18 Viruses Found! Trojan Downloader Win 32, Virtumonde


32 replies to this topic

#1 trailcreek

Posted 06 June 2008 - 07:28 PM

When searching on Yahoo, several additional windows open with pop-ups, car ads, porn sites and t-shirt ads, and the system freezes.

Deckard's Scan main:
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-06 16:44:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 84% (more than 75%).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:22 PM, on 6/6/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\TELUS\TELUS eProtect\Fws.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\TapeWare\TWWINSDR.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\System32\RPSCServerLicense.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\winnt\system32\jnwnw64n.exe
C:\WINNT\system32\mcntpkdm.exe
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\Program Files\TELUS\TELUS eProtect\Rps.exe
C:\WINNT\System32\Rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MBOLS~1\msconfig.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\TELUS\eProtect Advisor\TEPAComHandler.exe
C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\administrator\Desktop\dss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weatheroffice.ec.gc.ca/city/pag...1_metric_e.html
O2 - BHO: gooochi browser optimizer - {1ade9a44-4986-762a-19ca-193008a0eda8} - C:\WINNT\system32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS eProtect\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {56C851E7-DDB9-439D-A491-FA0F549A9295} - C:\WINNT\system32\xxywWoNH.dll
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - C:\WINNT\system32\mysidesearch_sidebar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: {f3d150d7-2f4c-0249-ff74-93dcfe1a7a1b} - {b1a7a1ef-cd39-47ff-9420-c4f27d051d3f} - C:\WINNT\system32\dqbvmojr.dll
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINNT\system32\geBstsrs.dll
O2 - BHO: (no name) - {FA479F38-51D9-5D05-FF4F-0BA291EE4CC5} - C:\WINNT\system32\iggwj.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [RPCSLicServer] C:\WINNT\System32\RPSCServerLicense.exe /R2P1S9C6
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINNT\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [{36-6D-D5-5D-DW}] C:\winnt\system32\jnwnw64n.exe DWram
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINNT\system32\mcntpkdm.exe DWram
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TELUS eProtect] "C:\Program Files\TELUS\TELUS eProtect\Rps.exe"
O4 - HKLM\..\Run: [PPRT] C:\Program Files\CA\PPRT\bin\ITMRTSVC_Logon.exe
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\TELUS\TELUS eProtect\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [{2fe16a0a-a354-7dbd-8da8-57d1604df162}] C:\WINNT\System32\Rundll32.exe "C:\WINNT\system32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll" DllStart
O4 - HKLM\..\Run: [BM5f805e6e] Rundll32.exe "C:\WINNT\system32\gnacdvum.dll",s
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\TELUS\TELUS eProtect\IdxClnR.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Tctp] "C:\PROGRA~1\MBOLS~1\msconfig.exe" -vt yazb
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\TELUS\TELUS eProtect\IdxClnR.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINNT\system32\mcntpkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINNT\system32\jnwnw64n.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Hearts - http://download2.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O20 - Winlogon Notify: geBstsrs - C:\WINNT\SYSTEM32\geBstsrs.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\dXNlcjE\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: TELUS eProtect Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
O23 - Service: TELUS eProtect Firewall (RP_FWS) - TELUS - C:\Program Files\TELUS\TELUS eProtect\Fws.exe
O23 - Service: TapeWare - Unknown owner - C:\Program Files\TapeWare\TWWINSDR.EXE

--
End of file - 7348 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Vmodem (W2k Vmodem) - c:\winnt\system32\drivers\vmodem.sys <Not Verified; PCTEL, INC.; HSP Modem Modem Device>
R0 Vpctcom (W2k Vpctcom) - c:\winnt\system32\drivers\vpctcom.sys <Not Verified; PCtel, Inc.; HSP Modem Virtual Control Device>
R0 Vvoice (W2k Vvoice) - c:\winnt\system32\drivers\vvoice.sys <Not Verified; PCtel, Inc.; PCTEL HSP Modem Voice Device>
R1 StarOpen - c:\winnt\system32\drivers\staropen.sys
R2 hardlock - c:\winnt\system32\drivers\hardlock.sys <Not Verified; Aladdin Knowledge Systems; Hardlock Device Driver for Windows NT>
R2 Haspnt - c:\winnt\system32\drivers\haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
R3 Ptserial (W2K Pctel Serial Device Driver) - c:\winnt\system32\drivers\ptserial.sys <Not Verified; PCTEL, INC.; HSP Modem Serial Device>
R3 RPPKT (Radialpoint Filter (x86)) - c:\winnt\system32\drivers\rp_pkt32.sys <Not Verified; Radialpoint, Inc.; Radialpoint 6.0.0>

S3 vsdatant - c:\winnt\system32\vsdatant.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 TapeWare - c:\program files\tapeware\twwinsdr.exe

S2 cmdService (Command Service) - c:\winnt\dxnlcje\command.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-05-06 and 2008-06-06 -----------------------------

2165-11-23 18:09:59 0 d-------- C:\Program Files\ahead
2165-11-23 17:48:53 0 d-------- C:\Program Files\SiSLan
2165-11-23 17:46:56 0 d-------- C:\WINNT\system32\Tools
2165-11-23 17:46:50 0 d-------- C:\Program Files\Common Files\InstallShield
2165-11-23 17:42:53 1369702 ---h----- C:\WINNT\ShellIconCache
2165-11-23 17:41:19 0 d--hs---- C:\WINNT\Installer
2165-11-23 17:41:18 0 d-------- C:\Documents and Settings\user1\Application Data\Identities
2165-11-23 17:41:07 0 d-------- C:\WINNT\system32\NtmsData
2165-11-23 17:41:05 0 d--h----- C:\WINNT\system32\GroupPolicy
2165-11-23 17:41:04 0 d--h----- C:\Documents and Settings\user1\Templates
2165-11-23 17:41:04 0 d-------- C:\Documents and Settings\user1\Start Menu
2165-11-23 17:41:04 0 d--h----- C:\Documents and Settings\user1\SendTo
2165-11-23 17:41:04 0 dr-h----- C:\Documents and Settings\user1\Recent
2165-11-23 17:41:04 0 d--h----- C:\Documents and Settings\user1\PrintHood
2165-11-23 17:41:04 274432 --ah----- C:\Documents and Settings\user1\NTUSER.DAT
2165-11-23 17:41:04 0 d--h----- C:\Documents and Settings\user1\NetHood
2165-11-23 17:41:04 0 d-------- C:\Documents and Settings\user1\My Documents
2165-11-23 17:41:04 0 d--h----- C:\Documents and Settings\user1\Local Settings
2165-11-23 17:41:04 0 dr------- C:\Documents and Settings\user1\Favorites
2165-11-23 17:41:04 0 d-------- C:\Documents and Settings\user1\Desktop
2165-11-23 17:41:04 0 d---s---- C:\Documents and Settings\user1\Cookies
2165-11-23 17:41:04 0 d--h----- C:\Documents and Settings\user1\Application Data
2165-11-23 17:41:04 0 d---s---- C:\Documents and Settings\user1\Application Data\Microsoft
2165-11-23 17:41:03 0 d--hs---- C:\WINNT\CSC
2165-11-23 17:40:26 0 d--hs---- C:\System Volume Information
2165-11-23 17:35:04 0 d-------- C:\WINNT\system32\rpcproxy
2165-11-23 17:35:04 0 d-------- C:\WINNT\system32\rocket
2165-11-23 17:35:04 0 d-------- C:\WINNT\system32\inetsrv
2165-11-23 17:35:04 0 d-------- C:\WINNT\mww32
2165-11-23 17:35:04 0 d-------- C:\WINNT\ime
2165-11-23 17:35:04 0 d-------- C:\Program Files\microsoft frontpage
2165-11-23 17:34:42 118784 ---h----- C:\Documents and Settings\Default User.WINNT\NTUSER.DAT
2165-11-23 17:34:13 0 -rahs---- C:\MSDOS.SYS
2165-11-23 17:34:13 0 -rahs---- C:\IO.SYS
2165-11-23 17:34:13 0 ---h----- C:\CONFIG.SYS
2165-11-23 17:34:13 0 ---h----- C:\AUTOEXEC.BAT
2165-11-23 17:33:42 0 d---s---- C:\Documents and Settings\Default User.WINNT\Application Data\Microsoft
2165-11-23 17:23:32 0 d--hs---- C:\Documents and Settings\All Users.WINNT\DRM
2165-11-23 17:02:29 0 d--hs---- C:\Documents and Settings\All Users\DRM
2165-11-23 17:02:24 0 dr------- C:\WINNT\Offline Web Pages
2165-11-23 17:02:24 0 d---s---- C:\WINNT\Downloaded Program Files
2165-11-23 17:02:03 0 d-a-s---- C:\WINNT\Tasks
2165-11-23 17:01:37 15012 --a------ C:\WINNT\system32\emptyregdb.dat
2165-11-23 17:00:53 0 d-------- C:\WINNT\Registration
2165-11-23 17:00:34 0 d-------- C:\WINNT\system32\DTCLog
2165-11-23 09:19:53 0 d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Microsoft
2165-11-23 09:12:36 0 d--h----- C:\Documents and Settings\Default User.WINNT\Templates
2165-11-23 09:12:36 0 d-------- C:\Documents and Settings\Default User.WINNT\Start Menu
2165-11-23 09:12:36 0 d--h----- C:\Documents and Settings\Default User.WINNT\SendTo
2165-11-23 09:12:36 0 d--h----- C:\Documents and Settings\Default User.WINNT\Recent
2165-11-23 09:12:36 0 d--h----- C:\Documents and Settings\Default User.WINNT\PrintHood
2165-11-23 09:12:36 0 d--h----- C:\Documents and Settings\Default User.WINNT\NetHood
2165-11-23 09:12:36 0 d-------- C:\Documents and Settings\Default User.WINNT\My Documents
2165-11-23 09:12:36 0 d--h----- C:\Documents and Settings\Default User.WINNT\Local Settings
2165-11-23 09:12:36 0 d-------- C:\Documents and Settings\Default User.WINNT\Favorites
2165-11-23 09:12:36 0 d-------- C:\Documents and Settings\Default User.WINNT\Desktop
2165-11-23 09:12:36 0 d---s---- C:\Documents and Settings\Default User.WINNT\Cookies
2165-11-23 09:12:36 0 d--h----- C:\Documents and Settings\Default User.WINNT\Application Data
2165-11-23 09:12:36 0 d--h----- C:\Documents and Settings\All Users.WINNT\Templates
2165-11-23 09:12:36 0 d-------- C:\Documents and Settings\All Users.WINNT\Start Menu
2165-11-23 09:12:36 0 d-------- C:\Documents and Settings\All Users.WINNT\Favorites
2165-11-23 09:12:36 0 d-a------ C:\Documents and Settings\All Users.WINNT\Documents
2165-11-23 09:12:36 0 d-------- C:\Documents and Settings\All Users.WINNT\Desktop
2165-11-23 09:12:36 0 d-ah----- C:\Documents and Settings\All Users.WINNT\Application Data
2165-11-23 09:00:06 0 d-a------ C:\Program Files\Accessories
2165-11-23 09:00:01 0 d-a------ C:\Program Files\Windows NT
2165-11-23 08:59:59 0 d-a------ C:\WINNT\system32\Com
2165-11-23 08:58:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft
2165-11-23 08:53:31 0 d-a------ C:\Program Files\Common Files\ODBC
2165-11-23 08:53:28 0 d-a------ C:\WINNT\Speech
2165-11-23 08:53:27 0 d-a------ C:\Program Files\Common Files
2165-11-23 08:53:26 0 dra------ C:\Program Files
2165-11-23 08:53:16 0 d--h----- C:\Documents and Settings\Default User\Templates
2165-11-23 08:53:16 0 d-------- C:\Documents and Settings\Default User\Start Menu
2165-11-23 08:53:16 0 d--h----- C:\Documents and Settings\Default User\SendTo
2165-11-23 08:53:16 0 d--h----- C:\Documents and Settings\Default User\Recent
2165-11-23 08:53:16 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2165-11-23 08:53:16 0 d--h----- C:\Documents and Settings\Default User\NetHood
2165-11-23 08:53:16 0 d-------- C:\Documents and Settings\Default User\My Documents
2165-11-23 08:53:16 0 d--h----- C:\Documents and Settings\Default User\Local Settings
2165-11-23 08:53:16 0 d-------- C:\Documents and Settings\Default User\Favorites
2165-11-23 08:53:16 0 d-------- C:\Documents and Settings\Default User\Desktop
2165-11-23 08:53:16 0 d--h----- C:\Documents and Settings\Default User\Cookies
2165-11-23 08:53:16 0 d--h----- C:\Documents and Settings\Default User\Application Data
2165-11-23 08:53:16 0 d--h----- C:\Documents and Settings\All Users\Templates
2165-11-23 08:53:16 0 d-------- C:\Documents and Settings\All Users\Start Menu
2165-11-23 08:53:16 0 d-------- C:\Documents and Settings\All Users\Favorites
2165-11-23 08:53:16 0 d-a------ C:\Documents and Settings\All Users\Documents
2165-11-23 08:53:16 0 d-------- C:\Documents and Settings\All Users\Desktop
2165-11-23 08:53:16 0 d-ah----- C:\Documents and Settings\All Users\Application Data
2165-11-23 08:53:07 0 d-a------ C:\WINNT\system32\CatRoot
2165-11-23 08:52:49 0 d-a------ C:\Documents and Settings
2008-06-06 16:45:27 0 d-------- C:\Program Files\Trend Micro
2008-06-06 16:25:57 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4f0.dat
2008-06-06 14:34:03 0 d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Kaspersky Lab
2008-06-06 14:33:53 0 d-------- C:\WINNT\system32\Kaspersky Lab
2008-06-06 10:47:48 2560 --a------ C:\WINNT\system32\vulraojv.exe
2008-06-05 16:00:27 0 d-------- C:\Program Files\CCleaner
2008-06-05 15:25:10 49177 --a------ C:\WINNT\system32\jnwnw64n.exe <Not Verified; ; Browser Driver>
2008-06-05 14:49:54 60928 --a------ C:\WINNT\system32\iggwj.dll
2008-06-05 14:46:06 52736 --a------ C:\WINNT\system32\awtrRLFU.dll
2008-06-05 14:39:39 41723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2008-06-05 14:39:05 52736 --a------ C:\WINNT\system32\hgGaxvvw.dll
2008-06-05 14:19:00 200777 --a------ C:\WINNT\system32\kcntokdm.exe
2008-06-05 14:18:53 401975 --a------ C:\WINNT\system32\g45.exe
2008-06-05 13:45:16 0 d-------- C:\Program Files\Common Files\Authentium
2008-06-05 13:43:58 0 d-------- C:\Program Files\Raxco
2008-06-05 13:43:58 0 d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Raxco
2008-06-05 13:42:50 0 d-------- C:\Program Files\CA
2008-06-05 13:42:08 0 d-------- C:\Program Files\Common Files\Scanner
2008-06-05 13:37:05 0 d-------- C:\Documents and Settings\administrator\Application Data\TELUS
2008-06-05 13:36:05 0 d-------- C:\Program Files\TELUS
2008-06-05 13:34:32 0 d-------- C:\Documents and Settings\All Users.WINNT\Application Data\TELUS
2008-06-05 13:33:54 0 d-------- C:\Documents and Settings\administrator\Application Data\InstallShield
2008-06-05 13:07:25 52736 --a------ C:\WINNT\system32\wvUkIXnl.dll
2008-06-05 13:05:11 52736 --a------ C:\WINNT\system32\mlJBSjgg.dll
2008-06-05 13:03:12 52736 --a------ C:\WINNT\system32\wvUnOGvu.dll
2008-06-05 11:51:40 401974 --a------ C:\WINNT\system32\g94.exe
2008-06-05 11:06:13 0 d-------- C:\Documents and Settings\Default User.WINNT\Application Data\Google
2008-06-05 09:58:54 2560 --a------ C:\WINNT\system32\srwcqegq.exe
2008-06-05 09:56:08 134144 --a------ C:\WINNT\system32\dqbvmojr.dll
2008-06-05 09:55:50 126976 --a------ C:\WINNT\system32\gnacdvum.dll
2008-06-05 09:53:38 49175 --a------ C:\WINNT\system32\jownw64o.exe <Not Verified; ; Browser Driver>
2008-06-05 01:03:58 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_268.dat
2008-06-05 01:03:44 458575 --ahs---- C:\WINNT\system32\HNoWwyxx.ini2
2008-06-05 01:03:26 373248 --a------ C:\WINNT\system32\xxywWoNH.dll
2008-06-05 01:02:40 0 d-------- C:\Program Files\AntiSpywareMaster
2008-06-05 01:02:09 52736 --a------ C:\WINNT\system32\mlJBUMGv.dll
2008-06-05 01:00:39 52736 --a------ C:\WINNT\system32\vtUkkhEU.dll
2008-06-05 01:00:34 860 --a------ C:\WINNT\system32\winpfz33.sys
2008-06-05 01:00:20 88961 --a------ C:\WINNT\system32\mysidesearch_sidebar_uninstall.exe
2008-06-05 01:00:01 200775 --a------ C:\WINNT\system32\mcntpkdm.exe
2008-06-05 00:59:59 298307 --a------ C:\WINNT\system32\gside.exe
2008-06-05 00:59:38 0 d-------- C:\Documents and Settings\Default User.WINNT\Application Data\NetMon
2008-06-05 00:59:31 41984 --a------ C:\WINNT\17PHolmes1000106.exe
2008-06-05 00:59:30 0 d-------- C:\Program Files\Network Monitor
2008-06-05 00:59:29 0 d--hs---- C:\WINNT\dXNlcjE
2008-06-05 00:59:26 49171 --a------ C:\WINNT\system32\rwwnw64d.exe <Not Verified; ; Browser Driver>
2008-06-05 00:59:18 0 d-------- C:\WINNT\system32\ske
2008-06-05 00:59:18 0 d-------- C:\WINNT\system32\ISA
2008-06-05 00:59:18 0 d-------- C:\WINNT\system32\b3
2008-06-05 00:58:50 0 d-------- C:\Program Files\Outerinfo
2008-06-05 00:58:48 41984 --a------ C:\WINNT\17PHolmes572.exe
2008-06-05 00:58:32 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2f0.dat
2008-06-05 00:58:31 0 d-------- C:\Program Files\??mbols
2008-06-05 00:58:13 52736 --a------ C:\WINNT\system32\geBstsrs.dll
2008-06-05 00:58:12 0 d-------- C:\WINNT\system32\vntiho01
2008-06-02 11:48:55 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_334.dat
2008-05-27 06:31:40 370688 --a------ C:\WINNT\system32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll
2008-05-24 19:03:06 0 d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-06-05 13:34:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-05 00:58:31 0 d-------- C:\Program Files\??mbols
2008-05-24 19:01:47 0 d-------- C:\Documents and Settings\administrator\Application Data\AdobeUM
2008-05-05 09:24:34 330752 --a------ C:\WINNT\system32\_{66670039-904a-7bc7-d7a3-5a12acd59499}.dll
2008-04-21 12:47:39 0 d-------- C:\Documents and Settings\administrator\Application Data\Adobe
2008-03-27 08:35:26 333824 --a------ C:\WINNT\system32\mysidesearch_sidebar.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1ade9a44-4986-762a-19ca-193008a0eda8}]
05/27/08 06:31a 370688 --a------ C:\WINNT\system32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56C851E7-DDB9-439D-A491-FA0F549A9295}]
06/05/08 01:03a 373248 --a------ C:\WINNT\system32\xxywWoNH.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9506910A-0F94-4ea1-B567-7070428B8B2B}]
03/27/08 08:35a 333824 --a------ C:\WINNT\system32\mysidesearch_sidebar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b1a7a1ef-cd39-47ff-9420-c4f27d051d3f}]
06/05/08 09:56a 134144 --a------ C:\WINNT\system32\dqbvmojr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9DF827A-8FA7-48A3-B268-CA4DB563EA40}]
06/05/08 12:58a 52736 --a------ C:\WINNT\system32\geBstsrs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA479F38-51D9-5D05-FF4F-0BA291EE4CC5}]
05/29/08 11:34a 60928 --a------ C:\WINNT\system32\iggwj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p C:\WINNT\system32\mobsync.exe]
"Cmaudio"="cmicnfg.cpl" []
"NeroCheck"="C:\WINNT\System32\NeroCheck.exe" [03/26/02 12:44a]
"RPCSLicServer"="C:\WINNT\System32\RPSCServerLicense.exe" [05/17/02 01:02p]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [09/10/02 10:26p]
"PCTVOICE"="pctspk.exe" [07/11/02 01:49a C:\WINNT\system32\pctspk.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/24/07 12:03p]
"runner1"="C:\WINNT\mrofinu572.exe" []
"{36-6D-D5-5D-DW}"="C:\winnt\system32\jnwnw64n.exe" [06/05/08 03:25p]
"ntdll.dll"="C:\Program Files\QuickTime\qttask.exe" [05/24/07 12:03p]
"ExploreUpdSched"="C:\WINNT\system32\mcntpkdm.exe" [06/05/08 01:00a]
"TEPA.exe"="C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" [05/14/07 09:10a]
"TELUS eProtect"="C:\Program Files\TELUS\TELUS eProtect\Rps.exe" [09/13/07 04:22p]
"PPRT"="C:\Program Files\CA\PPRT\bin\ITMRTSVC_Logon.exe" [12/19/06 01:45p]
"-FreedomNeedsReboot"="C:\Program Files\TELUS\TELUS eProtect\ZkRunOnceR.exe" [09/13/07 04:22p]
"{2fe16a0a-a354-7dbd-8da8-57d1604df162}"="C:\WINNT\system32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll" [05/27/08 06:31a]
"BM5f805e6e"="C:\WINNT\system32\gnacdvum.dll" [06/05/08 09:55a]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/22/07 01:25p]
"Tctp"="C:\PROGRA~1\MBOLS~1\msconfig.exe" [06/05/08 12:58a]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\TELUS\TELUS eProtect\IdxClnR.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\TELUS\TELUS eProtect\IdxClnR.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\administrator\Start Menu\Programs\Startup\
Deewoo.lnk - C:\WINNT\system32\mcntpkdm.exe [6/5/2008 1:00:01 AM]
DW_Start.lnk - C:\WINNT\system32\jnwnw64n.exe [6/5/2008 3:25:10 PM]

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [11/17/2004 1:11:47 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 1:05:56 PM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [3/9/2006 8:03:40 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F9DF827A-8FA7-48A3-B268-CA4DB563EA40}"= C:\WINNT\system32\geBstsrs.dll [06/05/08 12:58a 52736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBstsrs]
geBstsrs.dll 06/05/08 12:58a 52736 C:\WINNT\system32\geBstsrs.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\xxywWoNH

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-06-06 16:53:25 ------------

Deckard's scan extra

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ Processor
Percentage of Memory in Use: 86%
Physical Memory (total/avail): 255.48 MiB / 35.36 MiB
Pagefile Memory (total/avail): 616.63 MiB / 282.6 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1949.56 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 28.63 GiB total, 24.91 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 2F030J0 - 28.63 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 28.63 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINNT
APPDATA=C:\Documents and Settings\administrator\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=REGISTER1
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\administrator
LOGONSERVER=\\REGISTER1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\Program Files\CA\PPRT\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 6 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0602
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=REGISTER1
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\administrator
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

user1 (admin)
staff (new local)
administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

Access Runtime --> C:\AccessRT\setup\setup.exe
Ad-aware 6 Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0 --> C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 7.0.5 Language Support --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-7050000000A7}
Adobe Reader 7.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
Adobe Shockwave Player --> C:\WINNT\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINNT\system32\Macromed\SHOCKW~1\Install.log
Authentium AntiVirus SDK - 2 --> MsiExec.exe /I{1ACE3F9D-CDA4-4F39-9605-334CF37A1579}
BroadJump Client Foundation --> C:\WINNT\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
C-Media WDM Audio Driver --> C:\WINNT\system32\cmirmdrv.exe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Create-A-Label 3 v3.04 --> C:\WINNT\IsUninst.exe -f"c:\program files\CAL304\Uninst.isu"
Deewoo Network Manager removal --> C:\WINNT\system32\kcntokdm.exe -UPop
Enhancement Browser Tools Gooochi --> C:\WINNT\system32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll-uninst.exe
Font Downloader --> C:\WINNT\uninst.exe -f"C:\Program Files\FontDown\DeIsL1.isu"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
HSP56 MR Drivers --> ptuninst.exe
Internet Explorer Q903235 --> C:\WINNT\ieuninst.exe C:\WINNT\INF\Q903235.inf
Kaspersky Online Scanner --> C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LorexClient --> MsiExec.exe /I{8794D346-9534-421A-A4DA-BD386D9341A6}
Microsoft Office 2000 Small Business --> MsiExec.exe /I{00030409-78E1-11D2-B60F-006097C998E7}
Microsoft VGX Q833989 --> C:\WINNT\vgxuninst.exe C:\WINNT\INF\Q833989.inf
MySidesearch Search Assistant Bfinding --> C:\WINNT\system32\mysidesearch_sidebar_uninstall.exe
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
Outerinfo --> "C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe"
PerfectDisk --> MsiExec.exe /I{212F5777-1190-4DEF-8E4D-6B2F313B45E7}
PPSDKRedistributables --> MsiExec.exe /I{C869F4FF-E5FF-4FBB-9A31-33C23605E170}
QuickTime --> C:\WINNT\unvise32qt.exe C:\WINNT\System32\QuickTime\Uninstall.log
RPS Ad Blocker --> MsiExec.exe /I{BAC15E33-870A-4D27-B247-999F6A735B45}
RPS AntiFraud --> MsiExec.exe /I{A642450B-A20E-420D-83F5-DF5C418C50D1}
RPS AntiSpyware --> MsiExec.exe /I{743F47C1-1194-4C70-8565-2E7A21379F4A}
RPS AntiVirus --> MsiExec.exe /I{C66F62AD-551B-428F-9183-F5802333367F}
RPS App Detector --> MsiExec.exe /I{DC626552-2C9D-4C5E-8367-22FB0C1758B0}
RPS AsRealtime --> MsiExec.exe /I{4023AAE4-E434-4028-85C5-8FF4159F7AF6}
RPS Backup --> MsiExec.exe /I{0EFED4A3-64ED-470B-A860-BFA5B470845E}
RPS Burn --> MsiExec.exe /I{E2DAC54C-1560-4F00-B7CD-E9BD89ACFAFD}
RPS Diagnostic Utility --> MsiExec.exe /I{D2E3D944-B08E-4446-B0C2-A0E66CB8A7C0}
RPS Firewall --> MsiExec.exe /I{336844B0-0CB8-4C73-80E6-383FB169BC0E}
RPS ParentalControl --> MsiExec.exe /I{AA47BB0B-933B-49DF-BE3A-17BFA60B7623}
RPS Performance Tool --> MsiExec.exe /I{760E1F3F-F2F6-47C7-B4F0-560B8ACA8999}
RPS PopupBlocker --> MsiExec.exe /I{BD6CB9F6-3AF3-49F0-BBD1-9D13495655F6}
RPS Privacy Manager --> MsiExec.exe /I{3BC4489D-686F-4D34-AD7D-DAB727CC2D85}
RPS RpsCore --> MsiExec.exe /I{5462A3AE-5D32-4613-876E-D0CD1756B6E5}
RPS Security Cleanup --> MsiExec.exe /I{78B7F1F6-9D66-4509-B216-96F4ACBBAC15}
RPS Zip --> MsiExec.exe /I{A62AE053-EB18-4EEF-9EFD-FFE5A4244ADB}
Security Update for Windows 2000 (KB904706) --> "C:\WINNT\$NtUninstallKB904706$\spuninst\spuninst.exe"
SiS 900 PCI Fast Ethernet Adapter Driver --> C:\Progra~1\SiSLan\Uninst.exe
Sports Store POS --> C:\SSPCLI~1\UNWISE.EXE C:\SSPCLI~1\INSTALL.LOG
Sports Store POS - Server --> C:\RPSCData\SSPData\UNWISE.EXE C:\RPSCData\SSPData\INSTALL.LOG
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TapeWare --> C:\Program Files\TapeWare\Setup.Exe
TELUS eProtect --> C:\Program Files\InstallShield Installation Information\{045FE8EA-F79B-4629-B680-D8E52EFCD189}\setup.exe -runfromtemp -l0x0009 -removeonly
TELUS eProtect Advisor 1.5.12 --> "C:\Program Files\TELUS\eProtect Advisor\unins000.exe"
Windows 2000 Service Pack 4 --> C:\WINNT\$NtServicePackUninstall$\spuninst\spuninst.exe
Windows Genuine Advantage v1.3.0254.0 --> MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Media Player 9 Hotfix [See KB885492 for more information] --> C:\WINNT\$NtUninstallKB885492$\spuninst\spuninst.exe
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type5592 / Error
Event Submitted/Written: 06/06/2008 04:26:57 PM
Event ID/Source: 1008 / Perflib
Event Description:
The Open Procedure for service "RSVP" in DLL "C:\WINNT\System32\rsvpperf.dll" failed.
Performance data for this service will not be available. Status code
returned is data DWORD 0.

Event Record #/Type5591 / Error
Event Submitted/Written: 06/06/2008 04:26:42 PM
Event ID/Source: 1008 / Perflib
Event Description:
The Open Procedure for service "IAS" in DLL "C:\WINNT\System32\iasperf.dll" failed.
Performance data for this service will not be available. Status code
returned is data DWORD 0.

Event Record #/Type5590 / Error
Event Submitted/Written: 06/06/2008 04:26:42 PM
Event ID/Source: 1008 / Perflib
Event Description:
The Open Procedure for service "RSVP" in DLL "C:\WINNT\System32\rsvpperf.dll" failed.
Performance data for this service will not be available. Status code
returned is data DWORD 0.

Event Record #/Type5589 / Error
Event Submitted/Written: 06/06/2008 04:26:41 PM
Event ID/Source: 1008 / Perflib
Event Description:
The Open Procedure for service "IAS" in DLL "C:\WINNT\System32\iasperf.dll" failed.
Performance data for this service will not be available. Status code
returned is data DWORD 0.

Event Record #/Type5588 / Error
Event Submitted/Written: 06/06/2008 04:26:37 PM
Event ID/Source: 1008 / Perflib
Event Description:
The Open Procedure for service "IAS" in DLL "C:\WINNT\System32\iasperf.dll" failed.
Performance data for this service will not be available. Status code
returned is data DWORD 0.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type138 / Error
Event Submitted/Written: 06/06/2008 04:27:37 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {222F1C6D-F430-4B76-B3F1-1FE92E214AD3} did not register with DCOM within the required timeout.

Event Record #/Type137 / Error
Event Submitted/Written: 06/06/2008 04:26:03 PM
Event ID/Source: 17 / Removable Storage Service
Event Description:
RSM cannot manage library Tape0. It encountered an unspecified error.
This can be caused by a number of problems including, but not limited
to, database corruption, failure communicating with the library, or
insufficient system resources.

Event Record #/Type136 / Error
Event Submitted/Written: 06/06/2008 04:25:11 PM / 06/06/2008 04:25:12 PM
Event ID/Source: 7022 / Service Control Manager
Event Description:
The TapeWare service hung on starting.

Event Record #/Type134 / Error
Event Submitted/Written: 06/06/2008 04:24:04 PM
Event ID/Source: 102 / Removable Storage Service
Event Description:
Unable to register COM class objects.

Event Record #/Type130 / Error
Event Submitted/Written: 06/06/2008 10:45:20 AM / 06/06/2008 10:45:22 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {222F1C6D-F430-4B76-B3F1-1FE92E214AD3} did not register with DCOM within the required timeout.



-- End of Deckard's System Scanner: finished at 2008-06-06 16:53:25 ------------

Kaspersky Online Scan - attached as the computer is very slow and I'm not able to

Attached Files




#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:12 PM

Posted 08 June 2008 - 12:16 AM

Hello trailcreek and welcome to BC. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt from here or here to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 trailcreek

trailcreek
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:12 AM

Posted 09 June 2008 - 09:22 PM

Hi OT,
Thanks for getting back to me so soon -- I certainly didn't expect a reply on Sunday!!! It was very slow going today, I spent 4 1/2 hours running the ATF and OTScanIt. As soon as I opened IE I started receiving messages that the antivirus software was detecting and quarantined the Virtumonde VT virus. If I restart the computer it takes a long time (20 minutes to reboot) and I have very little time to do anything on the web before the pop-ups start and the messages start again regarding the Virtumonde virus! It was impossible to get the log from OTScanIt uploaded either to this site or as an email attachment to send to another computer so I could upload it to this site. The computer just seems to hang up about 1/4 way through any searches/uploads on the net! Very frustrating!
Is it safe for me to save the file to a flashdrive and email it from my laptop or do you have any other suggestions as to how I can get that log to you?

Cheers,
Trailcreek

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:12 PM

Posted 09 June 2008 - 10:15 PM

Hi trailcreek. You could save it to your laptop and then just upload it here.

Cheers.

OT

Edited by OldTimer, 09 June 2008 - 10:16 PM.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#5 trailcreek

trailcreek
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:12 AM

Posted 10 June 2008 - 03:07 PM

Hi OT,

Attached please find the OTScanIT log.

Cheers,
trailcreek

Attached Files



#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:12 PM

Posted 10 June 2008 - 11:59 PM

Hi trailcreek. Let's see what we can do. Follow the steps below in order:

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
cmdService
Files to delete:
%commonprogramfiles%\yazzle1281oinuninstaller.exe
%programfiles%\ѕуmbols\msconfig.exe
%systemroot%\17pholmes1000106.exe
%systemroot%\17pholmes572.exe
%systemroot%\bm5f805e6e.xml
%systemroot%\dxnlcje\command.exe
%systemroot%\system32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll
%systemroot%\system32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll-uninst.exe
%systemroot%\system32\awtrrlfu.dll
%systemroot%\system32\byjghggi.ini
%systemroot%\system32\dqbvmojr.dll
%systemroot%\system32\fbetph.dll
%systemroot%\system32\g45.exe
%systemroot%\system32\g94.exe
%systemroot%\system32\gebstsrs.dll
%systemroot%\system32\gnacdvum.dll
%systemroot%\system32\gside.exe
%systemroot%\system32\hggaxvvw.dll
%systemroot%\system32\hnowwyxx.ini
%systemroot%\system32\hnowwyxx.ini2
%systemroot%\system32\htpfrghp.dll
%systemroot%\system32\jnwnw64n.exe
%systemroot%\system32\jownw64o.exe
%systemroot%\system32\jpstriqs.dll
%systemroot%\system32\kcntokdm.exe
%systemroot%\system32\mcntpkdm.exe
%systemroot%\system32\mljbsjgg.dll
%systemroot%\system32\mljbumgv.dll
%systemroot%\system32\msnav32.ax
%systemroot%\system32\mysidesearch_sidebar.dll
%systemroot%\system32\mysidesearch_sidebar_uninstall.exe
%systemroot%\system32\qchtoufh.ini
%systemroot%\system32\rbtafrrr.exe
%systemroot%\system32\rscfyexv.ini
%systemroot%\system32\rwwnw64d.exe
%systemroot%\system32\sqirtspj.ini
%systemroot%\system32\srwcqegq.exe
%systemroot%\system32\vtukkheu.dll
%systemroot%\system32\vulraojv.exe
%systemroot%\system32\winpfz33.sys
%systemroot%\system32\wvukixnl.dll
%systemroot%\system32\wvunogvu.dll
%systemroot%\system32\xxywwonh.dll
%systemroot%\system32\yeqpjghe.exe
%systemroot%\system32\zxdnt3d.cfg
%userprofile%\desktop\setup_sbd_en.exe
%userprofile%\start menu\programs\startup\deewoo.lnk
%userprofile%\start menu\programs\startup\dw_start.lnk
c:\documents and settings\all users.winnt\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users.winnt\application data\microsoft\network\downloader\qmgr1.dat
Folders to delete:
%systemroot%\dxnlcje
%systemroot%\system32\b3
%systemroot%\system32\ske
%systemroot%\system32\vntiho01

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> jnwnw64n.exe -> %SystemRoot%\system32\jnwnw64n.exe
YY -> mcntpkdm.exe -> %SystemRoot%\system32\mcntpkdm.exe
YY -> msconfig.exe -> %ProgramFiles%\ѕуmbols\msconfig.exe
[Win32 Services - Non-Microsoft Only]
YY -> (cmdService) Command Service [Win32_Own | Auto | Stopped] -> %SystemRoot%\dXNlcjE\command.exe
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> {2fe16a0a-a354-7dbd-8da8-57d1604df162} -> %SystemRoot%\system32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll [C:\WINNT\System32\Rundll32.exe "C:\WINNT\system32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll" DllStart]
YY -> {36-6D-D5-5D-DW} -> %SystemRoot%\system32\jnwnw64n.exe [C:\winnt\system32\jnwnw64n.exe DWram]
YN -> 5cb36df2 -> %SystemRoot%\system32\hfuothcq.DLL [rundll32.exe "C:\WINNT\system32\hfuothcq.dll",b]
YY -> BM5f805e6e -> %SystemRoot%\system32\gnacdvum.dll [Rundll32.exe "C:\WINNT\system32\gnacdvum.dll",s]
YY -> ExploreUpdSched -> %SystemRoot%\system32\mcntpkdm.exe [C:\WINNT\system32\mcntpkdm.exe DWram]
YN -> runner1 -> %SystemRoot%\mrofinu572.exe [C:\WINNT\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> Tctp -> %ProgramFiles%\ѕуmbols\msconfig.exe ["C:\PROGRA~1\MBOLS~1\msconfig.exe" -vt yazb]
< administrator Startup Folder > -> C:\Documents and Settings\administrator\Start Menu\Programs\Startup
YY -> %UserProfile%\Start Menu\Programs\Startup\Deewoo.lnk -> %SystemRoot%\system32\mcntpkdm.exe
YY -> %UserProfile%\Start Menu\Programs\Startup\DW_Start.lnk -> %SystemRoot%\system32\jnwnw64n.exe
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\geBstsrs.dll []
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> geBstsrs -> %SystemRoot%\system32\geBstsrs.dll
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {1ade9a44-4986-762a-19ca-193008a0eda8} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll [gooochi browser optimizer]
YY -> {41b60680-4a77-411b-aebd-b60266d2f104} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\htpfrghp.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {61140E8C-1AC3-4181-89E8-1602144C937E} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\xxywWoNH.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {9506910A-0F94-4ea1-B567-7070428B8B2B} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\mysidesearch_sidebar.dll [MySidesearch Search Assistant]
YY -> {AA17986B-57DB-0D58-FF4F-0BA291EE1AC6} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\fbetph.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\geBstsrs.dll [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YY -> {FABA076A-478A-4c32-A0A5-C774607901C2} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\mysidesearch_sidebar.dll [ADPanel]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\WINNT\system32\xxywWoNH -> %SystemRoot%\system32\xxywWoNH.dll
< BotCheck > -> 
[Files/Folders - Created Within 30 days]
NY -> awtrRLFU.dll -> %SystemRoot%\System32\awtrRLFU.dll
NY -> b3 -> %SystemRoot%\System32\b3
NY -> 6 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp
NY -> byjghggi.ini -> %SystemRoot%\System32\byjghggi.ini
NY -> dqbvmojr.dll -> %SystemRoot%\System32\dqbvmojr.dll
NY -> fbetph.dll -> %SystemRoot%\System32\fbetph.dll
NY -> g45.exe -> %SystemRoot%\System32\g45.exe
NY -> g94.exe -> %SystemRoot%\System32\g94.exe
NY -> geBstsrs.dll -> %SystemRoot%\System32\geBstsrs.dll
NY -> gnacdvum.dll -> %SystemRoot%\System32\gnacdvum.dll
NY -> gside.exe -> %SystemRoot%\System32\gside.exe
NY -> hgGaxvvw.dll -> %SystemRoot%\System32\hgGaxvvw.dll
NY -> HNoWwyxx.ini -> %SystemRoot%\System32\HNoWwyxx.ini
NY -> HNoWwyxx.ini2 -> %SystemRoot%\System32\HNoWwyxx.ini2
NY -> htpfrghp.dll -> %SystemRoot%\System32\htpfrghp.dll
NY -> jnwnw64n.exe -> %SystemRoot%\System32\jnwnw64n.exe
NY -> jownw64o.exe -> %SystemRoot%\System32\jownw64o.exe
NY -> jpstriqs.dll -> %SystemRoot%\System32\jpstriqs.dll
NY -> kcntokdm.exe -> %SystemRoot%\System32\kcntokdm.exe
NY -> mcntpkdm.exe -> %SystemRoot%\System32\mcntpkdm.exe
NY -> mlJBSjgg.dll -> %SystemRoot%\System32\mlJBSjgg.dll
NY -> mlJBUMGv.dll -> %SystemRoot%\System32\mlJBUMGv.dll
NY -> msnav32.ax -> %SystemRoot%\System32\msnav32.ax
NY -> mysidesearch_sidebar_uninstall.exe -> %SystemRoot%\System32\mysidesearch_sidebar_uninstall.exe
NY -> qchtoufh.ini -> %SystemRoot%\System32\qchtoufh.ini
NY -> rbtafrrr.exe -> %SystemRoot%\System32\rbtafrrr.exe
NY -> rscfyexv.ini -> %SystemRoot%\System32\rscfyexv.ini
NY -> rwwnw64d.exe -> %SystemRoot%\System32\rwwnw64d.exe
NY -> ske -> %SystemRoot%\System32\ske
NY -> sqirtspj.ini -> %SystemRoot%\System32\sqirtspj.ini
NY -> srwcqegq.exe -> %SystemRoot%\System32\srwcqegq.exe
NY -> vntiho01 -> %SystemRoot%\System32\vntiho01
NY -> vtUkkhEU.dll -> %SystemRoot%\System32\vtUkkhEU.dll
NY -> vulraojv.exe -> %SystemRoot%\System32\vulraojv.exe
NY -> winpfz33.sys -> %SystemRoot%\System32\winpfz33.sys
NY -> wvUkIXnl.dll -> %SystemRoot%\System32\wvUkIXnl.dll
NY -> wvUnOGvu.dll -> %SystemRoot%\System32\wvUnOGvu.dll
NY -> xxywWoNH.dll -> %SystemRoot%\System32\xxywWoNH.dll
NY -> yeqpjghe.exe -> %SystemRoot%\System32\yeqpjghe.exe
NY -> zxdnt3d.cfg -> %SystemRoot%\System32\zxdnt3d.cfg
NY -> {66670039-904a-7bc7-d7a3-5a12acd59499}.dll -> %SystemRoot%\System32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll
NY -> {66670039-904a-7bc7-d7a3-5a12acd59499}.dll-uninst.exe -> %SystemRoot%\System32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll-uninst.exe
NY -> 17PHolmes1000106.exe -> %SystemRoot%\17PHolmes1000106.exe
NY -> 17PHolmes572.exe -> %SystemRoot%\17PHolmes572.exe
NY -> BM5f805e6e.xml -> %SystemRoot%\BM5f805e6e.xml
NY -> 6 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp
NY -> dXNlcjE -> %SystemRoot%\dXNlcjE
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> setup_sbd_en.exe -> %UserProfile%\Desktop\setup_sbd_en.exe
NY -> Deewoo.lnk -> %UserProfile%\Start Menu\Programs\Startup\Deewoo.lnk
NY -> DW_Start.lnk -> %UserProfile%\Start Menu\Programs\Startup\DW_Start.lnk
NY -> Yazzle1281OinUninstaller.exe -> %CommonProgramFiles%\Yazzle1281OinUninstaller.exe
NY -> ??mbols -> %ProgramFiles%\ѕуmbols
[Files/Folders - Modified Within 30 days]
NY -> awtrRLFU.dll -> %SystemRoot%\System32\awtrRLFU.dll
NY -> b3 -> %SystemRoot%\System32\b3
NY -> 6 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp
NY -> byjghggi.ini -> %SystemRoot%\System32\byjghggi.ini
NY -> dqbvmojr.dll -> %SystemRoot%\System32\dqbvmojr.dll
NY -> fbetph.dll -> %SystemRoot%\System32\fbetph.dll
NY -> g45.exe -> %SystemRoot%\System32\g45.exe
NY -> g94.exe -> %SystemRoot%\System32\g94.exe
NY -> geBstsrs.dll -> %SystemRoot%\System32\geBstsrs.dll
NY -> gnacdvum.dll -> %SystemRoot%\System32\gnacdvum.dll
NY -> gside.exe -> %SystemRoot%\System32\gside.exe
NY -> hgGaxvvw.dll -> %SystemRoot%\System32\hgGaxvvw.dll
NY -> HNoWwyxx.ini -> %SystemRoot%\System32\HNoWwyxx.ini
NY -> HNoWwyxx.ini2 -> %SystemRoot%\System32\HNoWwyxx.ini2
NY -> htpfrghp.dll -> %SystemRoot%\System32\htpfrghp.dll
NY -> jnwnw64n.exe -> %SystemRoot%\System32\jnwnw64n.exe
NY -> jownw64o.exe -> %SystemRoot%\System32\jownw64o.exe
NY -> jpstriqs.dll -> %SystemRoot%\System32\jpstriqs.dll
NY -> kcntokdm.exe -> %SystemRoot%\System32\kcntokdm.exe
NY -> mcntpkdm.exe -> %SystemRoot%\System32\mcntpkdm.exe
NY -> mlJBSjgg.dll -> %SystemRoot%\System32\mlJBSjgg.dll
NY -> mlJBUMGv.dll -> %SystemRoot%\System32\mlJBUMGv.dll
NY -> msnav32.ax -> %SystemRoot%\System32\msnav32.ax
NY -> mysidesearch_sidebar_uninstall.exe -> %SystemRoot%\System32\mysidesearch_sidebar_uninstall.exe
NY -> qchtoufh.ini -> %SystemRoot%\System32\qchtoufh.ini
NY -> rbtafrrr.exe -> %SystemRoot%\System32\rbtafrrr.exe
NY -> rscfyexv.ini -> %SystemRoot%\System32\rscfyexv.ini
NY -> rwwnw64d.exe -> %SystemRoot%\System32\rwwnw64d.exe
NY -> ske -> %SystemRoot%\System32\ske
NY -> sqirtspj.ini -> %SystemRoot%\System32\sqirtspj.ini
NY -> srwcqegq.exe -> %SystemRoot%\System32\srwcqegq.exe
NY -> vntiho01 -> %SystemRoot%\System32\vntiho01
NY -> vtUkkhEU.dll -> %SystemRoot%\System32\vtUkkhEU.dll
NY -> vulraojv.exe -> %SystemRoot%\System32\vulraojv.exe
NY -> winpfz33.sys -> %SystemRoot%\System32\winpfz33.sys
NY -> wvUkIXnl.dll -> %SystemRoot%\System32\wvUkIXnl.dll
NY -> wvUnOGvu.dll -> %SystemRoot%\System32\wvUnOGvu.dll
NY -> xxywWoNH.dll -> %SystemRoot%\System32\xxywWoNH.dll
NY -> yeqpjghe.exe -> %SystemRoot%\System32\yeqpjghe.exe
NY -> zxdnt3d.cfg -> %SystemRoot%\System32\zxdnt3d.cfg
NY -> {66670039-904a-7bc7-d7a3-5a12acd59499}.dll -> %SystemRoot%\System32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll
NY -> {66670039-904a-7bc7-d7a3-5a12acd59499}.dll-uninst.exe -> %SystemRoot%\System32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll-uninst.exe
NY -> 17PHolmes1000106.exe -> %SystemRoot%\17PHolmes1000106.exe
NY -> 17PHolmes572.exe -> %SystemRoot%\17PHolmes572.exe
NY -> BM5f805e6e.xml -> %SystemRoot%\BM5f805e6e.xml
NY -> 6 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp
NY -> dXNlcjE -> %SystemRoot%\dXNlcjE
NY -> qmgr0.dat -> C:\Documents and Settings\All Users.WINNT\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users.WINNT\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> Deewoo.lnk -> %UserProfile%\Start Menu\Programs\Startup\Deewoo.lnk
NY -> DW_Start.lnk -> %UserProfile%\Start Menu\Programs\Startup\DW_Start.lnk
NY -> Yazzle1281OinUninstaller.exe -> %CommonProgramFiles%\Yazzle1281OinUninstaller.exe
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #4

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Just use the default settings.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it and close Notepad (save changes if necessary).
  • Close OTScanIt and locate the OTScanIt.txt file in the folder where OTScanIt.exe is located.
  • Attach that file back here in your next reply.
Step #5

Copy/paste the following back here in your next reply:
  • The Avenger report (c:\Avenger.txt)
  • The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
  • The online virus scan report (whichever one you ran)
Attach the following back here in your next reply:
  • The new OTScanIt scan log
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

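As an added example (not part of this post, the Avenger tool or OTScanIt), the script below parses an Avenger result log of the format seen later in this thread into deleted and failed targets with their NTSTATUS codes, and pre-checks an Avenger script for non-ASCII look-alike letters in target paths, as in the ѕуmbols folder name in the script above. The sample script and sample log are constructed for the example.

```python
import re
import unicodedata

# Constructed sample Avenger script, modelled on the one in the post above.
# The folder name after %programfiles% contains two Cyrillic letters
# (U+0455 DZE and U+0443 U) that render like the Latin "sy" in "symbols".
SAMPLE_SCRIPT = """Drivers to delete:
cmdService
Files to delete:
%commonprogramfiles%\\yazzle1281oinuninstaller.exe
%programfiles%\\\u0455\u0443mbols\\msconfig.exe
%systemroot%\\system32\\awtrrlfu.dll
Folders to delete:
%systemroot%\\dxnlcje
"""

# Constructed sample result log, in the layout Avenger writes to C:\avenger.txt.
SAMPLE_LOG = """Driver "cmdService" deleted successfully.
File "C:\\Program Files\\Common Files\\yazzle1281oinuninstaller.exe" deleted successfully.

Error: could not open file "C:\\Program Files\\??mbols\\msconfig.exe"
Deletion of file "C:\\Program Files\\??mbols\\msconfig.exe" failed!
Status: 0xc0000033 (STATUS_OBJECT_NAME_INVALID)
--> an object cannot have this name

Error: file "C:\\WINNT\\dxnlcje\\command.exe" not found!
Deletion of file "C:\\WINNT\\dxnlcje\\command.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\\WINNT\\system32\\awtrrlfu.dll" deleted successfully.
"""

# Line shapes taken from the log format shown in this thread.
DELETED_RE = re.compile(r'^(\w+) "(.+)" deleted successfully\.$')
FAILED_RE = re.compile(r'^Deletion of (\w+) "(.+)" failed!$')
STATUS_RE = re.compile(r'^Status: (0x[0-9A-Fa-f]+) \((\w+)\)$')


def parse_avenger_log(text):
    """Split an Avenger log into deleted targets and failed targets with status codes."""
    deleted, failed = [], []
    pending = None  # last failure still waiting for its "Status:" line
    for raw in text.splitlines():
        line = raw.strip()
        m = DELETED_RE.match(line)
        if m:
            deleted.append((m.group(1).lower(), m.group(2)))
            continue
        m = FAILED_RE.match(line)
        if m:
            pending = {"kind": m.group(1).lower(), "path": m.group(2),
                       "status": None, "status_name": None}
            failed.append(pending)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            pending["status"] = m.group(1).lower()
            pending["status_name"] = m.group(2)
            pending = None
    return {"deleted": deleted, "failed": failed}


def failures_by_status(result):
    """Group failed targets by NTSTATUS name so each failure class can be triaged."""
    grouped = {}
    for entry in result["failed"]:
        grouped.setdefault(entry["status_name"] or "UNKNOWN", []).append(entry["path"])
    return grouped


def suspicious_chars(path):
    """Return (char, Unicode name) for every non-ASCII letter in a path."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in path
            if ord(ch) > 127 and unicodedata.category(ch).startswith("L")]


def check_script(script):
    """Map each target in an Avenger script to the non-ASCII letters it contains."""
    findings = {}
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):  # skip blanks and section headers
            continue
        hits = suspicious_chars(line)
        if hits:
            findings[line] = hits
    return findings


if __name__ == "__main__":
    for path, hits in check_script(SAMPLE_SCRIPT).items():
        print("non-ASCII letters in target:", path, [name for _, name in hits])
    result = parse_avenger_log(SAMPLE_LOG)
    print("deleted:", len(result["deleted"]), "failed:", len(result["failed"]))
    for status, paths in failures_by_status(result).items():
        print(status, "->", paths)
```

Running the pre-check before the script is executed shows which targets have names that ordinary ASCII tools may not open, and the log parser shows which deletions actually need a second pass.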

#7 trailcreek

trailcreek
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:12 AM

Posted 11 June 2008 - 02:50 PM

Hi OT,

Things started off really good this morning. Received a message that whoever had the redirect on the computer (Adult Page) has had their account suspended. No more porn sites popping up! But I get a new window opening with "Cannot find the server". The anti virus is also not detecting virtumonde, which I take as a good sign.

I was able to run Avenger and the OT Scan It however now I'm having trouble with IE. I can open my homepage which is Environment Canada and go to links within that page. But when I use my favorite links or type in the URL for BC or Yahoo mail the computer just keeps searching on and on. I've tried google and yahoo but still no luck. So I changed my homepage to Bleeping Computer and I get the login page but when I enter my information the computer just keeps spinning away.

Any suggestions??

Cheers,
Trailcreek

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:12 PM

Posted 11 June 2008 - 05:08 PM

Hi trailcreek. Well, I would need to see the logs first. If you cannot get to them on that machine then copy the logs to a thumbdrive or cd and post them from another machine.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#9 trailcreek

trailcreek
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:12 AM

Posted 12 June 2008 - 12:37 PM

Good morning OT,

What a day yesterday was! After several hours I was able to run the scans. The problem was I couldn't get onto IE to run the F-Secure Online Scan or the Kaspersky. But after several attempts I was able to change the homepage and to the site.
I first ran the F-Secure scan and it ran successfully but when I clicked the Automatic Cleaning IE disappeared. That was a real let down - it took a long time to get there then over an hour to run! I was able to run Kaspersky but again had to change the homepage - only way I can get IE to load the page.

So here are the results:
Avenger.txt

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows 2000

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "cmdService" deleted successfully.
File "C:\Program Files\Common Files\yazzle1281oinuninstaller.exe" deleted successfully.

Error: could not open file "C:\Program Files\??mbols\msconfig.exe"
Deletion of file "C:\Program Files\??mbols\msconfig.exe" failed!
Status: 0xc0000033 (STATUS_OBJECT_NAME_INVALID)
--> an object cannot have this name

File "C:\WINNT\17pholmes1000106.exe" deleted successfully.
File "C:\WINNT\17pholmes572.exe" deleted successfully.
File "C:\WINNT\bm5f805e6e.xml" deleted successfully.

Error: file "C:\WINNT\dxnlcje\command.exe" not found!
Deletion of file "C:\WINNT\dxnlcje\command.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINNT\system32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll" deleted successfully.
File "C:\WINNT\system32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll-uninst.exe" deleted successfully.
File "C:\WINNT\system32\awtrrlfu.dll" deleted successfully.
File "C:\WINNT\system32\byjghggi.ini" deleted successfully.
File "C:\WINNT\system32\dqbvmojr.dll" deleted successfully.

Error: file "C:\WINNT\system32\fbetph.dll" not found!
Deletion of file "C:\WINNT\system32\fbetph.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINNT\system32\g45.exe" deleted successfully.
File "C:\WINNT\system32\g94.exe" deleted successfully.
File "C:\WINNT\system32\gebstsrs.dll" deleted successfully.
File "C:\WINNT\system32\gnacdvum.dll" deleted successfully.
File "C:\WINNT\system32\gside.exe" deleted successfully.
File "C:\WINNT\system32\hggaxvvw.dll" deleted successfully.
File "C:\WINNT\system32\hnowwyxx.ini" deleted successfully.
File "C:\WINNT\system32\hnowwyxx.ini2" deleted successfully.
File "C:\WINNT\system32\htpfrghp.dll" deleted successfully.
File "C:\WINNT\system32\jnwnw64n.exe" deleted successfully.
File "C:\WINNT\system32\jownw64o.exe" deleted successfully.
File "C:\WINNT\system32\jpstriqs.dll" deleted successfully.
File "C:\WINNT\system32\kcntokdm.exe" deleted successfully.
File "C:\WINNT\system32\mcntpkdm.exe" deleted successfully.
File "C:\WINNT\system32\mljbsjgg.dll" deleted successfully.
File "C:\WINNT\system32\mljbumgv.dll" deleted successfully.
File "C:\WINNT\system32\msnav32.ax" deleted successfully.
File "C:\WINNT\system32\mysidesearch_sidebar.dll" deleted successfully.
File "C:\WINNT\system32\mysidesearch_sidebar_uninstall.exe" deleted successfully.
File "C:\WINNT\system32\qchtoufh.ini" deleted successfully.
File "C:\WINNT\system32\rbtafrrr.exe" deleted successfully.
File "C:\WINNT\system32\rscfyexv.ini" deleted successfully.
File "C:\WINNT\system32\rwwnw64d.exe" deleted successfully.
File "C:\WINNT\system32\sqirtspj.ini" deleted successfully.
File "C:\WINNT\system32\srwcqegq.exe" deleted successfully.
File "C:\WINNT\system32\vtukkheu.dll" deleted successfully.
File "C:\WINNT\system32\vulraojv.exe" deleted successfully.
File "C:\WINNT\system32\winpfz33.sys" deleted successfully.
File "C:\WINNT\system32\wvukixnl.dll" deleted successfully.
File "C:\WINNT\system32\wvunogvu.dll" deleted successfully.
File "C:\WINNT\system32\xxywwonh.dll" deleted successfully.
File "C:\WINNT\system32\yeqpjghe.exe" deleted successfully.
File "C:\WINNT\system32\zxdnt3d.cfg" deleted successfully.
File "C:\Documents and Settings\administrator\desktop\setup_sbd_en.exe" deleted successfully.
File "C:\Documents and Settings\administrator\start menu\programs\startup\deewoo.lnk" deleted successfully.
File "C:\Documents and Settings\administrator\start menu\programs\startup\dw_start.lnk" deleted successfully.
File "c:\documents and settings\all users.winnt\application data\microsoft\network\downloader\qmgr0.dat" deleted successfully.
File "c:\documents and settings\all users.winnt\application data\microsoft\network\downloader\qmgr1.dat" deleted successfully.
Folder "C:\WINNT\dxnlcje" deleted successfully.
Folder "C:\WINNT\system32\b3" deleted successfully.
Folder "C:\WINNT\system32\ske" deleted successfully.
Folder "C:\WINNT\system32\vntiho01" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

OTScanIt fix log

Explorer killed successfully
[Processes - Non-Microsoft Only]
Unable to kill process jnwnw64n.exe .
File C:\WINNT\system32\jnwnw64n.exe not found.
Unable to kill process mcntpkdm.exe .
File C:\WINNT\system32\mcntpkdm.exe not found.
Process msconfig.exe killed successfully.
C:\Program Files\ѕуmbols\msconfig.exe moved successfully.
[Win32 Services - Non-Microsoft Only]
Unable to stop service cmdService .
Unable to delete service cmdService .
File C:\WINNT\dXNlcjE\command.exe not found.
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\{2fe16a0a-a354-7dbd-8da8-57d1604df162} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2fe16a0a-a354-7dbd-8da8-57d1604df162}\ not found.
File C:\WINNT\system32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\{36-6D-D5-5D-DW} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36-6D-D5-5D-DW}\ not found.
File C:\WINNT\system32\jnwnw64n.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\5cb36df2 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BM5f805e6e deleted successfully.
File C:\WINNT\system32\gnacdvum.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ExploreUpdSched deleted successfully.
File C:\WINNT\system32\mcntpkdm.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\runner1 deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Tctp deleted successfully.
File C:\Program Files\ѕуmbols\msconfig.exe not found.
File C:\WINNT\system32\mcntpkdm.exe not found.
File C:\Documents and Settings\administrator\Start Menu\Programs\Startup\Deewoo.lnk not found.
File C:\WINNT\system32\jnwnw64n.exe not found.
File C:\Documents and Settings\administrator\Start Menu\Programs\Startup\DW_Start.lnk not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{F9DF827A-8FA7-48A3-B268-CA4DB563EA40} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9DF827A-8FA7-48A3-B268-CA4DB563EA40}\ deleted successfully.
File C:\WINNT\system32\geBstsrs.dll not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geBstsrs\ deleted successfully.
File C:\WINNT\system32\geBstsrs.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1ade9a44-4986-762a-19ca-193008a0eda8}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1ade9a44-4986-762a-19ca-193008a0eda8}\ deleted successfully.
File C:\WINNT\system32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{41b60680-4a77-411b-aebd-b60266d2f104}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41b60680-4a77-411b-aebd-b60266d2f104}\ not found.
File C:\WINNT\system32\htpfrghp.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61140E8C-1AC3-4181-89E8-1602144C937E}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61140E8C-1AC3-4181-89E8-1602144C937E}\ not found.
File C:\WINNT\system32\xxywWoNH.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9506910A-0F94-4ea1-B567-7070428B8B2B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9506910A-0F94-4ea1-B567-7070428B8B2B}\ deleted successfully.
File C:\WINNT\system32\mysidesearch_sidebar.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA17986B-57DB-0D58-FF4F-0BA291EE1AC6}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AA17986B-57DB-0D58-FF4F-0BA291EE1AC6}\ not found.
File C:\WINNT\system32\fbetph.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9DF827A-8FA7-48A3-B268-CA4DB563EA40}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9DF827A-8FA7-48A3-B268-CA4DB563EA40}\ not found.
File C:\WINNT\system32\geBstsrs.dll not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FABA076A-478A-4c32-A0A5-C774607901C2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FABA076A-478A-4c32-A0A5-C774607901C2}\ deleted successfully.
File C:\WINNT\system32\mysidesearch_sidebar.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\ not found.
[Registry - Additional Scans - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\WINNT\system32\xxywWoNH deleted successfully.
File C:\WINNT\system32\xxywWoNH.dll not found.
[Files/Folders - Created Within 30 days]
File C:\WINNT\System32\awtrRLFU.dll not found!
File C:\WINNT\System32\b3 not found!
File C:\WINNT\System32\byjghggi.ini not found!
File C:\WINNT\System32\dqbvmojr.dll not found!
File C:\WINNT\System32\fbetph.dll not found!
File C:\WINNT\System32\g45.exe not found!
File C:\WINNT\System32\g94.exe not found!
File C:\WINNT\System32\geBstsrs.dll not found!
File C:\WINNT\System32\gnacdvum.dll not found!
File C:\WINNT\System32\gside.exe not found!
File C:\WINNT\System32\hgGaxvvw.dll not found!
File C:\WINNT\System32\HNoWwyxx.ini not found!
File C:\WINNT\System32\HNoWwyxx.ini2 not found!
File C:\WINNT\System32\htpfrghp.dll not found!
File C:\WINNT\System32\jnwnw64n.exe not found!
File C:\WINNT\System32\jownw64o.exe not found!
File C:\WINNT\System32\jpstriqs.dll not found!
File C:\WINNT\System32\kcntokdm.exe not found!
File C:\WINNT\System32\mcntpkdm.exe not found!
File C:\WINNT\System32\mlJBSjgg.dll not found!
File C:\WINNT\System32\mlJBUMGv.dll not found!
File C:\WINNT\System32\msnav32.ax not found!
File C:\WINNT\System32\mysidesearch_sidebar_uninstall.exe not found!
File C:\WINNT\System32\qchtoufh.ini not found!
File C:\WINNT\System32\rbtafrrr.exe not found!
File C:\WINNT\System32\rscfyexv.ini not found!
File C:\WINNT\System32\rwwnw64d.exe not found!
File C:\WINNT\System32\ske not found!
File C:\WINNT\System32\sqirtspj.ini not found!
File C:\WINNT\System32\srwcqegq.exe not found!
File C:\WINNT\System32\vntiho01 not found!
File C:\WINNT\System32\vtUkkhEU.dll not found!
File C:\WINNT\System32\vulraojv.exe not found!
File C:\WINNT\System32\winpfz33.sys not found!
File C:\WINNT\System32\wvUkIXnl.dll not found!
File C:\WINNT\System32\wvUnOGvu.dll not found!
File C:\WINNT\System32\xxywWoNH.dll not found!
File C:\WINNT\System32\yeqpjghe.exe not found!
File C:\WINNT\System32\zxdnt3d.cfg not found!
File C:\WINNT\System32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll not found!
File C:\WINNT\System32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll-uninst.exe not found!
File C:\WINNT\17PHolmes1000106.exe not found!
File C:\WINNT\17PHolmes572.exe not found!
C:\WINNT\BM5f805e6e.xml moved successfully.
C:\WINNT\msdownld.tmp folder deleted successfully.
C:\WINNT\msiinst.tmp folder deleted successfully.
File C:\WINNT\dXNlcjE not found!
[Files Created - Additional Folder Scans - Non-Microsoft Only]
File C:\Documents and Settings\administrator\Desktop\setup_sbd_en.exe not found!
File C:\Documents and Settings\administrator\Start Menu\Programs\Startup\Deewoo.lnk not found!
File C:\Documents and Settings\administrator\Start Menu\Programs\Startup\DW_Start.lnk not found!
File C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe not found!
C:\Program Files\ѕуmbols\ѕуmbols folder moved successfully.
C:\Program Files\ѕуmbols folder moved successfully.
[Files/Folders - Modified Within 30 days]
File C:\WINNT\System32\awtrRLFU.dll not found!
File C:\WINNT\System32\b3 not found!
File C:\WINNT\System32\byjghggi.ini not found!
File C:\WINNT\System32\dqbvmojr.dll not found!
File C:\WINNT\System32\fbetph.dll not found!
File C:\WINNT\System32\g45.exe not found!
File C:\WINNT\System32\g94.exe not found!
File C:\WINNT\System32\geBstsrs.dll not found!
File C:\WINNT\System32\gnacdvum.dll not found!
File C:\WINNT\System32\gside.exe not found!
File C:\WINNT\System32\hgGaxvvw.dll not found!
File C:\WINNT\System32\HNoWwyxx.ini not found!
File C:\WINNT\System32\HNoWwyxx.ini2 not found!
File C:\WINNT\System32\htpfrghp.dll not found!
File C:\WINNT\System32\jnwnw64n.exe not found!
File C:\WINNT\System32\jownw64o.exe not found!
File C:\WINNT\System32\jpstriqs.dll not found!
File C:\WINNT\System32\kcntokdm.exe not found!
File C:\WINNT\System32\mcntpkdm.exe not found!
File C:\WINNT\System32\mlJBSjgg.dll not found!
File C:\WINNT\System32\mlJBUMGv.dll not found!
File C:\WINNT\System32\msnav32.ax not found!
File C:\WINNT\System32\mysidesearch_sidebar_uninstall.exe not found!
File C:\WINNT\System32\qchtoufh.ini not found!
File C:\WINNT\System32\rbtafrrr.exe not found!
File C:\WINNT\System32\rscfyexv.ini not found!
File C:\WINNT\System32\rwwnw64d.exe not found!
File C:\WINNT\System32\ske not found!
File C:\WINNT\System32\sqirtspj.ini not found!
File C:\WINNT\System32\srwcqegq.exe not found!
File C:\WINNT\System32\vntiho01 not found!
File C:\WINNT\System32\vtUkkhEU.dll not found!
File C:\WINNT\System32\vulraojv.exe not found!
File C:\WINNT\System32\winpfz33.sys not found!
File C:\WINNT\System32\wvUkIXnl.dll not found!
File C:\WINNT\System32\wvUnOGvu.dll not found!
File C:\WINNT\System32\xxywWoNH.dll not found!
File C:\WINNT\System32\yeqpjghe.exe not found!
File C:\WINNT\System32\zxdnt3d.cfg not found!
File C:\WINNT\System32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll not found!
File C:\WINNT\System32\{66670039-904a-7bc7-d7a3-5a12acd59499}.dll-uninst.exe not found!
File C:\WINNT\17PHolmes1000106.exe not found!
File C:\WINNT\17PHolmes572.exe not found!
File C:\WINNT\BM5f805e6e.xml not found!
File C:\WINNT\dXNlcjE not found!
File C:\Documents and Settings\All Users.WINNT\Application Data\Microsoft\Network\Downloader\qmgr0.dat not found!
File C:\Documents and Settings\All Users.WINNT\Application Data\Microsoft\Network\Downloader\qmgr1.dat not found!
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
File C:\Documents and Settings\administrator\Start Menu\Programs\Startup\Deewoo.lnk not found!
File C:\Documents and Settings\administrator\Start Menu\Programs\Startup\DW_Start.lnk not found!
File C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe not found!
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\administrator\Local Settings\Temp\~DF7C52.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.15.12 fix logfile created on 06112008_111257

Files moved on Reboot...
C:\Documents and Settings\administrator\Local Settings\Temp\~DF7C52.tmp moved successfully.


Kaspersky Scan

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, June 11, 2008
Operating System: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, June 11, 2008 22:27:06
Records in database: 853614
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 23877
Threat name: 13
Infected objects: 56
Suspicious objects: 0
Duration of the scan: 01:00:38


File name / Threat name / Threats count
explorer.exe\guimxwac.dll/explorer.exe\guimxwac.dll Infected: Trojan.Win32.Monder.mx 1
C:\WINNT\system32\guimxwac.dll/C:\WINNT\system32\guimxwac.dll Infected: Trojan.Win32.Monder.mx 15
C:\WINNT\system32\tixiiurf.dll/C:\WINNT\system32\tixiiurf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yeb 15
RPSCServerLicen\guimxwac.dll/RPSCServerLicen\guimxwac.dll Infected: Trojan.Win32.Monder.mx 1
CFD.exe\guimxwac.dll/CFD.exe\guimxwac.dll Infected: Trojan.Win32.Monder.mx 1
pctspk.exe\tixiiurf.dll/pctspk.exe\tixiiurf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yeb 1
qttask.exe\tixiiurf.dll/qttask.exe\tixiiurf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yeb 1
TEPA.exe\tixiiurf.dll/TEPA.exe\tixiiurf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yeb 1
rundll32.exe\tixiiurf.dll/rundll32.exe\tixiiurf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yeb 1
rundll32.exe\guimxwac.dll/rundll32.exe\guimxwac.dll Infected: Trojan.Win32.Monder.mx 1
jusched.exe\tixiiurf.dll/jusched.exe\tixiiurf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yeb 1
WZQKPICK.EXE\tixiiurf.dll/WZQKPICK.EXE\tixiiurf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yeb 1
TEPAComHandler.\tixiiurf.dll/TEPAComHandler.\tixiiurf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yeb 1
C:\WINNT\system32\aeeskk.dll//PE_Patch.PECompact//PecBundle//PECompact/C:\WINNT\system32\aeeskk.dll//PE_Patch.PECompact//PecBundle//PECompact Infected: not-a-virus:AdWare.Win32.PurityScan.if 1
C:\Documents and Settings\administrator\Desktop\OTScanIt\MovedFiles\06112008_111257\C_Program Files\ѕуmbols\msconfig.exe Infected: Trojan-Downloader.Win32.PurityScan.fj 1
C:\Documents and Settings\administrator\Local Settings\Application Data\Identities\{C98A5416-2C83-4F89-B0F0-E65FF65E438F}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-PSW.Win32.Papras.ac 1
C:\Documents and Settings\administrator\Local Settings\Application Data\Identities\{C98A5416-2C83-4F89-B0F0-E65FF65E438F}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-PSW.Win32.Small.bs 2
C:\Documents and Settings\administrator\Local Settings\Application Data\Identities\{C98A5416-2C83-4F89-B0F0-E65FF65E438F}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Exploit.Win32.PDF-URI.k 1
C:\Documents and Settings\administrator\Local Settings\Application Data\Identities\{C98A5416-2C83-4F89-B0F0-E65FF65E438F}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Pakes.bpn 1
C:\Documents and Settings\administrator\Local Settings\Application Data\Identities\{C98A5416-2C83-4F89-B0F0-E65FF65E438F}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Exploit.Win32.PDF-URI.l 1
C:\Program Files\AntiSpywareMaster\asm.exe Infected: not-a-virus:FraudTool.Win32.AntiSpywareMaster 1
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe Infected: Trojan.Win32.Scapur.k 1
C:\Program Files\Outerinfo\FF\components\FF.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad 1
C:\WINNT\system32\aeeskk.dll Infected: not-a-virus:AdWare.Win32.PurityScan.if 1
C:\WINNT\system32\guimxwac.dll Infected: Trojan.Win32.Monder.mx 1
C:\WINNT\system32\tixiiurf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yeb 1
C:\WINNT\system32\_{66670039-904a-7bc7-d7a3-5a12acd59499}.dll Infected: not-a-virus:AdWare.Win32.Agent.byy 1

The selected area was scanned.
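The `ѕуmbols` folder in the logs above is worth a closer look: Avenger could only render it as `??mbols` and refused the name (STATUS_OBJECT_NAME_INVALID), Dr.Web lists it as `MBOLS~1`, and the reason is that its first two letters are Cyrillic characters that merely look like the Latin word "symbols". As an added example that is not part of this thread or of any tool mentioned in it, the Python check below flags Windows path components that mix scripts or collapse to an ASCII lookalike; the sample paths are constructed and the confusables table is a small hand-picked subset.

```python
"""Flag Windows path components spelled with non-ASCII lookalike letters."""
import unicodedata

# Constructed sample paths. The first mimics the "symbols" folder from the logs:
# its first two letters are CYRILLIC SMALL LETTER DZE (U+0455) and CYRILLIC
# SMALL LETTER U (U+0443), which render like Latin "s" and "y".
SAMPLE_PATHS = [
    "C:\\Program Files\\\u0455\u0443mbols\\msconfig.exe",
    "C:\\Program Files\\Common Files\\Authentium\\AntiVirus\\dvpapi.exe",
    "C:\\Program Files\\Caf\u00e9\\app.exe",  # accented but all Latin: not a lookalike
]

# Hand-picked subset of Unicode confusables: non-Latin letters that look like
# ASCII letters. A production check would load the full confusables.txt list.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u0501": "d",
    "\u0405": "S", "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K",
    "\u041c": "M", "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C",
    "\u0422": "T", "\u0425": "X",
    "\u03bf": "o", "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u039f": "O",
}


def script_of(ch):
    """Rough script name taken from the Unicode character name
    ('LATIN', 'CYRILLIC', 'GREEK', ...); non-letters count as 'COMMON'."""
    if not ch.isalpha():
        return "COMMON"
    if ch.isascii():
        return "LATIN"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def ascii_render(component):
    """Show a name the way an ASCII-only tool prints it: every non-ASCII
    character becomes '?' (Avenger logged the folder above as "??mbols")."""
    return "".join(ch if ch.isascii() else "?" for ch in component)


def skeleton(component):
    """Map lookalike letters to their ASCII twins after NFKC normalisation.
    A genuinely foreign name (e.g. all-Cyrillic) does not collapse to ASCII."""
    normalised = unicodedata.normalize("NFKC", component)
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalised)


def analyse_component(component):
    """Return the two signals a defender cares about for one path component:
    letters drawn from more than one script, and a name whose ASCII skeleton
    differs from the name itself (i.e. it impersonates an ASCII name)."""
    letter_scripts = {script_of(ch) for ch in component if ch.isalpha()}
    twin = skeleton(component)
    return {
        "name": component,
        "skeleton": twin,
        "mixed_script": len(letter_scripts) > 1,
        "lookalike": twin != component and twin.isascii(),
    }


def suspicious_components(path):
    """Return the analysis records for every component of a Windows path that
    mixes scripts or collapses to an ASCII lookalike; [] for a clean path."""
    findings = []
    for component in path.split("\\"):
        info = analyse_component(component)
        if info["mixed_script"] or info["lookalike"]:
            findings.append(info)
    return findings


if __name__ == "__main__":
    for sample in SAMPLE_PATHS:
        for hit in suspicious_components(sample):
            print(f"{sample}: component {hit['name']!r} renders as "
                  f"{ascii_render(hit['name'])!r}, impersonates {hit['skeleton']!r}, "
                  f"mixed scripts: {hit['mixed_script']}")
```

Running it over a real filesystem is a matter of feeding `os.walk` output into `suspicious_components`; legitimate accented names such as `Café` pass, while a mixed-script name that collapses to an ASCII word is reported together with the `?`-rendering that an ASCII-only tool would show.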


#10 OldTimer

    Malware Expert

Posted 12 June 2008 - 01:52 PM

Hi trailcreek. There are still some lingering remains so let's get those:

Step #1

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%systemdrive%\s87ekhv.exe
%systemroot%\bm5f805e6e.xml
%systemroot%\system32\aeeskk.dll
%systemroot%\system32\fruiixit.ini
%systemroot%\system32\guimxwac.dll
%systemroot%\system32\sqynagdr.dll
%systemroot%\system32\tixiiurf.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> 5cb36df2 -> %SystemRoot%\system32\tixiiurf.dll [rundll32.exe "C:\WINNT\system32\tixiiurf.dll",b]
YY -> BM5f805e6e -> %SystemRoot%\system32\guimxwac.dll [Rundll32.exe "C:\WINNT\system32\guimxwac.dll",s]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {2AAB38CC-8C94-49E2-94F4-C9CBE6247A7C} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\xxywWoNH.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {d858da7e-ec83-4a2b-81ca-ebb3b4d2c65d} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\sqynagdr.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {F948986C-058C-5E02-FF4F-0BA291EE1995} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\aeeskk.dll [Reg Error: Value  does not exist or could not be read.]
[Files/Folders - Created Within 30 days]
NY -> S87ekhV.exe -> %SystemDrive%\S87ekhV.exe
NY -> fruiixit.ini -> %SystemRoot%\System32\fruiixit.ini
NY -> guimxwac.dll -> %SystemRoot%\System32\guimxwac.dll
NY -> sqynagdr.dll -> %SystemRoot%\System32\sqynagdr.dll
NY -> tixiiurf.dll -> %SystemRoot%\System32\tixiiurf.dll
NY -> BM5f805e6e.xml -> %SystemRoot%\BM5f805e6e.xml
[Files/Folders - Modified Within 30 days]
NY -> S87ekhV.exe -> %SystemDrive%\S87ekhV.exe
NY -> aeeskk.dll -> %SystemRoot%\System32\aeeskk.dll
NY -> fruiixit.ini -> %SystemRoot%\System32\fruiixit.ini
NY -> guimxwac.dll -> %SystemRoot%\System32\guimxwac.dll
NY -> sqynagdr.dll -> %SystemRoot%\System32\sqynagdr.dll
NY -> tixiiurf.dll -> %SystemRoot%\System32\tixiiurf.dll
NY -> BM5f805e6e.xml -> %SystemRoot%\BM5f805e6e.xml
[Extra Files]
C:\Program Files\AntiSpywareMaster\
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe 
C:\Program Files\Outerinfo\
Purity
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Download Dr.Web CureIt
  • Doubleclick the drweb-cureit.exe file and then Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options and Change settings
  • Choose the Scan tab and remove the mark at Heuristic analysis.
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image

    This will move it to the quarantine folder under %userprofile%\DoctorWeb if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save Report List
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
Step #4

Run a new OTScanIt scan with the following options

OTScanIt Just Standard Log -

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it and close Notepad (save changes if necessary).
  • Close OTScanIt and locate the OTScanIt.txt file in the folder where OTScanIt.exe is located.
  • Attach that file back here in your next reply.
Step #5

Copy/paste the following back here in your next reply:
  • The Avenger report (c:\Avenger.txt)
  • The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
  • The report from Dr.WebCureIt
Attach the following back here in your next reply:
  • The new OTScanIt scan log
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT

#11 trailcreek

  • Topic Starter

Posted 12 June 2008 - 05:47 PM

Hi OT,

Things are progressing much better today!

Here are the results of the Scans

Avenger report:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows 2000

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\s87ekhv.exe" deleted successfully.
File "C:\WINNT\bm5f805e6e.xml" deleted successfully.
File "C:\WINNT\system32\aeeskk.dll" deleted successfully.
File "C:\WINNT\system32\fruiixit.ini" deleted successfully.
File "C:\WINNT\system32\guimxwac.dll" deleted successfully.
File "C:\WINNT\system32\sqynagdr.dll" deleted successfully.
File "C:\WINNT\system32\tixiiurf.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Received RUNDLL Error loading C:\WINNT\system32\guimxwac.dll
The specified module could not be found.
RUNDLL Error loading C:\WINNT\system32\tixiiurf.dll
The specified module could not be found

OTScanIT

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\5cb36df2 deleted successfully.
File C:\WINNT\system32\tixiiurf.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BM5f805e6e deleted successfully.
File C:\WINNT\system32\guimxwac.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2AAB38CC-8C94-49E2-94F4-C9CBE6247A7C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2AAB38CC-8C94-49E2-94F4-C9CBE6247A7C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d858da7e-ec83-4a2b-81ca-ebb3b4d2c65d}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d858da7e-ec83-4a2b-81ca-ebb3b4d2c65d}\ deleted successfully.
File C:\WINNT\system32\sqynagdr.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F948986C-058C-5E02-FF4F-0BA291EE1995}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F948986C-058C-5E02-FF4F-0BA291EE1995}\ deleted successfully.
File C:\WINNT\system32\aeeskk.dll not found.
[Files/Folders - Created Within 30 days]
File C:\S87ekhV.exe not found!
File C:\WINNT\System32\fruiixit.ini not found!
File C:\WINNT\System32\guimxwac.dll not found!
File C:\WINNT\System32\sqynagdr.dll not found!
File C:\WINNT\System32\tixiiurf.dll not found!
File C:\WINNT\BM5f805e6e.xml not found!
[Files/Folders - Modified Within 30 days]
File C:\S87ekhV.exe not found!
File C:\WINNT\System32\aeeskk.dll not found!
File C:\WINNT\System32\fruiixit.ini not found!
File C:\WINNT\System32\guimxwac.dll not found!
File C:\WINNT\System32\sqynagdr.dll not found!
File C:\WINNT\System32\tixiiurf.dll not found!
File C:\WINNT\BM5f805e6e.xml not found!
[Extra Files]
< C:\Program Files\AntiSpywareMaster\ >
C:\Program Files\AntiSpywareMaster folder moved successfully.
< C:\Program Files\Common Files\Yazzle1281OinAdmin.exe >
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe moved successfully.
< C:\Program Files\Outerinfo\ >
C:\Program Files\Outerinfo\FF\components folder moved successfully.
C:\Program Files\Outerinfo\FF folder moved successfully.
C:\Program Files\Outerinfo folder moved successfully.
< Purity >
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\administrator\Local Settings\Temp\~DF7E5C.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.15.12 fix logfile created on 06122008_124758

Files moved on Reboot...
C:\Documents and Settings\administrator\Local Settings\Temp\~DF7E5C.tmp moved successfully.

Dr.CureIT

Didn't follow along as your instructions did. Ran full scan on the second run. At the finish had Program Error: setup.exe has generated errors and will be closed by Windows. You need to restart the program. An error log is being created.

cfd.exe;c:\program files\broadjump\client foundation;Adware.Cfd;Incurable.Moved.;
msconfig.exe;C:\Documents and Settings\administrator\Desktop\OTScanIt\MovedFiles\06112008_111257\C_Program Files\MBOLS~1;Adware.ClickSpring;Incurable.Moved.;
Yazzle1281OinAdmin.exe;C:\Documents and Settings\administrator\Desktop\OTScanIt\MovedFiles\06122008_124758\C_Program Files\Common Files;Adware.ClickSpring;Incurable.Moved.;
FF.dll;C:\Documents and Settings\administrator\Desktop\OTScanIt\MovedFiles\06122008_124758\C_Program Files\Outerinfo\FF\components;Adware.ClickSpring;Deleted.;


The last OTScanIt file is too large to upload. I'm doing a copy/paste. If this is not acceptable, please advise how I can create more room.

OTScanIt logfile created on: 6/12/2008 3:17:39 PM
OTScanIt by OldTimer - Version 1.0.15.12	 Folder = C:\Documents and Settings\administrator\Desktop\OTScanIt
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
255.48 Mb Total Physical Memory | 66.52 Mb Available Physical Memory | 26.04% Memory free
616.62 Mb Paging File | 427.71 Mb Available in Paging File | 69.36% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 28.63 Gb Total Space | 24.78 Gb Free Space | 86.58% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: REGISTER1
Current User Name: Administrator
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
fws.exe -> %ProgramFiles%\TELUS\TELUS eProtect\Fws.exe -> TELUS [Ver = 6.0.1.22524 | Size = 293104 bytes | Modified Date = 9/13/2007 4:21:50 PM | Attr =	]
dvpapi.exe -> %CommonProgramFiles%\Authentium\AntiVirus\dvpapi.exe -> Authentium, Inc. [Ver = 4,94,107,129 | Size = 177672 bytes | Modified Date = 4/4/2007 5:41:28 PM | Attr = R  ]
itmrtsvc.exe -> %ProgramFiles%\CA\PPRT\bin\ITMRTSVC.exe -> CA, Inc. [Ver = 1.1.0.24 | Size = 280080 bytes | Modified Date = 12/19/2006 1:45:16 PM | Attr =	]
pdagent.exe -> %ProgramFiles%\Raxco\PerfectDisk\PDAgent.exe -> Raxco Software, Inc. [Ver = 8, 0, 0, 57 | Size = 407056 bytes | Modified Date = 3/2/2007 12:24:42 PM | Attr =	]
twwinsdr.exe -> %ProgramFiles%\TapeWare\twwinsdr.exe ->  [Ver =  | Size = 126976 bytes | Modified Date = 12/31/2002 11:31:14 AM | Attr =	]
rpscserverlicense.exe -> %SystemRoot%\system32\RPSCServerLicense.exe -> Retail Professionals Software Corp. [Ver = 5.04.0005 | Size = 65536 bytes | Modified Date = 5/17/2002 1:02:24 PM | Attr =	]
pctspk.exe -> %SystemRoot%\system32\pctspk.exe ->  [Ver = 1, 0, 0, 1 | Size = 167936 bytes | Modified Date = 7/11/2002 1:49:18 AM | Attr =	]
qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Inc. [Ver = 7.1.6 | Size = 282624 bytes | Modified Date = 5/24/2007 12:03:11 PM | Attr =	]
tepa.exe -> %ProgramFiles%\TELUS\eProtect Advisor\TEPA.exe -> TELUS [Ver = 1.5.12.18248 | Size = 2061816 bytes | Modified Date = 5/14/2007 9:10:38 AM | Attr =	]
rps.exe -> %ProgramFiles%\TELUS\TELUS eProtect\RPS.exe -> TELUS [Ver = 6.0.1.22524 | Size = 310000 bytes | Modified Date = 9/13/2007 4:22:08 PM | Attr =	]
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_06\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.60.2 | Size = 144784 bytes | Modified Date = 3/25/2008 4:28:02 AM | Attr =	]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 6/22/2007 1:25:51 PM | Attr =	]
reader_sl.exe -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.1.0.2008042300 | Size = 29696 bytes | Modified Date = 4/23/2008 3:38:16 AM | Attr =	]
wzqkpick.exe -> %ProgramFiles%\WinZip\WZQKPICK.EXE -> WinZip Computing LP [Ver = 1.0 (32-bit) | Size = 122880 bytes | Modified Date = 2/16/2006 11:00:00 AM | Attr =	]
tepacomhandler.exe -> %ProgramFiles%\TELUS\eProtect Advisor\TEPAComHandler.exe -> Radialpoint Inc. [Ver = 1.5.12.18248 | Size = 292344 bytes | Modified Date = 5/14/2007 9:10:40 AM | Attr =	]
rpsupdaterr.exe -> %ProgramFiles%\TELUS\TELUS eProtect\rpsupdaterr.exe -> Radialpoint Inc. [Ver = 6.0.1.26541 | Size = 99056 bytes | Modified Date = 2/7/2008 2:46:16 PM | Attr = R  ]
pdengine.exe -> %ProgramFiles%\Raxco\PerfectDisk\PDEngine.exe -> Raxco Software, Inc. [Ver = 8, 0, 0, 57 | Size = 734736 bytes | Modified Date = 3/2/2007 12:24:52 PM | Attr =	]
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.15.12 | Size = 397312 bytes | Modified Date = 6/7/2008 11:09:00 AM | Attr =	]

[Win32 Services - Non-Microsoft Only]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\dmadmin.exe -> VERITAS Software Corp. [Ver = 2195.6624.297.3 | Size = 147728 bytes | Modified Date = 6/19/2003 12:05:04 PM | Attr =	]
(dvpapi) dvpapi [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Authentium\AntiVirus\dvpapi.exe -> Authentium, Inc. [Ver = 4,94,107,129 | Size = 177672 bytes | Modified Date = 4/4/2007 5:41:28 PM | Attr = R  ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 2/14/2007 8:33:36 PM | Attr =	]
(ITMRTSVC) CA Pest Patrol Realtime Protection Service [Win32_Own | Auto | Running] -> %ProgramFiles%\CA\PPRT\bin\ITMRTSVC.exe -> CA, Inc. [Ver = 1.1.0.24 | Size = 280080 bytes | Modified Date = 12/19/2006 1:45:16 PM | Attr =	]
(PDAgent) PDAgent [Win32_Own | Auto | Running] -> %ProgramFiles%\Raxco\PerfectDisk\PDAgent.exe -> Raxco Software, Inc. [Ver = 8, 0, 0, 57 | Size = 407056 bytes | Modified Date = 3/2/2007 12:24:42 PM | Attr =	]
(PDEngine) PDEngine [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Raxco\PerfectDisk\PDEngine.exe -> Raxco Software, Inc. [Ver = 8, 0, 0, 57 | Size = 734736 bytes | Modified Date = 3/2/2007 12:24:52 PM | Attr =	]
(RPSUpdaterR) TELUS eProtect Update Service [Win32_Own | On_Demand | Running] -> %ProgramFiles%\TELUS\TELUS eProtect\rpsupdaterr.exe -> Radialpoint Inc. [Ver = 6.0.1.26541 | Size = 99056 bytes | Modified Date = 2/7/2008 2:46:16 PM | Attr = R  ]
(RP_FWS) TELUS eProtect Firewall [Win32_Own | Auto | Running] -> %ProgramFiles%\TELUS\TELUS eProtect\Fws.exe -> TELUS [Ver = 6.0.1.22524 | Size = 293104 bytes | Modified Date = 9/13/2007 4:21:50 PM | Attr =	]
(TapeWare) TapeWare [Win32_Own | Auto | Running] -> %ProgramFiles%\TapeWare\twwinsdr.exe ->  [Ver =  | Size = 126976 bytes | Modified Date = 12/31/2002 11:31:14 AM | Attr =	]

[Driver Services - Non-Microsoft Only]
(Cdr4_2K) Cdr4_2K [Kernel | System | Running] -> %SystemRoot%\System32\drivers\cdr4_2K.sys -> Roxio [Ver = 5.3.2.31 | Size = 58000 bytes | Modified Date = 11/18/2004 12:10:43 PM | Attr =	]
(Cdralw2k) Cdralw2k [Kernel | System | Running] -> %SystemRoot%\System32\drivers\cdralw2k.sys -> Roxio [Ver = 5.3.2.31 | Size = 23420 bytes | Modified Date = 11/18/2004 12:10:42 PM | Attr =	]
(cmuda) C-Media WDM Audio Interface [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\cmuda.sys -> C-Media Inc [Ver = 5.12.01.0023 | Size = 417999 bytes | Modified Date = 9/30/2002 8:24:58 PM | Attr = R  ]
(CSS DVP) Dynamic Virus Protection [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\Css-Dvp.sys -> Authentium, Inc. [Ver = 4.94.107.403 | Size = 839880 bytes | Modified Date = 4/4/2007 5:15:02 PM | Attr =	]
(DefragFS) DefragFS [File_System | Boot | Running] -> %SystemRoot%\System32\drivers\DefragFs.sys -> Raxco Software, Inc. [Ver = 8.0011 built by: WinDDK | Size = 67352 bytes | Modified Date = 3/2/2007 10:26:18 AM | Attr =	]
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\dmboot.sys -> VERITAS Software Corp. [Ver = 2195.6655.297.3 | Size = 369104 bytes | Modified Date = 6/19/2003 12:05:04 PM | Attr =	]
(dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmio.sys -> VERITAS Software Corp. [Ver = 2195.6655.297.3 | Size = 137936 bytes | Modified Date = 6/19/2003 12:05:04 PM | Attr =	]
(dmload) dmload [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmload.sys -> VERITAS Software Corp. [Ver = 2195.6655.297.3 | Size = 7312 bytes | Modified Date = 6/19/2003 12:05:04 PM | Attr =	]
(EL90BC) 3Com EtherLink XL B/C Adapter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\el90xbc5.sys -> 3Com Corporation [Ver = 1.56.50.0013 | Size = 61712 bytes | Modified Date = 10/23/1999 5:22:20 AM | Attr =	]
(hardlock) hardlock [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\hardlock.sys -> Aladdin Knowledge Systems [Ver = 2.36 | Size = 404480 bytes | Modified Date = 12/30/2002 4:58:47 PM | Attr =	]
(Haspnt) Haspnt [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\Haspnt.sys -> Aladdin Knowledge Systems [Ver = 4.13 | Size = 47616 bytes | Modified Date = 12/30/2002 4:58:47 PM | Attr =	]
(nv4) nv4 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\nv4.sys -> NVIDIA Corporation [Ver = 5.00.2165.0327 | Size = 345040 bytes | Modified Date = 10/27/1999 8:23:38 AM | Attr =	]
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 | Size = 17680 bytes | Modified Date = 6/19/2003 12:05:04 PM | Attr =	]
(Ptserial) W2K Pctel Serial Device Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptserial.sys -> PCTEL, INC. [Ver = 7.54.07 | Size = 131708 bytes | Modified Date = 8/9/2002 9:57:34 AM | Attr =	]
(RPPKT) Radialpoint Filter (x86) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\rp_pkt32.sys -> Radialpoint, Inc. [Ver = 6.0.0.0 | Size = 39296 bytes | Modified Date = 1/17/2007 5:17:32 PM | Attr =	]
(RPSKT) Security Services Driver (x86) [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\rp_skt32.sys -> Radialpoint Inc. [Ver = 6.1.11.16607 | Size = 53192 bytes | Modified Date = 6/5/2008 3:31:00 PM | Attr =	]
(SISNIC) SiS PCI Fast Ethernet Adapter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\sisnic.sys -> SiS Corporation [Ver = 1.11.00.00 | Size = 33347 bytes | Modified Date = 11/8/2000 10:16:26 AM | Attr = R  ]
(StarOpen) StarOpen [File_System | System | Running] -> %SystemRoot%\System32\drivers\StarOpen.sys ->  [Ver =  | Size = 5632 bytes | Modified Date = 2/20/2007 2:07:56 PM | Attr = R  ]
(sttravan) sttravan [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\sttravan.sys -> Certance, LLC [Ver = 1.3 | Size = 12800 bytes | Modified Date = 9/5/2004 2:03:00 AM | Attr =	]
(Vmodem) W2k Vmodem [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\vmodem.sys -> PCTEL, INC. [Ver = 7.60.10A | Size = 696077 bytes | Modified Date = 8/9/2002 9:56:36 AM | Attr =	]
(Vpctcom) W2k Vpctcom [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\vpctcom.sys -> PCtel, Inc. [Ver = 2.41-9K | Size = 550667 bytes | Modified Date = 8/9/2002 9:55:42 AM | Attr =	]
(vsdatant) vsdatant [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\vsdatant.sys -> File not found
(Vvoice) W2k Vvoice [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\vvoice.sys -> PCtel, Inc. [Ver = 3.53.00 | Size = 65343 bytes | Modified Date = 8/9/2002 9:57:02 AM | Attr =	]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
Cmaudio ->  [RunDll32 cmicnfg.cpl,CMICtrlWnd] -> File not found
-FreedomNeedsReboot -> %ProgramFiles%\TELUS\TELUS eProtect\zkrunoncer.exe ["C:\Program Files\TELUS\TELUS eProtect\ZkRunOnceR.exe"] -> TELUS [Ver = 6.0.1.22524 | Size = 13552 bytes | Modified Date = 9/13/2007 4:22:28 PM | Attr =	]
NeroCheck -> %SystemRoot%\system32\NeroCheck.exe [C:\WINNT\System32\NeroCheck.exe] -> Ahead Software Gmbh [Ver = 1, 0, 0, 2 | Size = 155648 bytes | Modified Date = 3/26/2002 12:44:00 AM | Attr =	]
ntdll.dll -> %ProgramFiles%\QuickTime\qttask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> Apple Inc. [Ver = 7.1.6 | Size = 282624 bytes | Modified Date = 5/24/2007 12:03:11 PM | Attr =	]
PCTVOICE -> %SystemRoot%\system32\pctspk.exe [pctspk.exe] ->  [Ver = 1, 0, 0, 1 | Size = 167936 bytes | Modified Date = 7/11/2002 1:49:18 AM | Attr =	]
PPRT -> %ProgramFiles%\CA\PPRT\bin\ITMRTSVC_Logon.exe [C:\Program Files\CA\PPRT\bin\ITMRTSVC_Logon.exe] -> CA, Inc. [Ver = 1.1.0.24 | Size = 21520 bytes | Modified Date = 12/19/2006 1:45:40 PM | Attr =	]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> Apple Inc. [Ver = 7.1.6 | Size = 282624 bytes | Modified Date = 5/24/2007 12:03:11 PM | Attr =	]
RPCSLicServer -> %SystemRoot%\system32\RPSCServerLicense.exe [C:\WINNT\System32\RPSCServerLicense.exe /R2P1S9C6] -> Retail Professionals Software Corp. [Ver = 5.04.0005 | Size = 65536 bytes | Modified Date = 5/17/2002 1:02:24 PM | Attr =	]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_06\bin\jusched.exe ["C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"] -> Sun Microsystems, Inc. [Ver = 6.0.60.2 | Size = 144784 bytes | Modified Date = 3/25/2008 4:28:02 AM | Attr =	]
TELUS eProtect -> %ProgramFiles%\TELUS\TELUS eProtect\RPS.exe ["C:\Program Files\TELUS\TELUS eProtect\Rps.exe"] -> TELUS [Ver = 6.0.1.22524 | Size = 310000 bytes | Modified Date = 9/13/2007 4:22:08 PM | Attr =	]
TEPA.exe -> %ProgramFiles%\TELUS\eProtect Advisor\TEPA.exe ["C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN] -> TELUS [Ver = 1.5.12.18248 | Size = 2061816 bytes | Modified Date = 5/14/2007 9:10:38 AM | Attr =	]
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce -> 
IndexCleaner -> %ProgramFiles%\TELUS\TELUS eProtect\IdxClnR.exe ["C:\Program Files\TELUS\TELUS eProtect\IdxClnR.exe"] -> TELUS [Ver = 6.0.1.22524 | Size = 61168 bytes | Modified Date = 9/13/2007 4:21:50 PM | Attr =	]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 
IMAIL-> Installed = 1 -> 
MAPI-> Installed = 1 -> 
MSFS-> Installed = 1 -> 
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe] -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 6/22/2007 1:25:51 PM | Attr =	]
< RunOnce [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce -> 
IndexCleaner -> %ProgramFiles%\TELUS\TELUS eProtect\IdxClnR.exe ["C:\Program Files\TELUS\TELUS eProtect\IdxClnR.exe"] -> TELUS [Ver = 6.0.1.22524 | Size = 61168 bytes | Modified Date = 9/13/2007 4:21:50 PM | Attr =	]
< All Users.WINNT Startup Folder > -> C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup -> 
%AllUsersProfile%\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk -> %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe -> Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Modified Date = 11/4/1999 4:06:48 PM | Attr =	]
%AllUsersProfile%\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.1.0.2008042300 | Size = 29696 bytes | Modified Date = 4/23/2008 3:38:16 AM | Attr =	]
%AllUsersProfile%\Start Menu\Programs\Startup\WinZip Quick Pick.lnk -> %ProgramFiles%\WinZip\WZQKPICK.EXE -> WinZip Computing LP [Ver = 1.0 (32-bit) | Size = 122880 bytes | Modified Date = 2/16/2006 11:00:00 AM | Attr =	]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 149 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\CDRAutoRun -> 0 -> 
< CDROM Autorun Settings > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Autorun -> 1 -> 
*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable -> 
NEC	 MBR-7	->  -> File not found
NEC	 MBR-7.4  ->  -> File not found
PIONEER CHANGR DRM-1804X ->  -> File not found
PIONEER CD-ROM DRM-6324X ->  -> File not found
PIONEER CD-ROM DRM-624X  ->  -> File not found
TORiSAN CD-ROM CDR_C36 ->  -> File not found
*MultiFile Done* -> -> 
*DependOnGroup* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DependOnGroup -> 
SCSI miniport ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> %SystemRoot%\system32\drivers\cdrom.sys [System32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 5.00.2195.6655 | Size = 27984 bytes | Modified Date = 6/19/2003 12:05:04 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\0 -> IDE\CdRomAOPEN_CD-RW_CRW4048_____________________1.01____\5&1edb1713&0&0.1.0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\NextInstance -> 1 -> 
< Drives - Autoruns > ->  -> 
AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] ->  [Ver =  | Size = 0 bytes | Modified Date = 11/23/2165 5:34:13 PM | Attr =  H ]
< HOSTS File > (734 bytes) -> C:\WINNT\System32\drivers\etc\Hosts -> 
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://www.google.com/ie -> 
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home -> 
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\Default_Search_URL -> http://www.google.com/ie -> 
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://www.google.com/ie -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINNT\System32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\Search Bar -> http://www.google.com/ie -> 
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.google.com -> 
HKEY_CURRENT_USER\: Main\\Start Page -> http://www.msn.com/ -> 
HKEY_CURRENT_USER\: Search\\SearchAssistant -> http://www.google.com/ie -> 
HKEY_CURRENT_USER\: SearchURL\\ -> http://www.google.com/search?q=%s[gogl] -> 
HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1204 domain(s) found. -> 
65 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 27 range(s) found. -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Reg Error: Value  does not exist or could not be read.] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 5/31/2005 2:04:00 AM | Attr =	]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_06\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.60.2 | Size = 509328 bytes | Modified Date = 3/25/2008 4:28:01 AM | Attr =	]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar4.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/20/2007 12:55:32 AM | Attr = R  ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [Google Toolbar Notifier BHO] -> Google Inc. [Ver = 2, 0, 301, 7164 | Size = 325048 bytes | Modified Date = 6/22/2007 1:25:51 PM | Attr =	]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar4.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/20/2007 12:55:32 AM | Attr = R  ]
{8E718888-423F-11D2-876E-00A0C9082467} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\msdxm.ocx [&Radio] ->  [Ver =  | Size = 844560 bytes | Modified Date = 3/31/2005 12:10:40 AM | Attr =	]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn0\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2005, 8, 4, 2 | Size = 343112 bytes | Modified Date = 8/4/2005 9:54:42 PM | Attr =	]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar4.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/20/2007 12:55:32 AM | Attr = R  ]
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar4.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/20/2007 12:55:32 AM | Attr = R  ]
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn0\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2005, 8, 4, 2 | Size = 343112 bytes | Modified Date = 8/4/2005 9:54:42 PM | Attr =	]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_06\bin\npjpi160_06.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.60.2 | Size = 132496 bytes | Modified Date = 3/25/2008 4:28:01 AM | Attr =	]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_06\bin\ssv.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.60.2 | Size = 509328 bytes | Modified Date = 3/25/2008 4:28:01 AM | Attr =	]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
Extension\.spop -> %ProgramFiles%\Internet Explorer\PLUGINS\NPDocBox.dll [] -> InterTrust Technologies Corporation, Inc. [Ver = 1.0.30.95 | Size = 225280 bytes | Modified Date = 1/30/2001 2:56:24 PM | Attr =	]
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{6C46E16F-B78E-49F7-A1E0-E1F46111E2B7} ->	(SiS 900 PCI Fast Ethernet Adapter) -> 
{93E3B7AA-E3A8-46F4-B576-BBABC8679D37} ->	(3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)) -> 
{F2920C91-1C20-4FE3-BAC3-C64EADC5743D} ->	(SiS 900 PCI Fast Ethernet Adapter) -> 
< Default Protocols [HKEY_CURRENT_USER\] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults -> 
shell -> shell protocol not assigned -> 
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
vnd.ms.radio:{3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\msdxm.ocx[AsyncPProt Class] ->  [Ver =  | Size = 844560 bytes | Modified Date = 3/31/2005 12:10:40 AM | Attr =	]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}[HKEY_LOCAL_MACHINE] -> http://www.apple.com/qtactivex/qtplugin.cab[QuickTime Object] -> 
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}[HKEY_LOCAL_MACHINE] -> http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab[CKAVWebScan Object] -> 
{31564D57-0000-0010-8000-00AA00389B71}[HKEY_LOCAL_MACHINE] -> http://codecs.microsoft.com/codecs/i386/wmvax.cab[Reg Error: Key does not exist or could not be opened.] -> 
{32564D57-0000-0010-8000-00AA00389B71}[HKEY_LOCAL_MACHINE] -> http://codecs.microsoft.com/codecs/i386/wmv8ax.cab[Reg Error: Key does not exist or could not be opened.] -> 
{33564D57-9980-0010-8000-00AA00389B71}[HKEY_LOCAL_MACHINE] -> http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab[Reg Error: Key does not exist or could not be opened.] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871[Java Plug-in 1.6.0_06] -> 
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}[HKEY_LOCAL_MACHINE] -> http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab[Reg Error: Key does not exist or could not be opened.] -> 
{9F1C11AA-197B-4942-BA54-47A8489BB47F}[HKEY_LOCAL_MACHINE] -> http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38017.3906365741[Reg Error: Key does not exist or could not be opened.] -> 
{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876}[HKEY_LOCAL_MACHINE] -> http://support.f-secure.com/ols/fscax.cab[F-Secure Online Scanner 3.3] -> 
{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab[Java Plug-in 1.6.0_06] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab[Java Plug-in 1.6.0_06] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] -> 
DirectAnimation Java Classes[HKEY_LOCAL_MACHINE] -> file://C:\WINNT\Java\classes\dajava.cab[Reg Error: Key does not exist or could not be opened.] -> 
Microsoft XML Parser for Java[HKEY_LOCAL_MACHINE] -> file://C:\WINNT\Java\classes\xmldso.cab[Reg Error: Key does not exist or could not be opened.] -> 
Yahoo! Hearts[HKEY_LOCAL_MACHINE] -> http://download2.games.yahoo.com/games/clients/y/ht1_x.cab[Reg Error: Key does not exist or could not be opened.] -> 
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/auc_lib.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/auc_lib.dll\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/auc_lib.dll\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/ca.pub\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/ca.pub\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/ca.pub\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/daas_s.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/daas_s.dll\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/daas_s.dll\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/fscax.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/fscax.dll\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/fscax.dll\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/gatelauncher.exe\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/gatelauncher.exe\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/gatelauncher.exe\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/danim.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/danim.dll\\.Owner -> {DC38CC30-4E3B-11d1-9071-0060081840BC} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/danim.dll\\{DC38CC30-4E3B-11d1-9071-0060081840BC} -> {DC38CC30-4E3B-11d1-9071-0060081840BC} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/ddrawex.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/ddrawex.dll\\.Owner -> {DC38CC30-4E3B-11d1-9071-0060081840BC} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/ddrawex.dll\\{DC38CC30-4E3B-11d1-9071-0060081840BC} -> {DC38CC30-4E3B-11d1-9071-0060081840BC} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/ddrawex.dll\\22d6f312-b0f6-11d0-94ab-0080c74c7e95 -> 22d6f312-b0f6-11d0-94ab-0080c74c7e95 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/iuctl.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/iuctl.dll\\.Owner -> {9F1C11AA-197B-4942-BA54-47A8489BB47F} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/iuctl.dll\\{9F1C11AA-197B-4942-BA54-47A8489BB47F} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/iuengine.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/iuengine.dll\\.Owner -> {9F1C11AA-197B-4942-BA54-47A8489BB47F} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/iuengine.dll\\{9F1C11AA-197B-4942-BA54-47A8489BB47F} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/quartz.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/quartz.dll\\.Owner -> {DC38CC30-4E3B-11d1-9071-0060081840BC} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/quartz.dll\\{DC38CC30-4E3B-11d1-9071-0060081840BC} -> {DC38CC30-4E3B-11d1-9071-0060081840BC} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/quartz.dll\\{4112DF42-0DCB-11d1-8177-00AA00576BAD} -> {4112DF42-0DCB-11d1-8177-00AA00576BAD} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/quartz.dll\\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} -> {22d6f312-b0f6-11d0-94ab-0080c74c7e95} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/system32/wuweb.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/system32/wuweb.dll\\.Owner -> Unknown Owner -> 


[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\EnableDCOM -> Y -> 
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ not found. -> -> 
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ not found. -> -> 
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ not found. -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ -> ->
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> 
msv1_0 -> %SystemRoot%\system32\MSV1_0.DLL -> Microsoft Corporation [Ver = 5.00.2195.6926 | Size = 125200 bytes | Modified Date = 4/8/2005 4:51:18 AM | Attr =	]
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds -> 0  [binary data] -> 
*Security Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages -> 
kerberos -> %SystemRoot%\system32\kerberos.dll -> Microsoft Corporation [Ver = 5.00.2195.7053 | Size = 208144 bytes | Modified Date = 6/14/2005 9:22:48 PM | Attr =	]
msv1_0 -> %SystemRoot%\system32\MSV1_0.DLL -> Microsoft Corporation [Ver = 5.00.2195.6926 | Size = 125200 bytes | Modified Date = 4/8/2005 4:51:18 AM | Attr =	]
schannel -> %SystemRoot%\system32\SCHANNEL.DLL -> Microsoft Corporation [Ver = 5.00.2195.6960 | Size = 151312 bytes | Modified Date = 4/8/2005 4:51:24 AM | Attr =	]
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid -> 248 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\auditbaseobjects -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\crashonauditfail -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fullprivilegeauditing ->  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymous -> 0 -> 
*Notification Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages -> 
scecli -> %SystemRoot%\system32\scecli.dll -> Microsoft Corporation [Ver = 5.00.2195.7013 | Size = 114448 bytes | Modified Date = 1/12/2005 12:39:44 PM | Attr =	]
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\SecureLsaInterfaceSupport -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ -> -> 
*ProviderOrder* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\\ProviderOrder -> 
Windows NT Access Provider ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\\ProviderPath -> %SystemRoot%\system32\NTMARTA.DLL [%SystemRoot%\system32\ntmarta.dll] -> Microsoft Corporation [Ver = 5.00.2195.6666 | Size = 102672 bytes | Modified Date = 6/19/2003 12:05:04 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\\Pattern -> 44 20 90 5D 30 AA E1 70 88 3F AE FC 67 4F 5C 61 64 37 32 33 61 63 30 31 00 FD 06 00 01 00 00 00 A8 00 00 00 B4 00 00 00 58 FA 06 00 57 4C 5A 78 04 00 00 00 B4 FD 06 00 AC FD 06 00 77 70 A8 51  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\\GrafBlumGroup -> AA 38 89 30 15 70 0B 27 91  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\\Lookup -> 0E 25 36 4B A8 DD  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\Auth132 -> %SystemRoot%\system32\iissuba.dll [IISSUBA] -> Microsoft Corporation [Ver = 5.00.0984 | Size = 10000 bytes | Modified Date = 5/8/2001 5:00:00 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\\SkewMatrix -> 17 1B 00 90 28 B0 A2 71 CE E4 BE 55 C6 05 DD 73  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\\SSOURL -> http://www.passport.com -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\\Time -> 70 7A DB 74 D9 CC C8 01  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Name -> Digest -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Comment -> Digest SSPI Authentication Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Capabilities -> 16464 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\RpcId -> 65535 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\TokenSize -> 65535 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Time -> 00 88 CB 69 66 4F C2 01  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Name -> DPA -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Comment -> DPA Security Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Capabilities -> 55 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\RpcId -> 17 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\TokenSize -> 768 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Time -> 00 E0 48 68 B6 D7 C0 01  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Name -> MSN -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Comment -> MSN Security Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Capabilities -> 55 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\RpcId -> 18 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\TokenSize -> 768 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Time -> 00 E0 48 68 B6 D7 C0 01  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 288 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 3 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> %SystemRoot%\system32\svchost.exe [%SystemRoot%\System32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.00.2134.1 | Size = 7952 bytes | Modified Date = 5/8/2001 5:00:00 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Internet Connection Sharing -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> RasMan; -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup ->  -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> %SystemRoot%\system32\ipnathlp.dll [%SystemRoot%\System32\ipnathlp.dll] -> Microsoft Corporation [Ver = 5.00.2195.6902 | Size = 442640 bytes | Modified Date = 1/12/2005 12:39:52 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\\Security -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> %SystemRoot%\system32\svchost.exe [%systemroot%\system32\svchost.exe -k wugroup] -> Microsoft Corporation [Ver = 5.00.2134.1 | Size = 7952 bytes | Modified Date = 5/8/2001 5:00:00 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 4 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> %SystemRoot%\system32\wuauserv.dll [C:\WINNT\system32\wuauserv.dll] -> Microsoft Corporation [Ver = 5.4.3630.2554 built by: lab04_n | Size = 9216 bytes | Modified Date = 6/19/2003 12:05:04 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Description -> Allows remote registry manipulation. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DisplayName -> Remote Registry Service -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ImagePath -> %SystemRoot%\system32\regsvc.exe [%SystemRoot%\system32\regsvc.exe] -> Microsoft Corporation [Ver = 5.00.2195.6701 | Size = 68368 bytes | Modified Date = 6/19/2003 12:05:04 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Type -> 16 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\FailureActions -> 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 E0 AD 08 00 01 00 00 00 E8 03 00 00  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\\Security -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\0 -> Root\LEGACY_REMOTEREGISTRY\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\NextInstance -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\ -> ->
*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnService -> 
RpcSs -> %SystemRoot%\system32\rpcss.dll -> Microsoft Corporation [Ver = 5.00.2195.7059 | Size = 212240 bytes | Modified Date = 9/5/2005 1:18:45 AM | Attr =	]
TcpIp ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Description -> Allows a remote user to log on to the system and run console programs using the command line. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DisplayName -> Telnet -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ImagePath -> %SystemRoot%\system32\tlntsvr.exe [%SystemRoot%\system32\tlntsvr.exe] -> Microsoft Corporation [Ver = 5.00.99206.1 | Size = 186128 bytes | Modified Date = 6/19/2003 12:05:04 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Start -> 3 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Type -> 16 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\EnableAutodial ->  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\NoNetAutodial ->  [binary data] -> 


[Files/Folders - Created Within 30 days]
AUTOEXEC.BAT -> %SystemDrive%\AUTOEXEC.BAT ->  [Ver =  | Size = 0 bytes | Created Date = 11/23/2165 5:34:13 PM | Attr =  H ]
Avenger -> %SystemDrive%\Avenger ->  [Folder | Created Date = 6/11/2008 10:58:56 AM | Attr =	]
CONFIG.SYS -> %SystemDrive%\CONFIG.SYS ->  [Ver =  | Size = 0 bytes | Created Date = 11/23/2165 5:34:13 PM | Attr =  H ]
Deckard -> %SystemDrive%\Deckard ->  [Folder | Created Date = 6/6/2008 4:42:53 PM | Attr =	]
Documents and Settings -> %SystemDrive%\Documents and Settings ->  [Folder | Created Date = 11/23/2165 8:52:49 AM | Attr =	]
fsaua.data -> %SystemDrive%\fsaua.data ->  [Folder | Created Date = 6/11/2008 1:10:57 PM | Attr =	]
IO.SYS -> %SystemDrive%\IO.SYS ->  [Ver =  | Size = 0 bytes | Created Date = 11/23/2165 5:34:13 PM | Attr = RHS]
MSDOS.SYS -> %SystemDrive%\MSDOS.SYS ->  [Ver =  | Size = 0 bytes | Created Date = 11/23/2165 5:34:13 PM | Attr = RHS]
Program Files -> %ProgramFiles% ->  [Folder | Created Date = 11/23/2165 8:53:26 AM | Attr = R  ]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Created Date = 11/23/2165 5:40:26 PM | Attr =  HS]
dgrpsetu.dll -> %SystemRoot%\System32\dllcache\dgrpsetu.dll -> Digi [Ver = 2.2.1 | Size = 123904 bytes | Created Date = 11/23/2165 8:53:24 AM | Attr =	]
dgsetup.dll -> %SystemRoot%\System32\dllcache\dgsetup.dll -> Digi International [Ver = v3.7.1.10 | Size = 85264 bytes | Created Date = 11/23/2165 8:53:23 AM | Attr =	]
eqnclass.dll -> %SystemRoot%\System32\dllcache\eqnclass.dll -> Equinox Systems Inc. [Ver = 3.0d | Size = 176400 bytes | Created Date = 11/23/2165 8:53:23 AM | Attr =	]
fpencode.dll -> %SystemRoot%\System32\dllcache\fpencode.dll ->  [Ver =  | Size = 94208 bytes | Created Date = 11/23/2165 5:35:11 PM | Attr =	]
mei32api.dll -> %SystemRoot%\System32\dllcache\mei32api.dll -> IBM Corporation [Ver = 2.60.35.0 | Size = 31232 bytes | Created Date = 11/23/2165 5:36:53 PM | Attr =	]
meiw0439.dll -> %SystemRoot%\System32\dllcache\meiw0439.dll -> IBM Corporation [Ver = 2.60.35.0 | Size = 83968 bytes | Created Date = 11/23/2165 5:36:53 PM | Attr =	]
mwave.dll -> %SystemRoot%\System32\dllcache\mwave.dll -> IBM Corporation [Ver = 2.60.35.0 | Size = 50688 bytes | Created Date = 11/23/2165 5:37:17 PM | Attr =	]
mwavesrv.dll -> %SystemRoot%\System32\dllcache\mwavesrv.dll -> IBM Corporation [Ver = 2.60.35.0 | Size = 129024 bytes | Created Date = 11/23/2165 5:37:17 PM | Attr =	]
mwblw32.dll -> %SystemRoot%\System32\dllcache\mwblw32.dll -> IBM Corporation [Ver = 2.60.35.0 | Size = 56832 bytes | Created Date = 11/23/2165 5:37:17 PM | Attr =	]
mwci32.dll -> %SystemRoot%\System32\dllcache\mwci32.dll -> IBM Corporation [Ver = 2.60.35.0 | Size = 51712 bytes | Created Date = 11/23/2165 5:37:18 PM | Attr =	]
mwcicore.dll -> %SystemRoot%\System32\dllcache\mwcicore.dll -> IBM Corporation [Ver = 2.60.35.0 | Size = 71168 bytes | Created Date = 11/23/2165 5:37:18 PM | Attr =	]
mwcload.exe -> %SystemRoot%\System32\dllcache\mwcload.exe -> IBM Corporation [Ver = 2.60.35.0 | Size = 56832 bytes | Created Date = 11/23/2165 5:37:18 PM | Attr =	]
mwcloadw.exe -> %SystemRoot%\System32\dllcache\mwcloadw.exe -> IBM Corporation [Ver = 2.60.35.0 | Size = 60928 bytes | Created Date = 11/23/2165 5:37:18 PM | Attr =	]
mwclw32.dll -> %SystemRoot%\System32\dllcache\mwclw32.dll -> IBM Corporation [Ver = 2.60.35.0 | Size = 90624 bytes | Created Date = 11/23/2165 5:37:18 PM | Attr =	]
mwcnam32.dll -> %SystemRoot%\System32\dllcache\mwcnam32.dll -> IBM Corporation [Ver = 2.60.35.0 | Size = 33280 bytes | Created Date = 11/23/2165 5:37:18 PM | Attr =	]
mwcpa32.cpl -> %SystemRoot%\System32\dllcache\mwcpa32.cpl -> IBM Corporation [Ver = 2.60.35.0 | Size = 94208 bytes | Created Date = 11/23/2165 5:37:18 PM | Attr =	]
mwcpyrt.exe -> %SystemRoot%\System32\dllcache\mwcpyrt.exe -> IBM Corporation [Ver = 2.60.35.0 | Size = 26112 bytes | Created Date = 11/23/2165 5:37:18 PM | Attr =	]
mwcsw32.exe -> %SystemRoot%\System32\dllcache\mwcsw32.exe -> IBM Corporation [Ver = 2.60.35.0 | Size = 160256 bytes | Created Date = 11/23/2165 5:37:18 PM | Attr =	]
mwmdmsvc.exe -> %SystemRoot%\System32\dllcache\mwmdmsvc.exe -> IBM Corporation [Ver = 2.60.35.0 | Size = 50688 bytes | Created Date = 11/23/2165 5:37:18 PM | Attr =	]
mwmlw32.dll -> %SystemRoot%\System32\dllcache\mwmlw32.dll -> IBM Corporation [Ver = 2.60.35.0 | Size = 262144 bytes | Created Date = 11/23/2165 5:37:19 PM | Attr =	]
mwmmw32.dll -> %SystemRoot%\System32\dllcache\mwmmw32.dll -> IBM Corporation [Ver = 2.60.35.0 | Size = 40448 bytes | Created Date = 11/23/2165 5:37:19 PM | Attr =	]
mwmpw32.dll -> %SystemRoot%\System32\dllcache\mwmpw32.dll -> IBM Corporation [Ver = 2.60.35.0 | Size = 164352 bytes | Created Date = 11/23/2165 5:37:19 PM | Attr =	]
mwmw32.dll -> %SystemRoot%\System32\dllcache\mwmw32.dll -> IBM Corporation [Ver = 2.60.35.0 | Size = 121344 bytes | Created Date = 11/23/2165 5:37:19 PM | Attr =	]
mwrcov16.exe -> %SystemRoot%\System32\dllcache\mwrcov16.exe -> IBM Corporation [Ver = 2.51:01   | Size = 42496 bytes | Created Date = 11/23/2165 5:37:19 PM | Attr =	]
mwremind.exe -> %SystemRoot%\System32\dllcache\mwremind.exe -> IBM Corporation [Ver = 2.60.35.0 | Size = 202752 bytes | Created Date = 11/23/2165 5:37:19 PM | Attr =	]
mwsetupk.sys -> %SystemRoot%\System32\dllcache\mwsetupk.sys -> IBM Corporation [Ver = 2.60.01.0 | Size = 3216 bytes | Created Date = 11/23/2165 5:37:19 PM | Attr =	]
mwssw32.exe -> %SystemRoot%\System32\dllcache\mwssw32.exe -> IBM Corporation [Ver = 2.60.35.0 | Size = 29184 bytes | Created Date = 11/23/2165 5:37:19 PM | Attr =	]
mwwdm.sys -> %SystemRoot%\System32\dllcache\mwwdm.sys -> IBM Corporation [Ver = 2.60.05.0 | Size = 39200 bytes | Created Date = 11/23/2165 5:37:19 PM | Attr =	]
mwwdmhlp.dll -> %SystemRoot%\System32\dllcache\mwwdmhlp.dll -> IBM Corporation [Ver = 2.60.35.0 | Size = 30720 bytes | Created Date = 11/23/2165 5:37:19 PM | Attr =	]
mwwtt32.dll -> %SystemRoot%\System32\dllcache\mwwtt32.dll -> IBM Corporation [Ver = 2.60.35.0 | Size = 108032 bytes | Created Date = 11/23/2165 5:37:19 PM | Attr =	]
nt5.cat -> %SystemRoot%\System32\dllcache\nt5.cat ->  [Ver =  | Size = 1969938 bytes | Created Date = 11/23/2165 8:53:07 AM | Attr =	]
pinball.exe -> %SystemRoot%\System32\dllcache\pinball.exe -> Cinematronics [Ver = 5.00.2134.1 | Size = 302352 bytes | Created Date = 11/23/2165 9:00:20 AM | Attr =	]
qtest32.exe -> %SystemRoot%\System32\dllcache\qtest32.exe -> IBM Corporation [Ver = 2.60.35.0 | Size = 155648 bytes | Created Date = 11/23/2165 5:37:48 PM | Attr =	]
qtestm32.dll -> %SystemRoot%\System32\dllcache\qtestm32.dll -> IBM Corporation [Ver = 2.60.35.0 | Size = 31744 bytes | Created Date = 11/23/2165 5:37:48 PM | Attr =	]
spxcoins.dll -> %SystemRoot%\System32\dllcache\spxcoins.dll -> Specialix International Ltd. [Ver = 1.0.0.0004 | Size = 148992 bytes | Created Date = 11/23/2165 8:53:23 AM | Attr =	]
tcarc.sys -> %SystemRoot%\System32\dllcache\tcarc.sys -> Thomas-Conrad Corporation [Ver = 1.10.0.0 | Size = 10800 bytes | Created Date = 11/23/2165 5:38:23 PM | Attr =	]
tifflt.dll -> %SystemRoot%\System32\dllcache\tifflt.dll -> Eastman Software, Inc., A Kodak Business [Ver = 5.00.2920.0000 | Size = 33552 bytes | Created Date = 11/23/2165 9:00:05 AM | Attr =	]
wangimg.exe -> %SystemRoot%\System32\dllcache\wangimg.exe -> Eastman Software, Inc., A Kodak Business [Ver = 5.00.2134.1 | Size = 7440 bytes | Created Date = 11/23/2165 5:38:33 PM | Attr =	]
xiffr3_0.dll -> %SystemRoot%\System32\dllcache\xiffr3_0.dll -> Scansoft [Ver = 3. 0. 0. 18 | Size = 641808 bytes | Created Date = 11/23/2165 9:00:05 AM | Attr =	]
xilinxit.dll -> %SystemRoot%\System32\dllcache\xilinxit.dll -> IBM Corporation [Ver = 2.60.35.0 | Size = 36352 bytes | Created Date = 11/23/2165 5:38:40 PM | Attr =	]
el90xbc5.sys -> %SystemRoot%\System32\drivers\el90xbc5.sys -> 3Com Corporation [Ver = 1.56.50.0013 | Size = 61712 bytes | Created Date = 11/23/2165 8:54:58 AM | Attr =	]
nv4.sys -> %SystemRoot%\System32\drivers\nv4.sys -> NVIDIA Corporation [Ver = 5.00.2165.0327 | Size = 345040 bytes | Created Date = 11/23/2165 8:55:10 AM | Attr =	]
amcompat.tlb -> %SystemRoot%\System32\amcompat.tlb ->  [Ver =  | Size = 16832 bytes | Created Date = 11/23/2165 5:34:12 PM | Attr =	]
AUTOEXEC.NT -> %SystemRoot%\System32\AUTOEXEC.NT ->  [Ver =  | Size = 438 bytes | Created Date = 11/23/2165 8:53:21 AM | Attr =	]
bopomofo.uce -> %SystemRoot%\System32\bopomofo.uce ->  [Ver =  | Size = 22984 bytes | Created Date = 11/23/2165 9:00:07 AM | Attr =	]
CatRoot -> %SystemRoot%\System32\CatRoot ->  [Folder | Created Date = 11/23/2165 8:53:07 AM | Attr =	]
1 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> 
Com -> %SystemRoot%\System32\Com ->  [Folder | Created Date = 11/23/2165 8:59:59 AM | Attr =	]
CONFIG.NT -> %SystemRoot%\System32\CONFIG.NT ->  [Ver =  | Size = 2620 bytes | Created Date = 11/23/2165 5:34:13 PM | Attr =	]
c_20127.nls -> %SystemRoot%\System32\c_20127.nls ->  [Ver =  | Size = 66082 bytes | Created Date = 11/23/2165 8:53:24 AM | Attr =	]
desktop.ini -> %SystemRoot%\System32\desktop.ini ->  [Ver =  | Size = 271 bytes | Created Date = 11/23/2165 5:02:25 PM | Attr =  H ]
dgrpsetu.dll -> %SystemRoot%\System32\dgrpsetu.dll -> Digi [Ver = 2.2.1 | Size = 123904 bytes | Created Date = 11/23/2165 8:53:24 AM | Attr =	]
dgsetup.dll -> %SystemRoot%\System32\dgsetup.dll -> Digi International [Ver = v3.7.1.10 | Size = 85264 bytes | Created Date = 11/23/2165 8:53:23 AM | Attr =	]
DTCLog -> %SystemRoot%\System32\DTCLog ->  [Folder | Created Date = 11/23/2165 5:00:34 PM | Attr =	]
emptyregdb.dat -> %SystemRoot%\System32\emptyregdb.dat ->  [Ver =  | Size = 15012 bytes | Created Date = 11/23/2165 5:01:37 PM | Attr =	]
EqnClass.Dll -> %SystemRoot%\System32\EqnClass.Dll -> Equinox Systems Inc. [Ver = 3.0d | Size = 176400 bytes | Created Date = 11/23/2165 8:53:23 AM | Attr =	]
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT ->  [Ver =  | Size = 97456 bytes | Created Date = 11/23/2165 8:52:48 AM | Attr =	]
folder.htt -> %SystemRoot%\System32\folder.htt ->  [Ver =  | Size = 21692 bytes | Created Date = 11/23/2165 5:02:25 PM | Attr =  H ]
gb2312.uce -> %SystemRoot%\System32\gb2312.uce ->  [Ver =  | Size = 24006 bytes | Created Date = 11/23/2165 9:00:07 AM | Attr =	]
GroupPolicy -> %SystemRoot%\System32\GroupPolicy ->  [Folder | Created Date = 11/23/2165 5:41:05 PM | Attr =  H ]
ideograf.uce -> %SystemRoot%\System32\ideograf.uce ->  [Ver =  | Size = 60458 bytes | Created Date = 11/23/2165 9:00:07 AM | Attr =	]
imgadmin.ocx -> %SystemRoot%\System32\imgadmin.ocx -> Eastman Software, Inc., A Kodak Business [Ver = 5.00.2134.1 | Size = 102672 bytes | Created Date = 11/23/2165 9:00:06 AM | Attr =	]
imgcmn.dll -> %SystemRoot%\System32\imgcmn.dll -> Eastman Software, Inc., A Kodak Business [Ver = 5.00.2134.1 | Size = 60688 bytes | Created Date = 11/23/2165 9:00:05 AM | Attr =	]
imgscan.ocx -> %SystemRoot%\System32\imgscan.ocx -> Eastman Software, Inc., A Kodak Business [Ver = 5.00.2134.1 | Size = 117520 bytes | Created Date = 11/23/2165 9:00:06 AM | Attr =	]
imgshl.dll -> %SystemRoot%\System32\imgshl.dll -> Eastman Software, Inc., A Kodak Business [Ver = 5.00.2134.1 | Size = 13584 bytes | Created Date = 11/23/2165 9:00:05 AM | Attr =	]
imgthumb.ocx -> %SystemRoot%\System32\imgthumb.ocx -> Eastman Software, Inc., A Kodak Business [Ver = 5.00.2134.1 | Size = 107792 bytes | Created Date = 11/23/2165 9:00:06 AM | Attr =	]
inetsrv -> %SystemRoot%\System32\inetsrv ->  [Folder | Created Date = 11/23/2165 5:35:04 PM | Attr =	]
ISA -> %SystemRoot%\System32\ISA ->  [Folder | Created Date = 6/5/2008 12:59:18 AM | Attr =	]
java.exe -> %SystemRoot%\System32\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.60.2 | Size = 135168 bytes | Created Date = 6/11/2008 3:38:01 PM | Attr =	]
javacpl.cpl -> %SystemRoot%\System32\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.60.2 | Size = 69632 bytes | Created Date = 6/11/2008 3:38:02 PM | Attr =	]
javaw.exe -> %SystemRoot%\System32\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.60.2 | Size = 135168 bytes | Created Date = 6/11/2008 3:38:02 PM | Attr =	]
javaws.exe -> %SystemRoot%\System32\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.60.2 | Size = 139264 bytes | Created Date = 6/11/2008 3:38:02 PM | Attr =	]
jpeg1x32.dll -> %SystemRoot%\System32\jpeg1x32.dll -> Eastman Software, Inc., A Kodak Business [Ver = 5.00.2134.1 | Size = 27920 bytes | Created Date = 11/23/2165 9:00:05 AM | Attr =	]
jpeg2x32.dll -> %SystemRoot%\System32\jpeg2x32.dll -> Eastman Software, Inc., A Kodak Business [Ver = 5.00.2134.1 | Size = 38160 bytes | Created Date = 11/23/2165 9:00:05 AM | Attr =	]
kanji_1.uce -> %SystemRoot%\System32\kanji_1.uce ->  [Ver =  | Size = 6948 bytes | Created Date = 11/23/2165 9:00:07 AM | Attr =	]
kanji_2.uce -> %SystemRoot%\System32\kanji_2.uce ->  [Ver =  | Size = 8484 bytes | Created Date = 11/23/2165 9:00:07 AM | Attr =	]
Kaspersky Lab -> %SystemRoot%\System32\Kaspersky Lab ->  [Folder | Created Date = 6/6/2008 2:33:53 PM | Attr =	]
korean.uce -> %SystemRoot%\System32\korean.uce ->  [Ver =  | Size = 12876 bytes | Created Date = 11/23/2165 9:00:07 AM | Attr =	]
mapisvc.inf -> %SystemRoot%\System32\mapisvc.inf ->  [Ver =  | Size = 535 bytes | Created Date = 11/23/2165 5:01:45 PM | Attr =	]
msdtcprf.h -> %SystemRoot%\System32\msdtcprf.h ->  [Ver =  | Size = 768 bytes | Created Date = 11/23/2165 9:00:04 AM | Attr =	]
msdtcprf.ini -> %SystemRoot%\System32\msdtcprf.ini ->  [Ver =  | Size = 1931 bytes | Created Date = 11/23/2165 9:00:04 AM | Attr =	]
n2k.bmp -> %SystemRoot%\System32\n2k.bmp ->  [Ver =  | Size = 2048 bytes | Created Date = 11/23/2165 9:00:15 AM | Attr =	]
nscompat.tlb -> %SystemRoot%\System32\nscompat.tlb ->  [Ver =  | Size = 23392 bytes | Created Date = 11/23/2165 5:34:12 PM | Attr =	]
NtmsData -> %SystemRoot%\System32\NtmsData ->  [Folder | Created Date = 11/23/2165 5:41:07 PM | Attr =	]
nv4.dll -> %SystemRoot%\System32\nv4.dll -> NVidia Corporation [Ver = 5.00.2160.0327 | Size = 530192 bytes | Created Date = 11/23/2165 8:55:10 AM | Attr =	]
oiprt400.dll -> %SystemRoot%\System32\oiprt400.dll -> Eastman Software, Inc., A Kodak Business [Ver = 5.00.2134.1 | Size = 13072 bytes | Created Date = 11/23/2165 9:00:05 AM | Attr =	]
oislb400.dll -> %SystemRoot%\System32\oislb400.dll -> Eastman Software, Inc., A Kodak Business [Ver = 5.00.2134.1 | Size = 21776 bytes | Created Date = 11/23/2165 9:00:05 AM | Attr =	]
oissq400.dll -> %SystemRoot%\System32\oissq400.dll -> Eastman Software, Inc., A Kodak Business [Ver = 5.00.2134.1 | Size = 13072 bytes | Created Date = 11/23/2165 9:00:05 AM | Attr =	]
oitwa400.dll -> %SystemRoot%\System32\oitwa400.dll -> Eastman Software, Inc., A Kodak Business [Ver = 5.00.2134.1 | Size = 25872 bytes | Created Date = 11/23/2165 9:00:05 AM | Attr =	]
oiui400.dll -> %SystemRoot%\System32\oiui400.dll -> Eastman Software, Inc., A Kodak Business [Ver = 5.00.2195.6601 | Size = 61712 bytes | Created Date = 11/23/2165 9:00:05 AM | Attr =	]
Perflib_Perfdata_268.dat -> %SystemRoot%\System32\Perflib_Perfdata_268.dat ->  [Ver =  | Size = 16384 bytes | Created Date = 6/5/2008 1:03:58 AM | Attr =	]
Perflib_Perfdata_2f0.dat -> %SystemRoot%\System32\Perflib_Perfdata_2f0.dat ->  [Ver =  | Size = 16384 bytes | Created Date = 6/5/2008 12:58:32 AM | Attr =	]
Perflib_Perfdata_334.dat -> %SystemRoot%\System32\Perflib_Perfdata_334.dat ->  [Ver =  | Size = 16384 bytes | Created Date = 6/2/2008 11:48:55 AM | Attr =	]
Perflib_Perfdata_380.dat -> %SystemRoot%\System32\Perflib_Perfdata_380.dat ->  [Ver =  | Size = 16384 bytes | Created Date = 6/7/2008 10:43:58 AM | Attr =	]
Perflib_Perfdata_418.dat -> %SystemRoot%\System32\Perflib_Perfdata_418.dat ->  [Ver =  | Size = 16384 bytes | Created Date = 6/11/2008 9:13:07 AM | Attr =	]
Perflib_Perfdata_4f0.dat -> %SystemRoot%\System32\Perflib_Perfdata_4f0.dat ->  [Ver =  | Size = 16384 bytes | Created Date = 6/6/2008 4:25:57 PM | Attr =	]
Perflib_Perfdata_500.dat -> %SystemRoot%\System32\Perflib_Perfdata_500.dat ->  [Ver =  | Size = 16384 bytes | Created Date = 6/7/2008 10:38:36 AM | Attr =	]
Perflib_Perfdata_514.dat -> %SystemRoot%\System32\Perflib_Perfdata_514.dat ->  [Ver =  | Size = 16384 bytes | Created Date = 6/8/2008 12:04:47 PM | Attr =	]
Perflib_Perfdata_520.dat -> %SystemRoot%\System32\Perflib_Perfdata_520.dat ->  [Ver =  | Size = 16384 bytes | Created Date = 6/11/2008 9:22:31 AM | Attr =	]
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI ->  [Ver =  | Size = 303354 bytes | Created Date = 11/23/2165 8:53:33 AM | Attr =	]
PerfStringBackup_001.INI -> %SystemRoot%\System32\PerfStringBackup_001.INI ->  [Ver =  | Size = 130 bytes | Created Date = 11/23/2165 9:12:46 AM | Attr =	]
rocket -> %SystemRoot%\System32\rocket ->  [Folder | Created Date = 11/23/2165 5:35:04 PM | Attr =	]
rpcproxy -> %SystemRoot%\System32\rpcproxy ->  [Folder | Created Date = 11/23/2165 5:35:04 PM | Attr =	]
shiftjis.uce -> %SystemRoot%\System32\shiftjis.uce ->  [Ver =  | Size = 16740 bytes | Created Date = 11/23/2165 9:00:07 AM | Attr =	]
spxcoins.dll -> %SystemRoot%\System32\spxcoins.dll -> Specialix International Ltd. [Ver = 1.0.0.0004 | Size = 148992 bytes | Created Date = 11/23/2165 8:53:23 AM | Attr =	]
subrange.uce -> %SystemRoot%\System32\subrange.uce ->  [Ver =  | Size = 93702 bytes | Created Date = 11/23/2165 9:00:07 AM | Attr =	]
tifflt.dll -> %SystemRoot%\System32\tifflt.dll -> Eastman Software, Inc., A Kodak Business [Ver = 5.00.2920.0000 | Size = 33552 bytes | Created Date = 11/23/2165 9:00:05 AM | Attr =	]
Tools -> %SystemRoot%\System32\Tools ->  [Folder | Created Date = 11/23/2165 5:46:56 PM | Attr =	]
tunes.bmp -> %SystemRoot%\System32\tunes.bmp ->  [Ver =  | Size = 1584 bytes | Created Date = 11/23/2165 9:00:15 AM | Attr =	]
xiffr3_0.dll -> %SystemRoot%\System32\xiffr3_0.dll -> Scansoft [Ver = 3. 0. 0. 18 | Size = 641808 bytes | Created Date = 11/23/2165 9:00:05 AM | Attr =	]
Blue Lace 16.bmp -> %SystemRoot%\Blue Lace 16.bmp ->  [Ver =  | Size = 1272 bytes | Created Date = 11/23/2165 9:00:07 AM | Attr =	]
Coffee Bean.bmp -> %SystemRoot%\Coffee Bean.bmp ->  [Ver =  | Size = 17062 bytes | Created Date = 11/23/2165 9:00:08 AM | Attr =	]
control.ini -> %SystemRoot%\control.ini ->  [Ver =  | Size = 0 bytes | Created Date = 11/23/2165 5:34:13 PM | Attr =	]
cookies.ini -> %SystemRoot%\cookies.ini ->  [Ver =  | Size = 1283 bytes | Created Date = 6/5/2008 11:20:34 AM | Attr =	]
CSC -> %SystemRoot%\CSC ->  [Folder | Created Date = 11/23/2165 5:41:03 PM | Attr =  HS]
desktop.ini -> %SystemRoot%\desktop.ini ->  [Ver =  | Size = 271 bytes | Created Date = 11/23/2165 5:02:25 PM | Attr =  H ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Created Date = 11/23/2165 5:02:24 PM | Attr =   S]
ERDNT -> %SystemRoot%\ERDNT ->  [Folder | Created Date = 6/6/2008 4:44:13 PM | Attr =	]
FeatherTexture.bmp -> %SystemRoot%\FeatherTexture.bmp ->  [Ver =  | Size = 16730 bytes | Created Date = 11/23/2165 9:00:08 AM | Attr =	]
folder.htt -> %SystemRoot%\folder.htt ->  [Ver =  | Size = 21692 bytes | Created Date = 11/23/2165 5:02:25 PM | Attr =  H ]
Gone Fishing.bmp -> %SystemRoot%\Gone Fishing.bmp ->  [Ver =  | Size = 17336 bytes | Created Date = 11/23/2165 9:00:08 AM | Attr =	]
Greenstone.bmp -> %SystemRoot%\Greenstone.bmp ->  [Ver =  | Size = 26582 bytes | Created Date = 11/23/2165 9:00:08 AM | Attr =	]
ime -> %SystemRoot%\ime ->  [Folder | Created Date = 11/23/2165 5:35:04 PM | Attr =	]
Installer -> %SystemRoot%\Installer ->  [Folder | Created Date = 11/23/2165 5:41:19 PM | Attr =  HS]
mww32 -> %SystemRoot%\mww32 ->  [Folder | Created Date = 11/23/2165 5:35:04 PM | Attr =	]
ODBCINST.INI -> %SystemRoot%\ODBCINST.INI ->  [Ver =  | Size = 4073 bytes | Created Date = 11/23/2165 8:53:31 AM | Attr =	]
Offline Web Pages -> %SystemRoot%\Offline Web Pages ->  [Folder | Created Date = 11/23/2165 5:02:24 PM | Attr = R  ]
Prairie Wind.bmp -> %SystemRoot%\Prairie Wind.bmp ->  [Ver =  | Size = 65954 bytes | Created Date = 11/23/2165 9:00:08 AM | Attr =	]
pskt.ini -> %SystemRoot%\pskt.ini ->  [Ver =  | Size = 22 bytes | Created Date = 6/5/2008 9:55:55 AM | Attr =	]
Registration -> %SystemRoot%\Registration ->  [Folder | Created Date = 11/23/2165 5:00:53 PM | Attr =	]
REGLOCS.OLD -> %SystemRoot%\REGLOCS.OLD ->  [Ver =  | Size = 8192 bytes | Created Date = 11/23/2165 6:07:47 PM | Attr =	]
Rhododendron.bmp -> %SystemRoot%\Rhododendron.bmp ->  [Ver =  | Size = 17362 bytes | Created Date = 11/23/2165 9:00:08 AM | Attr =	]
River Sumida.bmp -> %SystemRoot%\River Sumida.bmp ->  [Ver =  | Size = 26680 bytes | Created Date = 11/23/2165 9:00:08 AM | Attr =	]
Santa Fe Stucco.bmp -> %SystemRoot%\Santa Fe Stucco.bmp ->  [Ver =  | Size = 65832 bytes | Created Date = 11/23/2165 9:00:08 AM | Attr =	]
ShellIconCache -> %SystemRoot%\ShellIconCache ->  [Ver =  | Size = 1369702 bytes | Created Date = 11/23/2165 5:42:53 PM | Attr =  H ]
Soap Bubbles.bmp -> %SystemRoot%\Soap Bubbles.bmp ->  [Ver =  | Size = 65978 bytes | Created Date = 11/23/2165 9:00:08 AM | Attr =	]
Speech -> %SystemRoot%\Speech ->  [Folder | Created Date = 11/23/2165 8:53:28 AM | Attr =	]
Sun -> %SystemRoot%\Sun ->  [Folder | Created Date = 6/11/2008 3:38:33 PM | Attr =	]
Tasks -> %SystemRoot%\Tasks ->  [Folder | Created Date = 11/23/2165 5:02:03 PM | Attr =   S]
vb.ini -> %SystemRoot%\vb.ini ->  [Ver =  | Size = 36 bytes | Created Date = 11/23/2165 5:00:51 PM | Attr =	]
vbaddin.ini -> %SystemRoot%\vbaddin.ini ->  [Ver =  | Size = 37 bytes | Created Date = 11/23/2165 5:00:51 PM | Attr =	]
WMSysPrx.prx -> %SystemRoot%\WMSysPrx.prx ->  [Ver =  | Size = 288880 bytes | Created Date = 11/23/2165 6:09:58 PM | Attr =	]
Zapotec.bmp -> %SystemRoot%\Zapotec.bmp ->  [Ver =  | Size = 9522 bytes | Created Date = 11/23/2165 9:00:08 AM | Attr =	]
desktop.ini -> %SystemRoot%\tasks\desktop.ini ->  [Ver =  | Size = 65 bytes | Created Date = 11/23/2165 5:23:02 PM | Attr = RH ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Created Date = 11/23/2165 5:34:00 PM | Attr =  H ]
[Files Created - Additional Folder Scans - Non-Microsoft Only]
Adobe -> %AllUsersProfile%\Application Data\Adobe ->  [Folder | Created Date = 5/24/2008 7:03:06 PM | Attr =	]
Kaspersky Lab -> %AllUsersProfile%\Application Data\Kaspersky Lab ->  [Folder | Created Date = 6/6/2008 2:34:03 PM | Attr =	]
Microsoft -> %AllUsersProfile%\Application Data\Microsoft ->  [Folder | Created Date = 11/23/2165 9:19:53 AM | Attr =	]
Raxco -> %AllUsersProfile%\Application Data\Raxco ->  [Folder | Created Date = 6/5/2008 1:43:58 PM | Attr =	]
TELUS -> %AllUsersProfile%\Application Data\TELUS ->  [Folder | Created Date = 6/5/2008 1:34:32 PM | Attr =	]
InstallShield -> %AppData%\InstallShield ->  [Folder | Created Date = 6/5/2008 1:33:54 PM | Attr =	]
Sun -> %AppData%\Sun ->  [Folder | Created Date = 6/11/2008 3:38:33 PM | Attr =	]
TELUS -> %AppData%\TELUS ->  [Folder | Created Date = 6/5/2008 1:37:05 PM | Attr =	]
GDIPFONTCACHEV1.DAT -> %UserProfile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT ->  [Ver =  | Size = 12888 bytes | Created Date = 6/5/2008 2:19:56 PM | Attr =	]
NOS -> %UserProfile%\Local Settings\Application Data\NOS ->  [Folder | Created Date = 5/24/2008 7:01:47 PM | Attr =	]
My Faxes -> %AllUsersProfile%\Documents\My Faxes ->  [Folder | Created Date = 11/23/2165 9:19:50 AM | Attr =	]
2008%20Head%20Alpine%20Order%20Form(1).xls -> %UserProfile%\My Documents\2008%20Head%20Alpine%20Order%20Form(1).xls ->  [Ver =  | Size = 216576 bytes | Created Date = 5/21/2008 8:29:50 AM | Attr =	]
2008%20Head%20AlpineBoot.xls -> %UserProfile%\My Documents\2008%20Head%20AlpineBoot.xls ->  [Ver =  | Size = 173568 bytes | Created Date = 5/21/2008 8:52:37 AM | Attr =	]
Adobe Reader 7.0.lnk -> %AllUsersProfile%\Desktop\Adobe Reader 7.0.lnk ->  [Ver =  | Size = 1547 bytes | Created Date = 5/24/2008 7:03:12 PM | Attr =	]
TELUS eProtect.lnk -> %AllUsersProfile%\Desktop\TELUS eProtect.lnk ->  [Ver =  | Size = 1642 bytes | Created Date = 6/5/2008 1:39:50 PM | Attr =	]
#1 CCleaner.lnk -> %UserProfile%\Desktop\#1 CCleaner.lnk ->  [Ver =  | Size = 1423 bytes | Created Date = 6/5/2008 4:00:28 PM | Attr =	]
ATF-Cleaner.exe -> %UserProfile%\Desktop\ATF-Cleaner.exe -> Atribune.org [Ver = 3.00.0002 | Size = 50688 bytes | Created Date = 6/9/2008 1:51:12 PM | Attr =	]
avenger.zip -> %UserProfile%\Desktop\avenger.zip ->  [Ver =  | Size = 724952 bytes | Created Date = 6/11/2008 10:53:14 AM | Attr =	]
ccsetup208.exe -> %UserProfile%\Desktop\ccsetup208.exe -> Piriform Ltd [Ver = 2.0.0.0 | Size = 2914296 bytes | Created Date = 6/5/2008 3:59:47 PM | Attr =	]
cureit.exe -> %UserProfile%\Desktop\cureit.exe -> Doctor Web, Ltd. [Ver = 4, 44, 0, 0 | Size = 10506672 bytes | Created Date = 6/12/2008 1:02:37 PM | Attr =	]
DrWeb.csv -> %UserProfile%\Desktop\DrWeb.csv ->  [Ver =  | Size = 577 bytes | Created Date = 6/12/2008 3:06:02 PM | Attr =	]
dss.exe -> %UserProfile%\Desktop\dss.exe ->  [Ver = 3, 2, 8, 1 | Size = 686630 bytes | Created Date = 6/6/2008 4:42:04 PM | Attr =	]
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk ->  [Ver =  | Size = 708 bytes | Created Date = 6/6/2008 4:45:28 PM | Attr =	]
OTScanIt -> %UserProfile%\Desktop\OTScanIt ->  [Folder | Created Date = 6/9/2008 2:52:27 PM | Attr =	]
OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe ->  [Ver =  | Size = 568544 bytes | Created Date = 6/9/2008 1:54:17 PM | Attr =	]
PCPC_Setup_Free.exe -> %UserProfile%\Desktop\PCPC_Setup_Free.exe ->  [Ver =  | Size = 61092 bytes | Created Date = 6/6/2008 12:13:59 PM | Attr =	]
TELUS-eProtect-6_0.exe -> %UserProfile%\Desktop\TELUS-eProtect-6_0.exe -> TELUS [Ver = 6.0.1.22524 | Size = 35405104 bytes | Created Date = 6/5/2008 1:32:12 PM | Attr =	]
Adobe Reader Speed Launch.lnk -> %AllUsersProfile%\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk ->  [Ver =  | Size = 1575 bytes | Created Date = 5/24/2008 7:03:12 PM | Attr =	]
Authentium -> %CommonProgramFiles%\Authentium ->  [Folder | Created Date = 6/5/2008 1:45:16 PM | Attr =	]
InstallShield -> %CommonProgramFiles%\InstallShield ->  [Folder | Created Date = 11/23/2165 5:46:50 PM | Attr =	]
Java -> %CommonProgramFiles%\Java ->  [Folder | Created Date = 6/11/2008 3:33:48 PM | Attr =	]
Microsoft Shared -> %CommonProgramFiles%\Microsoft Shared ->  [Folder | Created Date = 11/23/2165 8:53:27 AM | Attr =	]
ODBC -> %CommonProgramFiles%\ODBC ->  [Folder | Created Date = 11/23/2165 8:53:31 AM | Attr =	]
Scanner -> %CommonProgramFiles%\Scanner ->  [Folder | Created Date = 6/5/2008 1:42:08 PM | Attr =	]
Services -> %CommonProgramFiles%\Services ->  [Folder | Created Date = 11/23/2165 5:02:05 PM | Attr =	]
System -> %CommonProgramFiles%\System ->  [Folder | Created Date = 11/23/2165 5:01:47 PM | Attr =	]
Accessories -> %ProgramFiles%\Accessories ->  [Folder | Created Date = 11/23/2165 9:00:06 AM | Attr =	]
ahead -> %ProgramFiles%\ahead ->  [Folder | Created Date = 11/23/2165 6:09:59 PM | Attr =	]
CA -> %ProgramFiles%\CA ->  [Folder | Created Date = 6/5/2008 1:42:50 PM | Attr =	]
CCleaner -> %ProgramFiles%\CCleaner ->  [Folder | Created Date = 6/5/2008 4:00:27 PM | Attr =	]
Common Files -> %CommonProgramFiles% ->  [Folder | Created Date = 11/23/2165 8:53:27 AM | Attr =	]
ComPlus Applications -> %ProgramFiles%\ComPlus Applications ->  [Folder | Created Date = 11/23/2165 5:01:37 PM | Attr =	]
desktop.ini -> %ProgramFiles%\desktop.ini ->  [Ver =  | Size = 271 bytes | Created Date = 11/23/2165 5:02:25 PM | Attr =  H ]
folder.htt -> %ProgramFiles%\folder.htt ->  [Ver =  | Size = 21952 bytes | Created Date = 11/23/2165 5:02:25 PM | Attr =  H ]
Internet Explorer -> %ProgramFiles%\Internet Explorer ->  [Folder | Created Date = 11/23/2165 5:01:50 PM | Attr =	]
Java -> %ProgramFiles%\Java ->  [Folder | Created Date = 6/11/2008 3:35:08 PM | Attr =	]
microsoft frontpage -> %ProgramFiles%\microsoft frontpage ->  [Folder | Created Date = 11/23/2165 5:35:04 PM | Attr =	]
NetMeeting -> %ProgramFiles%\NetMeeting ->  [Folder | Created Date = 11/23/2165 5:01:58 PM | Attr =	]
Network Monitor -> %ProgramFiles%\Network Monitor ->  [Folder | Created Date = 6/5/2008 12:59:30 AM | Attr =	]
Outlook Express -> %ProgramFiles%\Outlook Express ->  [Folder | Created Date = 11/23/2165 5:01:55 PM | Attr =	]
Raxco -> %ProgramFiles%\Raxco ->  [Folder | Created Date = 6/5/2008 1:43:58 PM | Attr =	]
SiSLan -> %ProgramFiles%\SiSLan ->  [Folder | Created Date = 11/23/2165 5:48:53 PM | Attr =	]
TELUS -> %ProgramFiles%\TELUS ->  [Folder | Created Date = 6/5/2008 1:36:05 PM | Attr =	]
Trend Micro -> %ProgramFiles%\Trend Micro ->  [Folder | Created Date = 6/6/2008 4:45:27 PM | Attr =	]
Windows Media Player -> %ProgramFiles%\Windows Media Player ->  [Folder | Created Date = 11/23/2165 5:02:09 PM | Attr =	]
Windows NT -> %ProgramFiles%\Windows NT ->  [Folder | Created Date = 11/23/2165 9:00:01 AM | Attr =	]

[Files/Folders - Modified Within 30 days]
AUTOEXEC.BAT -> %SystemDrive%\AUTOEXEC.BAT ->  [Ver =  | Size = 0 bytes | Modified Date = 11/23/2165 5:34:13 PM | Attr =  H ]
Avenger -> %SystemDrive%\Avenger ->  [Folder | Modified Date = 6/12/2008 12:41:50 PM | Attr =	]
boot.ini -> %SystemDrive%\boot.ini ->  [Ver =  | Size = 192 bytes | Modified Date = 11/23/2165 9:19:53 AM | Attr =  HS]
CONFIG.SYS -> %SystemDrive%\CONFIG.SYS ->  [Ver =  | Size = 0 bytes | Modified Date = 11/23/2165 5:34:13 PM | Attr =  H ]
Deckard -> %SystemDrive%\Deckard ->  [Folder | Modified Date = 6/6/2008 4:42:53 PM | Attr =	]
fsaua.data -> %SystemDrive%\fsaua.data ->  [Folder | Modified Date = 6/11/2008 1:10:57 PM | Attr =	]
IO.SYS -> %SystemDrive%\IO.SYS ->  [Ver =  | Size = 0 bytes | Modified Date = 11/23/2165 5:34:13 PM | Attr = RHS]
MSDOS.SYS -> %SystemDrive%\MSDOS.SYS ->  [Ver =  | Size = 0 bytes | Modified Date = 11/23/2165 5:34:13 PM | Attr = RHS]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 6/12/2008 12:47:58 PM | Attr = R  ]
SSPClient -> %SystemDrive%\SSPClient ->  [Folder | Modified Date = 6/5/2008 2:28:50 PM | Attr =	]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 11/23/2165 5:40:27 PM | Attr =  HS]
Temp -> %SystemDrive%\Temp ->  [Folder | Modified Date = 6/5/2008 12:59:22 AM | Attr =	]
WINNT -> %SystemRoot% ->  [Folder | Modified Date = 6/12/2008 3:14:04 PM | Attr =	]
rp_skt32.sys -> %SystemRoot%\System32\drivers\rp_skt32.sys -> Radialpoint Inc. [Ver = 6.1.11.16607 | Size = 53192 bytes | Modified Date = 6/5/2008 3:31:00 PM | Attr =	]
$winnt$.inf -> %SystemRoot%\System32\$winnt$.inf ->  [Ver =  | Size = 301 bytes | Modified Date = 11/23/2165 9:12:23 AM | Attr =	]
CatRoot -> %SystemRoot%\System32\CatRoot ->  [Folder | Modified Date = 11/23/2165 8:53:07 AM | Attr =	]
1 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> 
config -> %SystemRoot%\System32\config ->  [Folder | Modified Date = 11/23/2165 5:38:48 PM | Attr =	]
config.hsp -> %SystemRoot%\System32\config.hsp ->  [Ver =  | Size = 2577 bytes | Modified Date = 11/23/2165 5:34:13 PM | Attr =	]
desktop.ini -> %SystemRoot%\System32\desktop.ini ->  [Ver =  | Size = 271 bytes | Modified Date = 11/23/2165 5:23:29 PM | Attr =  H ]
drivers -> %SystemRoot%\System32\drivers ->  [Folder | Modified Date = 6/12/2008 12:40:43 PM | Attr =	]
DTCLog -> %SystemRoot%\System32\DTCLog ->  [Folder | Modified Date = 11/23/2165 5:00:37 PM | Attr =	]
emptyregdb.dat -> %SystemRoot%\System32\emptyregdb.dat ->  [Ver =  | Size = 15012 bytes | Modified Date = 11/23/2165 5:22:32 PM | Attr =	]
folder.htt -> %SystemRoot%\System32\folder.htt ->  [Ver =  | Size = 21692 bytes | Modified Date = 11/23/2165 5:23:29 PM | Attr =  H ]
GroupPolicy -> %SystemRoot%\System32\GroupPolicy ->  [Folder | Modified Date = 11/23/2165 5:41:05 PM | Attr =  H ]
ISA -> %SystemRoot%\System32\ISA ->  [Folder | Modified Date = 6/7/2008 11:51:40 AM | Attr =	]
Kaspersky Lab -> %SystemRoot%\System32\Kaspersky Lab ->  [Folder | Modified Date = 6/6/2008 2:33:53 PM | Attr =	]
mapisvc.inf -> %SystemRoot%\System32\mapisvc.inf ->  [Ver =  | Size = 535 bytes | Modified Date = 11/23/2165 5:22:40 PM | Attr =	]
NtmsData -> %SystemRoot%\System32\NtmsData ->  [Folder | Modified Date = 6/12/2008 3:15:26 PM | Attr =	]
perfc009.dat -> %SystemRoot%\System32\perfc009.dat ->  [Ver =  | Size = 36034 bytes | Modified Date = 11/23/2165 5:01:45 PM | Attr =	]
perfh009.dat -> %SystemRoot%\System32\perfh009.dat ->  [Ver =  | Size = 294538 bytes | Modified Date = 11/23/2165 5:01:45 PM | Attr =	]
Perflib_Perfdata_268.dat -> %SystemRoot%\System32\Perflib_Perfdata_268.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 6/5/2008 1:03:58 AM | Attr =	]
Perflib_Perfdata_2f0.dat -> %SystemRoot%\System32\Perflib_Perfdata_2f0.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 6/5/2008 12:58:32 AM | Attr =	]
Perflib_Perfdata_334.dat -> %SystemRoot%\System32\Perflib_Perfdata_334.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 6/2/2008 11:48:55 AM | Attr =	]
Perflib_Perfdata_380.dat -> %SystemRoot%\System32\Perflib_Perfdata_380.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 6/7/2008 10:43:58 AM | Attr =	]
Perflib_Perfdata_418.dat -> %SystemRoot%\System32\Perflib_Perfdata_418.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 6/11/2008 9:13:07 AM | Attr =	]
Perflib_Perfdata_4f0.dat -> %SystemRoot%\System32\Perflib_Perfdata_4f0.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 6/6/2008 4:25:57 PM | Attr =	]
Perflib_Perfdata_500.dat -> %SystemRoot%\System32\Perflib_Perfdata_500.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 6/7/2008 10:38:36 AM | Attr =	]
Perflib_Perfdata_514.dat -> %SystemRoot%\System32\Perflib_Perfdata_514.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 6/8/2008 12:04:47 PM | Attr =	]
Perflib_Perfdata_520.dat -> %SystemRoot%\System32\Perflib_Perfdata_520.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 6/11/2008 9:22:31 AM | Attr =	]
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI ->  [Ver =  | Size = 303354 bytes | Modified Date = 11/23/2165 8:53:33 AM | Attr =	]
PerfStringBackup_001.INI -> %SystemRoot%\System32\PerfStringBackup_001.INI ->  [Ver =  | Size = 130 bytes | Modified Date = 11/23/2165 9:12:46 AM | Attr =	]
rocket -> %SystemRoot%\System32\rocket ->  [Folder | Modified Date = 11/23/2165 5:35:04 PM | Attr =	]
rpcproxy -> %SystemRoot%\System32\rpcproxy ->  [Folder | Modified Date = 11/23/2165 5:35:04 PM | Attr =	]
spool -> %SystemRoot%\System32\spool ->  [Folder | Modified Date = 11/23/2165 8:59:15 AM | Attr =	]
Tools -> %SystemRoot%\System32\Tools ->  [Folder | Modified Date = 11/23/2165 5:47:01 PM | Attr =	]
control.ini -> %SystemRoot%\control.ini ->  [Ver =  | Size = 0 bytes | Modified Date = 11/23/2165 5:34:13 PM | Attr =	]
cookies.ini -> %SystemRoot%\cookies.ini ->  [Ver =  | Size = 1283 bytes | Modified Date = 6/11/2008 5:39:49 PM | Attr =	]
CSC -> %SystemRoot%\CSC ->  [Folder | Modified Date = 6/11/2008 10:43:33 AM | Attr =  HS]
Debug -> %SystemRoot%\Debug ->  [Folder | Modified Date = 6/12/2008 3:14:59 PM | Attr =	]
desktop.ini -> %SystemRoot%\desktop.ini ->  [Ver =  | Size = 271 bytes | Modified Date = 11/23/2165 5:23:29 PM | Attr =  H ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 6/11/2008 3:38:28 PM | Attr =   S]
ERDNT -> %SystemRoot%\ERDNT ->  [Folder | Modified Date = 6/6/2008 4:44:13 PM | Attr =	]
folder.htt -> %SystemRoot%\folder.htt ->  [Ver =  | Size = 21692 bytes | Modified Date = 11/23/2165 5:23:29 PM | Attr =  H ]
ime -> %SystemRoot%\ime ->  [Folder | Modified Date = 11/23/2165 5:35:04 PM | Attr =	]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 6/6/2008 2:33:52 PM | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 6/12/2008 12:53:47 PM | Attr =  HS]
java -> %SystemRoot%\java ->  [Folder | Modified Date = 11/23/2165 5:33:43 PM | Attr =	]
Media -> %SystemRoot%\Media ->  [Folder | Modified Date = 11/23/2165 9:00:14 AM | Attr =	]
Minidump -> %SystemRoot%\Minidump ->  [Folder | Modified Date = 6/11/2008 3:54:52 PM | Attr =	]
mww32 -> %SystemRoot%\mww32 ->  [Folder | Modified Date = 11/23/2165 5:35:04 PM | Attr =	]
ODBCINST.INI -> %SystemRoot%\ODBCINST.INI ->  [Ver =  | Size = 4073 bytes | Modified Date = 11/23/2165 5:33:43 PM | Attr =	]
Offline Web Pages -> %SystemRoot%\Offline Web Pages ->  [Folder | Modified Date = 11/23/2165 5:02:24 PM | Attr = R  ]
pskt.ini -> %SystemRoot%\pskt.ini ->  [Ver =  | Size = 22 bytes | Modified Date = 6/12/2008 9:59:00 AM | Attr =	]
Registration -> %SystemRoot%\Registration ->  [Folder | Modified Date = 11/23/2165 5:41:03 PM | Attr =	]
REGLOCS.OLD -> %SystemRoot%\REGLOCS.OLD ->  [Ver =  | Size = 8192 bytes | Modified Date = 11/23/2165 6:07:47 PM | Attr =	]
repair -> %SystemRoot%\repair ->  [Folder | Modified Date = 11/23/2165 5:34:54 PM | Attr =	]
security -> %SystemRoot%\security ->  [Folder | Modified Date = 6/12/2008 10:04:39 AM | Attr =	]
Speech -> %SystemRoot%\Speech ->  [Folder | Modified Date = 11/23/2165 8:53:30 AM | Attr =	]
Sun -> %SystemRoot%\Sun ->  [Folder | Modified Date = 6/11/2008 3:38:33 PM | Attr =	]
system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 231 bytes | Modified Date = 11/23/2165 9:12:41 AM | Attr =	]
system32 -> %SystemRoot%\system32 ->  [Folder | Modified Date = 6/12/2008 3:15:12 PM | Attr =	]
Tasks -> %SystemRoot%\Tasks ->  [Folder | Modified Date = 6/5/2008 11:57:02 AM | Attr =   S]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 6/12/2008 12:53:40 PM | Attr =	]
twain_32 -> %SystemRoot%\twain_32 ->  [Folder | Modified Date = 11/23/2165 5:35:04 PM | Attr =	]
vb.ini -> %SystemRoot%\vb.ini ->  [Ver =  | Size = 36 bytes | Modified Date = 11/23/2165 5:00:51 PM | Attr =	]
vbaddin.ini -> %SystemRoot%\vbaddin.ini ->  [Ver =  | Size = 37 bytes | Modified Date = 11/23/2165 5:00:51 PM | Attr =	]
winsxs -> %SystemRoot%\winsxs ->  [Folder | Modified Date = 6/5/2008 1:39:47 PM | Attr =	]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 6/12/2008 3:13:23 PM | Attr =  H ]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
Adobe -> %AllUsersProfile%\Application Data\Adobe ->  [Folder | Modified Date = 5/24/2008 7:03:06 PM | Attr =	]
Kaspersky Lab -> %AllUsersProfile%\Application Data\Kaspersky Lab ->  [Folder | Modified Date = 6/6/2008 2:34:03 PM | Attr =	]
Raxco -> %AllUsersProfile%\Application Data\Raxco ->  [Folder | Modified Date = 6/5/2008 1:43:58 PM | Attr =	]
Spybot - Search & Destroy -> %AllUsersProfile%\Application Data\Spybot - Search & Destroy ->  [Folder | Modified Date = 6/5/2008 4:02:15 PM | Attr =	]
TELUS -> %AllUsersProfile%\Application Data\TELUS ->  [Folder | Modified Date = 6/5/2008 1:38:52 PM | Attr =	]
AdobeUM -> %AppData%\AdobeUM ->  [Folder | Modified Date = 5/24/2008 7:01:47 PM | Attr =	]
InstallShield -> %AppData%\InstallShield ->  [Folder | Modified Date = 6/5/2008 1:33:54 PM | Attr =	]
Sun -> %AppData%\Sun ->  [Folder | Modified Date = 6/11/2008 3:38:33 PM | Attr =	]
TELUS -> %AppData%\TELUS ->  [Folder | Modified Date = 6/5/2008 1:37:05 PM | Attr =	]
GDIPFONTCACHEV1.DAT -> %UserProfile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT ->  [Ver =  | Size = 12888 bytes | Modified Date = 6/5/2008 2:19:56 PM | Attr =	]
NOS -> %UserProfile%\Local Settings\Application Data\NOS ->  [Folder | Modified Date = 5/24/2008 7:03:31 PM | Attr =	]
My Faxes -> %AllUsersProfile%\Documents\My Faxes ->  [Folder | Modified Date = 11/23/2165 5:22:40 PM | Attr =	]
2008%20Head%20Alpine%20Order%20Form(1).xls -> %UserProfile%\My Documents\2008%20Head%20Alpine%20Order%20Form(1).xls ->  [Ver =  | Size = 216576 bytes | Modified Date = 5/21/2008 8:29:51 AM | Attr =	]
2008%20Head%20AlpineBoot.xls -> %UserProfile%\My Documents\2008%20Head%20AlpineBoot.xls ->  [Ver =  | Size = 173568 bytes | Modified Date = 5/21/2008 8:52:37 AM | Attr =	]
Adobe Reader 7.0.lnk -> %AllUsersProfile%\Desktop\Adobe Reader 7.0.lnk ->  [Ver =  | Size = 1547 bytes | Modified Date = 5/24/2008 7:03:12 PM | Attr =	]
LorexClient.lnk -> %AllUsersProfile%\Desktop\LorexClient.lnk ->  [Ver =  | Size = 2217 bytes | Modified Date = 6/12/2008 10:01:21 AM | Attr =	]
TELUS eProtect.lnk -> %AllUsersProfile%\Desktop\TELUS eProtect.lnk ->  [Ver =  | Size = 1642 bytes | Modified Date = 6/5/2008 1:39:50 PM | Attr =	]
#1 CCleaner.lnk -> %UserProfile%\Desktop\#1 CCleaner.lnk ->  [Ver =  | Size = 1423 bytes | Modified Date = 6/5/2008 4:00:28 PM | Attr =	]
ATF-Cleaner.exe -> %UserProfile%\Desktop\ATF-Cleaner.exe -> Atribune.org [Ver = 3.00.0002 | Size = 50688 bytes | Modified Date = 6/9/2008 1:50:51 PM | Attr =	]
avenger.zip -> %UserProfile%\Desktop\avenger.zip ->  [Ver =  | Size = 724952 bytes | Modified Date = 6/11/2008 10:53:19 AM | Attr =	]
ccsetup208.exe -> %UserProfile%\Desktop\ccsetup208.exe -> Piriform Ltd [Ver = 2.0.0.0 | Size = 2914296 bytes | Modified Date = 6/5/2008 3:59:47 PM | Attr =	]
cureit.exe -> %UserProfile%\Desktop\cureit.exe -> Doctor Web, Ltd. [Ver = 4, 44, 0, 0 | Size = 10506672 bytes | Modified Date = 6/12/2008 1:02:37 PM | Attr =	]
DrWeb.csv -> %UserProfile%\Desktop\DrWeb.csv ->  [Ver =  | Size = 577 bytes | Modified Date = 6/12/2008 3:06:02 PM | Attr =	]
dss.exe -> %UserProfile%\Desktop\dss.exe ->  [Ver = 3, 2, 8, 1 | Size = 686630 bytes | Modified Date = 6/6/2008 4:42:08 PM | Attr =	]
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk ->  [Ver =  | Size = 708 bytes | Modified Date = 6/6/2008 4:45:28 PM | Attr =	]
OTScanIt -> %UserProfile%\Desktop\OTScanIt ->  [Folder | Modified Date = 6/11/2008 11:12:57 AM | Attr =	]
OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe ->  [Ver =  | Size = 568544 bytes | Modified Date = 6/9/2008 2:51:42 PM | Attr =	]
PCPC_Setup_Free.exe -> %UserProfile%\Desktop\PCPC_Setup_Free.exe ->  [Ver =  | Size = 61092 bytes | Modified Date = 6/6/2008 12:14:00 PM | Attr =	]
TELUS-eProtect-6_0.exe -> %UserProfile%\Desktop\TELUS-eProtect-6_0.exe -> TELUS [Ver = 6.0.1.22524 | Size = 35405104 bytes | Modified Date = 6/5/2008 1:32:12 PM | Attr =	]
Adobe Reader Speed Launch.lnk -> %AllUsersProfile%\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk ->  [Ver =  | Size = 1575 bytes | Modified Date = 5/24/2008 7:03:12 PM | Attr =	]
Authentium -> %CommonProgramFiles%\Authentium ->  [Folder | Modified Date = 6/5/2008 1:45:16 PM | Attr =	]
Java -> %CommonProgramFiles%\Java ->  [Folder | Modified Date = 6/11/2008 3:33:48 PM | Attr =	]
ODBC -> %CommonProgramFiles%\ODBC ->  [Folder | Modified Date = 11/23/2165 8:53:31 AM | Attr =	]
Scanner -> %CommonProgramFiles%\Scanner ->  [Folder | Modified Date = 6/5/2008 1:43:26 PM | Attr =	]

< End of report >

Cheers,
Trailcreek

#12 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:01:12 PM

Posted 12 June 2008 - 09:41 PM

Hi trailcreek. Everything looks fine other than the fact that all of the system files/folders have a date of 11/23/2165. What's up with that?

Go ahead and run the system normally for a couple of days and then get back with me and let me know if there are any continuing issues. If everything is Ok at that time, then we have some final cleanup to do and you'll be good to go.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

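As an added example (not code from the thread or from OTScanIt itself), here is a small parser for the listing format posted above that flags entries whose Created/Modified Date lies after the scan time, which is how a log reviewer would surface the 11/23/2165 dates mechanically. It assumes the line layout seen in the listing and a scan time of 12 June 2008 15:30 (a constructed value; the exact run time is not stated in the post).

```python
"""Parse OTScanIt-style file listing lines and flag implausible timestamps.

Added example for this thread; not part of the original post or of OTScanIt.
Assumed line layout (taken from the listing above):
  name -> path -> company [Ver = v | Size = n bytes | Created Date = d | Attr = a]
Folder entries carry "[Folder | Created Date = d | Attr = a]" instead.
"""
import re
from collections import Counter
from datetime import datetime

# name -> path -> company [fields]; company may be empty, attribute whitespace varies.
LINE_RE = re.compile(r"^(?P<name>.+?) -> (?P<path>.+?) -> (?P<company>.*?)\s*\[(?P<fields>.*)\]\s*$")
DATE_FMT = "%m/%d/%Y %I:%M:%S %p"

# Sample lines copied from the listing above, plus one malformed summary line
# that OTScanIt emits for *.tmp files (kept to show the parser skipping it).
SAMPLE_LINES = [
    r"java.exe -> %SystemRoot%\System32\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.60.2 | Size = 135168 bytes | Created Date = 6/11/2008 3:38:01 PM | Attr =  ]",
    r"inetsrv -> %SystemRoot%\System32\inetsrv ->  [Folder | Created Date = 11/23/2165 5:35:04 PM | Attr =  ]",
    r"CSC -> %SystemRoot%\CSC ->  [Folder | Created Date = 11/23/2165 5:41:03 PM | Attr =  HS]",
    r"1 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ",
]

# Assumed scan time (constructed): the post is dated 12 June 2008.
SCAN_TIME = datetime(2008, 6, 12, 15, 30, 0)


def parse_fields(fields):
    """Turn 'Ver = x | Size = n bytes | Created Date = d | Attr = a' into a dict."""
    info = {}
    for part in fields.split(" | "):
        if "=" in part:
            key, value = part.split("=", 1)
            info[key.strip()] = value.strip()
        else:
            info[part.strip()] = True  # bare marker such as "Folder"
    return info


def parse_line(line):
    """Return a dict for one listing line, or None if the line is not an entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    info = parse_fields(m.group("fields"))
    date_key = "Created Date" if "Created Date" in info else "Modified Date"
    if date_key not in info:
        return None
    size = info.get("Size", "")
    return {
        "name": m.group("name"),
        "path": m.group("path"),
        "company": m.group("company").strip(),
        "kind": "folder" if info.get("Folder") else "file",
        "size": int(size.split()[0]) if size else None,
        "attr": info.get("Attr", ""),
        "timestamp": datetime.strptime(info[date_key], DATE_FMT),
    }


def find_future_dated(lines, scan_time):
    """Return parsed entries whose timestamp is later than the scan time."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and entry["timestamp"] > scan_time:
            flagged.append(entry)
    return flagged


def shared_dates(lines):
    """Count entries per calendar date; a large cluster on one date stands out."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            counts[entry["timestamp"].date()] += 1
    return counts


if __name__ == "__main__":
    for entry in find_future_dated(SAMPLE_LINES, SCAN_TIME):
        print(f"future-dated: {entry['path']} ({entry['timestamp']})")
    for day, count in shared_dates(SAMPLE_LINES).most_common():
        print(f"{day}: {count} entries")
```

A cluster of system files sharing one far-future date is more consistent with a system clock that was wrong when the files were written than with each file having been modified, which is why it is worth querying rather than acting on.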

#13 trailcreek

trailcreek
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:12 AM

Posted 12 June 2008 - 10:23 PM

That's great news OT!! Yes I noticed that system date too - I have no idea where that came from and I wouldn't change unless you advise. The computer was so slow yesterday - I thought we might have disturbed something but this morning it was fantastic. I'll keep tabs on what happens over the next couple of days and keep you posted.

Cheers,
Trailcreek

#14 trailcreek

trailcreek
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:12 AM

Posted 16 June 2008 - 09:48 AM

Good morning OT, There have been no issues with the computer...running great!!

Cheers,
Trailcreek

#15 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:01:12 PM

Posted 16 June 2008 - 10:09 AM

Glad to hear it trailcreek. Then let's do some final cleanup to reset the System Restore points and remove all of the tools we used during the fix and then you are all set.

Step #1

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

Step #2

To remove all of the tools we used and the files and folders they created do the following:
  • Start OTScanIt
  • Click the CleanUp button
  • OTScanIt will download a small file from the Internet. If a security program or firewall warns you of this allow it to download.
  • OTScanIt will delete any tools downloaded and files/folders created and then ask you to reboot so it can remove itself. Click Yes.
After that you are good to go.

Cheers and Happy Computing!

OT