Trojan.win32.monder.gen (and Maybe Others?)


This topic is locked
18 replies to this topic

#1 mzswing
Members, 10 posts

Posted 14 June 2008 - 08:25 PM

First, let me say thank you to everyone who has helped me thus far. Just reading the forum has helped me keep my machine clean enough to keep functioning. However, after many scans I still find problems every time I reboot. I have done so many scans I will try to reproduce here the steps I have taken up to this point, but it might be hard to remember. I am sorry if this is too much information.

1) I got the thing from a .zip file I downloaded with utorrent. I thought my AVG free 7.5 would alert me if I downloaded anything nasty. I was wrong. Maybe because I was still using the older version after being told to upgrade to AVG8, or my settings were bad.

2) When things started to go awry (I could not connect to the internet, bubbles asking me to update Java kept popping up, system restore points vanished, the "All Programs" list would not populate, general sluggishness) I booted into safe mode and ran Spybot, Ad-Aware and AVG. Spybot found several instances of Virtumonde items. Ad-Aware found 11 critical items, and AVG found several problems. Fixing them made my machine clean enough to get a connection in regular mode, where I downloaded updates for all those programs, plus: Malwarebytes, SUPERAntiSpyware, VundoFix, Windows Defender, CCleaner, SDFix, CWShredder (just in case), HJT, Kaspersky trial version, and updates for all of them.

3) I then uninstalled AVG Free to start using the Kaspersky trial version. In the full system scan it found several Trojan.Win32.Monder.gen files, which I deleted, but it kept showing up (see report below). Then I read that I should disable System Restore and scan again. I did, and Kasper did not find that file again (see report below... nope... can't make second report; see why below...). I re-enabled System Restore. Kasper is running and has not reported any problems recently.

4) I ran all of the above fully-updated programs in turn. Malwarebytes and the Microsoft Windows Malicious Software Removal Tool initially found problems but now report clean. Spybot reported several new WinLogon additions to the start-up menu. I deleted them and all non essential start-up items. They’re BaaAAAAaaaack.

5) TeaTimer (which I disabled when required to perform other scans) reported several attempts to change registry entries; for some I recognized the program, for some I did not. One change was for regedit.exe, which I allowed and I think I shouldn't have. (From Spybot report: Allowed (based on user decision) value "" (new data: "regedit.exe "%1"") changed in REG Extension handler!) Then I backed up the registry, changed the file name to "regedit.com", went in and changed the value back to the default, and returned the file name to "regedit.exe".

6) Which pretty much brings us up to now. Here are my logs:

Deckard's System Scanner v20071014.68
Run by Armando on 2008-06-14 19:33:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-06-14 23:34:08 UTC - RP5 - Deckard's System Scanner Restore Point
2: 2008-06-14 22:10:17 UTC - RP4 - ComboFix created restore point
1: 2008-06-14 21:59:29 UTC - RP3 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 383 MiB (512 MiB recommended).


-- HijackThis (run as Armando.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:53 PM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Armando\Desktop\virus scanning\antivirus setups\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Armando.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
O2 - BHO: (no name) - {05A82BED-9FF9-411A-88A5-2647C80DE00B} - (no file)
O2 - BHO: (no name) - {07245A0A-4A03-4FB4-ADCA-73B490B8FF4B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {564F9BAC-1D62-4F2F-A8BD-E0CAE57555BA} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {CB99D17E-A4E0-4BB0-AEE5-5561BD09500D} - (no file)
O2 - BHO: (no name) - {FF5E1249-6BE1-4A5C-9954-18A9E1813A20} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Christine\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175899537015
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtrPihf - awtrPihf.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 8227 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys <Not Verified; Conexant; Diagnostic Interface>
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft® ASPI Shell>
R3 CAMCAUD (Conexant AMC Audio) - c:\windows\system32\drivers\camc6aud.sys <Not Verified; Conexant Systems Inc.; Conexant Audio Driver>
R3 CAMCHALA - c:\windows\system32\drivers\camc6hal.sys <Not Verified; Conexant Systems Inc.; Conexant AmcHal Driver>
R3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 HSFHWATI - c:\windows\system32\drivers\hsfhwati.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 QBCFMonitorService - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe" <Not Verified; Intuit; QuickBooks for Windows>

S3 QBFCService (Intuit QuickBooks FCS) - "c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe" <Not Verified; Intuit Inc.; QuickBooks 2007>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-14 18:22:00 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-06-13 12:09:10 244 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2008-06-12 23:05:13 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-14 and 2008-06-14 -----------------------------

2008-06-14 19:28:24 0 d-------- C:\Program Files\Trend Micro
2008-06-14 18:11:11 0 d-------- C:\cmdcons
2008-06-14 18:04:28 68096 --a------ C:\WINDOWS\zip.exe
2008-06-14 18:04:28 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-14 18:04:28 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-14 18:04:28 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-14 18:04:28 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-14 18:04:28 98816 --a------ C:\WINDOWS\sed.exe
2008-06-14 18:04:28 80412 --a------ C:\WINDOWS\grep.exe
2008-06-14 18:04:28 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-14 12:41:05 0 d-------- C:\VundoFix Backups
2008-06-14 12:31:41 0 d-------- C:\Program Files\Sun
2008-06-13 13:58:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-13 13:43:02 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-13 13:38:09 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-13 13:38:09 0 d-------- C:\Documents and Settings\Armando\Application Data\SUPERAntiSpyware.com
2008-06-12 10:44:56 0 d-------- C:\WINDOWS\ERUNT
2008-06-12 10:34:13 262144 --ah----- C:\Documents and Settings\Administrator\ntuser.dat
2008-06-12 09:57:17 262144 --a------ C:\Documents and Settings\Zoe\ntuser.dat
2008-06-12 09:57:16 262144 --a------ C:\Documents and Settings\Christine\ntuser.dat
2008-06-12 09:49:14 0 dr-h----- C:\Documents and Settings\Armando\Recent
2008-06-12 09:48:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-06-12 09:46:57 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-12 08:25:40 0 d-------- C:\Program Files\Mozilla Firefox(2)
2008-06-12 08:21:09 0 d-------- C:\a67f6976d7b927588f96283f568f8f
2008-06-12 08:07:50 0 d-------- C:\WINDOWS\system32\drivers\Avg(2)
2008-06-12 08:07:38 0 d-------- C:\Program Files\AVG(2)
2008-06-12 08:07:38 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8(2)
2008-06-11 22:11:09 0 d-------- C:\Documents and Settings\Armando\Application Data\Malwarebytes
2008-06-11 21:40:04 5242880 --a------ C:\Documents and Settings\Armando\ntuser.dat
2008-06-11 21:40:03 1368064 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-06-11 19:57:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-11 19:57:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 19:57:06 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 19:29:01 0 d-------- C:\Updates
2008-06-11 12:12:03 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-11 12:12:01 88774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-11 11:57:55 140064 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-11 11:57:55 5505056 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-11 11:57:53 0 d-------- C:\Program Files\Kaspersky Lab
2008-06-11 11:57:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-11 11:34:18 0 d-------- C:\kav
2008-06-11 10:23:56 0 d-------- C:\Program Files\Windows Defender
2008-06-10 16:55:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-10 16:41:42 0 d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-06-10 16:19:12 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-10 16:19:12 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-10 16:19:12 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-10 16:19:12 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-10 16:19:12 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-10 16:19:12 0 d--h----- C:\Documents and Settings\Administrator\Cookies
2008-06-10 16:19:12 0 d--h----- C:\Documents and Settings\Administrator\Application Data
2008-06-10 16:19:12 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-10 16:19:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-06-10 16:19:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-10 16:19:11 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-10 16:19:11 0 d-------- C:\Documents and Settings\Administrator\Start Menu
2008-06-10 16:19:11 0 d--h----- C:\Documents and Settings\Administrator\SendTo
2008-06-10 16:19:11 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-10 08:56:25 0 d-------- C:\Program Files\CCleaner
2008-06-09 12:56:48 0 d---s---- C:\Documents and Settings\Armando\UserData
2008-06-06 10:21:47 0 d-------- C:\Program Files\uTorrent
2008-05-18 23:04:41 0 d-------- C:\Program Files\Common Files\supportsoft
2008-05-18 22:59:46 1843200 --a------ C:\WINDOWS\system32\acXMLParser.dll <Not Verified; Apache Software Foundation; Xerces-C Version 2.7.0>
2008-05-18 22:46:04 0 d-------- C:\Program Files\Intuit
2008-05-18 22:40:54 0 d-------- C:\Documents and Settings\All Users\Application Data\COMMON FILES
2008-05-18 22:09:28 0 d-------- C:\Documents and Settings\Armando\Application Data\Download Manager
2008-05-18 22:08:19 0 d-------- C:\Program Files\Akamai
2008-05-18 10:40:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-06-14 12:31:24 0 d-------- C:\Program Files\Java
2008-06-13 13:37:21 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-11 09:42:41 0 d-------- C:\Documents and Settings\Armando\Application Data\Adobe
2008-06-11 08:41:48 0 d-------- C:\Program Files\Quicken
2008-06-10 10:56:15 0 d-------- C:\Program Files\There
2008-06-10 10:15:15 0 d-------- C:\Program Files\InterActual
2008-06-09 12:35:17 0 d-------- C:\Documents and Settings\Armando\Application Data\uTorrent
2008-06-08 12:17:50 0 d-------- C:\Documents and Settings\Armando\Application Data\Skype
2008-05-18 23:04:41 0 d-------- C:\Program Files\Common Files
2008-05-18 23:02:41 0 d-------- C:\Program Files\Google
2008-05-18 22:48:53 0 d-------- C:\Program Files\Common Files\Intuit
2008-05-18 22:04:18 0 d-------- C:\Program Files\Microsoft Money 2006
2008-05-18 10:39:47 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-18 10:35:32 0 d-------- C:\Documents and Settings\Armando\Application Data\AdobeUM


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05A82BED-9FF9-411A-88A5-2647C80DE00B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07245A0A-4A03-4FB4-ADCA-73B490B8FF4B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{564F9BAC-1D62-4F2F-A8BD-E0CAE57555BA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB99D17E-A4E0-4BB0-AEE5-5561BD09500D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF5E1249-6BE1-4A5C-9954-18A9E1813A20}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [10/11/2005 01:23 PM]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [12/13/2005 05:45 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrPihf]
awtrPihf.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"




-- End of Deckard's System Scanner: finished at 2008-06-14 19:37:05 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Turion™ 64 Mobile Technology ML-32
Percentage of Memory in Use: 65%
Physical Memory (total/avail): 382.17 MiB / 130.13 MiB
Pagefile Memory (total/avail): 920.45 MiB / 604.1 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1940.56 MiB

C: is Fixed (NTFS) - 67.08 GiB total, 17.51 GiB free.
D: is Fixed (FAT32) - 7.42 GiB total, 1 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST98823A - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 67.08 GiB - C:
\PARTITION1 - Unknown - 7.44 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Bsecure Firewall 2.0 v2.0 (BsecureFirewall)
FW: Kaspersky Internet Security v7.0.1.325 (Kaspersky Lab)
AV: Bsecure AntiVirus 2.0 v2.0 (BsecureAntiVirus) Outdated
AV: Kaspersky Internet Security v7.0.1.325 (Kaspersky Lab)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\iVisit\\iVisit.exe"="C:\\Program Files\\iVisit\\iVisit.exe:*:Disabled: iVisit "
"C:\\Documents and Settings\\Christine\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Christine\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\kav\\kis\\setup.exe"="C:\\kav\\kis\\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Disabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Disabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Armando\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CYALAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Armando
LOGONSERVER=\\CYALAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Intuit\QBPOSSDKRuntime
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PCTYPE=PRESARIO
PLATFORM=MCD
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 36 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2402
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Armando\LOCALS~1\Temp
TMP=C:\DOCUME~1\Armando\LOCALS~1\Temp
USERDOMAIN=CYALAPTOP
USERNAME=Armando
USERPROFILE=C:\Documents and Settings\Armando
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI
__PROCESS_HISTORY=C:\DOCUME~1\Armando\LOCALS~1\Temp\7zS4.tmp\setup.exe


-- User Profiles ---------------------------------------------------------------

Christine (admin)
Armando (admin)
Zoe
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{8ED4E82B-8CEA-40DE-826C-37AC7B941F81}
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
5 Card Slingo from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\5DE4D54F-AA79-43A4-9C8A-C173E7E2B025\Uninstall.exe"
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Download Manager 2.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 5.0 Limited Edition --> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\Photoshop 5.0 LE\DeIsL1.isu" -c"C:\Program Files\Adobe\Photoshop 5.0 LE\Uninst.dll"
Adobe Reader 7.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ArcSoft PhotoImpression 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D433ABC3-0CD8-4BB0-B6A9-84501B4B47B7}\Setup.exe" -l0x9
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Bejeweled 2 Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\6E377D95-DF37-4E67-B64B-68C314600BCB\Uninstall.exe"
Big Kahuna Reef from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\7948472C-423F-4134-B68F-48D660A05D71\Uninstall.exe"
Blackhawk Striker 2 from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\384E0BF4-1E1F-45A6-B60E-42144A3F15CD\Uninstall.exe"
Blasterball 2 from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\9F3399B2-9ED6-4339-84A2-686432638B86\Uninstall.exe"
Boggle Supreme from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\5658FB14-16A4-4DAE-946B-1457BE31572E\Uninstall.exe"
Bookworm Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\B0769D17-E72A-4E87-A83F-1F7A3F080008\Uninstall.exe"
Bounce Symphony from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\7A940E33-6993-404B-ABA6-ED62E8FBE615\Uninstall.exe"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Chuzzle Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\382C11F0-1A18-4F76-B8E0-15CA7F209C22\Uninstall.exe"
Codec Pack - All In 1 6.0.3.0 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Codec Pack - All In 1\irunin.ini"
Combined Community Codec Pack 2007-02-22 --> "C:\Program Files\Combined Community Codec Pack\unins001.exe"
Conexant AC-Link Audio --> C:\Program Files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -ICPL309BA.INF
Crystal Maze from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\E94C7046-2F7D-4D4D-B76F-C412DCCEAAC2\Uninstall.exe"
Customer Experience Enhancement --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{23012310-3E05-46A5-88A9-C6CBCABCAC79} /l1033
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Easy Internet Sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{8105684D-8CA6-440D-8F58-7E5FD67A499D} /l1033
EPSON CX5000 Series User's Guide --> C:\Program Files\epson\guide\cx5000_e\uninstall.exe
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
EPSON Stylus CX5000 Scanner Driver Update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{24ADC0E4-8D3E-40C4-9106-F2DE5E9112F1}\Setup.exe" -l0x9
EZ Macros --> C:\WINDOWS\amuninst.exe -fC:\WINDOWS\unezmac.ini
FATE from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\6ECB6EE6-92E1-4525-AF3B-3CE51A7C5F89\Uninstall.exe"
ffdshow --> "C:\Program Files\ffdshow\uninstall.exe"
Final Drive Nitro from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\320F055A-570F-4335-B026-16A836DB9549\Uninstall.exe"
FLAC 1.1.4b (remove only) --> C:\Program Files\FLAC\uninstall.exe
Flickr Uploadr 2.5.0.14 --> "C:\Program Files\Flickr Uploadr\uninstall.exe"
Flip Words from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\F2566CC2-D4C4-44ED-A838-3F8288D8D3FE\Uninstall.exe"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
GSpot Codec Information Appliance --> C:\Program Files\GSpot\Uninstall.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP DVD Play 2.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\setup.exe" -uninstall
HP Game Console and games --> C:\Program Files\WildTangent\Apps\hpuninstall.exe
HP Help and Support --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}\setup.exe" -l0x9 -removeonly
HP Imaging Device Functions 6.0 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Premier Software 6.0 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Rhapsody --> C:\PROGRA~1\HPRHAP~1\Unwise32.exe /A C:\PROGRA~1\HPRHAP~1\install.log
HP Software Update --> MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
HP User Guides--System Recovery --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BC96BBA7-C634-460E-AD18-A0A994213F80}\Setup.exe" -l0x9 -removeonly
HP User Guides 0025 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{52AE81CB-B786-490E-93CF-240A9891B392}\setup.exe" -l0x9 -removeonly
HP Wireless Assistant 2.00 C1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}\setup.exe" -l0x9 hpquninst
Insaniquarium Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\0E5266B4-9069-401A-93AE-5FF9F1712016\Uninstall.exe"
iTunes --> MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}
iVisit 3.7.4 --> C:\PROGRA~1\iVisit\UNINSTALL.EXE C:\PROGRA~1\iVisit\INSTALL.LOG
Java DB 10.3.1.4 --> MsiExec.exe /X{CD49361E-3FE6-457E-90A1-9C59E29B5D02}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java™ SE Development Kit 6 Update 6 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160060}
Jewel Quest from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\4C061F83-EE92-445A-A03F-184B0BD59242\Uninstall.exe"
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Lemonade Tycoon 2 from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\E90E3AE9-73E4-4E5C-BB0F-673989A808D0\Uninstall.exe"
Lexibox Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\5758A0E8-A112-4A1D-82EC-EC72F7F16B88\Uninstall.exe"
Logitech QuickCam Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C43048A9-742C-4DAD-90D2-E3B53C9DB825}\setup.exe" -l0x9
Logitech® Camera Driver --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Mah Jong Quest from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\E76A7EFF-7758-49EE-B3FA-9699830A2D6B\Uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Money 2006 --> "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
muvee autoProducer 4.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{286F29AF-0BE2-4D5F-AB17-B7631A810553}\setup.exe" -l0x9
Netscape Browser (remove only) --> "C:\Program Files\Netscape\Netscape Browser\NSUninst.exe"
Network Play System (Patching) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Electronic Arts\Network Play System\NPSPatch.isu"
Oasis from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\E332F38A-75F6-4EF2-88CC-246E8A1CB5D7\Uninstall.exe"
Office 2003 Trial Assistant --> MsiExec.exe /I{47D2103B-FD51-4017-9C20-DD408B17D726}
PCFriendly --> C:\Program Files\PCFriendly\inuninst.exe
Perfect Family Tree --> MsiExec.exe /X{A9BC92C2-83BE-474B-96D1-D63A2178AC40}
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Polar Bowler from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\7F8C5718-1BA9-4AAE-96D2-2B04D05F2D54\Uninstall.exe"
Polar Golfer from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\D2E44AA4-8665-4490-A6C9-2D0744B47B27\Uninstall.exe"
Puzzle Express from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\EF860173-4FB7-4DE1-8BE8-5400F05A0DC5\Uninstall.exe"
Quick Launch Buttons 5.20 G1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB326EC-8F40-47B2-BA22-BB092565D66F}\setup.exe" -l0x9 -uninst
QuickBooks Simple Start 2008 --> msiexec.exe /I {8ED4E82B-8CEA-40DE-826C-37AC7B941F81} UNIQUE_NAME="atomlimited" QBFULLNAME="QuickBooks Simple Start 2008" ADDREMOVE=1
Quicken 2006 --> MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
RadLight 4.0 FINAL --> C:\Program Files\RadLight Company\RadLight 4.0\uninst.exe
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{30C2FCD0-FF7B-4FFA-8DDE-43A22E01A1E7}
SCRABBLE from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\103EFD47-9F2C-4490-95DD-AE6C442AFB92\Uninstall.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Skype 3.0 --> "C:\Program Files\Skype\Phone\unins000.exe"
Skype Plugin Manager --> MsiExec.exe /I{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}
Slingo Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\C264D692-8E15-4141-96A2-5621332E5DD0\Uninstall.exe"
Slyder from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\B0202B33-E73D-4FCD-AC88-0B2971AFC116\Uninstall.exe"
Snowboard SuperJam --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\DED8E2B5-BA9F-448F-84E8-0AEF79876F95\Uninstall.exe"
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378\HXFSETUP.EXE -U -Icpl309bk.inf
Sonic Audio Module --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic Copy Module --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic Data Module --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Super Granny from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\7ED8A70C-9597-40BE-AEA0-0573182F1F51\Uninstall.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SupportSoft Assisted Service --> MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
TBS WMP Plug-in --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{4CE88F4D-B74E-4F92-9DA4-ECEB60ED362A}
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A} /l1033
The Sims --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Maxis\The Sims\Uninst.isu"
TourSetup --> MsiExec.exe /I{A01FC76F-CC09-4658-9E37-5C2F635EE708}
Tradewinds from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\1C3FDBBA-EBF7-4CDB-AD8A-A1125734AF86\Uninstall.exe"
USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C8F7C1E5-0150-11D6-A96C-00D05908F85D}\Setup.exe" -l0x9
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Wireless Home Network Setup --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{09D8492A-C8E2-421E-927D-46800FB327A3}\setup.exe" -l0x9 -removeonly
Xvid 1.1.2 final uninstall --> "C:\Program Files\Xvid\unins000.exe"
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Photos Easy Upload Tool 1v7 --> C:\WINDOWS\system32\regsvr32 /u /s "C:\WINDOWS\cache\YDropper.dll"
Zuma Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\074EEF5F-3BE8-4112-B253-C5D6CDE2924C\Uninstall.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type6916 / Error
Event Submitted/Written: 06/14/2008 07:35:44 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application notepad.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type6909 / Warning
Event Submitted/Written: 06/14/2008 06:17:23 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type6884 / Warning
Event Submitted/Written: 06/13/2008 01:53:55 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type6881 / Error
Event Submitted/Written: 06/13/2008 01:13:19 PM
Event ID/Source: 5000 / MPSampleSubmission
Event Description:
EventType mptelemetry, P1 80072ee2, P2 endsearch, P3 search, P4 1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Event Record #/Type6879 / Error
Event Submitted/Written: 06/13/2008 11:41:35 AM
Event ID/Source: 5000 / MPSampleSubmission
Event Description:
EventType mptelemetry, P1 80240016, P2 begininstall, P3 install, P4 1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type62633 / Error
Event Submitted/Written: 06/14/2008 06:19:40 PM
Event ID/Source: 30013 / ipnathlp
Event Description:
The DHCP allocator has disabled itself on IP address 192.168.2.4,
since the IP address is outside the 192.168.0.0/255.255.255.0 scope
from which addresses are being allocated to DHCP clients.
To enable the DHCP allocator on this IP address,
please change the scope to include the IP address,
or change the IP address to fall within the scope.

Event Record #/Type62596 / Error
Event Submitted/Written: 06/14/2008 02:47:02 PM
Event ID/Source: 30013 / ipnathlp
Event Description:
The DHCP allocator has disabled itself on IP address 192.168.2.4,
since the IP address is outside the 192.168.0.0/255.255.255.0 scope
from which addresses are being allocated to DHCP clients.
To enable the DHCP allocator on this IP address,
please change the scope to include the IP address,
or change the IP address to fall within the scope.

Event Record #/Type62565 / Warning
Event Submitted/Written: 06/14/2008 00:35:40 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type62561 / Error
Event Submitted/Written: 06/14/2008 00:12:06 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type62558 / Error
Event Submitted/Written: 06/14/2008 00:12:06 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126



-- End of Deckard's System Scanner: finished at 2008-06-14 19:37:05 ------------


Kaspersky:
Older:

Scan My Computer : stopped
--------------------------
Scanned: 22645
Detected: 17
Untreated: 0
Start time: 6/13/2008 9:43:50 PM
Duration: 00:56:21
Finish time: 6/13/2008 10:40:11 PM


Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan.Win32.Monder.gen File: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP426\A0115177.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.ymg File: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP427\A0119163.dll
deleted: Trojan program Trojan.Win32.Monder.gen File: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP427\A0123176.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.ymg File: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP427\A0123177.dll
deleted: Trojan program Trojan.Win32.Monder.gen File: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP431\A0125635.dll
deleted: Trojan program Trojan.Win32.Monder.gen File: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP431\A0125637.dll
deleted: Trojan program Trojan.Win32.Monder.mx File: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP431\A0125640.dll
deleted: Trojan program Trojan.Win32.Monder.gen File: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP431\A0125660.dll
deleted: Trojan program Trojan.Win32.Monder.gen File: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP431\A0125661.dll
deleted: Trojan program Trojan.Win32.Monder.gen File: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP431\A0125662.dll
deleted: Trojan program Trojan.Win32.Monder.gen File: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP431\A0125663.dll
deleted: Trojan program Trojan.Win32.Monder.gen File: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP432\A0125683.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.yhx File: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP432\A0125684.dll
deleted: adware not-a-virus:AdWare.Win32.Agent.aeh File: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP432\A0125759.exe//data0004
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.yhx File: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP434\A0129043.dll
not found: virus Heur.Invader (modification) File: C:\Documents and Settings\Administrator\Desktop\SDFix.exe/SDFix\catchme.exe
not found: virus Heur.Invader (modification) File: C:\Documents and Settings\Armando\Desktop\virus scanning\antivirus setups\SDFix.exe/SDFix\catchme.exe


Events
------
Time Name Status Reason
---- ---- ------ ------


Statistics
----------
Object Scanned Dangerous objects Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- ----------------- --------- ------- ------------------- -------- ------------ ------------------ ---------


Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives all
Scan embedded OLE objects all
Do not scan archives larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Use iChecker technology Yes
Use iSwift technology Yes
Register information about dangerous objects in application statistics Yes
Rootkit scan Yes
Extended rootkit scan No
Use heuristic analyser Yes
Heuristic analyser level 3

Kaspersky:
Newer:

OK...just now, very weirdly, the Kaspersky report that I saved from within the Kaspersky program as "kasper report 2.txt" is showing up as being 87,255 KB, and when I tried to open it, it opened as "Untitled" and caused my virtual memory to clog up...leading me to believe that perhaps this thing has associated itself with .txt files? Not that I know anything about this, but that just isn't right. So...I don't have the second report that says I am almost fine now, which probably doesn't matter now anyway because I get the distinct impression it just seeped in a little more just now.

Help me Obi Wan Kenobi, you're my only hope.
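The Kaspersky report above lists seventeen hits, but every "deleted" line points into C:\System Volume Information\_restore{...}\RPnnn\, the System Restore archive, and the two "not found" lines are heuristic verdicts on catchme.exe inside SDFix. Sorting detections by where the object lives is the first thing a helper does with such a report, because a restore-point copy is never loaded at boot while a hit under WINDOWS\system32 or a user profile still can be. The script below is an added example for this thread, not part of the post and not Kaspersky's own code; the four sample lines are quoted from the report above, and the status, verdict and path fields are read with a regular expression written for that report's line shape (an assumption, since other Kaspersky versions format the line differently).

```python
r"""Triage the 'Detected' section of a Kaspersky scan report by object location.

Added example for this thread; not part of the original post and not Kaspersky's
own code. A path under C:\System Volume Information\_restore{...}\RPnnn\ is a
restore-point copy that no load point executes; a path under WINDOWS\system32,
Program Files or a user profile is a live file. Kaspersky writes nested objects
as outer.exe/inner or outer.exe//dataNNNN, and 'not found' means the object was
gone by the time the prompted action ran (the report's Action setting was
'Prompt for action when the scan is complete').
"""
import re
from collections import Counter

# Constructed sample: four lines quoted from the report posted above.
SAMPLE_REPORT = r"""
deleted: Trojan program Trojan.Win32.Monder.gen File: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP426\A0115177.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.ymg File: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP427\A0119163.dll
deleted: adware not-a-virus:AdWare.Win32.Agent.aeh File: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP432\A0125759.exe//data0004
not found: virus Heur.Invader (modification) File: C:\Documents and Settings\Administrator\Desktop\SDFix.exe/SDFix\catchme.exe
"""

# Line shape assumed from the report: "<status>: <category words> <verdict> File: <path>"
LINE_RE = re.compile(r"^(?P<status>[a-z ]+?): (?P<verdict>.+?) File: (?P<path>.+)$")
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\"
)


def parse_detections(text):
    """Return one dict per detection line: status, dotted verdict name, object path."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # The verdict is the dotted family name (Trojan.Win32.Monder.gen); the words
        # before it ("Trojan program", "adware") are Kaspersky's category label.
        verdict = next(t for t in m.group("verdict").split() if "." in t)
        rows.append({"status": m.group("status"), "verdict": verdict, "path": m.group("path")})
    return rows


def classify(path):
    """Where the object lives: restore_point, nested_object or live_file."""
    if RESTORE_RE.search(path):
        return "restore_point"
    if "/" in path:  # forward slash marks an object nested inside an archive or installer
        return "nested_object"
    return "live_file"


def triage(text):
    """Annotate each detection with its location and count (status, location) pairs."""
    rows = parse_detections(text)
    summary = Counter()
    for r in rows:
        r["location"] = classify(r["path"])
        summary[(r["status"], r["location"])] += 1
    return rows, summary


def live_hits(rows):
    """Detections that still point at an on-disk file a load point could execute."""
    return [r for r in rows if r["location"] == "live_file" and r["status"] != "deleted"]


if __name__ == "__main__":
    rows, summary = triage(SAMPLE_REPORT)
    for r in rows:
        print(f"{r['status']:<10} {r['location']:<15} {r['verdict']}")
    print(dict(summary))
    print("live, untreated hits:", live_hits(rows))
```

On the posted report this yields no live, untreated hit: the restore-point copies are gone, and the remaining question is the two heuristic verdicts, which a helper confirms against the tool vendor's own copy of catchme.exe rather than treating as an infection. What the report cannot show is the file that keeps reinfecting on reboot, which is why the helper asks for the ComboFix log next.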


#2 mzswing (Topic Starter)

Posted 14 June 2008 - 08:37 PM

PS: I forgot to say that VundoFix found nothing, I don't really know what SDFix did, but I think it made logs somewhere. I did a combofix scan, but I did not post it since it said not to unless asked. (I was a good girl and read the How-To and Read-This-First stuff.)

PPS: Windows XP Home SP2

Also, the bus isn't coming, my report's not due (I'm a teacher on summer break...Weee-Hoooo!), I don't desperately need this fixed today (but after two days of going it solo I am sure going to appreciate some help!), so, whenever someone has the time, I'll be here, waiting.

#3 Buckeye_Sam (Malware Expert, Pickerington, Ohio)

Posted 15 June 2008 - 08:45 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Let's take a look at the log from the combofix scan that you did.
We'll see what it tells us and go from there.
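What a helper reads first in a ComboFix log is the "Reg Loading Points" section: ComboFix prints each autostart key as a [bracketed] header and, where it can resolve the file, the DLL's full path, timestamp and size on the line beneath. The script below is an added example for this thread, not part of the post and not ComboFix's own code. It applies four checks to that section: a Winlogon\Notify entry whose value is a bare DLL name with no path (a file ComboFix could not resolve on disk), a Browser Helper Object CLSID with no DLL printed under it, Security Center monitoring switched off for an antivirus product, and the Windows firewall standard profile disabled. The last two have legitimate causes (a suite such as Kaspersky Internet Security can own both), so they are reported as items to confirm rather than verdicts. The sample lines are quoted from the ComboFix log posted in reply #5 below; the header and value layout assumed by the parser is that of the 2008-06 ComboFix build shown there.

```python
r"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; not part of the original post and not ComboFix's
code. Each [key] header collects the non-blank lines printed beneath it; the
checks flag Winlogon\Notify values without a full path, BHO CLSIDs with no DLL,
Security Center monitoring disabled for an AV product, and EnableFirewall=0.
"""
import re

# Constructed sample: lines quoted from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05A82BED-9FF9-411A-88A5-2647C80DE00B}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrPihf]
awtrPihf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

FULL_PATH_RE = re.compile(r"^[A-Za-z]:\\")  # a resolved file starts with a drive letter
DISABLE_MON_RE = re.compile(r'^"DisableMonitoring"\s*=\s*dword:0*1$')
FW_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')


def parse_sections(text):
    """Map each [registry key] header to the non-blank lines printed under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections


def find_findings(sections):
    """Return (kind, subject, detail) tuples for entries that need a second look."""
    findings = []
    for key, body in sections.items():
        k = key.lower()
        leaf = key.rsplit("\\", 1)[-1]  # last path component: value name or CLSID
        if "\\winlogon\\notify\\" in k:
            # A Notify DLL loads inside winlogon.exe before any user session;
            # a bare file name means ComboFix could not find it on disk.
            for value in body:
                if not FULL_PATH_RE.match(value):
                    findings.append(("winlogon_notify_unresolved_dll", leaf, value))
        elif "\\browser helper objects\\" in k and not body:
            findings.append(("bho_without_dll", leaf, ""))
        elif "\\security center\\monitoring\\" in k:
            if any(DISABLE_MON_RE.match(v) for v in body):
                findings.append(("security_center_monitoring_off", leaf,
                                 "confirm the AV suite itself set this"))
        elif k.endswith("\\firewallpolicy\\standardprofile"):
            if any(FW_OFF_RE.match(v) for v in body):
                findings.append(("windows_firewall_off", leaf,
                                 "confirm a third-party firewall is active"))
    return findings


def triage_loading_points(text):
    """Parse a Reg Loading Points dump and return its findings in log order."""
    return find_findings(parse_sections(text))


if __name__ == "__main__":
    for kind, subject, detail in triage_loading_points(SAMPLE_LOG):
        print(f"{kind:<34} {subject:<42} {detail}")
```

Run against the posted log, the one finding that matters is the Winlogon\Notify entry awtrPihf whose value is just "awtrPihf.dll": SUPERAntiSpyware's Notify DLL resolves to a full path with a date and size, this one does not, and a DLL that loads inside winlogon.exe is exactly the position from which a file can restore its siblings on every reboot. That is the line a helper would build the next fix around.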

#4 mzswing (Topic Starter)

Posted 16 June 2008 - 09:51 AM

I just did a new ComboFix because either the virus or me stupidly removing things with CCleaner led to a complete meltdown and I had to revert to an earlier restore point. Also, is it normal that ComboFix changes my default browser? It has changed it to Explorer both times I've run it. Does that imply there is something wrong with my installation of Firefox?
wait... I just realized I reverted to a point before installing the recovery console... brb. :/

#5 mzswing (Topic Starter)

Posted 16 June 2008 - 10:12 AM

Whomp: Here it is. Thank you Sam.


ComboFix 08-06-12.2 - Armando 2008-06-16 10:55:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.101 [GMT -4:00]
Running from: C:\Documents and Settings\Armando\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Armando\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-14 19:35 . 2008-06-14 23:52 <DIR> d-------- C:\RECYCLER(2)
2008-06-14 19:33 . 2008-06-14 19:33 <DIR> d-------- C:\Deckard
2008-06-14 19:28 . 2008-06-14 19:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-14 12:41 . 2008-06-14 12:41 <DIR> d-------- C:\VundoFix Backups
2008-06-14 12:31 . 2008-06-14 12:31 <DIR> d-------- C:\Program Files\Sun
2008-06-14 12:31 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-13 13:43 . 2008-06-13 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-13 13:38 . 2008-06-13 13:38 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-13 13:38 . 2008-06-13 13:38 <DIR> d-------- C:\Documents and Settings\Armando\Application Data\SUPERAntiSpyware.com
2008-06-12 21:47 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 21:47 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-12 10:44 . 2008-06-12 10:45 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-12 10:22 . 2008-06-13 11:27 <DIR> d-------- C:\SDFix
2008-06-12 08:25 . 2008-06-12 09:47 <DIR> d-------- C:\Program Files\Mozilla Firefox(2)
2008-06-12 08:21 . 2008-06-12 09:48 <DIR> d-------- C:\a67f6976d7b927588f96283f568f8f
2008-06-12 08:08 . 2008-06-12 08:08 10,520 --a------ C:\WINDOWS\system32\avgrsstx(2).dll
2008-06-12 08:07 . 2008-06-12 08:10 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg(2)
2008-06-12 08:07 . 2008-06-12 09:48 <DIR> d-------- C:\Program Files\AVG(2)
2008-06-12 08:07 . 2008-06-12 09:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8(2)
2008-06-11 22:11 . 2008-06-11 22:11 <DIR> d-------- C:\Documents and Settings\Armando\Application Data\Malwarebytes
2008-06-11 19:57 . 2008-06-11 19:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 19:57 . 2008-06-11 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 19:57 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-11 19:57 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-11 19:29 . 2008-06-11 19:35 <DIR> d-------- C:\Updates
2008-06-11 12:12 . 2008-06-11 21:13 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-11 12:12 . 2008-06-11 21:13 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-11 11:57 . 2008-06-11 11:57 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-11 11:57 . 2008-06-16 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-11 11:57 . 2008-06-16 10:59 5,723,680 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-11 11:57 . 2008-06-16 10:59 154,912 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-11 11:57 . 2008-06-16 10:28 77,300 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-11 11:57 . 2008-06-16 10:28 15,236 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-11 11:34 . 2008-06-11 11:34 <DIR> d-------- C:\kav
2008-06-11 10:50 . 2008-06-11 11:36 0 --a------ C:\WINDOWS\system32\gekkeiqd.tmp
2008-06-11 10:23 . 2008-06-11 10:24 <DIR> d-------- C:\Program Files\Windows Defender
2008-06-10 16:19 . 2008-06-14 23:54 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-10 08:56 . 2008-06-10 08:56 <DIR> d-------- C:\Program Files\CCleaner
2008-06-09 12:56 . 2008-06-09 12:56 <DIR> d---s---- C:\Documents and Settings\Armando\UserData
2008-06-06 10:21 . 2008-06-06 10:21 <DIR> d-------- C:\Program Files\uTorrent
2008-05-18 23:04 . 2008-05-18 23:04 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-05-18 22:59 . 2007-07-30 14:44 3,518,464 --a------ C:\WINDOWS\system32\cdintf300.dll
2008-05-18 22:59 . 2007-06-28 14:09 1,843,200 --a------ C:\WINDOWS\system32\acXMLParser.dll
2008-05-18 22:46 . 2008-05-18 22:46 <DIR> d-------- C:\Program Files\Intuit
2008-05-18 22:40 . 2008-05-18 22:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\COMMON FILES
2008-05-18 22:09 . 2008-05-18 22:20 <DIR> d-------- C:\Documents and Settings\Armando\Application Data\Download Manager
2008-05-18 22:08 . 2008-05-18 22:08 <DIR> d-------- C:\Program Files\Akamai

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 14:11 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-15 04:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-15 02:15 --------- d-----w C:\Program Files\WildTangent
2008-06-14 16:31 --------- d-----w C:\Program Files\Java
2008-06-13 17:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 01:22 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-11 12:41 --------- d-----w C:\Program Files\Quicken
2008-06-10 14:56 --------- d-----w C:\Program Files\There
2008-06-10 14:15 --------- d-----w C:\Program Files\InterActual
2008-06-09 16:35 --------- d-----w C:\Documents and Settings\Armando\Application Data\uTorrent
2008-06-08 16:17 --------- d-----w C:\Documents and Settings\Armando\Application Data\Skype
2008-05-20 23:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-05-19 03:02 --------- d-----w C:\Program Files\Google
2008-05-19 02:48 --------- d-----w C:\Program Files\Common Files\Intuit
2008-05-19 02:04 --------- d-----w C:\Program Files\Microsoft Money 2006
2008-05-18 14:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-18 14:35 --------- d-----w C:\Documents and Settings\Armando\Application Data\AdobeUM
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-21 07:04 659,456 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2008-04-21 07:04 615,936 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2008-04-21 07:04 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-04-21 07:04 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-04-17 10:52 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05A82BED-9FF9-411A-88A5-2647C80DE00B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07245A0A-4A03-4FB4-ADCA-73B490B8FF4B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{564F9BAC-1D62-4F2F-A8BD-E0CAE57555BA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB99D17E-A4E0-4BB0-AEE5-5561BD09500D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF5E1249-6BE1-4A5C-9954-18A9E1813A20}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 13:23 1187840]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 17:45 507904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrPihf]
awtrPihf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\iVisit\\iVisit.exe"=
"C:\\Documents and Settings\\Christine\\Desktop\\utorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\kav\\kis\\setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"55555:TCP"= 55555:TCP:DC++1
"55555:UDP"= 55555:UDP:DC++2

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 05:06]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-13 03:05:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-16 14:32:17 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-06-13 16:09:10 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 10:59:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-16 11:01:58
ComboFix-quarantined-files.txt 2008-06-16 15:01:48
ComboFix2.txt 2008-06-16 14:38:00
ComboFix3.txt 2008-06-14 22:29:47

Pre-Run: 18,533,318,656 bytes free
Post-Run: 18,507,104,256 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

176 --- E O F --- 2008-06-13 15:44:38

#6 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 16 June 2008 - 11:00 AM

ComboFix doesn't show any signs of an active infection, so let's clean up your log just a bit.

First you must disable Spybot's TeaTimer function before proceeding with this fix. Otherwise it will interfere with HijackThis.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

=================


Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

O2 - BHO: (no name) - {05A82BED-9FF9-411A-88A5-2647C80DE00B} - (no file)
O2 - BHO: (no name) - {07245A0A-4A03-4FB4-ADCA-73B490B8FF4B} - (no file)
O2 - BHO: (no name) - {564F9BAC-1D62-4F2F-A8BD-E0CAE57555BA} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {CB99D17E-A4E0-4BB0-AEE5-5561BD09500D} - (no file)
O2 - BHO: (no name) - {FF5E1249-6BE1-4A5C-9954-18A9E1813A20} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)



Reboot your computer and post a new log from DSS.
Let me know what problems, if any, that you are still having.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
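A worked example of the check behind that fix list, added here as editor's commentary; it is not code from Buckeye_Sam, HijackThis, ComboFix or DSS. It parses HijackThis O2/O3/O20 lines as they appear in this thread, flags entries whose target reads "(no file)" or "(file missing)" (the same orphans listed above), and separately flags a Winlogon Notify entry whose value is a bare mixed-case DLL name with no path, which is how awtrPihf.dll shows up in the posted logs. The sample lines are copied from the thread's own HijackThis output; the mixed-case name heuristic and the helper names triage() and fix_list() are this example's own assumptions, not a HijackThis rule.

```python
"""Triage HijackThis-style log lines for orphaned and suspicious autostart entries.

Added example for this thread; not code from HijackThis, ComboFix or DSS.
It reproduces, as a parser that runs offline over a pasted log, two checks a
helper applies by eye when building a "Fix Checked" list:

  1. O2 (BHO), O3 (toolbar) and O20 (Winlogon Notify) entries whose target is
     "(no file)" or "(file missing)" are orphans: the registry key survived but
     the DLL it points at is gone.  The key is inert, but it is clutter and it
     would load again if a file of that name were ever recreated.
  2. O20 entries whose value is a bare, mixed-case, letters-only DLL name with
     no path (awtrPihf.dll in this thread) match the naming style of the
     Virtumonde/Vundo Winlogon Notify loader.  This is a heuristic assumed by
     this example, not a HijackThis rule.
"""
import re
from dataclasses import dataclass, field

# Sample input copied from the HijackThis output posted in this thread
# (three benign entries plus the orphans the helper listed), so the parser's
# result can be compared with the helper's fix list.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {05A82BED-9FF9-411A-88A5-2647C80DE00B} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtrPihf - awtrPihf.dll (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
ORPHAN_SECTIONS = {"O2", "O3", "O20"}
# Assumed heuristic: 6-10 letters, both cases present, ".dll", no directory part.
RANDOM_DLL_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{6,10}\.dll$")


@dataclass
class Finding:
    section: str
    ident: str                 # CLSID for O2/O3, Notify subkey name for O20
    raw: str                   # the log line exactly as it should be ticked
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Split one HijackThis line into (section, identifier, target, raw); None if not an O-line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    target = rest.rsplit(" - ", 1)[-1]            # last " - " field is the file or path
    clsid = CLSID_RE.search(rest)
    if clsid:
        ident = clsid.group(0)
    elif section == "O20":
        ident = rest.split(": ", 1)[-1].split(" - ", 1)[0]   # Winlogon\Notify subkey name
    else:
        ident = rest
    return section, ident, target, line.strip()


def triage(log_text):
    """Return a Finding for every entry that trips the orphan or random-name check."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, ident, target, raw = parsed
        reasons = []
        if section in ORPHAN_SECTIONS and any(mk in target for mk in ORPHAN_MARKERS):
            reasons.append("orphan: registry entry points at a file that no longer exists")
        if section == "O20":
            name = target.split(" (", 1)[0]       # drop a trailing "(file missing)"
            if "\\" not in name and RANDOM_DLL_RE.match(name):
                reasons.append("bare mixed-case DLL name in Winlogon\\Notify (Vundo-style loader)")
        if reasons:
            findings.append(Finding(section, ident, raw, reasons))
    return findings


def fix_list(log_text):
    """The raw lines to tick in HijackThis, in log order."""
    return [f.raw for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.ident}: {'; '.join(f.reasons)}")
```

Paste a whole HijackThis log into SAMPLE_LOG and compare fix_list() with what the helper asks you to tick. Two caveats a practitioner would keep in mind: an orphaned "(no file)" entry is inert, so removing it is cleanup rather than disinfection, and a bare-name O20 entry that is still present after the fix is the one to re-check in later logs, because Winlogon will load a DLL of that name again if anything recreates it.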

#7 mzswing (Topic Starter; Members, 10 posts)

Posted 16 June 2008 - 11:50 AM

I had to download DSS again, and while I was opening my browser Kaspersky came up with some "suspicious action" alerts. One is "Attempt to load new or modified module" for vundoFix.exe, then a separate one for mpas-fe.exe. Both Kaspersky alerts reported the running process C:\WINDOWS\explorer.exe. I had started neither of those programs, and I am fairly certain I do not have any automatic updates set up for BEFORE I open the programs. What do you make of that?

#8 mzswing (Topic Starter; Members, 10 posts)

Posted 16 June 2008 - 12:05 PM

Here are the new DSS logs.

Deckard's System Scanner v20071014.68
Run by Armando on 2008-06-16 12:56:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
7: 2008-06-16 16:56:53 UTC - RP9 - Deckard's System Scanner Restore Point
6: 2008-06-16 14:53:11 UTC - RP8 - ComboFix created restore point
5: 2008-06-15 03:51:56 UTC - RP7 - Restore Operation
4: 2008-06-15 01:50:15 UTC - RP6 - Restore Operation
3: 2008-06-14 23:34:08 UTC - RP5 - Deckard's System Scanner Restore Point


-- First Restore Point --
1: 2008-06-14 21:59:29 UTC - RP3 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 383 MiB (512 MiB recommended).


-- HijackThis (run as Armando.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:06 PM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Armando\Desktop\virus scanning\antivirus setups\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Armando.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Christine\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175899537015
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtrPihf - awtrPihf.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 7525 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080616-122922-126 O2 - BHO: (no name) - {564F9BAC-1D62-4F2F-A8BD-E0CAE57555BA} - (no file)
backup-20080616-122922-158 O2 - BHO: (no name) - {FF5E1249-6BE1-4A5C-9954-18A9E1813A20} - (no file)
backup-20080616-122922-336 O2 - BHO: (no name) - {CB99D17E-A4E0-4BB0-AEE5-5561BD09500D} - (no file)
backup-20080616-122922-346 O2 - BHO: (no name) - {07245A0A-4A03-4FB4-ADCA-73B490B8FF4B} - (no file)
backup-20080616-122922-425 O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
backup-20080616-122922-492 O2 - BHO: (no name) - {05A82BED-9FF9-411A-88A5-2647C80DE00B} - (no file)
backup-20080616-122922-521 O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys <Not Verified; Conexant; Diagnostic Interface>
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft® ASPI Shell>
R3 CAMCAUD (Conexant AMC Audio) - c:\windows\system32\drivers\camc6aud.sys <Not Verified; Conexant Systems Inc.; Conexant Audio Driver>
R3 CAMCHALA - c:\windows\system32\drivers\camc6hal.sys <Not Verified; Conexant Systems Inc.; Conexant AmcHal Driver>
R3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 HSFHWATI - c:\windows\system32\drivers\hsfhwati.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 QBCFMonitorService - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe" <Not Verified; Intuit; QuickBooks for Windows>

S3 QBFCService (Intuit QuickBooks FCS) - "c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe" <Not Verified; Intuit Inc.; QuickBooks 2007>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-16 12:35:15 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-06-13 12:09:10 244 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2008-06-12 23:05:13 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-16 and 2008-06-16 -----------------------------

2008-06-16 10:53:53 0 d-------- C:\cmdcons
2008-06-14 23:52:19 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-14 23:41:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-06-14 19:35:33 0 d-------- C:\RECYCLER(2)
2008-06-14 19:28:24 0 d-------- C:\Program Files\Trend Micro
2008-06-14 18:10:08 5107712 --a------ C:\Documents and Settings\Armando\ntuser.dat
2008-06-14 18:10:07 1368064 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-06-14 18:04:28 68096 --a------ C:\WINDOWS\zip.exe
2008-06-14 18:04:28 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-14 18:04:28 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-14 18:04:28 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-14 18:04:28 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-14 18:04:28 98816 --a------ C:\WINDOWS\sed.exe
2008-06-14 18:04:28 80412 --a------ C:\WINDOWS\grep.exe
2008-06-14 18:04:28 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-14 12:41:05 0 d-------- C:\VundoFix Backups
2008-06-14 12:31:41 0 d-------- C:\Program Files\Sun
2008-06-13 13:58:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-13 13:43:02 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-13 13:38:09 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-13 13:38:09 0 d-------- C:\Documents and Settings\Armando\Application Data\SUPERAntiSpyware.com
2008-06-12 10:44:56 0 d-------- C:\WINDOWS\ERUNT
2008-06-12 10:34:13 262144 --ah----- C:\Documents and Settings\Administrator\ntuser.dat
2008-06-12 09:57:17 262144 --a------ C:\Documents and Settings\Zoe\ntuser.dat
2008-06-12 09:57:16 262144 --a------ C:\Documents and Settings\Christine\ntuser.dat
2008-06-12 09:49:14 0 dr-h----- C:\Documents and Settings\Armando\Recent
2008-06-12 09:48:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-06-12 08:25:40 0 d-------- C:\Program Files\Mozilla Firefox(2)
2008-06-12 08:21:09 0 d-------- C:\a67f6976d7b927588f96283f568f8f
2008-06-12 08:07:50 0 d-------- C:\WINDOWS\system32\drivers\Avg(2)
2008-06-12 08:07:38 0 d-------- C:\Program Files\AVG(2)
2008-06-12 08:07:38 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8(2)
2008-06-11 22:11:09 0 d-------- C:\Documents and Settings\Armando\Application Data\Malwarebytes
2008-06-11 19:57:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-11 19:57:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 19:57:06 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 19:29:01 0 d-------- C:\Updates
2008-06-11 12:12:03 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-11 12:12:01 88774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-11 11:57:55 157984 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-11 11:57:55 5754144 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-11 11:57:53 0 d-------- C:\Program Files\Kaspersky Lab
2008-06-11 11:57:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-11 11:34:18 0 d-------- C:\kav
2008-06-11 10:23:56 0 d-------- C:\Program Files\Windows Defender
2008-06-10 16:55:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-10 16:41:42 0 d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-06-10 16:19:12 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-10 16:19:12 0 d-------- C:\Documents and Settings\Administrator\My Documents <MYDOCU~1>
2008-06-10 16:19:12 0 d--h----- C:\Documents and Settings\Administrator\Local Settings <LOCALS~1>
2008-06-10 16:19:12 0 d-------- C:\Documents and Settings\Administrator\Favorites <FAVORI~1>
2008-06-10 16:19:12 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-10 16:19:12 0 d--h----- C:\Documents and Settings\Administrator\Cookies
2008-06-10 16:19:12 0 d--h----- C:\Documents and Settings\Administrator\Application Data <APPLIC~1>
2008-06-10 16:19:12 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-10 16:19:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-06-10 16:19:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-10 16:19:11 0 d--h----- C:\Documents and Settings\Administrator\Templates <TEMPLA~1>
2008-06-10 16:19:11 0 d-------- C:\Documents and Settings\Administrator\Start Menu <STARTM~1>
2008-06-10 16:19:11 0 d--h----- C:\Documents and Settings\Administrator\SendTo
2008-06-10 16:19:11 0 d--h----- C:\Documents and Settings\Administrator\PrintHood <PRINTH~1>
2008-06-10 08:56:25 0 d-------- C:\Program Files\CCleaner
2008-06-09 12:56:48 0 d---s---- C:\Documents and Settings\Armando\UserData
2008-06-06 10:21:47 0 d-------- C:\Program Files\uTorrent
2008-05-18 23:04:41 0 d-------- C:\Program Files\Common Files\supportsoft
2008-05-18 22:59:46 1843200 --a------ C:\WINDOWS\system32\acXMLParser.dll <Not Verified; Apache Software Foundation; Xerces-C Version 2.7.0>
2008-05-18 22:46:04 0 d-------- C:\Program Files\Intuit
2008-05-18 22:40:54 0 d-------- C:\Documents and Settings\All Users\Application Data\COMMON FILES
2008-05-18 22:09:28 0 d-------- C:\Documents and Settings\Armando\Application Data\Download Manager
2008-05-18 22:08:19 0 d-------- C:\Program Files\Akamai
2008-05-18 10:40:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-06-14 22:15:21 0 d-------- C:\Program Files\WildTangent
2008-06-14 12:31:24 0 d-------- C:\Program Files\Java
2008-06-13 13:37:21 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-11 09:42:41 0 d-------- C:\Documents and Settings\Armando\Application Data\Adobe
2008-06-11 08:41:48 0 d-------- C:\Program Files\Quicken
2008-06-10 10:56:15 0 d-------- C:\Program Files\There
2008-06-10 10:15:15 0 d-------- C:\Program Files\InterActual
2008-06-09 12:35:17 0 d-------- C:\Documents and Settings\Armando\Application Data\uTorrent
2008-06-08 12:17:50 0 d-------- C:\Documents and Settings\Armando\Application Data\Skype
2008-05-18 23:04:41 0 d-------- C:\Program Files\Common Files
2008-05-18 23:02:41 0 d-------- C:\Program Files\Google
2008-05-18 22:48:53 0 d-------- C:\Program Files\Common Files\Intuit
2008-05-18 22:04:18 0 d-------- C:\Program Files\Microsoft Money 2006
2008-05-18 10:39:47 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-18 10:35:32 0 d-------- C:\Documents and Settings\Armando\Application Data\AdobeUM


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [10/11/2005 01:23 PM]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [12/13/2005 05:45 PM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [02/08/2008 06:36 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrPihf]
awtrPihf.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8724 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-16 12:58:49 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Turion™ 64 Mobile Technology ML-32
Percentage of Memory in Use: 69%
Physical Memory (total/avail): 382.17 MiB / 117.54 MiB
Pagefile Memory (total/avail): 918.68 MiB / 678.95 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.04 MiB

C: is Fixed (NTFS) - 67.08 GiB total, 17.19 GiB free.
D: is Fixed (FAT32) - 7.42 GiB total, 1 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST98823A - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 67.08 GiB - C:
\PARTITION1 - Unknown - 7.44 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Bsecure Firewall 2.0 v2.0 (BsecureFirewall)
FW: Kaspersky Internet Security v7.0.1.325 (Kaspersky Lab) Disabled
AV: Bsecure AntiVirus 2.0 v2.0 (BsecureAntiVirus) Outdated
AV: Kaspersky Internet Security v7.0.1.325 (Kaspersky Lab) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\iVisit\\iVisit.exe"="C:\\Program Files\\iVisit\\iVisit.exe:*:Disabled: iVisit "
"C:\\Documents and Settings\\Christine\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Christine\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\kav\\kis\\setup.exe"="C:\\kav\\kis\\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Armando\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CYALAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Armando
LOGONSERVER=\\CYALAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Intuit\QBPOSSDKRuntime
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PCTYPE=PRESARIO
PLATFORM=MCD
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 36 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2402
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Armando\LOCALS~1\Temp
TMP=C:\DOCUME~1\Armando\LOCALS~1\Temp
USERDOMAIN=CYALAPTOP
USERNAME=Armando
USERPROFILE=C:\Documents and Settings\Armando
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Christine (admin)
Armando (admin)
Zoe
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{8ED4E82B-8CEA-40DE-826C-37AC7B941F81}
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
5 Card Slingo from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\5DE4D54F-AA79-43A4-9C8A-C173E7E2B025\Uninstall.exe"
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Download Manager 2.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 5.0 Limited Edition --> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\Photoshop 5.0 LE\DeIsL1.isu" -c"C:\Program Files\Adobe\Photoshop 5.0 LE\Uninst.dll"
Adobe Reader 7.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ArcSoft PhotoImpression 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D433ABC3-0CD8-4BB0-B6A9-84501B4B47B7}\Setup.exe" -l0x9
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Bejeweled 2 Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\6E377D95-DF37-4E67-B64B-68C314600BCB\Uninstall.exe"
Big Kahuna Reef from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\7948472C-423F-4134-B68F-48D660A05D71\Uninstall.exe"
Blackhawk Striker 2 from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\384E0BF4-1E1F-45A6-B60E-42144A3F15CD\Uninstall.exe"
Blasterball 2 from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\9F3399B2-9ED6-4339-84A2-686432638B86\Uninstall.exe"
Boggle Supreme from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\5658FB14-16A4-4DAE-946B-1457BE31572E\Uninstall.exe"
Bookworm Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\B0769D17-E72A-4E87-A83F-1F7A3F080008\Uninstall.exe"
Bounce Symphony from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\7A940E33-6993-404B-ABA6-ED62E8FBE615\Uninstall.exe"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Chuzzle Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\382C11F0-1A18-4F76-B8E0-15CA7F209C22\Uninstall.exe"
Codec Pack - All In 1 6.0.3.0 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Codec Pack - All In 1\irunin.ini"
Combined Community Codec Pack 2007-02-22 --> "C:\Program Files\Combined Community Codec Pack\unins001.exe"
Conexant AC-Link Audio --> C:\Program Files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -ICPL309BA.INF
Crystal Maze from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\E94C7046-2F7D-4D4D-B76F-C412DCCEAAC2\Uninstall.exe"
Customer Experience Enhancement --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{23012310-3E05-46A5-88A9-C6CBCABCAC79} /l1033
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Easy Internet Sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{8105684D-8CA6-440D-8F58-7E5FD67A499D} /l1033
EPSON CX5000 Series User's Guide --> C:\Program Files\epson\guide\cx5000_e\uninstall.exe
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
EPSON Stylus CX5000 Scanner Driver Update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{24ADC0E4-8D3E-40C4-9106-F2DE5E9112F1}\Setup.exe" -l0x9
EZ Macros --> C:\WINDOWS\amuninst.exe -fC:\WINDOWS\unezmac.ini
FATE from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\6ECB6EE6-92E1-4525-AF3B-3CE51A7C5F89\Uninstall.exe"
ffdshow --> "C:\Program Files\ffdshow\uninstall.exe"
Final Drive Nitro from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\320F055A-570F-4335-B026-16A836DB9549\Uninstall.exe"
FLAC 1.1.4b (remove only) --> C:\Program Files\FLAC\uninstall.exe
Flickr Uploadr 2.5.0.14 --> "C:\Program Files\Flickr Uploadr\uninstall.exe"
Flip Words from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\F2566CC2-D4C4-44ED-A838-3F8288D8D3FE\Uninstall.exe"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
GSpot Codec Information Appliance --> C:\Program Files\GSpot\Uninstall.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP DVD Play 2.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\setup.exe" -uninstall
HP Game Console and games --> C:\Program Files\WildTangent\Apps\hpuninstall.exe
HP Help and Support --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}\setup.exe" -l0x9 -removeonly
HP Imaging Device Functions 6.0 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Premier Software 6.0 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Rhapsody --> C:\PROGRA~1\HPRHAP~1\Unwise32.exe /A C:\PROGRA~1\HPRHAP~1\install.log
HP Software Update --> MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
HP User Guides--System Recovery --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BC96BBA7-C634-460E-AD18-A0A994213F80}\Setup.exe" -l0x9 -removeonly
HP User Guides 0025 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{52AE81CB-B786-490E-93CF-240A9891B392}\setup.exe" -l0x9 -removeonly
HP Wireless Assistant 2.00 C1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}\setup.exe" -l0x9 hpquninst
Insaniquarium Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\0E5266B4-9069-401A-93AE-5FF9F1712016\Uninstall.exe"
iTunes --> MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}
iVisit 3.7.4 --> C:\PROGRA~1\iVisit\UNINSTALL.EXE C:\PROGRA~1\iVisit\INSTALL.LOG
Java DB 10.3.1.4 --> MsiExec.exe /X{CD49361E-3FE6-457E-90A1-9C59E29B5D02}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java™ SE Development Kit 6 Update 6 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160060}
Jewel Quest from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\4C061F83-EE92-445A-A03F-184B0BD59242\Uninstall.exe"
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Lemonade Tycoon 2 from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\E90E3AE9-73E4-4E5C-BB0F-673989A808D0\Uninstall.exe"
Lexibox Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\5758A0E8-A112-4A1D-82EC-EC72F7F16B88\Uninstall.exe"
Logitech QuickCam Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C43048A9-742C-4DAD-90D2-E3B53C9DB825}\setup.exe" -l0x9
Logitech® Camera Driver --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Mah Jong Quest from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\E76A7EFF-7758-49EE-B3FA-9699830A2D6B\Uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Money 2006 --> "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
muvee autoProducer 4.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{286F29AF-0BE2-4D5F-AB17-B7631A810553}\setup.exe" -l0x9
Netscape Browser (remove only) --> "C:\Program Files\Netscape\Netscape Browser\NSUninst.exe"
Network Play System (Patching) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Electronic Arts\Network Play System\NPSPatch.isu"
Oasis from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\E332F38A-75F6-4EF2-88CC-246E8A1CB5D7\Uninstall.exe"
Office 2003 Trial Assistant --> MsiExec.exe /I{47D2103B-FD51-4017-9C20-DD408B17D726}
PCFriendly --> C:\Program Files\PCFriendly\inuninst.exe
Perfect Family Tree --> MsiExec.exe /X{A9BC92C2-83BE-474B-96D1-D63A2178AC40}
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Polar Bowler from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\7F8C5718-1BA9-4AAE-96D2-2B04D05F2D54\Uninstall.exe"
Polar Golfer from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\D2E44AA4-8665-4490-A6C9-2D0744B47B27\Uninstall.exe"
Puzzle Express from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\EF860173-4FB7-4DE1-8BE8-5400F05A0DC5\Uninstall.exe"
Quick Launch Buttons 5.20 G1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB326EC-8F40-47B2-BA22-BB092565D66F}\setup.exe" -l0x9 -uninst
QuickBooks Simple Start 2008 --> msiexec.exe /I {8ED4E82B-8CEA-40DE-826C-37AC7B941F81} UNIQUE_NAME="atomlimited" QBFULLNAME="QuickBooks Simple Start 2008" ADDREMOVE=1
Quicken 2006 --> MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
RadLight 4.0 FINAL --> C:\Program Files\RadLight Company\RadLight 4.0\uninst.exe
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{30C2FCD0-FF7B-4FFA-8DDE-43A22E01A1E7}
SCRABBLE from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\103EFD47-9F2C-4490-95DD-AE6C442AFB92\Uninstall.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Skype 3.0 --> "C:\Program Files\Skype\Phone\unins000.exe"
Skype Plugin Manager --> MsiExec.exe /I{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}
Slingo Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\C264D692-8E15-4141-96A2-5621332E5DD0\Uninstall.exe"
Slyder from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\B0202B33-E73D-4FCD-AC88-0B2971AFC116\Uninstall.exe"
Snowboard SuperJam --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\DED8E2B5-BA9F-448F-84E8-0AEF79876F95\Uninstall.exe"
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378\HXFSETUP.EXE -U -Icpl309bk.inf
Sonic Audio Module --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic Copy Module --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic Data Module --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Super Granny from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\7ED8A70C-9597-40BE-AEA0-0573182F1F51\Uninstall.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SupportSoft Assisted Service --> MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
TBS WMP Plug-in --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{4CE88F4D-B74E-4F92-9DA4-ECEB60ED362A}
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A} /l1033
The Sims --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Maxis\The Sims\Uninst.isu"
TourSetup --> MsiExec.exe /I{A01FC76F-CC09-4658-9E37-5C2F635EE708}
Tradewinds from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\1C3FDBBA-EBF7-4CDB-AD8A-A1125734AF86\Uninstall.exe"
USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C8F7C1E5-0150-11D6-A96C-00D05908F85D}\Setup.exe" -l0x9
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Wireless Home Network Setup --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{09D8492A-C8E2-421E-927D-46800FB327A3}\setup.exe" -l0x9 -removeonly
Xvid 1.1.2 final uninstall --> "C:\Program Files\Xvid\unins000.exe"
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Photos Easy Upload Tool 1v7 --> C:\WINDOWS\system32\regsvr32 /u /s "C:\WINDOWS\cache\YDropper.dll"
Zuma Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\074EEF5F-3BE8-4112-B253-C5D6CDE2924C\Uninstall.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type6994 / Error
Event Submitted/Written: 06/16/2008 00:38:15 PM
Event ID/Source: 473 / ESENT
Event Description:
wuauclt (1744) Database C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb was partially detached. Error -1032 encountered updating database headers.

Event Record #/Type6993 / Error
Event Submitted/Written: 06/16/2008 00:38:10 PM
Event ID/Source: 439 / ESENT
Event Description:
wuauclt (1744) Unable to write a shadowed header for file C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb. Error -1032.

Event Record #/Type6992 / Error
Event Submitted/Written: 06/16/2008 00:38:10 PM
Event ID/Source: 490 / ESENT
Event Description:
wuauclt (1744) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Event Record #/Type6988 / Error
Event Submitted/Written: 06/16/2008 00:16:40 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SDUpdate.exe, version 1.0.8.8, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type6987 / Error
Event Submitted/Written: 06/16/2008 00:15:47 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SDUpdate.exe, version 1.0.8.8, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type62881 / Error
Event Submitted/Written: 06/16/2008 00:32:31 PM
Event ID/Source: 30013 / ipnathlp
Event Description:
The DHCP allocator has disabled itself on IP address 192.168.2.4,
since the IP address is outside the 192.168.0.0/255.255.255.0 scope
from which addresses are being allocated to DHCP clients.
To enable the DHCP allocator on this IP address,
please change the scope to include the IP address,
or change the IP address to fall within the scope.

Event Record #/Type62865 / Error
Event Submitted/Written: 06/16/2008 00:13:29 PM
Event ID/Source: 30013 / ipnathlp
Event Description:
The DHCP allocator has disabled itself on IP address 192.168.2.4,
since the IP address is outside the 192.168.0.0/255.255.255.0 scope
from which addresses are being allocated to DHCP clients.
To enable the DHCP allocator on this IP address,
please change the scope to include the IP address,
or change the IP address to fall within the scope.

Event Record #/Type62815 / Error
Event Submitted/Written: 06/16/2008 10:29:48 AM
Event ID/Source: 30013 / ipnathlp
Event Description:
The DHCP allocator has disabled itself on IP address 192.168.2.4,
since the IP address is outside the 192.168.0.0/255.255.255.0 scope
from which addresses are being allocated to DHCP clients.
To enable the DHCP allocator on this IP address,
please change the scope to include the IP address,
or change the IP address to fall within the scope.

Event Record #/Type62789 / Error
Event Submitted/Written: 06/16/2008 10:13:39 AM
Event ID/Source: 30013 / ipnathlp
Event Description:
The DHCP allocator has disabled itself on IP address 192.168.2.4,
since the IP address is outside the 192.168.0.0/255.255.255.0 scope
from which addresses are being allocated to DHCP clients.
To enable the DHCP allocator on this IP address,
please change the scope to include the IP address,
or change the IP address to fall within the scope.

Event Record #/Type62763 / Error
Event Submitted/Written: 06/15/2008 00:27:45 AM
Event ID/Source: 30013 / ipnathlp
Event Description:
The DHCP allocator has disabled itself on IP address 192.168.2.4,
since the IP address is outside the 192.168.0.0/255.255.255.0 scope
from which addresses are being allocated to DHCP clients.
To enable the DHCP allocator on this IP address,
please change the scope to include the IP address,
or change the IP address to fall within the scope.



-- End of Deckard's System Scanner: finished at 2008-06-16 12:58:49 ------------

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:30 AM

Posted 16 June 2008 - 03:50 PM

Both of those are false positives by Kaspersky. You can disregard them.

I had to download dss again and while I was opening my browser Kaspersky came up with some "suspicious action" alerts. One is: "Attempt to load new or modified module" for vundoFix.exe, then a separate one for mpas-fe.exe. Both kasper alerts reported the running process C:\WINDOWS\explorer.exe. I had started neither of those programs, and I am fairly certain I do not have any automatic updates set up for BEFORE I open the programs. What do you make of that?


If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:30 AM

Posted 16 June 2008 - 03:54 PM

Go ahead and fix these lines with Hijackthis also.

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: awtrPihf - awtrPihf.dll (file missing)



Otherwise your log looks clean to me.
Are your scans coming up clean now?


========================================================
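As an added example (not code from this thread, from HijackThis or from the helper), a small Python script that applies the reasoning behind the fix list above: an O16 download record with no source URL or superseded by a newer Java plug-in, and an O18 or O20 entry whose DLL is marked "(file missing)", point at nothing and are safe to remove. The lines are embedded as constructed input copied from the post; the rule names are this example's own.

```python
"""Triage HijackThis O16 / O18 / O20 lines for dangling or superseded entries."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the HijackThis lines quoted in the post above.
HJT_LINES = """\
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: awtrPihf - awtrPihf.dll (file missing)
"""

# HijackThis section formats (O16 = Downloaded Program Files, O18 = protocol
# handlers, O20 = Winlogon Notify packages); CLSID is the usual GUID form.
CLSID = r"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
O16_RE = re.compile(r"^O16 - DPF: " + CLSID + r" \((.*)\) -\s*(\S*)\s*$")
O18_RE = re.compile(r"^O18 - Protocol: (\S+) - " + CLSID + r" - (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
JAVA_VER_RE = re.compile(r"Java Plug-in (\d+)\.(\d+)\.(\d+)_(\d+)")


def java_version(name: str) -> Optional[Tuple[int, ...]]:
    """'Java Plug-in 1.6.0_05' -> (1, 6, 0, 5); None for non-Java names."""
    m = JAVA_VER_RE.search(name)
    return tuple(int(g) for g in m.groups()) if m else None


def fmt_version(v: Tuple[int, ...]) -> str:
    return f"{v[0]}.{v[1]}.{v[2]}_{v[3]:02d}"


def triage(text: str) -> List[Dict[str, object]]:
    """Return one finding per line that is safe to remove, with the reasons why."""
    findings: List[Dict[str, object]] = []
    o16: List[Tuple[str, ...]] = []  # (line, clsid, name, url)

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O16_RE.match(line)
        if m:
            o16.append((line,) + m.groups())
            continue
        m = O18_RE.match(line)
        if m:
            proto, _clsid, handler = m.groups()
            # A protocol handler whose DLL is gone can never service the protocol.
            if "(file missing)" in handler:
                findings.append({"section": "O18", "id": proto, "line": line,
                                 "reasons": ["handler DLL is missing"]})
            continue
        m = O20_RE.match(line)
        if m:
            name, dll = m.groups()
            # Winlogon Notify packages load into winlogon.exe at logon; a missing
            # DLL is residue of a removed component that keeps a hook slot alive.
            if "(file missing)" in dll:
                findings.append({"section": "O20", "id": name, "line": line,
                                 "reasons": ["notify DLL is missing"]})
            continue

    # O16 rules need the whole set: the newest Java plug-in supersedes the rest.
    versions = [java_version(name) for _, _, name, _ in o16]
    newest = max((v for v in versions if v), default=None)
    for (line, clsid, name, url), ver in zip(o16, versions):
        reasons = []
        if not url:
            reasons.append("no source URL recorded")
        if ver and newest and ver < newest:
            reasons.append(f"superseded by Java Plug-in {fmt_version(newest)}")
        if reasons:
            findings.append({"section": "O16", "id": clsid, "line": line,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(HJT_LINES):
        print(f"{f['section']} {f['id']}: {'; '.join(f['reasons'])}")
```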

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:30 AM

Posted 27 June 2008 - 11:02 AM

Topic reopened.

Edited by Buckeye_Sam, 27 June 2008 - 02:21 PM.



========================================================

#12 mzswing

mzswing
  • Topic Starter

  • Members
  • 10 posts
  • Local time:06:30 AM

Posted 27 June 2008 - 01:43 PM

Go ahead and fix these lines with Hijackthis also.

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: awtrPihf - awtrPihf.dll (file missing)



Otherwise your log looks clean to me.
Are your scans coming up clean now?


Sorry, something went wrong. I posted a response that things seem to be mostly clean, then waited for you to respond, but it seems my response never posted and I was not notified of a response from you until you closed the thread.

I am running into some weird stuff with Kaspersky blocking suspicious activity, like when trying to install the most recent version of movie maker something was blocked and I think it didn't install correctly...and I am inclined to turn off the extreme protection, but I am afraid that if I do a virus will take hold again. And, just yesterday Kasper reported finding Heur.Invader but neutralized it. Perhaps now that a few days have passed it would be good to run another scan? My trial period is about to run out anyway and I think I will go back to AVG free 8. Opinion? Should I invest in Kaspersky?

#13 mzswing

mzswing
  • Topic Starter

  • Members
  • 10 posts
  • Local time:06:30 AM

Posted 27 June 2008 - 01:53 PM

And, I almost forgot to mention, Kaspersky reported that "Process (PID 1244) tried to access Kaspersky Internet Security process" but it was blocked. Then it said the blacklist file was missing or corrupt and I had to update to get a new one.

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:30 AM

Posted 27 June 2008 - 02:23 PM

Can you post the log from Kaspersky?


========================================================

#15 mzswing

mzswing
  • Topic Starter

  • Members
  • 10 posts
  • Local time:06:30 AM

Posted 27 June 2008 - 03:23 PM

I am running a full system scan right now; I'll post that log when it is done, but here is the txt file for recent activity in Kaspersky "Proactive Defense". Some of the entries were repeated 5-10 times, so I took out repeat entries that occurred within 1 second of each other. I will post the whole thing if you think that would be helpful, but I just thought it would take up too much space.

Proactive Defense : running
---------------------------
Events monitored: 84
Blocked: 3
Start time: 6/26/2008 10:38:11 PM
Duration: 17:26:55


Detected
--------
Status Object
------ ------


Events
------
Time Name Event
---- ---- -----
6/26/2008 10:38:36 PM C:\WINDOWS\system32\wuauclt.exe Attempt to run process as a child of C:\WINDOWS\System32\svchost.exe (PID: 1692).
6/26/2008 10:38:36 PM C:\WINDOWS\system32\wuauclt.exe Action allowed.
6/26/2008 10:45:10 PM C:\WINDOWS\system32\wuauclt.exe Attempt to run process as a child of C:\WINDOWS\System32\svchost.exe (PID: 1692).
6/26/2008 10:45:10 PM C:\WINDOWS\system32\wuauclt.exe Action allowed.
6/26/2008 11:08:06 PM C:\WINDOWS\system32\userinit.exe Attempt to run process as a child of \\?\C:\WINDOWS\system32\winlogon.exe (PID: 1244).
6/26/2008 11:08:06 PM C:\WINDOWS\system32\userinit.exe Action allowed.
6/26/2008 11:08:08 PM C:\WINDOWS\explorer.exe Attempt to run process as a child of C:\WINDOWS\system32\userinit.exe (PID: 1436).
6/26/2008 11:08:08 PM C:\WINDOWS\explorer.exe Action allowed.
6/26/2008 11:08:30 PM C:\WINDOWS\explorer.exe Attempt to load a new or modified module C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe into process.
6/26/2008 11:08:30 PM C:\WINDOWS\explorer.exe Action allowed (by exclusions).
6/26/2008 11:10:44 PM C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe Process is trying to inject module C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe into all processes. This behavior is typical of some malicious programs.
6/26/2008 11:10:44 PM C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe Action allowed (by exclusions).
6/27/2008 1:16:30 AM C:\WINDOWS\System32\svchost.exe Attempt to load a new or modified module C:\WINDOWS\system32\rasautou.exe into process.
6/27/2008 1:16:30 AM C:\WINDOWS\System32\svchost.exe Action allowed.

6/27/2008 1:16:31 AM C:\WINDOWS\system32\wuauclt.exe Attempt to run process as a child of C:\WINDOWS\System32\svchost.exe (PID: 1692).
6/27/2008 1:16:31 AM C:\WINDOWS\system32\wuauclt.exe Action allowed.
6/27/2008 1:16:32 AM C:\WINDOWS\System32\svchost.exe Attempt to load a new or modified module C:\WINDOWS\system32\wbem\wbemcons.dll into process.
6/27/2008 1:16:32 AM C:\WINDOWS\System32\svchost.exe Action allowed.
6/27/2008 1:16:33 AM C:\WINDOWS\system32\winlogon.exe Attempt to load a new or modified module C:\WINDOWS\system32\drivers\atapi.sys into process.
6/27/2008 1:16:33 AM C:\WINDOWS\system32\winlogon.exe Action allowed.
6/27/2008 1:16:33 AM C:\WINDOWS\System32\svchost.exe Attempt to load a new or modified module C:\WINDOWS\system32\wbem\wbemcons.dll into process.
6/27/2008 1:16:33 AM C:\WINDOWS\System32\svchost.exe Action allowed.
6/27/2008 1:16:33 AM C:\WINDOWS\System32\svchost.exe Attempt to load a new or modified module C:\WINDOWS\system32\wbem\wbemcons.dll into process.
6/27/2008 1:16:33 AM C:\WINDOWS\System32\svchost.exe Action allowed.
6/27/2008 1:16:33 AM C:\WINDOWS\system32\winlogon.exe Attempt to load a new or modified module C:\WINDOWS\system32\drivers\wmilib.sys into process.
6/27/2008 1:16:33 AM C:\WINDOWS\system32\winlogon.exe Action allowed.
6/27/2008 1:16:37 AM C:\WINDOWS\System32\svchost.exe Attempt to load a new or modified module C:\WINDOWS\system32\wbem\wbemprox.dll into process.
6/27/2008 1:16:37 AM C:\WINDOWS\System32\svchost.exe Action allowed.


6/27/2008 2:47:12 PM C:\WINDOWS\System32\svchost.exe Attempt to load a new or modified module C:\WINDOWS\system32\wuapi.dll into process.
6/27/2008 2:47:12 PM C:\WINDOWS\System32\svchost.exe Action allowed.

6/27/2008 2:47:18 PM C:\WINDOWS\System32\svchost.exe Attempt to load a new or modified module C:\WINDOWS\system32\xmlprovi.dll into process.
6/27/2008 2:47:18 PM C:\WINDOWS\System32\svchost.exe Action allowed.

6/27/2008 3:22:58 PM C:\WINDOWS\system32\rundll32.exe Attempt to load a new or modified module C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\msvcr80.dll into process.
6/27/2008 3:22:58 PM C:\WINDOWS\system32\rundll32.exe Action blocked.
6/27/2008 3:22:58 PM C:\WINDOWS\system32\rundll32.exe Attempt to load a new or modified module C:\WINDOWS\system32\appwiz.cpl into process.
6/27/2008 3:22:58 PM C:\WINDOWS\system32\rundll32.exe Action allowed.

6/27/2008 3:22:59 PM C:\WINDOWS\system32\rundll32.exe Attempt to load a new or modified module C:\WINDOWS\system32\moricons.dll into process.
6/27/2008 3:22:59 PM C:\WINDOWS\system32\rundll32.exe Action allowed.

6/27/2008 3:23:00 PM C:\WINDOWS\system32\rundll32.exe Attempt to load a new or modified module C:\WINDOWS\system32\wuapi.dll into process.
6/27/2008 3:23:00 PM C:\WINDOWS\system32\rundll32.exe Action allowed.

6/27/2008 3:23:02 PM C:\WINDOWS\system32\wuauclt.exe Attempt to run process as a child of C:\WINDOWS\System32\svchost.exe (PID: 1692).
6/27/2008 3:23:02 PM C:\WINDOWS\system32\wuauclt.exe Action allowed.
6/27/2008 3:27:10 PM C:\WINDOWS\System32\svchost.exe Attempt to load a new or modified module C:\WINDOWS\system32\wbem\wbemcons.dll into process.
6/27/2008 3:27:10 PM C:\WINDOWS\System32\svchost.exe Action allowed.

6/27/2008 3:27:27 PM C:\WINDOWS\system32\rundll32.exe Attempt to load a new or modified module C:\PROGRA~1\WINDOW~4\MpShHook.dll into process.
6/27/2008 3:27:27 PM C:\WINDOWS\system32\rundll32.exe Action allowed.
6/27/2008 3:27:32 PM C:\WINDOWS\system32\rundll32.exe Attempt to load a new or modified module C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\msvcr80.dll into process.
6/27/2008 3:27:32 PM C:\WINDOWS\system32\rundll32.exe Action blocked.
6/27/2008 3:27:32 PM C:\WINDOWS\system32\rundll32.exe Attempt to load a new or modified module C:\Program Files\SUPERAntiSpyware\SASSEH.DLL into process.
6/27/2008 3:27:32 PM C:\WINDOWS\system32\rundll32.exe Action allowed.

6/27/2008 3:27:35 PM C:\WINDOWS\system32\rundll32.exe Attempt to load a new or modified module C:\WINDOWS\system32\sysocmgr.exe into process.
6/27/2008 3:27:35 PM C:\WINDOWS\system32\rundll32.exe Action allowed.

6/27/2008 3:28:55 PM C:\WINDOWS\system32\rundll32.exe Attempt to load a new or modified module C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\msvcr80.dll into process.
6/27/2008 3:28:55 PM C:\WINDOWS\system32\rundll32.exe Action blocked.
6/27/2008 3:28:55 PM C:\WINDOWS\system32\rundll32.exe Attempt to load a new or modified module C:\WINDOWS\system32\sysocmgr.exe into process.
6/27/2008 3:28:55 PM C:\WINDOWS\system32\rundll32.exe Action allowed.

6/27/2008 3:28:56 PM C:\WINDOWS\System32\svchost.exe Attempt to load a new or modified module C:\WINDOWS\system32\xmlprovi.dll into process.
6/27/2008 3:28:56 PM C:\WINDOWS\System32\svchost.exe Action allowed.
6/27/2008 3:36:33 PM C:\WINDOWS\system32\dwwin.exe Attempt to run process as a child of C:\Program Files\Movie Maker\moviemk.exe (PID: 3588).
6/27/2008 3:36:33 PM C:\WINDOWS\system32\dwwin.exe Action allowed.
6/27/2008 3:41:22 PM C:\WINDOWS\System32\svchost.exe Attempt to load a new or modified module C:\WINDOWS\system32\wbem\wbemcons.dll into process.
6/27/2008 3:41:22 PM C:\WINDOWS\System32\svchost.exe Action allowed.

6/27/2008 3:41:22 PM C:\WINDOWS\System32\svchost.exe Action allowed.
6/27/2008 3:42:37 PM C:\WINDOWS\System32\svchost.exe Attempt to load a new or modified module C:\WINDOWS\system32\xmlprovi.dll into process.
6/27/2008 3:42:37 PM C:\WINDOWS\System32\svchost.exe Action allowed.

6/27/2008 3:52:13 PM C:\WINDOWS\System32\svchost.exe Action allowed.
6/27/2008 3:52:13 PM C:\WINDOWS\System32\svchost.exe Attempt to load a new or modified module C:\WINDOWS\system32\wbem\wbemcons.dll into process.
6/27/2008 3:52:13 PM C:\WINDOWS\System32\svchost.exe Action allowed.
6/27/2008 3:53:09 PM C:\WINDOWS\System32\svchost.exe Attempt to load a new or modified module C:\WINDOWS\system32\xmlprovi.dll into process.
6/27/2008 3:53:09 PM C:\WINDOWS\System32\svchost.exe Action allowed.
6/27/2008 3:53:09 PM C:\WINDOWS\System32\svchost.exe Attempt to load a new or modified module C:\WINDOWS\system32\xmlprovi.dll into process.

6/27/2008 3:54:14 PM C:\WINDOWS\System32\svchost.exe Action allowed.


Registry
--------
Time Application Key name Value name Data Data type Operation type Status
---- ----------- -------- ---------- ---- --------- -------------- ------
6/27/2008 3:41:12 PM C:\Documents and Settings\Armando\Desktop\mm20enu.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Armando\LOCALS~1\Temp\IXP000.TMP\" Unicode null-terminated string Create detected
6/27/2008 3:41:12 PM C:\Documents and Settings\Armando\Desktop\mm20enu.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Armando\LOCALS~1\Temp\IXP000.TMP\" Unicode null-terminated string Create allowed
6/27/2008 3:42:10 PM C:\Documents and Settings\Armando\Desktop\mm20enu.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Armando\LOCALS~1\Temp\IXP000.TMP\" Unicode null-terminated string Delete detected
6/27/2008 3:42:10 PM C:\Documents and Settings\Armando\Desktop\mm20enu.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Armando\LOCALS~1\Temp\IXP000.TMP\" Unicode null-terminated string Delete allowed

