14:45:31 0 d-------- C:\Program Files\Microsoft.NET
2008-05-03 14:42:12 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-03 13:42:43 0 d-------- C:\Users\Edward\AppData\Roaming\Arcsoft
2008-05-03 13:16:31 0 d-------- C:\Users\Edward\AppData\Roaming\Identities
2008-05-03 12:04:40 174 --ahs---- C:\Program Files\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [07/11/2007 07:26 AM]
"@"="" []
"MSConfig"="C:\Windows\system32\msconfig.exe" [11/02/2006 01:45 AM]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.exe" [07/23/2007 06:30 PM]
"SCANINICIO"="C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe" [07/11/2007 03:17 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"Windows Mobile-based device management"="%windir%\WindowsMobile\wmdSync.exe" []
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [09/28/2006 11:21 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/08/2008 02:33 PM]
"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [04/04/2008 10:54 AM]
"TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" [04/04/2008 10:54 AM]
"TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [04/04/2008 10:56 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 04:33 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 02/15/2007 08:02 PM 50736 C:\Windows\System32\avldr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Avvenu Connector.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Avvenu Connector.lnk
backup=C:\Windows\pss\Avvenu Connector.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\Windows\pss\HotSync Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Edward^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Users\Edward\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\Windows\pss\HotSync Manager.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Avvenu Access n Share Update]
"C:\Program Files\Avvenu\Avvenu_updater.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Internet Window Washer]
C:\PROGRA~1\FREEIN~1\Clearpch.exe -Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotSync]
"C:\Program Files\Palm\Hotsync.exe" -AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\wd_windows_tools\WDEULA.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04cee04f-1956-11dd-a689-0016411c7960}]
AutoRun\command- H:\wd_windows_tools\WDEULA.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04cee057-1956-11dd-a689-0016411c7960}]
AutoRun\command- I:\SETUP.EXE
configure\command- I:\SETUP.EXE
install\command- I:\SETUP.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-06 09:44:55 ------------

#6 RenatoMejias (Malware Response Team)

Posted 07 June 2008 - 09:17 AM

Hi,

You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints. You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue. Just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
  • Follow the instructions here for Windows Vista to disable and then reenable system restore in order to clear old restore points:
    http://www.pchell.com/virus/systemrestore.shtml
    Note: only do this once, and not on a regular basis
  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir
    Two good paid-for antivirus programs are NOD32 and Bitdefender
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector. I suggest that you run it at least once a month.
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here
    You can download SpywareBlaster from here
  • Install and use Spybot Search & Destroy
    Instructions are located here
    Make sure you update, reimmunize & scan regularly
  • Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Windows includes a HOSTS file. A HOSTS file is a bit like a phone book: it points from the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in. To enable the HOSTS file in Spybot Search & Destroy:
    • Run Spybot Search & Destroy
    • Click on Mode, and then place a tick next to Advanced mode
    • Click Yes
    • In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
    • Click on Add Spybot-S&D hosts list
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  • Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers
  • Finally, I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date

Renato Victor Mejias
Malware help in Portuguese

#7 Yashii (Topic Starter)

Posted 07 June 2008 - 07:49 PM

Thank you very much for your help and I will implement your suggestions.

#8 don77 (Forum Regular)

Posted 17 June 2008 - 09:40 PM

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.



