Klone.t And Basefdrn32.dll


This topic is locked. 41 replies to this topic.

#1 capt.frito (Members, 24 posts)

Posted 28 June 2008 - 06:24 PM

I have been asked by a friend to look at his Windows machine. When I got it, it was riddled with viruses and trojans and keyloggers and adware of all sorts (including "System Antivirus 2008" and "Vista Antivirus 2008"). Anyway, I believe I got rid of most of it, but there is one persistent problem: there is a file in the \windows\system32 directory called "basefdrn32.dll". AVG keeps removing it after boot, reporting that it is infected with the Klone.T virus. Once that happens, a short time later the machine reboots itself (even when idling) and then won't reboot unless I put the "basefdrn32.dll" file back in the \windows\system32 folder.

There are a few other suspicious files in the system32 directory that have the same file date as the original install files (8/4/2004 date) but are not signed by Microsoft (basefdrn32.dll being one example). I have checked a few other Windows XP machines and none have this file. I myself am a Linux guy (Gentoo) so my knowledge here is a bit limited. I do not have this machine hooked up to a network yet; I'd like to be reasonably sure it is no longer "Typhoid Mary" first.

I have Googled for this basefdrn32.dll file but there's nothing written about it (that I can find). So I am posting here the ComboFix log and the HJT log. It took some effort to get ComboFix to complete (in safe mode). I can post the basefdrn32.dll file, if it would be helpful. I am grateful for any advice.

Here are the Deckard's System Scanner log outputs (main.txt, extra.txt and moved.txt):

Deckard's System Scanner v20071014.68
Run by Compaq_Owner on 2008-06-28 16:01:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
73: 2008-06-28 22:01:38 UTC - RP179 - Deckard's System Scanner Restore Point
72: 2008-06-27 13:30:33 UTC - RP178 - Configured AVG Free 8.0
71: 2008-06-27 04:16:21 UTC - RP177 - Spyware Doctor: Cleaning Threats
70: 2008-06-27 04:13:47 UTC - RP176 - Spyware Doctor: Cleaning Threats
69: 2008-06-26 14:12:22 UTC - RP175 - Spyware Doctor: Cleaning Threats


-- First Restore Point --
1: 2008-05-27 16:43:01 UTC - RP107 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-28 16:06:05
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\Program Files\QwestInternetSecurity\ISS\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\IRIS Desktop Search\IRISDesktopSearch.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.myidentitydefender.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\QwestInternetSecurity\ISS\app\AuthBHO.dll
O3 - Toolbar: I.R.I.S. Desktop Search - {577EBCA9-8ED3-45FC-A514-55B3817D4BCF} - C:\Program Files\IRIS Desktop Search\IRISDesktopSearchIntegration910.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O3 - Toolbar: Qwest Internet Security Services Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\QwestInternetSecurity\ISS\app\AuthBHO.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [I.R.I.S. Desktop Search] "C:\Program Files\IRIS Desktop Search\IRISDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://turbotax.com (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186008886843
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - C:\Program Files\QwestInternetSecurity\ISS\app\CurtainsSysSvcNt.exe
O23 - Service: dvpapi - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe


--
End of file - 8003 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 GRTdiMon (GR TDI Mon) - c:\windows\system32\drivers\grtdimon.sys <Not Verified; Global RISC; NSX>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>

S3 PcdrNdisuio (PCDRNDISUIO Usermode I/O Protocol) - c:\windows\system32\drivers\pcdrndisuio.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CurtainsSysSvc (Curtains for Windows System Service) - c:\program files\qwestinternetsecurity\iss\app\curtainssyssvcnt.exe <Not Verified; Authentium, Inc.; Curtains for Windows>
R2 dvpapi - "c:\program files\common files\command software\dvpapi.exe" <Not Verified; Command Software Systems, Inc.; Command AntiVirus for Windows>
R2 QBCFMonitorService (QuickBooks Database Manager Service) - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe" <Not Verified; Intuit; QuickBooks for Windows>

S3 gusvc (Google Updater Service) - "c:\program files\google\common\google updater\googleupdaterservice.exe" (file missing)
S3 QBFCService (Intuit QuickBooks FCS) - "c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe" <Not Verified; Intuit Inc.; QuickBooks 2007>
S4 Automatic LiveUpdate Scheduler - "c:\program files\symantec\liveupdate\aluschedulersvc.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-08 22:21:11 256 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-03-22 12:10:43 386 --a------ C:\WINDOWS\Tasks\rpc.job


-- Files created between 2008-05-28 and 2008-06-28 -----------------------------

2008-06-28 07:18:11 0 d-------- C:\327882R2FWJFW
2008-06-27 06:09:55 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Talkback
2008-06-27 06:09:29 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-27 06:09:22 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla
2008-06-26 21:58:19 0 dr-hs---- C:\cmdcons
2008-06-26 21:58:06 0 d-------- C:\WINDOWS\setup.pss
2008-06-26 10:27:11 68096 --a------ C:\WINDOWS\zip.exe
2008-06-26 10:27:11 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-26 10:27:11 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-26 10:27:11 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-26 10:27:11 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-26 10:27:11 98816 --a------ C:\WINDOWS\sed.exe
2008-06-26 10:27:11 80412 --a------ C:\WINDOWS\grep.exe
2008-06-26 10:27:11 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-26 08:07:07 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Help
2008-06-25 23:24:07 0 d-------- C:\Program Files\Enigma Software Group
2008-06-25 12:26:36 0 d--h----- C:\$AVG8.VAULT$
2008-06-25 12:24:13 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-25 12:24:12 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\AVGTOOLBAR
2008-06-25 12:23:52 0 d-------- C:\Program Files\AVG
2008-06-25 12:23:51 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-15 21:44:21 28672 --a------ C:\a
2008-06-10 22:23:03 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-10 22:23:03 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-10 22:23:03 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-10 22:23:03 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-10 22:23:03 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-10 22:23:03 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-10 22:23:03 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-06-10 22:23:03 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-10 22:23:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-10 22:23:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-10 22:23:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-10 22:23:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-06-10 22:22:58 0 d-------- C:\Program Files\NetFilter
2008-06-10 16:56:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-06-10 16:56:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterMute
2008-06-10 16:56:19 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-10 16:56:19 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-10 16:56:19 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-06-10 16:56:19 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-10 16:56:19 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-10 16:56:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-06-10 16:56:19 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-10 16:56:18 733184 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-09 22:38:39 0 d-------- C:\WINDOWS\system32\NtmsData
2008-06-07 22:40:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Authentium
2008-06-07 22:33:30 0 d-------- C:\Program Files\QwestInternetSecurity
2008-06-07 22:31:43 0 d-------- C:\Program Files\Common Files\Command Software
2008-06-07 22:29:23 0 d--h----- C:\Program Files\Common Files\Authentium Shared
2008-06-05 22:37:01 0 dr-h----- C:\Documents and Settings\Compaq_Owner\Recent
2008-06-05 17:34:59 0 d-------- C:\Program Files\History Clean
2008-06-02 20:45:10 0 d-------- C:\Program Files\Panicware


-- Find3M Report ---------------------------------------------------------------

2008-06-26 07:43:25 0 d-------- C:\Program Files\Common Files
2008-06-17 10:27:07 0 d-------- C:\Program Files\Spyware Doctor
2008-04-13 18:12:36 14336 --a------ C:\WINDOWS\system32\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
06/25/2008 12:24 PM 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll [06/07/2008 03:22 PM 3794248]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [06/25/2008 12:24 PM 2050816]

[-HKEY_CLASSES_ROOT\CLSID\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/25/2008 12:23 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"I.R.I.S. Desktop Search"="C:\Program Files\IRIS Desktop Search\IRISDesktopSearch.exe" [01/11/2006 07:37 AM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [9/24/2005 1:28:44 AM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [9/24/2005 2:39:30 AM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [6/10/2007 2:09:14 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)
"disabletaskmgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2008-06-28 16:08:30 ------------


Deckard's System Scanner v20071014.68

Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.80GHz
Percentage of Memory in Use: 69%
Physical Memory (total/avail): 503.48 MiB / 155.93 MiB
Pagefile Memory (total/avail): 1230.25 MiB / 829.07 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1943.59 MiB

C: is Fixed (NTFS) - 68.56 GiB total, 53.37 GiB free.
D: is Fixed (FAT32) - 5.99 GiB total, 1.48 GiB free.
E: is CDROM (CDFS)
F: is CDROM (CDFS)
G: is Removable (FAT)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1200JB-00GVA0 - 111.79 GiB - 2 partitions
\PARTITION0 - Unknown - 6 GiB - D:
\PARTITION1 (bootable) - Installable File System - 68.56 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device

\\.\PHYSICALDRIVE5 - SanDisk U3 Cruzer Micro USB Device - 478.5 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 483.21 MiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Compaq_Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-F78BF48CE2
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Compaq_Owner
LOGONSERVER=\\YOUR-F78BF48CE2
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=c:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
USERDOMAIN=YOUR-F78BF48CE2
USERNAME=Compaq_Owner
USERPROFILE=C:\Documents and Settings\Compaq_Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Compaq_Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{71EEA108-09C9-4D81-8FA2-D48C70681242}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AnswerWorks 4.0 Runtime - English --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Blackhawk Striker 2 from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\BFAF1EEC-E987-415B-BCB8-80CDB0BC6CDF\Uninstall.exe"
Blasterball 2 from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\75528D5F-DD82-402E-BA7C-045B7DC6A712\Uninstall.exe"
Blasterball 2 Holidays from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\D06AB82F-D68E-405A-9886-AB8804291B6D\Uninstall.exe"
Blasterball 2 Remix from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\9D7E7CDA-051E-4B0D-8CEE-58F41F449CF9\Uninstall.exe"
Bounce Symphony from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\29FF6D07-4A15-41F1-9D5E-E0F3A58012C6\Uninstall.exe"
Crystal Maze from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\C43D84CD-EBFC-48D3-A330-7868C8AD415A\Uninstall.exe"
Data Fax SoftModem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2702&SUBSYS_8D88A259\HXFSETUP.EXE -U -IVEN_14F1&DEV_2702&SUBSYS_8D88A259
Easy Internet Sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8105684D-8CA6-440D-8F58-7E5FD67A499D} /l1033
Final Drive Nitro from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\657A0149-EEC7-4FB2-AB4F-CB7AA027748E\Uninstall.exe"
Form Fill (Windows Live Toolbar) --> MsiExec.exe /X{548B3DC6-2300-47E1-BA7B-74AD25F8DEBF}
GoToMeeting/GoToWebinar 3.0.0.198 --> C:\Program Files\Citrix\GoToMeeting\198\G2MUninstall.exe /uninstall
Help and Support Additions --> WScript.exe C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\eHelpSetup.jse eHelpUninstall
HijackThis 2.0.0 --> "C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Boot Optimizer --> MsiExec.exe /I{3BA95526-6AE0-4B87-A62D-17187EF565FC}
HP Imaging Device Functions 6.0 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Cameras 6.0 --> C:\Program Files\HP\Digital Imaging\{61CF89F5-5175-4b3b-ABB8-C89821252D50}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP Photosmart Premier Software 6.0 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 3.5 --> "C:\Program Files\HP\Digital Imaging\{18E0918E-1060-48f3-925C-56C82E88551B}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}
HP Solution Center and Imaging Support Tools 6.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
I.R.I.S. Desktop Search --> C:\Program Files\IRIS Desktop Search\uninst.exe
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE20E2F5-1903-4AAE-B1AF-2046E586C925}
J2SE Runtime Environment 5.0 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
JumpStart World Presents Pet Playground --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\PetPlaygroundUn.exe
Lexibox Deluxe from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\F05A08BF-E600-4FBD-A53A-3D47296B1275\Uninstall.exe"
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
Memories Disc Creator 2.0 --> MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}
MetaFrame Presentation Server Web Client for Win32 --> C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
Metaphor Player Version 1.0 --> "C:\Program Files\Metaphor\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Dancer LE --> MsiExec.exe /X{1A103D70-5C9B-4E1A-B306-5106C68F9914}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MyIdentityDefender Toolbar (CyberDefender Corporation) --> C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\cdinstx.exe /u
OneCare Advisor (Windows Live Toolbar) --> MsiExec.exe /X{53B2CFE9-A508-4457-B2CA-5D253536BFB7}
Overball from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\FA7F5211-C629-4711-BD82-7DFFB08CB518\Uninstall.exe"
PC-Doctor for Windows --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{19C989C4-50AE-43A4-B06E-8C70FFFF852F} /l1033
Phoenix Assault from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\CCCDE323-C76D-44DA-BB5B-B8ABE767756E\Uninstall.exe"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Polar Bowler from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\05E21449-3BA3-42BF-BBDA-95205F4EA40A\Uninstall.exe"
Polar Golfer from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\3330A279-CC39-4A17-AE19-DA464B26AD9A\Uninstall.exe"
Popup Blocker (Windows Live Toolbar) --> MsiExec.exe /X{66A7A386-6F35-41A7-A731-101F0C0153C8}
Python 2.2 pywin32 extensions (build 203) --> "C:\Python22\Removepywin32.exe" -u "C:\Python22\pywin32-wininst.log"
Python 2.2.3 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
QuickBooks Product Listing Service --> MsiExec.exe /I{91208A47-5D08-4C79-986F-1931940F51BB}
QuickBooks Simple Start Free Starter Edition --> msiexec.exe /I {71EEA108-09C9-4D81-8FA2-D48C70681242} UNIQUE_NAME="atomlimited" QBFULLNAME="QuickBooks Simple Start Free Starter Edition" ADDREMOVE=1 OEMVENDOR=DIRECT
Quicken 2005 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2DBE41DD-2129-4C65-A3D3-5647236A60F3} anything
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Qwest Internet Security Services --> "C:\Program Files\QwestInternetSecurity\ISS\app\Repair.exe" -REMOVE
Readiris Pro 11 --> MsiExec.exe /I{8CE0B1C5-15E9-4027-92F4-F63C57FEFD87}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Remove Adobe Photoshop Album 2.0 Starter Edition installer --> c:\\hp\\bin\\cloaker.exe commands /ww /lw:c:\\hp\\bin\\ifc\\Adobe_PhotoShop_Album\\lg.ini /c c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\ifc\\uninst.cmd ar
Remove Microsoft Money 2005 installer --> c:\\hp\\bin\\cloaker.exe commands /ww /lw:c:\\hp\\bin\\ifc\\Money\\lg.ini /c c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\ifc\\uninst.cmd ar
Remove WeatherBug installer --> c:\\hp\\bin\\cloaker.exe commands /ww /lw:c:\\hp\\bin\\ifc\\WeatherBug\\lg.ini /c c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\ifc\\uninst.cmd ar
Rhapsody --> C:\PROGRA~1\Rhapsody\Unwise32.exe /A C:\PROGRA~1\Rhapsody\install.log
Rhapsody Player Engine --> MsiExec.exe /I{8A62A068-3FD6-495A-9F66-26FE94F32EC9}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shooting Stars Pool from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\045C89A0-CA37-443C-8826-F750227DE69C\Uninstall.exe"
Slyder from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\8BA6F58B-7A91-461F-95F8-E34F8BD8AA4E\Uninstall.exe"
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Super Granny from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\DE87FA96-7840-420C-86F9-33F3B7B3CED1\Uninstall.exe"
SupportSoft Assisted Service --> MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
Tradewinds from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\66195170-D19D-46C5-8FB7-8A4630071ADC\Uninstall.exe"
TurboTax Home & Business 2007 --> C:\Program Files\TurboTax\Home & Business 2007\TaxUnst.EXE "C:\Program Files\TurboTax\Home & Business 2007\Uninstall.log" -NoGui
Watchtower Library 2006 - English Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{42EED331-936C-446E-9374-077F7B028518}\Setup.exe"
Watchtower Library 2007 - English --> C:\Program Files\Watchtower\Watchtower Library 2007\E\uninst.exe
Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Outlook Toolbar (Windows Live Toolbar) --> MsiExec.exe /X{35E1A8C8-6646-4101-B0AA-42D1EB2AB3AE}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
Windows Live Toolbar Feed Detector (Windows Live Toolbar) --> MsiExec.exe /X{68108E66-D13A-4EE8-A6F4-40E4B90C2A26}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type8938 / Error
Event Submitted/Written: 06/26/2008 10:16:17 AM
Event ID/Source: 4614 / EventSystem
Event Description:
The COM+ Event System detected an inconsistency in its internal state. The assertion "GetLastError() == 122L" failed at line 201 of d:\qxp_slp\com\com1x\src\events\shared\sectools.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type8920 / Error
Event Submitted/Written: 06/26/2008 07:28:32 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application compaq connections.exe, version 2.0.0.1, faulting module backweb.dll, version 6.3.2.62, fault address 0x0017c313.
Processing media-specific event for [compaq connections.exe!ws!]

Event Record #/Type8913 / Error
Event Submitted/Written: 06/26/2008 06:07:37 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type8865 / Error
Event Submitted/Written: 06/17/2008 10:30:03 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 686628912.

Event Record #/Type8864 / Error
Event Submitted/Written: 06/17/2008 10:29:50 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type38354 / Error
Event Submitted/Written: 06/28/2008 01:30:21 PM
Event ID/Source: 16 / Windows Update Agent
Event Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Event Record #/Type37009 / Error
Event Submitted/Written: 06/27/2008 07:12:08 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Automatic LiveUpdate Scheduler service failed to start due to the following error:
%%3

Event Record #/Type36971 / Error
Event Submitted/Written: 06/27/2008 01:55:20 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Automatic LiveUpdate Scheduler service failed to start due to the following error:
%%3

Event Record #/Type36946 / Error
Event Submitted/Written: 06/27/2008 01:27:37 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Automatic LiveUpdate Scheduler service failed to start due to the following error:
%%3

Event Record #/Type36924 / Error
Event Submitted/Written: 06/27/2008 00:59:53 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Automatic LiveUpdate Scheduler service failed to start due to the following error:
%%3



-- End of Deckard's System Scanner: finished at 2008-06-28 16:08:30 ------------

Directories/Files moved to C:\Deckard\System Scanner\backup

2008-06-27 07:31:04 8431 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\avg8inst.log
2008-06-27 07:11:56 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR1.tmp
2008-06-27 14:11:00 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR10.tmp
2008-06-27 14:38:51 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR11.tmp
2008-06-27 15:06:38 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR12.tmp
2008-06-27 15:34:30 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR13.tmp
2008-06-27 16:02:17 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR14.tmp
2008-06-27 16:30:04 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR15.tmp
2008-06-27 16:57:52 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR16.tmp
2008-06-27 17:25:38 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR17.tmp
2008-06-27 17:53:30 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR18.tmp
2008-06-27 19:05:51 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR19.tmp
2008-06-27 19:31:23 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR1A.tmp
2008-06-27 19:56:56 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR1B.tmp
2008-06-27 20:24:29 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR1C.tmp
2008-06-27 20:50:01 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR1D.tmp
2008-06-27 21:15:34 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR1E.tmp
2008-06-27 21:41:12 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR1F.tmp
2008-06-27 07:57:53 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR2.tmp
2008-06-27 22:06:42 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR20.tmp
2008-06-27 22:32:16 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR21.tmp
2008-06-27 22:57:54 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR22.tmp
2008-06-27 23:23:23 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR23.tmp
2008-06-27 23:49:12 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR24.tmp
2008-06-28 00:14:50 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR25.tmp
2008-06-28 00:40:17 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR26.tmp
2008-06-28 01:05:49 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR27.tmp
2008-06-28 01:31:25 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR28.tmp
2008-06-28 01:56:58 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR29.tmp
2008-06-28 07:17:33 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR2A.tmp
2008-06-28 07:46:42 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR2B.tmp
2008-06-28 08:13:12 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR2C.tmp
2008-06-28 08:38:44 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR2D.tmp
2008-06-28 09:04:16 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR2E.tmp
2008-06-28 09:31:36 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR2F.tmp
2008-06-27 08:25:21 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR3.tmp
2008-06-28 09:57:11 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR30.tmp
2008-06-28 10:25:00 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR31.tmp
2008-06-28 10:50:29 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR32.tmp
2008-06-28 11:16:09 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR33.tmp
2008-06-28 11:41:58 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR34.tmp
2008-06-28 12:07:34 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR35.tmp
2008-06-28 12:33:06 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR36.tmp
2008-06-28 12:58:59 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR37.tmp
2008-06-28 13:24:11 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR38.tmp
2008-06-28 13:49:44 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR39.tmp
2008-06-28 14:15:34 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR3A.tmp
2008-06-28 14:41:06 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR3B.tmp
2008-06-28 15:06:40 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR3C.tmp
2008-06-28 15:33:55 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR3D.tmp
2008-06-28 15:57:48 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR3E.tmp
2008-06-27 08:53:00 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR4.tmp
2008-06-27 09:20:30 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR5.tmp
2008-06-27 09:33:28 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR6.tmp
2008-06-27 10:01:02 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR7.tmp
2008-06-27 10:28:37 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR8.tmp
2008-06-27 10:56:28 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MAR9.tmp
2008-06-27 11:24:13 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MARA.tmp
2008-06-27 11:52:01 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MARB.tmp
2008-06-27 12:19:51 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MARC.tmp
2008-06-27 12:47:37 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MARD.tmp
2008-06-27 13:15:25 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MARE.tmp
2008-06-27 13:43:15 1285 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\MARF.tmp
2008-06-28 07:29:23 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_104.dat
2008-06-28 09:36:16 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_12c.dat
2008-06-28 11:46:45 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_140.dat
2008-06-28 09:09:04 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_144.dat
2008-06-28 14:20:14 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_154.dat
2008-06-28 15:38:44 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_160.dat
2008-06-28 11:20:59 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_164.dat
2008-06-28 10:55:18 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_16c.dat
2008-06-28 13:54:32 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_170.dat
2008-06-28 13:03:25 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_1c4.dat
2008-06-27 20:54:43 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_1c8.dat
2008-06-27 12:52:20 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_1ec.dat
2008-06-28 01:10:33 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_1f0.dat
2008-06-27 19:10:32 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_1f4.dat
2008-06-27 11:01:08 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_1f8.dat
2008-06-27 10:05:46 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_204.dat
2008-06-27 22:36:58 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_210.dat
2008-06-27 14:15:46 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_214.dat
2008-06-27 17:02:34 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_218.dat
2008-06-27 22:11:25 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_258.dat
2008-06-27 23:02:32 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_270.dat
2008-06-28 00:44:59 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_310.dat
2008-06-27 20:29:12 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_334.dat
2008-06-27 20:01:43 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_360.dat
2008-06-27 13:47:58 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_36c.dat
2008-06-27 12:24:34 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_3b8.dat
2008-06-27 17:58:11 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_3cc.dat
2008-06-27 09:25:14 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_3fc.dat
2008-06-27 17:30:22 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_454.dat
2008-06-27 21:45:51 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_468.dat
2008-06-28 01:36:07 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_504.dat
2008-06-27 15:39:11 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_5e0.dat
2008-06-28 02:01:45 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_5f4.dat
2008-06-27 13:20:12 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_618.dat
2008-06-27 08:30:03 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_630.dat
2008-06-27 21:20:17 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_67c.dat
2008-06-27 08:02:34 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_680.dat
2008-06-27 11:56:45 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_694.dat
2008-06-27 09:38:12 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_6b8.dat
2008-06-28 00:19:30 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_6ec.dat
2008-06-27 11:28:55 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_6f8.dat
2008-06-27 14:43:35 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_6fc.dat
2008-06-27 23:53:53 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_708.dat
2008-06-27 23:28:05 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_710.dat
2008-06-27 16:07:00 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_74c.dat
2008-06-27 10:33:19 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_768.dat
2008-06-27 07:27:50 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_778.dat
2008-06-27 15:11:22 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_7a0.dat
2008-06-27 08:57:44 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_7c.dat
2008-06-28 15:11:20 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_7d4.dat
2008-06-28 14:45:46 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_7dc.dat
2008-06-28 10:01:50 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_bc.dat
2008-06-28 07:52:30 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_c0.dat
2008-06-28 08:43:32 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_cc.dat
2008-06-27 16:34:46 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_dc.dat
2008-06-28 12:12:13 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_e4.dat
2008-06-28 13:28:53 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_f4.dat
2008-06-28 10:29:38 16384 --a-----t C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_f8.dat
2008-06-27 07:31:06 0 d-------- C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\RarSFX0
2008-06-28 16:01:00 0 d-------- C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\WPDNSE
2008-06-27 16:30:17 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF102D.tmp
2008-06-27 12:20:04 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF10BF.tmp
2008-06-28 01:06:03 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF12F0.tmp
2008-06-27 21:41:27 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF13F5.tmp
2008-06-27 07:58:05 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF14B1.tmp
2008-06-28 07:17:44 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF17B0.tmp
2008-06-27 11:24:26 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF17B6.tmp
2008-06-28 00:40:32 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF17D4.tmp
2008-06-27 23:49:26 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF25EB.tmp
2008-06-27 19:57:11 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF267B.tmp
2008-06-28 01:57:11 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF267C.tmp
2008-06-27 23:23:38 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF26C7.tmp
2008-06-27 20:50:16 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF27A0.tmp
2008-06-28 01:31:40 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF27C5.tmp
2008-06-27 11:52:16 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF280A.tmp
2008-06-27 08:25:35 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF281C.tmp
2008-06-27 09:33:42 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF2E1.tmp
2008-06-28 00:15:04 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF2F0F.tmp
2008-06-28 14:16:07 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF3071.tmp
2008-06-28 09:04:53 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF386B.tmp
2008-06-28 15:34:33 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF3AE3.tmp
2008-06-28 10:51:06 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF3EA8.tmp
2008-06-27 15:34:42 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF40B6.tmp
2008-06-28 11:42:36 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF4172.tmp
2008-06-27 10:56:41 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF4204.tmp
2008-06-27 16:02:31 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF4480.tmp
2008-06-28 13:24:46 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF4EB3.tmp
2008-06-27 14:39:07 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF517D.tmp
2008-06-28 12:33:40 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF565.tmp
2008-06-28 08:39:20 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF572F.tmp
2008-06-27 07:12:18 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF594D.tmp
2008-06-28 11:16:47 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF5E40.tmp
2008-06-28 09:32:12 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF6668.tmp
2008-06-28 15:06:57 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF7DDC.tmp
2008-06-27 14:11:12 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DF981.tmp
2008-06-28 13:50:20 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFA45.tmp
2008-06-27 22:32:29 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFB3F.tmp
2008-06-28 12:59:16 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFBE5B.tmp
2008-06-28 12:08:03 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFDBE4.tmp
2008-06-28 07:47:10 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFDC7A.tmp
2008-06-28 14:41:37 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFE443.tmp
2008-06-28 09:57:43 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFE9B2.tmp
2008-06-28 08:13:45 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFEA9D.tmp
2008-06-28 10:25:31 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFEE41.tmp
2008-06-27 19:06:02 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFF0E3.tmp
2008-06-27 17:25:52 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFF13F.tmp
2008-06-27 09:20:43 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFF1F3.tmp
2008-06-27 16:58:02 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFF2D1.tmp
2008-06-27 17:53:42 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFF35E.tmp
2008-06-27 15:06:50 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFF3C6.tmp
2008-06-27 21:15:46 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFF3E5.tmp
2008-06-27 10:28:48 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFF42F.tmp
2008-06-27 12:47:50 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFF505.tmp
2008-06-27 19:31:35 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFF636.tmp
2008-06-27 13:15:38 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFF677.tmp
2008-06-27 10:01:16 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFF73C.tmp
2008-06-27 13:43:27 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFF79F.tmp
2008-06-27 22:58:03 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFF85D.tmp
2008-06-27 22:06:54 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFFA27.tmp
2008-06-27 20:24:41 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFFB18.tmp
2008-06-27 08:53:14 16384 --a------ C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\~DFFC82.tmp
2008-06-28 15:56:41 5030 --a------ C:\WINDOWS\temp\SysSvcNullTrace.txt
2007-11-27 18:45:08 45064 --a------ C:\WINDOWS\Downloaded Program Files\PerformanceOptimizerPre_Installer.exe <Verified; ; microinstaller>

-*- End of Logfile -*-


#2 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 21 July 2008 - 10:10 AM

Hello, capt.frito.
Under NO CIRCUMSTANCES should ComboFix be run unsupervised. CF can cause severe damage to systems when used improperly and in some instances can prevent machines from ever starting again!! Please don't use this tool unless under the guidance of a trained helper.

:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the reply button in the lower left hand corner of your screen.
We need to create a Deckard's System Scanner (DSS) Log
Please download Deckard's System Scanner (DSS) from one of the links below and save to your Desktop.

Primary Mirror
Secondary Mirror

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
Note: You must be logged onto an account with administrator privileges when using Deckard's System Scanner.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <-- Will be maximized
    • extra.txt <-- Will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (<Control>+C) and paste (<Control>+V) the contents of main.txt and extra.txt in your next reply.
Note: When running DSS, some firewalls may warn that DSS is trying to access the Internet; especially if you are asked to download the most current version of HijackThis. Please ensure that DSS is given permission to access the internet.
Note: If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


In your next reply, please include the following:
  • DSS's Main.txt
  • DSS's Extra.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 capt.frito

  • Topic Starter
  • Members
  • 24 posts

Posted 21 July 2008 - 03:22 PM

Hi Billy,

Thanks for helping me with this. It's not my computer either, it belongs to a buddy who only knows how to click everything that says "click me" ;-)

A few things: I'm a Linux guy so I dd'd the entire drive before I did anything, so I wasn't too worried about breaking things (I have a dd'd copy as of the posting I made). Anyway, clearly you guys are very busy and I figured that if I could get some things out of the way, the better for everyone. But you run the show from here on out.

I did run Deckard's and I have all the files. I'll post them shortly, I don't have access to them atm :-| I do remember that it didn't like the version of HJT I had (it was too new apparently) and so it used its own "internal" version, whatever that means. But we can give it another try if you like.

Have you heard of this particular problem before, this basefdrn32.dll thing?

Ppl call me "Frito"

best,
Capt. Frito

#4 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 21 July 2008 - 03:27 PM

I have not heard of any specific DLL by that name. Make sure DSS is run again; several parts of its log are time sensitive :thumbsup:

Have a nice day,
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 28 July 2008 - 08:29 AM

Hello, capt.frito.
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#6 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 28 July 2008 - 10:04 AM

Topic Re-Opened. Please post your logs below :thumbsup:

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#7 capt.frito

  • Topic Starter
  • Members
  • 24 posts

Posted 28 July 2008 - 10:40 AM

Hi Billy

This machine is not connected to my internal network. DSS wants to d/l HJT (I have 2.02 installed but I guess it's not the right version). Where can I d/l the correct HJT version so I can install it on the infected machine manually?

Alternatively I can just post the files that were just now produced by DSS's "internal scanner"

best,
Frito

#8 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 28 July 2008 - 10:43 AM

Use the internal scanner -- we can install HJT if we need it later.

Billy3

#9 capt.frito

  • Topic Starter

Posted 28 July 2008 - 10:58 AM

Here's the output from main.txt (the only file produced by the internal scanner)


Deckard's System Scanner v20071014.68
Run by Compaq_Owner on 2008-07-28 09:47:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-28 09:48:47
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\Program Files\QwestInternetSecurity\ISS\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG8\avgemc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.myidentitydefender.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\QwestInternetSecurity\ISS\app\AuthBHO.dll
O3 - Toolbar: I.R.I.S. Desktop Search - {577EBCA9-8ED3-45FC-A514-55B3817D4BCF} - C:\Program Files\IRIS Desktop Search\IRISDesktopSearchIntegration910.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O3 - Toolbar: Qwest Internet Security Services Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\QwestInternetSecurity\ISS\app\AuthBHO.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [I.R.I.S. Desktop Search] "C:\Program Files\IRIS Desktop Search\IRISDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://turbotax.com (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186008886843
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - C:\Program Files\QwestInternetSecurity\ISS\app\CurtainsSysSvcNt.exe
O23 - Service: dvpapi - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe


--
End of file - 7964 bytes

-- Files created between 2008-06-28 and 2008-07-28 -----------------------------

2008-06-28 07:18:11 0 d-------- C:\327882R2FWJFW


-- Find3M Report ---------------------------------------------------------------

2008-07-24 10:45:11 0 d-------- C:\Program Files\Spyware Doctor
2008-07-03 22:42:59 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\AVGTOOLBAR
2008-06-27 06:15:07 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla
2008-06-27 06:09:55 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Talkback
2008-06-27 06:09:29 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-26 08:07:07 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Help
2008-06-26 07:43:25 0 d-------- C:\Program Files\Common Files
2008-06-25 23:24:07 0 d-------- C:\Program Files\Enigma Software Group
2008-06-25 12:23:52 0 d-------- C:\Program Files\AVG
2008-06-17 10:15:31 0 d-------- C:\Program Files\Common Files\Command Software
2008-06-15 21:44:17 28672 --a------ C:\a
2008-06-10 22:22:58 0 d-------- C:\Program Files\NetFilter
2008-06-07 22:33:39 0 d--h----- C:\Program Files\Common Files\Authentium Shared
2008-06-07 22:33:30 0 d-------- C:\Program Files\QwestInternetSecurity
2008-06-05 22:37:04 0 d-------- C:\Program Files\History Clean
2008-06-02 20:45:10 0 d-------- C:\Program Files\Panicware


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
06/25/2008 12:24 PM 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll [06/07/2008 03:22 PM 3794248]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [06/25/2008 12:24 PM 2050816]

[-HKEY_CLASSES_ROOT\CLSID\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/25/2008 12:23 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"I.R.I.S. Desktop Search"="C:\Program Files\IRIS Desktop Search\IRISDesktopSearch.exe" [01/11/2006 07:37 AM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [03/01/2007 11:37 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [9/24/2005 1:28:44 AM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [9/24/2005 2:39:30 AM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [6/10/2007 2:09:14 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)
"disabletaskmgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b72c2855-5cb9-11dd-b0c3-0011d8e623c2}]
AutoRun\command- F:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2008-07-28 09:49:43 ------------

Reason for edit: Deactivated hot link ~ Billy3

Edited by Billy O'Neal, 28 July 2008 - 01:07 PM.


#10 Billy O'Neal

  • Malware Response Team

Posted 28 July 2008 - 01:34 PM

Hello, capt.frito.
We need to move some files
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    HKEY_CLASSES_ROOT\CLSID\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}
    HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1
    HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}
    HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender
    HKEY_CLASSES_ROOT\CLSID\{07AA283A-43D7-4CBE-A064-32A21112D94D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{07AA283A-43D7-4CBE-A064-32A21112D94D}
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

We need to uninstall one or more programs
Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs(if present):
Cyber Defender

Your log shows that you have never used HiJack This. To ensure that backups made when items are fixed are secure, we need to get HijackThis set up properly.
  • Please download the self-extracting version of HijackThis from here: HijackThis Installer Download
  • Save HJTInstall.exe to your desktop.
  • Double-click the file then click the Install button.
    • The file will be extracted to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
  • A shortcut for future use will also be created on your desktop and the Intro Frame of HijackThis will open.
    Please use the shortcut to run the extracted HijackThis.exe from now on.
We have to remove some entries in HiJack This
  • Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (note: I have changed http to hxxp because I don't want to have a hot link on this page):
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.myidentitydefender.com
  • Close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Please run Deckard's System Scanner again, this time using these instructions:
(In the event you lost your copy, you can download a new one from here: Deckard's System Scanner)
  • Click on Start, click on Run
  • Copy and paste the following in the open window and then click OK:
    "%userprofile%\desktop\dss.exe" /config
  • This will open up DSS configuration
  • Click on Check All.
  • Click Scan.
    DSS will now run again.
  • Please post back both logs that open in notepad.
    Main.txt and Extra.txt
In your next reply, please include the following:
  • OTMoveIt2's Log
  • A HiJack This log
  • DSS's Main.txt
  • DSS's Extra.txt

Billy3
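Added worked example (an editor's addition, not part of this thread and not code from DSS, HijackThis or OTMoveIt2): the checks Billy applies by eye to the log in post #9, plus the before/after comparison that the re-scan requested in this post exists for, written as a small Python script. The log excerpts are lifted from the two HijackThis logs in this thread and trimmed to the entries that matter; the SAFE_HOSTS allowlist, the TRUSTED_DIRS list and all function names are assumptions of the example, not HijackThis features.

```python
import re
from typing import Optional

HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUN_NAME = re.compile(r"\[(?P<name>[^\]]+)\]")
SVC_NAME = re.compile(r"Service: .*?\((?P<name>[^)]+)\)")

# Assumptions made for this example (not HijackThis features): hosts that may
# appear in R0/R1 values, and directories an O4 autorun is expected to load from.
SAFE_HOSTS = ("google.com", "microsoft.com", "live.com", "msn.com")
TRUSTED_DIRS = ("c:\\program files", "c:\\progra~1", "c:\\windows")

# Entries excerpted from the two logs in this thread (28 and 29 July 2008),
# trimmed to the lines that matter for the before/after comparison.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.myidentitydefender.com
O3 - Toolbar: (no name) - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
"""
AFTER = r"""
O3 - Toolbar: (no name) - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - AppInit_DLLs: avgrsstx.dll
"""

def parse(log: str) -> list[tuple[str, str]]:
    """(section, body) for every HijackThis entry line; other lines are skipped."""
    hits = (HJT_LINE.match(line.strip()) for line in log.splitlines())
    return [(m.group("sec"), m.group("body")) for m in hits if m]

def entry_key(sec: str, body: str) -> str:
    """Identity that survives path changes between scans: CLSID for COM hooks,
    [name] for Run entries, the short service name for O23, else the body."""
    if sec in ("O2", "O3", "O9", "O16", "O18") and (m := CLSID.search(body)):
        return f"{sec} {m.group(0).upper()}"
    if sec == "O4" and (m := RUN_NAME.search(body)):
        return f"{sec} [{m.group('name')}]"
    if sec == "O23" and (m := SVC_NAME.search(body)):
        return f"{sec} ({m.group('name')})"
    return f"{sec} {body}"

def triage(sec: str, body: str) -> Optional[str]:
    """A reason to look at the entry, or None if it looks routine."""
    low = body.lower()
    if sec in ("R0", "R1"):
        m = re.search(r"h(?:xx|tt)ps?://([^/\s]+)", low)
        if m and not m.group(1).endswith(SAFE_HOSTS):
            return f"start/search page points at {m.group(1)}"
    if low.endswith("(no file)") or low.endswith("(file missing)"):
        return "registration still present but its file is gone"
    if sec in ("O2", "O3") and "\\local settings\\" in low:
        return "browser add-on loaded from the user profile, not Program Files"
    if sec == "O4":
        # Keep only the target after 'HKLM\..\Run: [name]' or 'foo.lnk ='.
        m = re.search(r"\]\s*(.*)$|=\s*(.*)$", low)
        path = ((m.group(1) or m.group(2) or "") if m else low).strip().strip('"')
        if not path.startswith(TRUSTED_DIRS):
            return "autorun outside Program Files / Windows"
    if sec == "O6":
        return "IE policy restrictions set under HKCU"
    if sec == "O20" and "appinit_dlls:" in low and low.split("appinit_dlls:", 1)[1].strip():
        return "AppInit_DLLs is non-empty: loaded into every process that links user32"
    if sec == "O23" and "unknown owner" in low:
        return "service binary carries no vendor information"
    return None

def review(log: str) -> list[tuple[str, str]]:
    """Every entry worth a second look, as (reason, entry) pairs."""
    return [(r, f"{s} - {b}") for s, b in parse(log) if (r := triage(s, b))]

def diff_scans(before: str, after: str) -> dict[str, list[str]]:
    """What disappeared, what appeared, and what kept its identity but changed."""
    b = {entry_key(s, x): f"{s} - {x}" for s, x in parse(before)}
    a = {entry_key(s, x): f"{s} - {x}" for s, x in parse(after)}

    def norm(t: str) -> str:  # 8.3 short names make unchanged paths look different
        return t.lower().replace("c:\\progra~1", "c:\\program files")

    return {
        "removed": sorted(b[k] for k in b.keys() - a.keys()),
        "added": sorted(a[k] for k in a.keys() - b.keys()),
        "changed": sorted(f"{b[k]}  ->  {a[k]}" for k in b.keys() & a.keys()
                          if norm(b[k]) != norm(a[k])),
    }

if __name__ == "__main__":
    for reason, entry in review(BEFORE):
        print(f"REVIEW   {entry}\n         {reason}")
    for kind, entries in diff_scans(BEFORE, AFTER).items():
        for entry in entries:
            print(f"{kind.upper():9}{entry}")
```

Run as-is it lists the five entries in the first log that deserve a look (the hijacked start page, the two toolbar registrations, the AppInit_DLLs entry and the service with no vendor string; AVG's own entries are among them, which is why the output says "review", not "malicious") and, from the comparison, that the cleanup removed the start page and one toolbar CLSID but left the MyIdentityDefender toolbar registered with its DLL gone, while two O6 IE policy restrictions appeared. Keying the diff on CLSID or [name] rather than on the raw line is what makes that half-finished removal visible; a plain text diff would show the two O3 lines as unrelated.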

#11 capt.frito

  • Topic Starter

Posted 29 July 2008 - 07:32 AM

Hi Billy,

One note: I could not find "Cyber Defender" installed on this machine. I checked via Control Panel and also did a cursory review of the C: filesystem looking for it.

Here are the logs.

* OTMoveIt2's Log


< HKEY_CLASSES_ROOT\CLSID\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} >
Registry key HKEY_CLASSES_ROOT\CLSID\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}\\ deleted successfully.
< HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1 >
Registry key HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1\\ deleted successfully.
< HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328} >
Registry key HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}\\ deleted successfully.
< HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar >
Registry key HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar\\ deleted successfully.
< HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} >
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}\ not found.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\Virus Alert moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\UserGuide moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\Spyware Alert moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\Scam Alert\images moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\Scam Alert moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\Patch Alert moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\Password Alert moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\Includes moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\Download\tmp moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\Download moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\Ads Blocker moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender moved successfully.
< HKEY_CLASSES_ROOT\CLSID\{07AA283A-43D7-4CBE-A064-32A21112D94D} >
Registry key HKEY_CLASSES_ROOT\CLSID\{07AA283A-43D7-4CBE-A064-32A21112D94D}\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{07AA283A-43D7-4CBE-A064-32A21112D94D} >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{07AA283A-43D7-4CBE-A064-32A21112D94D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07AA283A-43D7-4CBE-A064-32A21112D94D}\ not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07292008_055948



* A HiJack This log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:16:31 AM, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\program files\qwestinternetsecurity\iss\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Compaq_Owner\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Compaq_Owner.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\QwestInternetSecurity\ISS\app\AuthBHO.dll
O3 - Toolbar: I.R.I.S. Desktop Search - {577EBCA9-8ED3-45FC-A514-55B3817D4BCF} - C:\Program Files\IRIS Desktop Search\IRISDesktopSearchIntegration910.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
O3 - Toolbar: Qwest Internet Security Services Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\QwestInternetSecurity\ISS\app\AuthBHO.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [I.R.I.S. Desktop Search] "C:\Program Files\IRIS Desktop Search\IRISDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186008886843
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\qwestinternetsecurity\iss\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6755 bytes


* DSS's Main.txt


Deckard's System Scanner v20071014.68
Run by Compaq_Owner on 2008-07-29 06:16:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
76: 2008-07-29 12:16:14 UTC - RP182 - Deckard's System Scanner Restore Point
75: 2008-07-09 00:26:30 UTC - RP181 - Software Distribution Service 3.0
74: 2008-07-04 04:47:07 UTC - RP180 - Software Distribution Service 3.0
73: 2008-06-28 22:01:38 UTC - RP179 - Deckard's System Scanner Restore Point
72: 2008-06-27 13:30:33 UTC - RP178 - Configured AVG Free 8.0


-- First Restore Point --
1: 2008-05-27 16:43:01 UTC - RP107 - System Checkpoint


Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Compaq_Owner.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:16:31 AM, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\program files\qwestinternetsecurity\iss\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Compaq_Owner\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Compaq_Owner.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\QwestInternetSecurity\ISS\app\AuthBHO.dll
O3 - Toolbar: I.R.I.S. Desktop Search - {577EBCA9-8ED3-45FC-A514-55B3817D4BCF} - C:\Program Files\IRIS Desktop Search\IRISDesktopSearchIntegration910.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
O3 - Toolbar: Qwest Internet Security Services Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\QwestInternetSecurity\ISS\app\AuthBHO.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [I.R.I.S. Desktop Search] "C:\Program Files\IRIS Desktop Search\IRISDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186008886843
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\qwestinternetsecurity\iss\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6755 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080729-061242-765 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.myidentitydefender.com

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 GRTdiMon (GR TDI Mon) - c:\windows\system32\drivers\grtdimon.sys <Not Verified; Global RISC; NSX>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>

S3 PcdrNdisuio (PCDRNDISUIO Usermode I/O Protocol) - c:\windows\system32\drivers\pcdrndisuio.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CurtainsSysSvc (Curtains for Windows System Service) - c:\program files\qwestinternetsecurity\iss\app\curtainssyssvcnt.exe <Not Verified; Authentium, Inc.; Curtains for Windows>
R2 dvpapi - "c:\program files\common files\command software\dvpapi.exe" <Not Verified; Command Software Systems, Inc.; Command AntiVirus for Windows>

S2 QBCFMonitorService (QuickBooks Database Manager Service) - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe" <Not Verified; Intuit; QuickBooks for Windows>
S3 gusvc (Google Updater Service) - "c:\program files\google\common\google updater\googleupdaterservice.exe" (file missing)
S3 QBFCService (Intuit QuickBooks FCS) - "c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe" <Not Verified; Intuit Inc.; QuickBooks 2007>
S4 Automatic LiveUpdate Scheduler - "c:\program files\symantec\liveupdate\aluschedulersvc.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

All modules okay.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-08 22:21:11 256 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-03-22 12:10:43 386 --a------ C:\WINDOWS\Tasks\rpc.job


-- Files created between 2008-06-29 and 2008-07-29 -----------------------------

2008-07-29 06:07:52 0 d-------- C:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-07-24 10:45:11 0 d-------- C:\Program Files\Spyware Doctor
2008-07-03 22:42:59 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\AVGTOOLBAR
2008-06-27 06:15:07 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla
2008-06-27 06:09:55 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Talkback
2008-06-27 06:09:29 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-26 08:07:07 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Help
2008-06-26 07:43:25 0 d-------- C:\Program Files\Common Files
2008-06-25 23:24:07 0 d-------- C:\Program Files\Enigma Software Group
2008-06-25 12:23:52 0 d-------- C:\Program Files\AVG
2008-06-17 10:15:31 0 d-------- C:\Program Files\Common Files\Command Software
2008-06-15 21:44:17 28672 --a------ C:\a
2008-06-10 22:22:58 0 d-------- C:\Program Files\NetFilter
2008-06-07 22:33:39 0 d--h----- C:\Program Files\Common Files\Authentium Shared
2008-06-07 22:33:30 0 d-------- C:\Program Files\QwestInternetSecurity
2008-06-05 22:37:04 0 d-------- C:\Program Files\History Clean
2008-06-02 20:45:10 0 d-------- C:\Program Files\Panicware


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
06/25/2008 12:24 PM 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [06/25/2008 12:24 PM 2050816]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/25/2008 12:23 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"I.R.I.S. Desktop Search"="C:\Program Files\IRIS Desktop Search\IRISDesktopSearch.exe" [01/11/2006 07:37 AM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [03/01/2007 11:37 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [9/24/2005 1:28:44 AM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [9/24/2005 2:39:30 AM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [6/10/2007 2:09:14 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)
"disabletaskmgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b72c2855-5cb9-11dd-b0c3-0011d8e623c2}]
AutoRun\command- F:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2008-07-29 06:19:22 ------------


* DSS's Extra.txt


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.80GHz
Percentage of Memory in Use: 71%
Physical Memory (total/avail): 503.48 MiB / 141.52 MiB
Pagefile Memory (total/avail): 1230.25 MiB / 822.79 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1917.88 MiB

C: is Fixed (NTFS) - 68.56 GiB total, 53.05 GiB free.
D: is Fixed (FAT32) - 5.99 GiB total, 1.48 GiB free.
E: is CDROM (CDFS)
F: is CDROM (CDFS)
G: is Removable (FAT)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Removable (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG SP0802N - 74.56 GiB - 2 partitions
\PARTITION0 - Unknown - 6 GiB - D:
\PARTITION1 (bootable) - Installable File System - 68.56 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device

\\.\PHYSICALDRIVE5 - SanDisk U3 Cruzer Micro USB Device - 478.5 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 483.7 MiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Compaq_Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-F78BF48CE2
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Compaq_Owner
LOGONSERVER=\\YOUR-F78BF48CE2
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=c:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
USERDOMAIN=YOUR-F78BF48CE2
USERNAME=Compaq_Owner
USERPROFILE=C:\Documents and Settings\Compaq_Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Compaq_Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{71EEA108-09C9-4D81-8FA2-D48C70681242}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AnswerWorks 4.0 Runtime - English --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Blackhawk Striker 2 from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\BFAF1EEC-E987-415B-BCB8-80CDB0BC6CDF\Uninstall.exe"
Blasterball 2 from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\75528D5F-DD82-402E-BA7C-045B7DC6A712\Uninstall.exe"
Blasterball 2 Holidays from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\D06AB82F-D68E-405A-9886-AB8804291B6D\Uninstall.exe"
Blasterball 2 Remix from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\9D7E7CDA-051E-4B0D-8CEE-58F41F449CF9\Uninstall.exe"
Bounce Symphony from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\29FF6D07-4A15-41F1-9D5E-E0F3A58012C6\Uninstall.exe"
Crystal Maze from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\C43D84CD-EBFC-48D3-A330-7868C8AD415A\Uninstall.exe"
Data Fax SoftModem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2702&SUBSYS_8D88A259\HXFSETUP.EXE -U -IVEN_14F1&DEV_2702&SUBSYS_8D88A259
Easy Internet Sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8105684D-8CA6-440D-8F58-7E5FD67A499D} /l1033
Final Drive Nitro from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\657A0149-EEC7-4FB2-AB4F-CB7AA027748E\Uninstall.exe"
Form Fill (Windows Live Toolbar) --> MsiExec.exe /X{548B3DC6-2300-47E1-BA7B-74AD25F8DEBF}
GoToMeeting/GoToWebinar 3.0.0.198 --> C:\Program Files\Citrix\GoToMeeting\198\G2MUninstall.exe /uninstall
Help and Support Additions --> WScript.exe C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\eHelpSetup.jse eHelpUninstall
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Boot Optimizer --> MsiExec.exe /I{3BA95526-6AE0-4B87-A62D-17187EF565FC}
HP Imaging Device Functions 6.0 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Cameras 6.0 --> C:\Program Files\HP\Digital Imaging\{61CF89F5-5175-4b3b-ABB8-C89821252D50}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP Photosmart Premier Software 6.0 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 3.5 --> "C:\Program Files\HP\Digital Imaging\{18E0918E-1060-48f3-925C-56C82E88551B}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}
HP Solution Center and Imaging Support Tools 6.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
I.R.I.S. Desktop Search --> C:\Program Files\IRIS Desktop Search\uninst.exe
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE20E2F5-1903-4AAE-B1AF-2046E586C925}
J2SE Runtime Environment 5.0 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
JumpStart World Presents Pet Playground --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\PetPlaygroundUn.exe
Lexibox Deluxe from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\F05A08BF-E600-4FBD-A53A-3D47296B1275\Uninstall.exe"
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
Memories Disc Creator 2.0 --> MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}
MetaFrame Presentation Server Web Client for Win32 --> C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
Metaphor Player Version 1.0 --> "C:\Program Files\Metaphor\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Dancer LE --> MsiExec.exe /X{1A103D70-5C9B-4E1A-B306-5106C68F9914}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MyIdentityDefender Toolbar (CyberDefender Corporation) --> C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\cdinstx.exe /u
OneCare Advisor (Windows Live Toolbar) --> MsiExec.exe /X{53B2CFE9-A508-4457-B2CA-5D253536BFB7}
Overball from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\FA7F5211-C629-4711-BD82-7DFFB08CB518\Uninstall.exe"
PC-Doctor for Windows --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{19C989C4-50AE-43A4-B06E-8C70FFFF852F} /l1033
Phoenix Assault from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\CCCDE323-C76D-44DA-BB5B-B8ABE767756E\Uninstall.exe"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Polar Bowler from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\05E21449-3BA3-42BF-BBDA-95205F4EA40A\Uninstall.exe"
Polar Golfer from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\3330A279-CC39-4A17-AE19-DA464B26AD9A\Uninstall.exe"
Popup Blocker (Windows Live Toolbar) --> MsiExec.exe /X{66A7A386-6F35-41A7-A731-101F0C0153C8}
Python 2.2 pywin32 extensions (build 203) --> "C:\Python22\Removepywin32.exe" -u "C:\Python22\pywin32-wininst.log"
Python 2.2.3 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
QuickBooks Product Listing Service --> MsiExec.exe /I{91208A47-5D08-4C79-986F-1931940F51BB}
QuickBooks Simple Start Free Starter Edition --> msiexec.exe /I {71EEA108-09C9-4D81-8FA2-D48C70681242} UNIQUE_NAME="atomlimited" QBFULLNAME="QuickBooks Simple Start Free Starter Edition" ADDREMOVE=1 OEMVENDOR=DIRECT
Quicken 2005 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2DBE41DD-2129-4C65-A3D3-5647236A60F3} anything
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Qwest Internet Security Services --> "C:\Program Files\QwestInternetSecurity\ISS\app\Repair.exe" -REMOVE
Readiris Pro 11 --> MsiExec.exe /I{8CE0B1C5-15E9-4027-92F4-F63C57FEFD87}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Remove Adobe Photoshop Album 2.0 Starter Edition installer --> c:\\hp\\bin\\cloaker.exe commands /ww /lw:c:\\hp\\bin\\ifc\\Adobe_PhotoShop_Album\\lg.ini /c c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\ifc\\uninst.cmd ar
Remove Microsoft Money 2005 installer --> c:\\hp\\bin\\cloaker.exe commands /ww /lw:c:\\hp\\bin\\ifc\\Money\\lg.ini /c c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\ifc\\uninst.cmd ar
Remove WeatherBug installer --> c:\\hp\\bin\\cloaker.exe commands /ww /lw:c:\\hp\\bin\\ifc\\WeatherBug\\lg.ini /c c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\ifc\\uninst.cmd ar
Rhapsody --> C:\PROGRA~1\Rhapsody\Unwise32.exe /A C:\PROGRA~1\Rhapsody\install.log
Rhapsody Player Engine --> MsiExec.exe /I{8A62A068-3FD6-495A-9F66-26FE94F32EC9}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shooting Stars Pool from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\045C89A0-CA37-443C-8826-F750227DE69C\Uninstall.exe"
Slyder from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\8BA6F58B-7A91-461F-95F8-E34F8BD8AA4E\Uninstall.exe"
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Super Granny from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\DE87FA96-7840-420C-86F9-33F3B7B3CED1\Uninstall.exe"
SupportSoft Assisted Service --> MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
Tradewinds from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\66195170-D19D-46C5-8FB7-8A4630071ADC\Uninstall.exe"
TurboTax Home & Business 2007 --> C:\Program Files\TurboTax\Home & Business 2007\TaxUnst.EXE "C:\Program Files\TurboTax\Home & Business 2007\Uninstall.log" -NoGui
Watchtower Library 2006 - English Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{42EED331-936C-446E-9374-077F7B028518}\Setup.exe"
Watchtower Library 2007 - English --> C:\Program Files\Watchtower\Watchtower Library 2007\E\uninst.exe
Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Outlook Toolbar (Windows Live Toolbar) --> MsiExec.exe /X{35E1A8C8-6646-4101-B0AA-42D1EB2AB3AE}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
Windows Live Toolbar Feed Detector (Windows Live Toolbar) --> MsiExec.exe /X{68108E66-D13A-4EE8-A6F4-40E4B90C2A26}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type9407 / Error
Event Submitted/Written: 07/16/2008 09:47:15 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application ta1ks.exe, version 1.0.0.4, faulting module ta1ks.exe, version 1.0.0.4, fault address 0x0001b494.
Processing media-specific event for [ta1ks.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type39666 / Warning
Event Submitted/Written: 07/28/2008 10:57:41 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type39628 / Error
Event Submitted/Written: 07/28/2008 09:19:03 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the QuickBooks Database Manager Service service to connect.

Event Record #/Type39606 / Error
Event Submitted/Written: 07/24/2008 09:42:42 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the QuickBooks Database Manager Service service to connect.

Event Record #/Type39584 / Error
Event Submitted/Written: 07/24/2008 10:22:21 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the QuickBooks Database Manager Service service to connect.

Event Record #/Type39562 / Error
Event Submitted/Written: 07/23/2008 08:39:39 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the QuickBooks Database Manager Service service to connect.



-- End of Deckard's System Scanner: finished at 2008-07-29 06:19:22 ------------



Thanks again for all the help :thumbsup:
-Frito

#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:30 AM

Posted 29 July 2008 - 08:18 AM

Hello, capt.frito.

No problem :thumbsup:

We have to remove some entries in HiJack This
  • Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:
    O3 - Toolbar: (no name) - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
  • Close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
I need to see the contents of a directory to continue helping.
  • Go to Start -> Run, and type "notepad" into the box.
  • Press ok.
  • Copy and paste the following code into notepad:
    rem List "C:\Program Files\History Clean" recursively (subfolders too), newest first, 4-digit years, into a text file on the Desktop
    set FILEPATH="C:\Program Files\History Clean"
    dir %FILEPATH% /C /N /O:-D /S /4 > "%USERPROFILE%\Desktop\DirectoryList.txt"
    rem Open the listing in the default text editor and wait until it is closed, so the file is not deleted before it has been read
    start "" /wait "%USERPROFILE%\Desktop\DirectoryList.txt"
    rem Clean up: remove the listing and this batch file itself (%~f0 is the full path of the running .bat, whatever the current folder is)
    del "%USERPROFILE%\Desktop\DirectoryList.txt"
    del "%~f0"
  • Go to File -> Save
  • To the right of "Save as Type:" in the bottom of the window, change the ComboBox to "All Files"
  • Enter fix.bat into the "File name:" box just above the "Save as Type" box.
  • Double click fix.bat on your desktop.
  • Copy and paste the logfile that opens back here.
We need to find some information in your registry
  • Please download Regsearch from here: http://www.xs4all.nl/~fstaal01/downloads/regsearch.zip
  • Extract the contents of that archive to your desktop
  • Double click regsearch.exe to start the program
  • In the top box of the program, for the first line, enter "MyIdentityDefender" (without quotes)
  • For the next line, enter "CyberDefender" (without quotes)
  • Push the OK button.
  • Paste the resultant log back here :)
Just an FYI... I don't need a new HJT Log -- the dss log contains that information.

In your next reply, please include the following:
  • Log produced when running the file to list the directory.
  • The regsearch report
  • A new DSS Main.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
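To show the kind of first-pass triage the HijackThis entries in the DSS log above get before a helper picks the lines to "Fix checked", here is an added example in Python; it is not code from this thread or from HijackThis. It parses O-lines in the format HijackThis prints them and flags orphaned "(no file)" entries (the O3 line Billy asked to fix), "(file missing)" or owner-less services, and Run-key autostarts launched from a user profile or temp folder. The sample lines are copied from the log posted above except for one O4 line that is constructed and marked as such.

```python
"""Added triage helper for HijackThis-style log lines (not code from this thread or from HijackThis)."""
import re
from dataclasses import dataclass

# Sample input: five lines copied from the log posted above in this thread,
# plus one CONSTRUCTED O4 line (so marked) that exercises the user-profile check.
SAMPLE_LOG = r"""
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: (no name) - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [constructed-example] "C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\example.exe"
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Path fragments (lower-case) that mark a Run-key autostart as worth a second look:
# binaries started from a user profile or a temp folder instead of Program Files / Windows.
SUSPICIOUS_O4_DIRS = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\")


@dataclass
class Finding:
    section: str  # HijackThis section, e.g. "O3" or "O23"
    reason: str   # why a malware-response helper would look at this entry
    line: str     # the original log line, unchanged


def _fields(rest: str) -> list:
    """Split the part after 'O<n> - ' on HijackThis' ' - ' separators."""
    return [f.strip() for f in rest.split(" - ")]


def _o4_target(rest: str) -> str:
    """Pull the launched path out of 'HKCU\\..\\Run: [name] "C:\\x\\y.exe" /args'."""
    m = re.search(r'\]\s*("[^"]+"|\S+)', rest)
    return m.group(1).strip('"') if m else ""


def triage(log_text: str) -> list:
    """Return the entries a responder checks first, in the order they appear in the log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(O\d+) - (.*)$", line)
        if not m:
            continue  # headers, blank lines and R/F entries are not handled here
        section, rest = m.group(1), m.group(2)
        if section in ("O2", "O3", "O9"):
            # Layout: name - {CLSID} - path. A CLSID whose DLL is gone shows as "(no file)".
            if _fields(rest)[-1] == "(no file)":
                findings.append(Finding(section, "orphaned entry: target file is gone", line))
        elif section == "O23":
            # Layout: Service: name (short) - owner - path [(file missing)]
            fields = _fields(rest)
            if len(fields) >= 3:
                owner, path = fields[-2], fields[-1]
                if path.endswith("(file missing)"):
                    findings.append(Finding(section, "service registered but its binary is missing", line))
                if owner == "Unknown owner":
                    findings.append(Finding(section, "service with no publisher recorded", line))
        elif section == "O4":
            target = _o4_target(rest).lower()
            if any(fragment in target for fragment in SUSPICIOUS_O4_DIRS):
                findings.append(Finding(section, "autostart launched from a user profile or temp folder", line))
    return findings


def fix_candidates(findings: list) -> list:
    """The orphaned "(no file)" entries, which is the kind of line the helper above asked to fix."""
    return [f.line for f in findings if f.reason.startswith("orphaned entry")]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Entries flagged for a missing publisher (the Google Updater service here) are only a prompt to look, not a verdict; the legitimate ones are confirmed by checking the binary on disk.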

#13 capt.frito

capt.frito
  • Topic Starter

  • Members
  • 24 posts
  • Local time:03:30 AM

Posted 29 July 2008 - 08:52 AM

Hi Billy,

Here goes:

* Log produced when running the file to list the directory.


Volume in drive C is PRESARIO
Volume Serial Number is 7C85-3D6A

Directory of C:\Program Files\History Clean

06/05/2008 10:37 PM <DIR> ..
06/05/2008 10:37 PM <DIR> .
06/05/2008 05:44 PM 0 SafeHistory.dat
06/05/2008 05:44 PM 0 SafeCookie.dat
06/05/2008 05:44 PM 0 SafeURLs.dat
06/05/2008 05:35 PM 5,118 unins000.dat
06/05/2008 05:35 PM <DIR> Help
06/05/2008 05:35 PM <DIR> plugins
08/18/2004 04:09 PM 1,530 readme.rtf
08/18/2004 03:56 PM 5,054 License.rtf
01/05/2004 09:41 PM 6,638 pad_file.xml
7 File(s) 18,340 bytes

Directory of C:\Program Files\History Clean\Help

06/05/2008 05:35 PM <DIR> ..
06/05/2008 05:35 PM <DIR> .
08/16/2004 05:50 PM 1,457 stealth.htm
08/16/2004 05:46 PM 4,167 purchasing.htm
08/16/2004 05:34 PM 5,787 history.htm
08/16/2004 05:33 PM 4,153 delopts.htm
08/16/2004 05:32 PM 4,923 startup.htm
08/16/2004 05:31 PM 3,643 plugins.htm
08/16/2004 05:30 PM 3,405 killpopup.htm
08/16/2004 05:30 PM 3,403 deletion.htm
08/16/2004 05:28 PM 3,543 scheduling.htm
08/16/2004 05:28 PM 4,195 nav.htm
08/16/2004 05:27 PM 1,713 hotkeyopts.htm
08/16/2004 05:26 PM 3,939 gettingstarted.htm
08/16/2004 05:25 PM 4,549 welcome.htm
08/16/2004 05:23 PM 1,004 contact.htm
08/16/2004 04:51 PM 16,745 logo2.gif
04/21/2003 02:55 PM 435 help.htm
04/01/2003 06:28 PM 21,448 logo2.jpg
17 File(s) 88,509 bytes

Directory of C:\Program Files\History Clean\plugins

06/05/2008 05:44 PM 246 Winzip.plg
06/05/2008 05:44 PM 135 Yahoo! Messenger.plg
06/05/2008 05:44 PM 129 The Playe.plg
06/05/2008 05:44 PM 148 SWiSH 2.0.plg
06/05/2008 05:44 PM 151 WinRar 2.x.plg
06/05/2008 05:44 PM 228 sonique.plg
06/05/2008 05:44 PM 262 RealPlayer.plg
06/05/2008 05:44 PM 105 PowerDVD.plg
06/05/2008 05:44 PM 801 Office2000.plg
06/05/2008 05:44 PM 790 Office XP.plg
06/05/2008 05:44 PM 179 Office97.plg
06/05/2008 05:44 PM 274 NetCaptor.plg
06/05/2008 05:44 PM 151 MSN Messenger.plg
06/05/2008 05:44 PM 243 Morpheus.plg
06/05/2008 05:44 PM 241 Net Vampire 3.x.plg
06/05/2008 05:44 PM 280 ICQ2000B.plg
06/05/2008 05:44 PM 224 KaZaA.plg
06/05/2008 05:44 PM 239 Mediaplayer.plg
06/05/2008 05:44 PM 143 Google Tool Bar.plg
06/05/2008 05:44 PM 711 GO!ZLLA.plg
06/05/2008 05:44 PM 245 Hotbar 3.0.plg
06/05/2008 05:44 PM 276 GetRight 4.x.plg
06/05/2008 05:44 PM 241 Download Accelerator (DAP).plg
06/05/2008 05:44 PM 133 Divx Player.plg
06/05/2008 05:44 PM 252 FlashGet.plg
06/05/2008 05:44 PM 220 CuteFTP 4.0.plg
06/05/2008 05:44 PM 145 AOL Instant Messenger.plg
06/05/2008 05:44 PM 166 Acrobat Reader 5.plg
06/05/2008 05:44 PM 165 Acrobat Reader 4.x.plg
06/05/2008 05:44 PM 270 ACDsee 4.0.plg
06/05/2008 05:35 PM <DIR> ..
06/05/2008 05:35 PM <DIR> .
04/15/2002 11:59 PM 279 ACDSee 3.x.plg
31 File(s) 8,072 bytes

Total Files Listed:
55 File(s) 114,921 bytes
8 Dir(s) 56,959,004,672 bytes free



* The regsearch report


Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 7/29/2008 7:43:43 AM for strings:
; 'myidentitydefender'
; 'cyberdefender'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\CDSPN\Install Information]
"Path"="C:\\Program Files\\CyberDefender\\AntiSpyware"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{83682B4C-B98C-4BEB-97CC-8EAD2AF9E4C6}]
"UninstallString"="C:\\Documents and Settings\\Compaq_Owner\\Local Settings\\Application Data\\CyberDefender\\cdinstx.exe /u"
"InstallLocation"="C:\\Documents and Settings\\Compaq_Owner\\Local Settings\\Application Data\\CyberDefender"
"DisplayName"="MyIdentityDefender Toolbar (CyberDefender Corporation)"
"Publisher"="CyberDefender Corp."
"URLInfoAbout"="http://www.cyberdefender.com"
"HelpLink"="http://support.cyberdefender.com/cgi-bin/support/kb.cgi"
"DisplayIcon"="C:\\Documents and Settings\\Compaq_Owner\\Local Settings\\Application Data\\CyberDefender\\st.ico"

[HKEY_CURRENT_USER\Software\CDSPN\Install Information]
"Path"="C:\\Program Files\\CyberDefender\\AntiSpyware"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}]
"URL"="http://ws.infospace.com/cyberdefender_EDC/ws/results/Web/{searchTerms}/1/417/TopNavigation/Relevance/iq=true/zoom=off/_iceUrlFlag=7?_IceUrl=true"

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\Internet\Server Cache\http://search.myidentitydefender.com/]

; End Of The Log...



* A new DSS Main.txt


Deckard's System Scanner v20071014.68
Run by Compaq_Owner on 2008-07-29 07:45:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Compaq_Owner.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:45:54 AM, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\program files\qwestinternetsecurity\iss\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\COMPAQ~1.EXE

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\QwestInternetSecurity\ISS\app\AuthBHO.dll
O3 - Toolbar: I.R.I.S. Desktop Search - {577EBCA9-8ED3-45FC-A514-55B3817D4BCF} - C:\Program Files\IRIS Desktop Search\IRISDesktopSearchIntegration910.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Qwest Internet Security Services Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\QwestInternetSecurity\ISS\app\AuthBHO.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [I.R.I.S. Desktop Search] "C:\Program Files\IRIS Desktop Search\IRISDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186008886843
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\qwestinternetsecurity\iss\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6673 bytes

-- Files created between 2008-06-29 and 2008-07-29 -----------------------------

2008-07-29 06:07:52 0 d-------- C:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-07-24 10:45:11 0 d-------- C:\Program Files\Spyware Doctor
2008-07-03 22:42:59 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\AVGTOOLBAR
2008-06-27 06:15:07 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla
2008-06-27 06:09:55 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Talkback
2008-06-27 06:09:29 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-26 08:07:07 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Help
2008-06-26 07:43:25 0 d-------- C:\Program Files\Common Files
2008-06-25 23:24:07 0 d-------- C:\Program Files\Enigma Software Group
2008-06-25 12:23:52 0 d-------- C:\Program Files\AVG
2008-06-17 10:15:31 0 d-------- C:\Program Files\Common Files\Command Software
2008-06-15 21:44:17 28672 --a------ C:\a
2008-06-10 22:22:58 0 d-------- C:\Program Files\NetFilter
2008-06-07 22:33:39 0 d--h----- C:\Program Files\Common Files\Authentium Shared
2008-06-07 22:33:30 0 d-------- C:\Program Files\QwestInternetSecurity
2008-06-05 22:37:04 0 d-------- C:\Program Files\History Clean
2008-06-02 20:45:10 0 d-------- C:\Program Files\Panicware


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
06/25/2008 12:24 PM 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [06/25/2008 12:24 PM 2050816]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/25/2008 12:23 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"I.R.I.S. Desktop Search"="C:\Program Files\IRIS Desktop Search\IRISDesktopSearch.exe" [01/11/2006 07:37 AM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [03/01/2007 11:37 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [9/24/2005 1:28:44 AM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [9/24/2005 2:39:30 AM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [6/10/2007 2:09:14 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)
"disabletaskmgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b72c2855-5cb9-11dd-b0c3-0011d8e623c2}]
AutoRun\command- F:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2008-07-29 07:46:46 ------------


...okay for this part

best,
Frito
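
Added example, not from this thread, regsearch or OTMoveIt2: the regsearch report above is written in .reg export syntax, and the reply that follows turns its hits into a removal list by hand. The Python script below does that step mechanically. It parses the report, lists every key that matched, and pulls any file-system paths out of the string data (install locations, uninstall strings) so they can be checked on disk before anything is moved. SAMPLE_REPORT is a constructed excerpt modelled on the report posted above; hex continuation lines of a real .reg file are simply skipped.

```python
import re

# Constructed excerpt modelled on the regsearch report posted in this thread.
SAMPLE_REPORT = r"""Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman
; Results at 7/29/2008 7:43:43 AM for strings:
; 'myidentitydefender'
; 'cyberdefender'

[HKEY_LOCAL_MACHINE\SOFTWARE\CDSPN\Install Information]
"Path"="C:\\Program Files\\CyberDefender\\AntiSpyware"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{83682B4C-B98C-4BEB-97CC-8EAD2AF9E4C6}]
"UninstallString"="C:\\Documents and Settings\\Compaq_Owner\\Local Settings\\Application Data\\CyberDefender\\cdinstx.exe /u"
"InstallLocation"="C:\\Documents and Settings\\Compaq_Owner\\Local Settings\\Application Data\\CyberDefender"
"DisplayName"="MyIdentityDefender Toolbar (CyberDefender Corporation)"
"URLInfoAbout"="http://www.cyberdefender.com"

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\Internet\Server Cache\http://search.myidentitydefender.com/]

; End Of The Log...
"""

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                      # [key] or [-key]
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data
# A Windows path inside value data: drive letter, then anything Windows allows
# in a file name. '/' is excluded, so the match stops before switches like " /u".
PATH_RE = re.compile(r'[A-Za-z]:\\[^/:*?"<>|\r\n]*')


def unescape_reg_string(s):
    """Undo .reg quoting for REG_SZ data: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_report(text):
    """Return [(key, {name: data})] in file order.

    Comment lines (;), the header and hex continuation lines are skipped.
    Only quoted REG_SZ data is unescaped; dword:/hex: data is kept raw."""
    hits, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = (m.group(2), {})
            hits.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else '(Default)'
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = unescape_reg_string(data[1:-1])
            current[1][name] = data
    return hits


def build_move_list(text):
    """Keys that matched plus every file-system path referenced in their
    string data, deduplicated and in first-seen order."""
    keys, paths = [], []
    for key, values in parse_reg_report(text):
        if key not in keys:
            keys.append(key)
        for data in values.values():
            for path in PATH_RE.findall(data):
                path = path.rstrip()
                if path and path not in paths:
                    paths.append(path)
    return {'keys': keys, 'paths': paths}


def format_move_list(text):
    """One entry per line, the layout a move/remove tool expects to be pasted."""
    result = build_move_list(text)
    return '\n'.join(result['keys'] + result['paths'])


if __name__ == '__main__':
    print(format_move_list(SAMPLE_REPORT))
```

The script only lists and never deletes. Whether to take a parent directory rather than the subfolder a value points at, and whether a hit is a vendor root or just an Office URL-cache entry, is still the analyst's call; the paths are there so that call can be made after a look at the disk.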

#14 Billy O'Neal (Malware Response Team)

Posted 29 July 2008 - 12:19 PM

Hello, capt.frito.
We need to move some files
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    HKEY_LOCAL_MACHINE\SOFTWARE\CDSPN
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{83682B4C-B98C-4BEB-97CC-8EAD2AF9E4C6}
    HKEY_CURRENT_USER\Software\CDSPN
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}
    HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\Internet\Server Cache\http://search.myidentitydefender.com/
    C:\Program Files\CyberDefender
    C:\a
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 7...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-Language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe
  • Follow the on screen instructions to install the latest Java version.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and chose "select all" (or use Ctrl+A)
  • Right-click again and chose "Copy" (or Ctrl+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Your Microsoft Windows installation is out of date.
Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
Go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

Please let me know of any problems you may have encountered.

In your next reply, please include the following:
  • OTMoveIt2's Log
  • ESET OnlineScan's Log
  • A New HiJack This log

Billy3
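
Added example, not HijackThis, DSS or anything posted in this thread: every round here ends with a request for a fresh HijackThis log, and the analyst compares it with the previous one by eye. The Python script below does that comparison. It parses the O-lines of two logs, reports entries that appeared or disappeared, and flags entries worth a second look (a service whose binary is missing, a service with no publisher, AppInit_DLLs and IE policy entries). LOG_BEFORE and LOG_AFTER are constructed excerpts built from lines in the logs posted in this thread; the difference between them is the Java 6 Update 5 to Update 7 change that the next reply's log shows.

```python
import re

# Constructed excerpts built from lines that appear in the logs posted above.
LOG_BEFORE = r"""
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
"""

LOG_AFTER = r"""
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
"""

# "O23 - Service: ..." -> section O23, body "Service: ..."
ENTRY_RE = re.compile(r'^(O\d+)\s*-\s*(.*\S)\s*$')


def parse_hjt(text):
    """Map (section, normalised body) -> original line for every O-line.

    Whitespace is collapsed and case is folded so cosmetic differences
    between two runs (8.3 vs long names aside) do not show up as changes."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            section, body = m.group(1), ' '.join(m.group(2).split())
            entries[(section, body.lower())] = line.strip()
    return entries


def diff_hjt(before, after):
    """Return (added, removed): lines only in `after` and lines only in `before`."""
    old, new = parse_hjt(before), parse_hjt(after)
    added = [line for key, line in new.items() if key not in old]
    removed = [line for key, line in old.items() if key not in new]
    return added, removed


# Substrings, and whole sections, that deserve a second look, with the reason.
NEEDLES = (
    ('(file missing)', 'service binary is no longer on disk (orphaned or deleted entry)'),
    ('unknown owner', 'no publisher recorded for the service binary'),
)
SECTIONS = {
    'O6': 'IE policy restriction present; malware commonly sets these to lock the browser',
    'O20': 'AppInit_DLLs is loaded into every process that loads user32.dll; verify the DLL',
}


def flag_entries(text):
    """Return [(line, [reasons])] for entries matching NEEDLES or SECTIONS."""
    flagged = []
    for (section, body), line in parse_hjt(text).items():
        reasons = [why for needle, why in NEEDLES if needle in body]
        if section in SECTIONS:
            reasons.append(SECTIONS[section])
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == '__main__':
    added, removed = diff_hjt(LOG_BEFORE, LOG_AFTER)
    for line in added:
        print('+', line)
    for line in removed:
        print('-', line)
    for line, reasons in flag_entries(LOG_AFTER):
        print('!', line, '->', '; '.join(reasons))
```

A flag is a prompt, not a verdict: on this machine the O20 entry is AVG's own avgrsstx.dll, which is why the check reports the reason and leaves the judgement to whoever reads the log.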

#15 capt.frito (Topic Starter)

Posted 30 July 2008 - 12:19 AM

Hi Billy,

Here are the MoveIt log and the HJT log (via dss). This machine does not yet have access to the Internet; I have a bunch of Windows machines on this side of my firewall and I would prefer it if they were not compromised inadvertently. So I will upgrade Windows when the box is rid of these viruses.

Here are the logs:

OTMoveIt2

< HKEY_LOCAL_MACHINE\SOFTWARE\CDSPN >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\CDSPN\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{83682B4C-B98C-4BEB-97CC-8EAD2AF9E4C6} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{83682B4C-B98C-4BEB-97CC-8EAD2AF9E4C6}\\ deleted successfully.
< HKEY_CURRENT_USER\Software\CDSPN >
Registry key HKEY_CURRENT_USER\Software\CDSPN\\ deleted successfully.
< HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} >
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}\\ deleted successfully.
< HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\Internet\Server Cache\http://search.myidentitydefender.com/ >
Registry key HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\Internet\Server Cache\http://search.myidentitydefender.com/\ deleted successfully.
File/Folder C:\Program Files\CyberDefender not found.
C:\a moved successfully.


OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07292008_224857


DSS's main.txt:

-- HijackThis (run as Compaq_Owner.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:49 PM, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\program files\qwestinternetsecurity\iss\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\COMPAQ~1.EXE

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\QwestInternetSecurity\ISS\app\AuthBHO.dll
O3 - Toolbar: I.R.I.S. Desktop Search - {577EBCA9-8ED3-45FC-A514-55B3817D4BCF} - C:\Program Files\IRIS Desktop Search\IRISDesktopSearchIntegration910.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Qwest Internet Security Services Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\QwestInternetSecurity\ISS\app\AuthBHO.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [I.R.I.S. Desktop Search] "C:\Program Files\IRIS Desktop Search\IRISDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186008886843
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\qwestinternetsecurity\iss\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6981 bytes

-- Files created between 2008-06-29 and 2008-07-29 -----------------------------

2008-07-29 23:00:58 0 d-------- C:\Program Files\Java
2008-07-29 23:00:56 0 d-------- C:\Program Files\Common Files\Java
2008-07-29 06:07:52 0 d-------- C:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-07-29 23:00:56 0 d-------- C:\Program Files\Common Files
2008-07-24 10:45:11 0 d-------- C:\Program Files\Spyware Doctor
2008-07-03 22:42:59 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\AVGTOOLBAR
2008-06-27 06:15:07 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla
2008-06-27 06:09:55 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Talkback
2008-06-27 06:09:29 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-26 08:07:07 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Help
2008-06-25 23:24:07 0 d-------- C:\Program Files\Enigma Software Group
2008-06-25 12:23:52 0 d-------- C:\Program Files\AVG
2008-06-17 10:15:31 0 d-------- C:\Program Files\Common Files\Command Software
2008-06-10 22:22:58 0 d-------- C:\Program Files\NetFilter
2008-06-07 22:33:39 0 d--h----- C:\Program Files\Common Files\Authentium Shared
2008-06-07 22:33:30 0 d-------- C:\Program Files\QwestInternetSecurity
2008-06-05 22:37:04 0 d-------- C:\Program Files\History Clean
2008-06-02 20:45:10 0 d-------- C:\Program Files\Panicware


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
06/25/2008 12:24 PM 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [06/25/2008 12:24 PM 2050816]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/25/2008 12:23 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"I.R.I.S. Desktop Search"="C:\Program Files\IRIS Desktop Search\IRISDesktopSearch.exe" [01/11/2006 07:37 AM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [03/01/2007 11:37 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [9/24/2005 1:28:44 AM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [9/24/2005 2:39:30 AM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [6/10/2007 2:09:14 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)
"disabletaskmgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b72c2855-5cb9-11dd-b0c3-0011d8e623c2}]
AutoRun\command- F:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2008-07-29 23:08:14 ------------



that's it for now

best,
Frito
