
Infected With Weird Taskbar-crashing Cmd Virus


  • This topic is locked
32 replies to this topic

#1 Elaminopy

Elaminopy

  • Members
  • 20 posts
  • OFFLINE
  • Local time:02:09 PM

Posted 30 July 2008 - 02:38 PM

Hi all. I am infected with something that makes my taskbar continually come up and go away in an endless cycle. My icons on my desktop appear and disappear at the same time and any Explorer windows I am able to open in the split second that my icons are visible like "My Computer" go away with my icons and taskbar. Sometimes a minimized CMD or DOS window will constantly come up and go away rapidly, in an endless loop as well, but it goes away too fast for me to click on it and close it and then another one comes up in its place. It only does this sometimes.

I'm running a fully updated Windows XP Pro SP3. I have the newest version of CCleaner and I analyzed and fixed everything it found. I have Symantec AntiVirus 10.1.7.7000 that I updated the virus definitions today and ran a full system scan that found nothing. I also have the newest SUPERAntiSpyware that I updated today and ran a full system scan. It only found a tracking cookie. I also have the newest Malwarebytes AntiMalware that I updated today and ran a full system scan. It found nothing.

In accordance with the Preparation Guide, I ran the Kaspersky online scan and all it found was my VNC program, which I use to access my work computer from home sometimes. It is password-protected. I also downloaded and ran Deckard's System Scanner.

Here's main.txt:

Deckard's System Scanner v20071014.68
Run by jason.reed on 2008-07-30 11:59:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-07-30 18:59:03 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as jason.reed.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:41 AM, on 7/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\jason.reed\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\jason.reed.exe
C:\WINDOWS\explorer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.mncdealer.com
O15 - Trusted Zone: *.monacocoach.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211212180234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211212175250
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rvcenters.net
O17 - HKLM\Software\..\Telephony: DomainName = rvcenters.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rvcenters.net
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7869 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&EDE93E0&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&EDE93E0&0
Service: i8042prt


-- Scheduled Tasks -------------------------------------------------------------

2008-07-25 10:58:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-30 and 2008-07-30 -----------------------------

2008-07-30 11:02:53 0 d-------- C:\WINDOWS\Sun
2008-07-30 11:01:53 0 d-------- C:\Program Files\Java
2008-07-30 11:01:04 0 d-------- C:\Documents and Settings\jason.reed\Application Data\Sun
2008-07-30 10:12:34 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-07-30 10:02:51 0 dr-h----- C:\Documents and Settings\jason.reed\Recent
2008-07-30 09:47:14 0 d-------- C:\Program Files\Trend Micro
2008-07-30 09:43:36 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-30 09:43:33 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-30 09:43:33 0 d-------- C:\Documents and Settings\jason.reed\Application Data\SUPERAntiSpyware.com
2008-07-30 09:43:18 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-28 16:46:59 0 d-------- C:\Documents and Settings\jason.reed\Application Data\Malwarebytes
2008-07-28 16:46:56 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-28 16:46:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-25 21:34:00 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-25 20:40:11 0 d-------- C:\Program Files\DivX
2008-07-25 20:35:40 0 d-------- C:\Program Files\WinAVI Video Converter
2008-07-25 11:12:51 0 d-------- C:\Program Files\iPod
2008-07-25 11:12:48 0 d-------- C:\Program Files\iTunes
2008-07-25 11:12:23 0 d-------- C:\Program Files\Common Files\Apple
2008-07-25 11:01:05 0 d-------- C:\Program Files\QuickTime
2008-07-25 11:01:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-16 23:36:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-16 17:37:18 0 d-------- C:\Program Files\Yahoo!
2008-07-16 17:37:06 0 d-------- C:\Program Files\CCleaner
2008-07-16 15:35:54 0 d-------- C:\Documents and Settings\jason.reed\Application Data\Opera
2008-07-16 15:35:48 0 d-------- C:\Program Files\Opera
2008-07-16 08:32:47 0 d-------- C:\Documents and Settings\jason.reed\Application Data\WinRAR
2008-07-15 16:47:40 0 d-------- C:\Documents and Settings\jason.reed\Application Data\Apple Computer
2008-07-15 16:47:27 0 d-------- C:\Program Files\Safari
2008-07-15 16:47:15 0 d-------- C:\Program Files\Bonjour
2008-07-15 16:47:09 0 d-------- C:\Program Files\Apple Software Update
2008-07-15 16:47:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-15 16:36:31 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-15 16:36:29 0 d-------- C:\Documents and Settings\jason.reed\Application Data\Mozilla
2008-07-15 15:42:45 0 d-------- C:\Documents and Settings\jason.reed\Application Data\Google
2008-07-15 15:42:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-07-15 15:42:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-15 15:42:26 0 d-------- C:\Program Files\Google
2008-07-11 16:41:09 0 d-------- C:\Program Files\RealVNC
2008-07-11 12:41:13 0 d-------- C:\Documents and Settings\Administrator.JASONREED\Application Data\Media Player Classic
2008-07-11 12:41:11 0 d--h----- C:\Documents and Settings\Administrator.JASONREED\Templates
2008-07-11 12:41:11 0 dr------- C:\Documents and Settings\Administrator.JASONREED\Start Menu
2008-07-11 12:41:11 0 dr-h----- C:\Documents and Settings\Administrator.JASONREED\SendTo
2008-07-11 12:41:11 0 d--h----- C:\Documents and Settings\Administrator.JASONREED\Recent
2008-07-11 12:41:11 0 d--h----- C:\Documents and Settings\Administrator.JASONREED\PrintHood
2008-07-11 12:41:11 0 d--h----- C:\Documents and Settings\Administrator.JASONREED\NetHood
2008-07-11 12:41:11 0 d-------- C:\Documents and Settings\Administrator.JASONREED\My Documents
2008-07-11 12:41:11 0 d--h----- C:\Documents and Settings\Administrator.JASONREED\Local Settings
2008-07-11 12:41:11 0 d-------- C:\Documents and Settings\Administrator.JASONREED\Favorites
2008-07-11 12:41:11 0 d-------- C:\Documents and Settings\Administrator.JASONREED\Desktop
2008-07-11 12:41:11 0 d---s---- C:\Documents and Settings\Administrator.JASONREED\Cookies
2008-07-11 12:41:11 0 dr-h----- C:\Documents and Settings\Administrator.JASONREED\Application Data
2008-07-11 12:41:11 0 d---s---- C:\Documents and Settings\Administrator.JASONREED\Application Data\Microsoft
2008-07-11 12:41:10 524288 --ah----- C:\Documents and Settings\Administrator.JASONREED\NTUSER.DAT
2008-07-10 13:13:25 0 d--h----- C:\Documents and Settings\administrator\Templates
2008-07-10 13:13:25 0 dr------- C:\Documents and Settings\administrator\Start Menu
2008-07-10 13:13:25 0 dr-h----- C:\Documents and Settings\administrator\SendTo
2008-07-10 13:13:25 0 d--h----- C:\Documents and Settings\administrator\Recent
2008-07-10 13:13:25 0 d--h----- C:\Documents and Settings\administrator\PrintHood
2008-07-10 13:13:25 524288 --ah----- C:\Documents and Settings\administrator\NTUSER.DAT
2008-07-10 13:13:25 0 d--h----- C:\Documents and Settings\administrator\NetHood
2008-07-10 13:13:25 0 d-------- C:\Documents and Settings\administrator\My Documents
2008-07-10 13:13:25 0 d--h----- C:\Documents and Settings\administrator\Local Settings
2008-07-10 13:13:25 0 d-------- C:\Documents and Settings\administrator\Favorites
2008-07-10 13:13:25 0 d-------- C:\Documents and Settings\administrator\Desktop
2008-07-10 13:13:25 0 d---s---- C:\Documents and Settings\administrator\Cookies
2008-07-10 13:13:25 0 dr-h----- C:\Documents and Settings\administrator\Application Data
2008-07-10 13:13:25 0 d---s---- C:\Documents and Settings\administrator\Application Data\Microsoft
2008-07-08 09:21:39 719872 --a------ C:\WINDOWS\system32\devil.dll <Not Verified; Abysmal Software; Developer's Image Library (DevIL)>
2008-07-08 09:21:39 318976 --a------ C:\WINDOWS\system32\avisynth.dll <Not Verified; The Public; Avisynth 2.5>
2008-07-08 09:21:38 70656 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-07-08 09:21:38 70656 --a------ C:\WINDOWS\system32\i420vfw.dll <Not Verified; www.helixcommunity.org; Helix I420 YUV Codec>
2008-07-08 09:21:38 27648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-07-08 09:21:38 66560 --a------ C:\WINDOWS\MOTA113.exe
2008-07-08 09:21:38 217073 --a------ C:\WINDOWS\meta4.exe
2008-07-08 09:21:37 0 d-------- C:\Program Files\AviSynth 2.5
2008-07-08 09:21:02 216064 -r-hs---- C:\WINDOWS\system32\nbDX.dll <Not Verified; MONOGRAM Multimedia, s.r.o.; MONOGRAM AMR Filter Pack>
2008-07-08 09:21:02 31232 -r-hs---- C:\WINDOWS\system32\msfDX.dll <Not Verified; Hans Mayerl; msfDX.dll>
2008-07-08 09:21:02 163328 -r-hs---- C:\WINDOWS\system32\flvDX.dll <Not Verified; Gabest; FLV Splitter>
2008-07-08 09:20:43 0 d-------- C:\Program Files\eRightSoft
2008-07-08 09:04:11 81920 --a------ C:\Documents and Settings\jason.reed\Application Data\ezpinst.exe
2008-07-08 09:04:10 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-07-08 09:04:10 0 d-------- C:\Documents and Settings\jason.reed\Application Data\Vso
2008-07-08 09:04:10 47360 --a------ C:\Documents and Settings\jason.reed\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>


-- Find3M Report ---------------------------------------------------------------

2008-07-30 10:09:57 0 d-------- C:\Program Files\Symantec AntiVirus
2008-07-30 09:43:27 0 d-------- C:\Documents and Settings\jason.reed\Application Data\U3
2008-07-30 09:43:18 0 d-------- C:\Program Files\Common Files
2008-07-25 20:37:54 0 d-------- C:\Program Files\Xvid
2008-07-08 09:04:17 34 --a------ C:\Documents and Settings\jason.reed\Application Data\pcouffin.log
2008-07-08 09:04:11 1144 --a------ C:\Documents and Settings\jason.reed\Application Data\pcouffin.inf
2008-07-08 09:04:11 7176 --a------ C:\Documents and Settings\jason.reed\Application Data\pcouffin.cat
2008-06-24 12:25:11 0 d-------- C:\Program Files\MSXML 4.0
2008-06-23 11:50:17 33021 --a------ C:\WINDOWS\system32\CoreVorbis-uninstall.exe
2008-06-23 11:43:59 0 d-------- C:\Program Files\illiminable
2008-05-16 17:26:15 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-05-16 08:58:31 0 -rahs---- C:\MSDOS.SYS
2008-05-16 08:58:31 0 -rahs---- C:\IO.SYS
2008-05-16 08:58:31 0 --a------ C:\CONFIG.SYS
2008-05-16 08:58:31 0 --a------ C:\AUTOEXEC.BAT
2008-05-16 08:55:47 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-05-16 01:49:16 62 --ahs---- C:\Documents and Settings\jason.reed\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------



-- End of Deckard's System Scanner: finished at 2008-07-30 12:56:04 ------------

Here's extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6300 @ 1.86GHz
Percentage of Memory in Use: 52%
Physical Memory (total/avail): 1023.32 MiB / 484.61 MiB
Pagefile Memory (total/avail): 2460.39 MiB / 1988.48 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1950.7 MiB

C: is Fixed (NTFS) - 149.04 GiB total, 138.99 GiB free.
D: is CDROM (CDFS)
F: is Network (NTFS)
G: is Network (NTFS)
I: is Network (NTFS)
J: is Network (NTFS)
K: is Network (NTFS)
N: is Network (NTFS)
O: is Network (NTFS)
P: is Network (NTFS)
Q: is Network (NTFS)
R: is Network (NTFS)
S: is Network (NTFS)
V: is Network (NTFS)
W: is Network (NTFS)
X: is Network (NTFS)
Y: is Network (NTFS)

\\.\PHYSICALDRIVE0 - ST3160812AS - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 149.04 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------



-- User Profiles ---------------------------------------------------------------

jason.reed (admin)
administrator (admin)
user (admin)
Administrator.JASONREED (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type1159 / Warning
Event Submitted/Written: 07/30/2008 10:14:30 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 8 files inside C:\MSOCache\All Users\{90120000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type1157 / Warning
Event Submitted/Written: 07/30/2008 10:14:24 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 14 files inside C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type1155 / Warning
Event Submitted/Written: 07/30/2008 10:14:22 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 4 files inside C:\MSOCache\All Users\{90120000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type1152 / Warning
Event Submitted/Written: 07/30/2008 10:14:14 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 2 files inside C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type1150 / Warning
Event Submitted/Written: 07/30/2008 10:14:10 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 3 files inside C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab due to extraction errors encountered by the Decomposer Engines.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1628 / Error
Event Submitted/Written: 07/29/2008 02:20:15 PM
Event ID/Source: 8003 / MRxSmb
Event Description:
The master browser has received a server announcement from the computer GUARANTY-196B23
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{1D5F3AD6-D14.
The master browser is stopping or an election is being forced.

Event Record #/Type1627 / Error
Event Submitted/Written: 07/29/2008 02:15:53 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.

Event Record #/Type1626 / Warning
Event Submitted/Written: 07/29/2008 02:15:53 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 15 minutes.

Event Record #/Type1625 / Error
Event Submitted/Written: 07/29/2008 02:15:51 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type1624 / Warning
Event Submitted/Written: 07/29/2008 02:15:51 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 15 minutes.



-- End of Deckard's System Scanner: finished at 2008-07-30 12:56:04 ------------

Here's the Kaspersky log (it's in HTML format so I just copied the "threats" it found):
C:\Program Files\RealVNC\VNC4\WinVNC4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

Edited by Elaminopy, 30 July 2008 - 07:49 PM.




#2 harrythook

harrythook


  • Security Colleague
  • 4,152 posts
  • OFFLINE
  • Gender:Male
  • Location:Philadelphia
  • Local time:04:09 PM

Posted 10 August 2008 - 08:46 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Harry

Veni Vidi Vici
THE FIGHT AGAINST MALWARE
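The HijackThis logs in this thread are read by hand, line by line. As an added example (not part of any post, and not a BleepingComputer, Trend Micro or Deckard tool), here is a small Python parser for that line format with a triage pass over the persistence points it lists: the F2 Shell= value, O4 Run entries, O20 Winlogon Notify packages and O23 services. The sample lines are constructed in the format shown in the posts; the last sample line, the trusted-directory list and the severity labels are assumptions made for illustration.

```python
"""Parser and triage pass for HijackThis-style log lines (the format posted in
this thread). Added example for the thread, not a BleepingComputer or HijackThis
tool; the trusted-directory list and the severities are assumptions."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis v2.0.2 line format. All but the last line
# mirror entries shown in the thread; the last line is made up to show a Run
# entry that lives outside the usual program directories.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\Run.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svch0st.exe
"""


@dataclass
class Entry:
    section: str  # HijackThis section code: O4, F2, O20 or O23
    name: str     # Run value name, ini value name, notify package or service name
    target: str   # command line, Shell= data, DLL path or service binary as logged


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    entry: Entry
    reason: str


# The line shapes we recognise; every pattern yields "name" and "target" groups.
_LINE_SHAPES = [
    ("O4", re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<target>.*)$")),
    ("F2", re.compile(r"^F2 - REG:system\.ini: (?P<name>\w+)=(?P<target>.*)$")),
    ("O20", re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<target>.+)$")),
    ("O23", re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<target>.+)$")),
]

# Where a legitimate program on a default XP install normally lives. PROGRA~1 is
# the 8.3 short name for Program Files (assumption: single C: system drive).
_TRUSTED_ROOT = re.compile(r"^c:\\(program files|progra~1|windows)\\", re.IGNORECASE)


def parse_log(text: str) -> List[Entry]:
    """Turn the recognised HijackThis lines into Entry objects; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        for section, pattern in _LINE_SHAPES:
            m = pattern.match(line.rstrip())
            if m:
                entries.append(Entry(section, m["name"], m["target"]))
                break
    return entries


def first_executable(cmd: str) -> str:
    """Program an O4 command line launches; for a rundll32 host, the DLL it loads."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, rest = (cmd[1:end], cmd[end + 1:]) if end > 0 else (cmd[1:], "")
    else:
        m = re.match(r"(?i)(.+?\.exe)\b(.*)", cmd)  # unquoted paths may contain spaces
        exe, rest = (m.group(1), m.group(2)) if m else (cmd, "")
    if exe.lower().endswith("rundll32.exe") and rest.strip():
        exe = rest.strip().split(",", 1)[0].strip().strip('"')
    return exe


def triage(entries: List[Entry]) -> List[Finding]:
    """Flag the persistence entries a reviewer would look at first."""
    findings = []
    for e in entries:
        if e.section == "F2" and e.name.lower() == "shell":
            # Winlogon's Shell value should be exactly Explorer.exe; any other
            # program listed there is started as a second shell at every logon.
            programs = [p.strip() for p in e.target.split(",") if p.strip()]
            extra = [p for p in programs if p.lower() != "explorer.exe"]
            if extra:
                findings.append(Finding("high", e, "Shell= also starts: " + ", ".join(extra)))
            continue
        exe = first_executable(e.target) if e.section == "O4" else e.target
        if "\\" not in exe:
            findings.append(Finding("info", e, f"{exe!r} has no directory; resolved via the search path"))
        elif not _TRUSTED_ROOT.match(exe):
            findings.append(Finding("medium", e, "runs from outside Program Files / WINDOWS: " + exe))
    return findings


def report(text: str) -> List[str]:
    """One printable line per finding."""
    return [f"{f.severity.upper():6} {f.entry.section} [{f.entry.name}] {f.reason}"
            for f in triage(parse_log(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the sample, the only high-severity line is the F2 entry: a Shell= value that names anything besides Explorer.exe starts that program at every logon, which is the kind of entry the normal Run-key and service scans above would not list. The "info" finding on a bare file name such as RTHDCPL.EXE is there because an unqualified name is resolved through the search path at logon and so deserves a quick look at where it actually resolves, even when the vendor is well known.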

#3 Elaminopy

Elaminopy
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:02:09 PM

Posted 12 August 2008 - 06:53 PM

Thank you for getting to me. Sorry my response was so delayed as well. I was going to post a new HijackThis log anyway since the original problem is quite different now. I think what I had brought something else along.

Anyway, I downloaded dss.exe to my desktop like you said. I double-clicked it and it got to the point of saying "Examining Registry" or something similar, then a bunch of minimized windows came up on the bottom of the screen and just kept stacking on each other. They all said "=_=..." on them. A box came up in front of the Deckard's System Scanner window that said "ERROR: 18600 Virus Infections Found!" When I clicked OK, another one was there, only it said 18603. Each time I clicked OK, the number climbed. Right now there is one that says 18995. DSS said (not responding), but then the minimized windows all disappeared and DSS continued, then the minimized windows came up again. DSS finally finished.

Here's main.txt:

Deckard's System Scanner v20071014.68
Run by user on 2008-08-12 14:59:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-08-12 21:59:32 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-08-12 21:56:10 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as user.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:00:31 PM, on 8/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\user\Desktop\dss.exe
C:\WINDOWS\system32\imapi.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JASONR~1.EXE
C:\WINDOWS\system32\cmd.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\Run.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Don't Delete] C:\Documents and Settings\All Users\DontDelete\TrialVer\DontDelete.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - .DEFAULT User Startup: Startup.lnk = C:\Documents and Settings\All Users\DontDelete\TrialVer\DontDelete.exe (User 'Default user')
O4 - .DEFAULT User Startup: Startup.lnk = C:\Documents and Settings\All Users\DontDelete\TrialVer\DontDelete.exe (User 'Default user')
O4 - Startup: Startup.lnk = C:\Documents and Settings\All Users\DontDelete\TrialVer\DontDelete.exe
O4 - Startup: Startup.lnk = C:\Documents and Settings\All Users\DontDelete\TrialVer\DontDelete.exe
O4 - Global Startup: Startup.lnk = C:\Documents and Settings\All Users\DontDelete\TrialVer\DontDelete.exe
O4 - Global Startup: Disk Cleanup.lnk = C:\WINDOWS\system32\cleanmgr.exe
O4 - Global Startup: Startup.lnk = C:\Documents and Settings\All Users\DontDelete\TrialVer\DontDelete.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.mncdealer.com
O15 - Trusted Zone: *.monacocoach.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211212180234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211212175250
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 9632 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&EDE93E0&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&EDE93E0&0
Service: i8042prt


-- Scheduled Tasks -------------------------------------------------------------

2008-08-08 10:58:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-07-12 and 2008-08-12 -----------------------------

2008-08-12 14:52:40 0 dr-h----- C:\Documents and Settings\user\Recent
2008-08-12 08:41:35 105346 --a------ C:\Run.exe
2008-08-07 10:52:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-05 09:00:26 0 dr-h----- C:\Documents and Settings\user.JASONREED\Recent
2008-08-05 08:59:24 0 d-------- C:\Documents and Settings\user.JASONREED\Application Data\Opera
2008-08-05 08:58:49 0 d-------- C:\Documents and Settings\user.JASONREED\Application Data\Identities
2008-08-02 12:51:50 0 d-------- C:\Program Files\Common Files\Java
2008-08-01 13:43:47 0 d-------- C:\Program Files\iPod
2008-08-01 13:43:25 0 d-------- C:\Program Files\iTunes
2008-07-30 11:02:53 0 d-------- C:\WINDOWS\Sun
2008-07-30 11:01:53 0 d-------- C:\Program Files\Java
2008-07-30 11:01:04 0 d-------- C:\Documents and Settings\user\Application Data\Sun
2008-07-30 10:12:34 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-07-30 09:47:14 0 d-------- C:\Program Files\Trend Micro
2008-07-30 09:43:36 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-30 09:43:33 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-30 09:43:33 0 d-------- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2008-07-30 09:43:18 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-28 16:46:59 0 d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-07-28 16:46:56 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-28 16:46:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-25 21:34:00 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-25 20:40:11 0 d-------- C:\Program Files\DivX
2008-07-25 20:35:40 0 d-------- C:\Program Files\WinAVI Video Converter
2008-07-25 11:12:23 0 d-------- C:\Program Files\Common Files\Apple
2008-07-25 11:01:05 0 d-------- C:\Program Files\QuickTime
2008-07-25 11:01:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-16 23:36:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-16 17:37:18 0 d-------- C:\Program Files\Yahoo!
2008-07-16 17:37:06 0 d-------- C:\Program Files\CCleaner
2008-07-16 15:35:54 0 d-------- C:\Documents and Settings\user\Application Data\Opera
2008-07-16 15:35:48 0 d-------- C:\Program Files\Opera
2008-07-16 08:32:47 0 d-------- C:\Documents and Settings\user\Application Data\WinRAR
2008-07-15 16:47:40 0 d-------- C:\Documents and Settings\user\Application Data\Apple Computer
2008-07-15 16:47:27 0 d-------- C:\Program Files\Safari
2008-07-15 16:47:15 0 d-------- C:\Program Files\Bonjour
2008-07-15 16:47:09 0 d-------- C:\Program Files\Apple Software Update
2008-07-15 16:47:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-15 16:36:31 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-15 16:36:29 0 d-------- C:\Documents and Settings\user\Application Data\Mozilla
2008-07-15 15:42:45 0 d-------- C:\Documents and Settings\user\Application Data\Google
2008-07-15 15:42:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-07-15 15:42:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-15 15:42:26 0 d-------- C:\Program Files\Google


-- Find3M Report ---------------------------------------------------------------

2008-08-12 14:49:19 0 d-------- C:\Program Files\Symantec AntiVirus
2008-08-08 15:24:30 0 d-------- C:\Program Files\Common Files\VPSoft
2008-08-08 15:24:30 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-08 15:24:30 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-08-08 15:24:30 0 d-------- C:\Program Files\Common Files\ODBC
2008-08-08 15:24:30 0 d-------- C:\Program Files\Common Files\MSSoap
2008-08-08 15:24:30 0 d-------- C:\Program Files\Common Files\InstallShield
2008-08-08 15:24:30 0 d-------- C:\Program Files\Common Files\Ahead
2008-08-08 15:24:30 0 d-------- C:\Program Files\Common Files\Adobe
2008-08-08 15:24:21 0 d-------- C:\Program Files\Xvid
2008-08-08 15:24:21 0 d-------- C:\Program Files\Windows NT
2008-08-08 15:24:21 0 d-------- C:\Program Files\Windows Media Connect 2
2008-08-08 15:24:21 0 d-------- C:\Program Files\Symantec
2008-08-08 15:24:20 0 d-------- C:\Program Files\RealVNC
2008-08-08 15:24:20 0 d-------- C:\Program Files\Realtek
2008-08-08 15:24:20 0 d-------- C:\Program Files\Online Services
2008-08-08 15:24:20 0 d-------- C:\Program Files\Nero
2008-08-08 15:24:20 0 d-------- C:\Program Files\MSXML 4.0
2008-08-08 15:24:20 0 d-------- C:\Program Files\MSN Gaming Zone
2008-08-08 15:24:20 0 d-------- C:\Program Files\MSBuild
2008-08-08 15:24:20 0 d-------- C:\Program Files\Movie Maker
2008-08-08 15:24:20 0 d-------- C:\Program Files\Microsoft Works
2008-08-08 15:24:20 0 d-------- C:\Program Files\Microsoft Silverlight
2008-08-08 15:24:20 0 d-------- C:\Program Files\microsoft frontpage
2008-08-08 15:24:20 0 d-------- C:\Program Files\Messenger
2008-08-08 15:24:18 0 d-------- C:\Program Files\illiminable
2008-08-08 15:24:18 0 d-------- C:\Program Files\eRightSoft
2008-08-08 15:24:18 0 d-------- C:\Program Files\Common Files
2008-08-08 15:24:18 0 d-------- C:\Program Files\Broadcom
2008-08-08 15:24:18 0 d-------- C:\Program Files\AviSynth 2.5
2008-08-08 15:24:18 0 d-------- C:\Program Files\atwin
2008-08-08 15:23:48 0 d-------- C:\Documents and Settings\user\Application Data\Vso
2008-08-08 15:23:48 0 d-------- C:\Documents and Settings\user\Application Data\U3
2008-08-08 15:23:47 0 d-------- C:\Documents and Settings\user\Application Data\Media Player Classic
2008-08-08 15:23:47 0 d-------- C:\Documents and Settings\user\Application Data\Macromedia
2008-08-08 15:23:47 0 d-------- C:\Documents and Settings\user\Application Data\Identities
2008-08-08 15:23:47 0 d-------- C:\Documents and Settings\user\Application Data\Ahead
2008-08-08 15:23:47 0 d-------- C:\Documents and Settings\user\Application Data\Adobe
2008-08-08 14:59:53 0 d--h----- C:\Program Files\WindowsUpdate
2008-08-08 14:58:21 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-03 12:21:59 869 -ra------ C:\Program Files\Common Files\ Common Files.lnk
2008-08-03 12:21:59 869 -ra------ C:\Program Files\ Program Files.lnk
2008-08-03 12:20:08 869 -ra------ C:\Program Files\Program Files.lnk
2008-08-03 12:20:08 869 -ra------ C:\Program Files\Common Files\Common Files.lnk
2008-07-08 09:04:17 34 --a------ C:\Documents and Settings\user\Application Data\pcouffin.log
2008-07-08 09:04:11 47360 --a------ C:\Documents and Settings\user\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-07-08 09:04:11 1144 --a------ C:\Documents and Settings\user\Application Data\pcouffin.inf
2008-07-08 09:04:11 7176 --a------ C:\Documents and Settings\user\Application Data\pcouffin.cat
2008-07-08 09:04:11 81920 --a------ C:\Documents and Settings\user\Application Data\ezpinst.exe
2008-06-23 11:50:17 33021 --a------ C:\WINDOWS\system32\CoreVorbis-uninstall.exe
2008-05-16 17:26:15 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-05-16 08:58:31 0 -rahs---- C:\MSDOS.SYS
2008-05-16 08:58:31 0 -rahs---- C:\IO.SYS
2008-05-16 08:58:31 0 --a------ C:\CONFIG.SYS
2008-05-16 08:58:31 0 --a------ C:\AUTOEXEC.BAT
2008-05-16 08:55:47 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-05-16 01:49:16 62 --ahs---- C:\Documents and Settings\user\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8972 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-12 15:07:18 ------------

Here's extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6300 @ 1.86GHz
Percentage of Memory in Use: 42%
Physical Memory (total/avail): 1023.32 MiB / 588.85 MiB
Pagefile Memory (total/avail): 2972.39 MiB / 2670.06 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1941.91 MiB

C: is Fixed (NTFS) - 149.04 GiB total, 139.06 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3160812AS - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 149.04 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------



-- User Profiles ---------------------------------------------------------------

Administrator (admin)
user (admin)
user.JASONREED (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type9093 / Warning
Event Submitted/Written: 08/09/2008 02:08:03 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type8111 / Warning
Event Submitted/Written: 08/07/2008 03:58:40 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type6817 / Warning
Event Submitted/Written: 08/06/2008 01:46:36 PM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.

Event Record #/Type6816 / Warning
Event Submitted/Written: 08/06/2008 01:46:36 PM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80080005.

Event Record #/Type6815 / Warning
Event Submitted/Written: 08/06/2008 01:44:36 PM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5902 / Error
Event Submitted/Written: 08/12/2008 00:26:26 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type5901 / Error
Event Submitted/Written: 08/12/2008 00:26:24 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type5900 / Error
Event Submitted/Written: 08/12/2008 00:26:22 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type5899 / Error
Event Submitted/Written: 08/12/2008 00:26:20 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type5898 / Error
Event Submitted/Written: 08/12/2008 00:26:18 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.



-- End of Deckard's System Scanner: finished at 2008-08-12 15:07:18 ------------

I tried the Kaspersky scan and it said it failed and there was also an insufficient memory error for something else. I'll try again after rebooting.
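A defender-side triage of the HijackThis entries in the log above, as an added example (not a BleepingComputer or HijackThis tool): it flags the F2 Shell= entry that starts a second program beside Explorer.exe, O2 BHO registrations whose file is missing, and O4 autoruns that run from non-standard directories or are registered in several startup locations at once. The sample log lines and the EXPECTED_DIRS list are constructed here from the shape of the posted log.

```python
"""Triage a HijackThis v2 log for Winlogon shell hijacks and odd persistence.

Added example (not a BleepingComputer or HijackThis tool). SAMPLE_LOG is a
constructed excerpt in the shape of the log posted in this thread.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
F2 - REG:system.ini: Shell=Explorer.exe, C:\Run.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Don't Delete] C:\Documents and Settings\All Users\DontDelete\TrialVer\DontDelete.exe
O4 - Startup: Startup.lnk = C:\Documents and Settings\All Users\DontDelete\TrialVer\DontDelete.exe
O4 - Global Startup: Startup.lnk = C:\Documents and Settings\All Users\DontDelete\TrialVer\DontDelete.exe
O4 - Global Startup: Disk Cleanup.lnk = C:\WINDOWS\system32\cleanmgr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
"""

# Every HijackThis entry line starts with a section code such as F2, O2, O4.
ENTRY_RE = re.compile(r"^([FORN]\d+) - (.*)$")

# Constructed assumption: directories a stock XP box normally launches autoruns from.
EXPECTED_DIRS = (r"c:\windows", r"c:\program files", r"c:\progra~1", r"%systemroot%")


def parse_entries(text):
    """Return [(kind, body)] for every 'Xn - ...' entry line; headers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def shell_extras(body):
    """For an F2 Shell= entry, return the values that are not Explorer.exe.

    Winlogon starts every comma-separated program listed in Shell, so anything
    beside Explorer.exe is launched together with the desktop on each logon.
    """
    m = re.match(r"REG:system\.ini: Shell=(.*)$", body, re.IGNORECASE)
    if not m:
        return []
    values = [v.strip() for v in m.group(1).split(",") if v.strip()]
    return [v for v in values if v.lower() != "explorer.exe"]


def o4_target(body):
    """Extract the launched program from an O4 entry ('[name] cmd' or 'X.lnk = cmd')."""
    m = re.match(r"[^:]*: (?:\[[^\]]*\] |[^=]*\.lnk = )(.*)$", body)
    if not m:
        return None
    cmd = m.group(1).strip()
    # Quoted or unquoted path ending in .exe; otherwise the first token.
    exe = re.match(r'"?(.*?\.exe)"?', cmd, re.IGNORECASE)
    return exe.group(1) if exe else cmd.split()[0]


def classify_path(path):
    """'bare' (no directory, resolved via PATH), 'expected', or 'unusual'."""
    p = path.lower()
    if "\\" not in p:
        return "bare"
    return "expected" if p.startswith(EXPECTED_DIRS) else "unusual"


def triage(text):
    """Return a list of (severity, message) findings for a HijackThis log."""
    findings, o4_targets, flagged = [], [], set()
    for kind, body in parse_entries(text):
        if kind == "F2":
            for extra in shell_extras(body):
                findings.append(("HIGH", f"Winlogon Shell also launches {extra}"))
        elif kind == "O2" and body.endswith("(no file)"):
            findings.append(("LOW", f"orphaned BHO registration: {body}"))
        elif kind == "O4":
            target = o4_target(body)
            if target is None:
                continue
            o4_targets.append(target.lower())
            if classify_path(target) == "unusual" and target.lower() not in flagged:
                flagged.add(target.lower())
                findings.append(("MEDIUM", f"autorun from non-standard location: {target}"))
    # One binary registered in several startup locations is a common way to
    # survive a partial cleanup; report it once with the count.
    for target, n in Counter(o4_targets).items():
        if n > 1:
            findings.append(("MEDIUM", f"{target} registered in {n} startup locations"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```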

#4 harrythook

harrythook


  • Security Colleague
  • 4,152 posts
  • Gender:Male
  • Location:Philadelphia

Posted 12 August 2008 - 08:10 PM

Hey Elaminopy,
I am seeing a bunch of things to cause some concern, and this might be difficult to remove.
Please be advised that you have a severely infected machine, and cleaning it out will take some work.
If you are willing to give it a try, follow the instructions as listed below.
If you have any problems during this process, stop and ask questions.
NOTE: my replies may be spotty for the next couple of days, please bear with me.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


#5 Elaminopy

Elaminopy
  • Topic Starter

  • Members
  • 20 posts

Posted 12 August 2008 - 09:25 PM

Okay, I installed the Recovery Console successfully. However, when I ran ComboFix.exe after turning off my antivirus and saving ComboFix.exe to my desktop, it showed a tiny progress bar and said ComboFix above it, then once the progress bar was full, it went away and the little minimized windows filled up the bottom of the screen again. The messages popped up and this time said I had 3557 infections.

I did get Kaspersky to run this time. Here's that log:

KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, July 30, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, July 30, 2008 18:33:58
Records in database: 1030144

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Critical Areas
C:\Documents and Settings\All Users\start menu\programs\startup
C:\Documents and Settings\user\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics
Files scanned 30504
Threat name 1
Infected objects 5
Suspicious objects 0
Duration of the scan 00:26:17

File name Threat name Threats count
C:\Program Files\RealVNC\VNC4\WinVNC4.exe/C:\Program Files\RealVNC\VNC4\WinVNC4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

The selected area was scanned.

And here's the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:55 PM, on 8/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\cmd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: Shell=Explorer.exe, C:\Run.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Don't Delete] C:\Documents and Settings\All Users\DontDelete\TrialVer\DontDelete.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Startup.lnk = C:\Documents and Settings\All Users\DontDelete\TrialVer\DontDelete.exe (User 'Default user')
O4 - .DEFAULT User Startup: Startup.lnk = C:\Documents and Settings\All Users\DontDelete\TrialVer\DontDelete.exe (User 'Default user')
O4 - Startup: Startup.lnk = C:\Documents and Settings\All Users\DontDelete\TrialVer\DontDelete.exe
O4 - Startup: Startup.lnk = C:\Documents and Settings\All Users\DontDelete\TrialVer\DontDelete.exe
O4 - Global Startup: Startup.lnk = C:\Documents and Settings\All Users\DontDelete\TrialVer\DontDelete.exe
O4 - Global Startup: Disk Cleanup.lnk = C:\WINDOWS\system32\cleanmgr.exe
O4 - Global Startup: Startup.lnk = C:\Documents and Settings\All Users\DontDelete\TrialVer\DontDelete.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211212180234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211212175250
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7890 bytes

Edited by Elaminopy, 12 August 2008 - 09:27 PM.


#6 harrythook

harrythook


  • Security Colleague
  • 4,152 posts
  • OFFLINE
  • Gender:Male
  • Location:Philadelphia
  • Local time:04:09 PM

Posted 13 August 2008 - 05:10 AM

Hi Elaminopy

Combofix should have produced a report; it will be located in one of 2 spots.
Look in C:\ComboFix.txt; if not there, look for a file named like this: ComboFix2.txt, located in the C:\Qoobox folder. The number after Combofix indicates which run it was, and if it did not complete its run it may be named C:\QooBox\LastRun\Combofix.txt
I need to see that report; please copy and paste that in a reply here.

I am curious about this line:
C:\Documents and Settings\All Users\DontDelete\TrialVer\DontDelete.exe
Did you download some trial version of a program recently?

You have a remote access program running: RealVNC
Are you currently using this for something?

Let's see if we can clean up some space:
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

I know it's a lot of work; let's see if we can get that Combofix report and the results from MBAM.
Harry

Veni Vidi Vici
THE FIGHT AGAINST MALWARE

Become a BleepingComputer fan: Facebook
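Added here as an example, not part of Harry's post or of any of the tools he names: a PowerShell script that walks the same autostart locations the O4 lines in the HijackThis log come from (the HKLM and HKCU Run keys plus the per-user and All Users Startup folders), resolves each .lnk target, and flags entries whose target file no longer exists, which is what a "File not found" line in a scan log means. It assumes Windows PowerShell with the WScript.Shell COM object available and an account that can read the HKLM Run key.

```powershell
# Added example (not from the original post): audit O4-style autostart entries
# and report those whose target is missing.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # All Users Startup folder
)

# Pull the program path out of a Run-key command line such as
#   "C:\Program Files\Foo\foo.exe" -arg     or     C:\Foo\foo.exe /quiet
function Get-CommandPath {
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        return $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
    }
    $m = [regex]::Match($cmd, '^(.*?\.(exe|dll|cmd|bat))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $cmd.Split(' ')[0]
}

# A bare name like rundll32.exe or nwiz.exe is resolved through PATH;
# anything with a directory part is checked literally.
function Test-TargetExists {
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path)) { return $false }
    if (Split-Path -Path $Path -Parent) {
        return (Test-Path -LiteralPath $Path)
    }
    return [bool](Get-Command -Name $Path -ErrorAction SilentlyContinue)
}

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath etc.
        $raw  = Get-CommandPath -CommandLine ([string]$p.Value)
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        $findings += [pscustomobject]@{
            Location = $key
            Name     = $p.Name
            Target   = $path
            Exists   = (Test-TargetExists -Path $path)
        }
    }
}

# Shortcuts in the Startup folders: resolve the .lnk to its real target,
# as HijackThis does for its "O4 - Startup:" lines.
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in $startupFolders) {
    Get-ChildItem -Path $folder -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        $findings += [pscustomobject]@{
            Location = $folder
            Name     = $_.Name
            Target   = $target
            Exists   = (Test-TargetExists -Path $target)
        }
    }
}

# Entries with Exists = False correspond to the "File not found" lines in a
# scan log and are the first ones to ask about, as Harry did with DontDelete.exe.
$findings | Sort-Object Exists, Location | Format-Table -AutoSize
```

Run it from an elevated console so the HKLM key is readable; an entry that reports Exists = False is either leftover from an uninstalled program or a persistence entry whose payload has already been removed.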

#7 Elaminopy

Elaminopy
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:02:09 PM

Posted 15 August 2008 - 06:26 PM

Sorry for the delay again. Things have gotten really busy for me, but it's done now so I can concentrate on this, thank goodness. I've also been having a new error message come up every once in a while, but I can't get it to come up right now to show the exact text. It says something about trouble running (something)wizard.dll and it says RunDLL on it.

I have no idea what that Don't Delete thing is. I haven't installed any trial version of anything lately. The last one I installed was Winrar (who's going to pay for that?) I hate trial things. Also, that VNC thing is something I used to connect to my work computer but I haven't used it in quite some time. Oh, and I have ATF Cleaner and I run it regularly.

Sorry again, but there is no ComboFix.txt file in C:\. There is only one .txt file in there called 2.txt and it didn't have anything in it. There is also no QooBox folder anywhere on the C-drive.

I already had Malwarebytes and I checked and it is the latest version. I updated it and ran a scan. Here are those results:

Malwarebytes' Anti-Malware 1.24
Database version: 1056
Windows 5.1.2600 Service Pack 3

4:03:26 PM 8/15/2008
mbam-log-8-15-2008 (16-03-26).txt

Scan type: Quick Scan
Objects scanned: 45792
Time elapsed: 46 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Elaminopy, 15 August 2008 - 06:31 PM.


#8 harrythook

harrythook


  • Security Colleague
  • 4,152 posts
  • OFFLINE
  • Gender:Male
  • Location:Philadelphia
  • Local time:04:09 PM

Posted 15 August 2008 - 08:01 PM

OK,
let's take a look at this in a different way:
download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Allow the program to complete its run; this may take a couple of minutes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
This report will be quite large, you may have to split it into multiple posts in order for the whole log to be posted.

Let's see the results from that :thumbsup:
Harry


#9 Elaminopy

Elaminopy
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:02:09 PM

Posted 16 August 2008 - 03:11 AM

There we go. I finally got that to scan all the way through. The first 2 times I tried it, the OTScanIt window would turn all white pretty soon after starting the scan and I'd leave it that way for several hours and come back and it would still be like that. I had closed out of any open windows I saw, but the computer still goes slow and the hard drive light is constantly blinking so I know it's doing something.

So I just rebooted and tried the scan as soon as I could and it went through really quickly and gave me this log file:

OTScanIt logfile created on: 8/16/2008 1:02:39 AM
OTScanIt by OldTimer - Version 1.0.16.2	 Folder = C:\Documents and Settings\user\Desktop\OTScanIt
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1023.32 Mb Total Physical Memory | 596.94 Mb Available Physical Memory | 58.33% Memory free
2.90 Gb Paging File | 2.60 Gb Available in Paging File | 89.49% Paging File free
Paging file location(s): C:\pagefile.sys 2048 2048;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 138.73 Gb Free Space | 93.08% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: REED
Current User Name: user
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
ccsetmgr.exe -> %CommonProgramFiles%\Symantec Shared\ccSetMgr.exe -> Symantec Corporation [Ver = 104.0.15.2 | Size = 169576 bytes | Modified Date = 5/29/2007 4:33:36 PM | Attr =	]
ccevtmgr.exe -> %CommonProgramFiles%\Symantec Shared\ccEvtMgr.exe -> Symantec Corporation [Ver = 104.0.15.2 | Size = 192104 bytes | Modified Date = 5/29/2007 4:33:26 PM | Attr =	]
spbbcsvc.exe -> %CommonProgramFiles%\Symantec Shared\SPBBC\SPBBCSvc.exe -> Symantec Corporation [Ver = 2.4.1.1 | Size = 1181016 bytes | Modified Date = 7/26/2007 7:25:20 PM | Attr =	]
applemobiledeviceservice.exe -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> Apple Inc. [Ver = 2.1.29.0 | Size = 116040 bytes | Modified Date = 7/22/2008 8:42:12 PM | Attr =	]
defwatch.exe -> %ProgramFiles%\Symantec AntiVirus\DefWatch.exe -> Symantec Corporation [Ver = 10.1.7.7000 | Size = 31160 bytes | Modified Date = 10/7/2007 8:48:24 PM | Attr =	]
googleupdaterservice.exe -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.2.1175.1407.beta | Size = 137200 bytes | Modified Date = 7/15/2008 3:42:26 PM | Attr =	]
nvsvc32.exe -> %SystemRoot%\system32\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.11.6939 | Size = 155716 bytes | Modified Date = 2/1/2008 3:32:00 PM | Attr =	]
rtvscan.exe -> %ProgramFiles%\Symantec AntiVirus\Rtvscan.exe -> Symantec Corporation [Ver = 10.1.7.7000 | Size = 1822648 bytes | Modified Date = 10/7/2007 8:48:32 PM | Attr =	]
winvnc4.exe -> %ProgramFiles%\RealVNC\VNC4\winvnc4.exe -> RealVNC Ltd. [Ver = 4.1.2 | Size = 439248 bytes | Modified Date = 5/12/2006 3:04:08 PM | Attr =	]
com1.exe -> \.\%SystemRoot%\system32\com1.exe -> File not found
con.exe -> \.\%SystemRoot%\system32\con.exe -> File not found
lpt1.exe -> \.\%SystemRoot%\system32\lpt1.exe -> File not found
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.16.2 | Size = 397312 bytes | Modified Date = 7/12/2008 9:29:54 AM | Attr =	]
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.16.2 | Size = 397312 bytes | Modified Date = 7/12/2008 9:29:54 AM | Attr =	]

[Win32 Services - Non-Microsoft Only]
(Apple Mobile Device) Apple Mobile Device [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> Apple Inc. [Ver = 2.1.29.0 | Size = 116040 bytes | Modified Date = 7/22/2008 8:42:12 PM | Attr =	]
(ccEvtMgr) Symantec Event Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccEvtMgr.exe -> Symantec Corporation [Ver = 104.0.15.2 | Size = 192104 bytes | Modified Date = 5/29/2007 4:33:26 PM | Attr =	]
(ccSetMgr) Symantec Settings Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccSetMgr.exe -> Symantec Corporation [Ver = 104.0.15.2 | Size = 169576 bytes | Modified Date = 5/29/2007 4:33:36 PM | Attr =	]
(DefWatch) Symantec AntiVirus Definition Watcher [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec AntiVirus\DefWatch.exe -> Symantec Corporation [Ver = 10.1.7.7000 | Size = 31160 bytes | Modified Date = 10/7/2007 8:48:24 PM | Attr =	]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.5512.503.0 | Size = 224768 bytes | Modified Date = 4/13/2008 5:12:17 PM | Attr =	]
(gusvc) Google Updater Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.2.1175.1407.beta | Size = 137200 bytes | Modified Date = 7/15/2008 3:42:26 PM | Attr =	]
(iPod Service) iPod Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Inc. [Ver = 7.7.1.11 | Size = 532264 bytes | Modified Date = 7/30/2008 10:47:48 AM | Attr =	]
(LiveUpdate) LiveUpdate [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Symantec\LiveUpdate\LuComServer_3_2.EXE -> Symantec Corporation [Ver = 3.2.0.67 | Size = 2999664 bytes | Modified Date = 8/28/2007 7:04:25 PM | Attr =	]
(MBAMService) MBAMService [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Malwarebytes' Anti-Malware\mbamservice.exe -> Malwarebytes Corporation [Ver = 1, 0, 0, 0 | Size = 110200 bytes | Modified Date = 7/30/2008 8:07:52 PM | Attr =	]
(NBService) NBService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBService.exe -> Nero AG [Ver = 2, 10, 3, 2 | Size = 800040 bytes | Modified Date = 6/29/2007 7:16:56 PM | Attr =	]
(NMIndexingService) NMIndexingService [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe -> Nero AG [Ver = 2,0,16,0 | Size = 279848 bytes | Modified Date = 6/27/2007 7:04:00 PM | Attr =	]
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.11.6939 | Size = 155716 bytes | Modified Date = 2/1/2008 3:32:00 PM | Attr =	]
(SavRoam) SavRoam [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Symantec AntiVirus\SavRoam.exe -> symantec [Ver = 10.1.7.7000 | Size = 116664 bytes | Modified Date = 10/7/2007 8:48:36 PM | Attr =	]
(SNDSrvc) Symantec Network Drivers Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\SNDSrvc.exe -> Symantec Corporation [Ver = 6.0.7.703 | Size = 214408 bytes | Modified Date = 8/27/2007 5:14:00 PM | Attr =	]
(SPBBCSvc) Symantec SPBBCSvc [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\SPBBC\SPBBCSvc.exe -> Symantec Corporation [Ver = 2.4.1.1 | Size = 1181016 bytes | Modified Date = 7/26/2007 7:25:20 PM | Attr =	]
(Symantec AntiVirus) Symantec AntiVirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec AntiVirus\Rtvscan.exe -> Symantec Corporation [Ver = 10.1.7.7000 | Size = 1822648 bytes | Modified Date = 10/7/2007 8:48:32 PM | Attr =	]
(WinVNC4) VNC Server Version 4 [Win32_Own | Auto | Running] -> %ProgramFiles%\RealVNC\VNC4\winvnc4.exe -> RealVNC Ltd. [Ver = 4.1.2 | Size = 439248 bytes | Modified Date = 5/12/2006 3:04:08 PM | Attr =	]

[Driver Services - Non-Microsoft Only]
(b57w2k) Broadcom NetXtreme Gigabit Ethernet [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\b57xp32.sys -> Broadcom Corporation [Ver = 10.62.0.0 (cbuild.09172007-1258,b57nd5x-main-lhdepot1106.CL-2346) | Size = 161792 bytes | Modified Date = 9/17/2007 1:00:12 PM | Attr =	]
(Blfp) Broadcom Advanced Server Program Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\baspxp32.sys -> Broadcom Corporation [Ver = 6.2.30 built by: WinDDK | Size = 98304 bytes | Modified Date = 9/11/2007 2:06:10 PM | Attr =	]
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.5512.503.0 | Size = 799744 bytes | Modified Date = 4/13/2008 11:44:48 AM | Attr =	]
(dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.5512.503.0 | Size = 153344 bytes | Modified Date = 4/13/2008 11:44:46 AM | Attr =	]
(dmload) dmload [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 2/28/2006 5:00:00 AM | Attr =	]
(eeCtrl) Symantec Eraser Control driver [Kernel | System | Running] -> %CommonProgramFiles%\Symantec Shared\EENGINE\eeCtrl.sys -> Symantec Corporation [Ver = 108.2.0.128 | Size = 371248 bytes | Modified Date = 8/15/2008 1:00:00 AM | Attr =	]
(EraserUtilRebootDrv) EraserUtilRebootDrv [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -> Symantec Corporation [Ver = 108.2.0.128 | Size = 99376 bytes | Modified Date = 8/15/2008 1:00:00 AM | Attr =	]
(GEARAspiWDM) GEARAspiWDM [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\GEARAspiWDM.sys -> GEAR Software Inc. [Ver = 2.00.07.03 | Size = 16168 bytes | Modified Date = 1/29/2008 12:01:28 PM | Attr =	]
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\hdaudbus.sys -> Windows (R) Server 2003 DDK provider [Ver = 5.10.01.5013 built by: WinDDK | Size = 144384 bytes | Modified Date = 4/13/2008 9:36:05 AM | Attr =	]
(IntcAzAudAddService) Service for Realtek HD Audio (WDM) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\RtkHDAud.sys -> Realtek Semiconductor Corp. [Ver = 5.10.0.5433 built by: WinDDK | Size = 4429312 bytes | Modified Date = 6/14/2007 5:41:00 PM | Attr =	]
(NAVENG) NAVENG [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\VirusDefs\20080815.007\NAVENG.SYS -> Symantec Corporation [Ver = 20081.1.1.13 | Size = 89936 bytes | Modified Date = 6/18/2008 1:00:00 AM | Attr =	]
(NAVEX15) NAVEX15 [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\VirusDefs\20080815.007\NAVEX15.SYS -> Symantec Corporation [Ver = 20081.1.1.13 | Size = 856336 bytes | Modified Date = 6/18/2008 1:00:00 AM | Attr =	]
(nv) nv [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\nv4_mini.sys -> NVIDIA Corporation [Ver = 6.14.11.6939 | Size = 7434720 bytes | Modified Date = 2/1/2008 3:32:00 PM | Attr =	]
(pcouffin) VSO Software pcouffin [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\pcouffin.sys -> VSO Software [Ver = 1.36 | Size = 47360 bytes | Modified Date = 7/8/2008 9:04:11 AM | Attr =	]
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 2/28/2006 5:00:00 AM | Attr =	]
(SASDIFSV) SASDIFSV [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\sasdifsv.sys -> SUPERAdBlocker.com and SUPERAntiSpyware.com [Ver = 1, 0, 0, 1010 | Size = 8944 bytes | Modified Date = 5/28/2008 10:33:36 AM | Attr =	]
(SASENUM) SASENUM [Kernel | On_Demand | Stopped] -> %ProgramFiles%\SUPERAntiSpyware\SASENUM.SYS ->  SUPERAdBlocker.com and SUPERAntiSpyware.com [Ver = 1, 0, 0, 1004 | Size = 7408 bytes | Modified Date = 5/28/2008 10:33:38 AM | Attr = R  ]
(SASKUTIL) SASKUTIL [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASKUTIL.SYS -> SUPERAdBlocker.com and SUPERAntiSpyware.com [Ver = 1, 0, 0, 1062 | Size = 55024 bytes | Modified Date = 5/28/2008 10:33:36 AM | Attr =	]
(SAVRT) SAVRT [Kernel | System | Running] -> %ProgramFiles%\Symantec AntiVirus\savrt.sys -> Symantec Corporation [Ver = 9.7.2.3 | Size = 337592 bytes | Modified Date = 9/6/2006 2:41:20 PM | Attr =	]
(SAVRTPEL) SAVRTPEL [Kernel | System | Running] -> %ProgramFiles%\Symantec AntiVirus\Savrtpel.sys -> Symantec Corporation [Ver = 9.7.2.3 | Size = 54968 bytes | Modified Date = 9/6/2006 2:41:20 PM | Attr =	]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\secdrv.sys -> Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. [Ver = 4.03.086 | Size = 20480 bytes | Modified Date = 4/13/2008 9:39:15 AM | Attr =	]
(SPBBCDrv) SPBBCDrv [Kernel | System | Running] -> %CommonProgramFiles%\Symantec Shared\SPBBC\SPBBCDrv.sys -> Symantec Corporation [Ver = 2.4.1.1 | Size = 400216 bytes | Modified Date = 7/26/2007 7:25:18 PM | Attr =	]
(SymEvent) SymEvent [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\SYMEVENT.SYS -> Symantec Corporation [Ver = 12.2.1.1 | Size = 110952 bytes | Modified Date = 5/19/2008 5:09:08 PM | Attr =	]
(SYMREDRV) SYMREDRV [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\symredrv.sys -> Symantec Corporation [Ver = 6.0.7.703 | Size = 23944 bytes | Modified Date = 8/27/2007 5:13:32 PM | Attr =	]
(SYMTDI) SYMTDI [Kernel | System | Running] -> %SystemRoot%\system32\drivers\symtdi.sys -> Symantec Corporation [Ver = 6.0.7.703 | Size = 189320 bytes | Modified Date = 8/27/2007 5:13:36 PM | Attr =	]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\reader_sl.exe ["C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"] -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 39792 bytes | Modified Date = 1/11/2008 10:16:38 PM | Attr =	]
AppleSyncNotifier -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe] -> Apple Inc. [Ver = 1, 0, 0, 9 | Size = 116040 bytes | Modified Date = 7/10/2008 9:47:28 AM | Attr =	]
ccApp -> %CommonProgramFiles%\Symantec Shared\ccApp.exe ["C:\Program Files\Common Files\Symantec Shared\ccApp.exe"] -> Symantec Corporation [Ver = 104.0.15.2 | Size = 52840 bytes | Modified Date = 5/29/2007 4:33:22 PM | Attr =	]
Don't Delete -> %AllUsersProfile%\DontDelete\TrialVer\DontDelete.exe [C:\Documents and Settings\All Users\DontDelete\TrialVer\DontDelete.exe] -> File not found
iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe ["C:\Program Files\iTunes\iTunesHelper.exe"] -> Apple Inc. [Ver = 7.7.1.11 | Size = 289064 bytes | Modified Date = 7/30/2008 10:47:56 AM | Attr =	]
NeroFilterCheck -> %CommonProgramFiles%\Ahead\Lib\NeroCheck.exe [C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe] -> Nero AG [Ver = 1, 0, 0, 6 | Size = 153136 bytes | Modified Date = 3/1/2007 3:57:24 PM | Attr =	]
NvCplDaemon -> %SystemRoot%\system32\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 6.14.11.6939 | Size = 8523776 bytes | Modified Date = 2/1/2008 3:32:00 PM | Attr =	]
nwiz -> %SystemRoot%\system32\nwiz.exe [nwiz.exe /installquiet] ->  [Ver =  | Size = 1626112 bytes | Modified Date = 2/1/2008 3:32:00 PM | Attr =	]
QuickTime Task -> %ProgramFiles%\QuickTime\QTTask.exe ["C:\Program Files\QuickTime\QTTask.exe" -atboottime] -> Apple Inc. [Ver = 7.5 (861) | Size = 413696 bytes | Modified Date = 5/27/2008 10:50:30 AM | Attr =	]
RTHDCPL -> %SystemRoot%\RTHDCPL.exe [RTHDCPL.EXE] -> Realtek Semiconductor Corp. [Ver = 2.1.3.9 | Size = 16377344 bytes | Modified Date = 6/13/2007 3:49:00 PM | Attr =	]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe ["C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 144784 bytes | Modified Date = 6/10/2008 4:27:04 AM | Attr =	]
UserFaultCheck ->  [%systemroot%\system32\dumprep 0 -u] -> File not found
vptray -> %ProgramFiles%\Symantec AntiVirus\VPTray.exe [C:\PROGRA~1\SYMANT~1\VPTray.exe] -> Symantec Corporation [Ver = 10.1.7.7000 | Size = 125368 bytes | Modified Date = 10/7/2007 8:48:40 PM | Attr =	]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 
IMAIL-> Installed = 1 -> 
MAPI-> Installed = 1 -> 
MSFS-> Installed = 1 -> 
< All Users Startup Folder > -> C:\Documents and Settings\All Users\start menu\programs\startup -> 
%AllUsersProfile%\start menu\programs\startup\ Startup.lnk -> %AllUsersProfile%\Start Menu\Programs\_-_-_-_-_- -> File not found
%AllUsersProfile%\start menu\programs\startup\Startup.lnk -> %AllUsersProfile%\Start Menu\Programs\-_-_-_-_-_ -> File not found
< user Startup Folder > -> C:\Documents and Settings\user\start menu\programs\startup -> 
%UserProfile%\start menu\programs\startup\ Startup.lnk -> %AllUsersProfile%\Start Menu\Programs\_-_-_-_-_- -> File not found
%UserProfile%\start menu\programs\startup\Startup.lnk -> %AllUsersProfile%\Start Menu\Programs\-_-_-_-_-_ -> File not found
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1012 | Size = 77824 bytes | Modified Date = 5/13/2008 10:13:36 AM | Attr =	]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> %SystemRoot%\explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 1033728 bytes | Modified Date = 4/13/2008 5:12:19 PM | Attr =	]
 C:\Run.exe -> %SystemDrive%\Run.exe ->  [Ver =  | Size = 106664 bytes | Modified Date = 8/15/2008 8:50:17 PM | Attr =	]
*MultiFile Done* -> -> 
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 
C:\WINDOWS\system32\userinit.exe -> %SystemRoot%\system32\userinit.exe -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 26112 bytes | Modified Date = 4/13/2008 5:12:38 PM | Attr =	]
*MultiFile Done* -> -> 
*UIHost* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost -> 
logonui.exe -> %SystemRoot%\system32\logonui.exe -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 514560 bytes | Modified Date = 4/13/2008 5:12:24 PM | Attr =	]
*MultiFile Done* -> -> 
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet -> 
rundll32 shell32 -> %SystemRoot%\system32\shell32.dll -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 8461312 bytes | Modified Date = 4/13/2008 5:12:05 PM | Attr =	]
Control_RunDLL "sysdm.cpl" -> %SystemRoot%\system32\sysdm.cpl -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2105) | Size = 300544 bytes | Modified Date = 4/13/2008 5:12:41 PM | Attr =	]
*MultiFile Done* -> -> 
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 4/19/2007 1:41:36 PM | Attr =	]
NavLogon -> %SystemRoot%\system32\NavLogon.dll -> Symantec Corporation [Ver = 10.1.7.7000 | Size = 43448 bytes | Modified Date = 10/7/2007 8:48:46 PM | Attr =	]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
< CDROM Autorun Settings > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->
*DependOnGroup* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DependOnGroup -> 
SCSI miniport ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> %SystemRoot%\system32\drivers\cdrom.sys [system32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2108) | Size = 62976 bytes | Modified Date = 4/13/2008 11:40:46 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun -> 1 -> 
*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable -> 
NEC	 MBR-7	->  -> File not found
NEC	 MBR-7.4  ->  -> File not found
PIONEER CHANGR DRM-1804X ->  -> File not found
PIONEER CD-ROM DRM-6324X ->  -> File not found
PIONEER CD-ROM DRM-624X  ->  -> File not found
TORiSAN CD-ROM CDR_C36 ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\0 -> IDE\CdRomPIONEER_DVD-RW__DVR-105_________________1.21____\43204442314c373134365737204c202020202020 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\NextInstance -> 1 -> 
< Drives - Autoruns > ->  -> 
AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] ->  [Ver =  | Size = 0 bytes | Modified Date = 5/16/2008 8:58:31 AM | Attr =	]
< HOSTS File > (257735 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://www.google.com/ie -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\Start Page -> http://google.com/ -> 
HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4717 domain(s) found. -> 
42 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{02478D38-C3F9-4EFB-9B51-7695ECA05670} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar Helper] -> Yahoo! Inc. [Ver = 2006, 10, 26, 1 | Size = 440384 bytes | Modified Date = 10/26/2006 10:28:40 AM | Attr =	]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/22/2006 11:08:42 PM | Attr =	]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 509328 bytes | Modified Date = 6/10/2008 4:27:02 AM | Attr =	]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [Google Toolbar Helper] -> Google Inc. [Ver = 2, 0, 111, 0 | Size = 770048 bytes | Modified Date = 7/25/2008 8:40:16 PM | Attr = R  ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [Google Toolbar Notifier BHO] -> Google Inc. [Ver = 3, 0, 1225, 9868 | Size = 734704 bytes | Modified Date = 7/25/2008 4:15:52 PM | Attr =	]
{DBC80044-A445-435b-BC74-9C25C1C588A9} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [&Google] -> Google Inc. [Ver = 2, 0, 111, 0 | Size = 770048 bytes | Modified Date = 7/25/2008 8:40:16 PM | Attr = R  ]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2006, 10, 26, 1 | Size = 440384 bytes | Modified Date = 10/26/2006 10:28:40 AM | Attr =	]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [&Google] -> Google Inc. [Ver = 2, 0, 111, 0 | Size = 770048 bytes | Modified Date = 7/25/2008 8:40:16 PM | Attr = R  ]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 132496 bytes | Modified Date = 6/10/2008 4:27:02 AM | Attr =	]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 509328 bytes | Modified Date = 6/10/2008 4:27:02 AM | Attr =	]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{1D5F3AD6-D14D-4577-B637-767E01EECC06} ->	(Broadcom NetXtreme Gigabit Ethernet) -> 
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{166B1BCA-3F9C-11CF-8075-444553540000}[HKEY_LOCAL_MACHINE] -> http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab[Shockwave ActiveX Control] -> 
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}[HKEY_LOCAL_MACHINE] -> C:\Program Files\Yahoo!\Common\yinsthelper.dll[YInstStarter Class] -> 
{6414512B-B978-451D-A0D8-FCFDF33E833C}[HKEY_LOCAL_MACHINE] -> http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211212180234[WUWebControl Class] -> 
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}[HKEY_LOCAL_MACHINE] -> http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1211212175250[MUWebControl Class] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}[HKEY_LOCAL_MACHINE] -> http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab[Reg Error: Key does not exist or could not be opened.] -> 
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/atl.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/atl.dll\\.Owner -> Unknown Owner -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/atl.dll\\{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/muweb.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/muweb.dll\\.Owner -> {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/muweb.dll\\{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/wuweb.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/wuweb.dll\\.Owner -> Unknown Owner -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/wuweb.dll\\{6414512B-B978-451D-A0D8-FCFDF33E833C} ->  -> 



[Files/Folders - Created Within 30 days]
327882R2FWJFW -> %SystemDrive%\327882R2FWJFW ->  [Folder | Created Date = 8/12/2008 7:18:58 PM | Attr =	]
BOOT.BAK -> %SystemDrive%\BOOT.BAK ->  [Ver =  | Size = 211 bytes | Created Date = 8/12/2008 7:14:00 PM | Attr =  HS]
cmdcons -> %SystemDrive%\cmdcons ->  [Folder | Created Date = 8/12/2008 7:13:26 PM | Attr = RHS]
cmldr -> %SystemDrive%\cmldr ->  [Ver =  | Size = 260272 bytes | Created Date = 8/12/2008 7:13:53 PM | Attr = RHS]
Deckard -> %SystemDrive%\Deckard ->  [Folder | Created Date = 8/12/2008 2:59:12 PM | Attr =	]
lpt1.exe -> %SystemDrive%\lpt1.exe ->  [Ver =  | Size = 0 bytes | Created Date = 1/1/1900 12:00:00 PM | Attr =	]
Run.exe -> %SystemDrive%\Run.exe ->  [Ver =  | Size = 106664 bytes | Created Date = 8/15/2008 8:50:49 PM | Attr =	]
 drivers.lnk -> %SystemRoot%\System32\drivers\ drivers.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:23:14 PM | Attr = R  ]
drivers.lnk -> %SystemRoot%\System32\drivers\drivers.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:26:50 PM | Attr = R  ]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> Malwarebytes Corporation [Ver = 1, 0, 0, 1 | Size = 17144 bytes | Created Date = 7/28/2008 4:46:57 PM | Attr =	]
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> Malwarebytes Corporation [Ver = 1.00 | Size = 38472 bytes | Created Date = 7/28/2008 4:46:57 PM | Attr =	]
 system32.lnk -> %SystemRoot%\System32\ system32.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:22:56 PM | Attr = R  ]
cmd.rar -> %SystemRoot%\System32\cmd.rar ->  [Ver =  | Size = 94862 bytes | Created Date = 8/11/2008 7:17:11 PM | Attr =	]
com1.bat -> %SystemRoot%\System32\com1.bat ->  [Ver =  | Size = 0 bytes | Created Date = 1/1/1900 12:00:00 PM | Attr =	]
com1.exe -> %SystemRoot%\System32\com1.exe ->  [Ver =  | Size = 0 bytes | Created Date = 1/1/1900 12:00:00 PM | Attr =	]
com2.exe -> %SystemRoot%\System32\com2.exe ->  [Ver =  | Size = 0 bytes | Created Date = 1/1/1900 12:00:00 PM | Attr =	]
con.bat -> %SystemRoot%\System32\con.bat ->  [Ver =  | Size = 0 bytes | Created Date = 1/1/1900 12:00:00 PM | Attr =	]
con.exe -> %SystemRoot%\System32\con.exe ->  [Ver =  | Size = 0 bytes | Created Date = 1/1/1900 12:00:00 PM | Attr =	]
d3d9caps.dat -> %SystemRoot%\System32\d3d9caps.dat ->  [Ver =  | Size = 664 bytes | Created Date = 7/25/2008 9:34:00 PM | Attr =	]
deploytk.dll -> %SystemRoot%\System32\deploytk.dll -> Sun Microsystems, Inc. [Ver = 6.0.100.25 | Size = 410976 bytes | Created Date = 7/30/2008 11:01:58 AM | Attr =	]
java.exe -> %SystemRoot%\System32\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 135168 bytes | Created Date = 8/2/2008 12:52:19 PM | Attr =	]
javacpl.cpl -> %SystemRoot%\System32\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 73728 bytes | Created Date = 8/2/2008 12:52:19 PM | Attr =	]
javaw.exe -> %SystemRoot%\System32\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 135168 bytes | Created Date = 8/2/2008 12:52:19 PM | Attr =	]
javaws.exe -> %SystemRoot%\System32\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 139264 bytes | Created Date = 8/2/2008 12:52:19 PM | Attr =	]
lpt1.bat -> %SystemRoot%\System32\lpt1.bat ->  [Ver =  | Size = 0 bytes | Created Date = 1/1/1900 12:00:00 PM | Attr =	]
lpt1.exe -> %SystemRoot%\System32\lpt1.exe ->  [Ver =  | Size = 0 bytes | Created Date = 1/1/1900 12:00:00 PM | Attr =	]
system32.lnk -> %SystemRoot%\System32\system32.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/11/2008 11:37:35 AM | Attr = R  ]
 system.lnk -> %SystemRoot%\System\ system.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:22:56 PM | Attr = R  ]
system.lnk -> %SystemRoot%\System\system.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:26:25 PM | Attr = R  ]
 WINDOWS.lnk -> %SystemRoot%\ WINDOWS.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:20:23 PM | Attr = R  ]
cmd.lnk -> %SystemRoot%\cmd.lnk ->  [Ver =  | Size = 1553 bytes | Created Date = 8/15/2008 7:50:00 PM | Attr =	]
ERDNT -> %SystemRoot%\ERDNT ->  [Folder | Created Date = 7/30/2008 11:59:07 AM | Attr =	]
19 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
Eudcedit.ini -> %SystemRoot%\Eudcedit.ini ->  [Ver =  | Size = 145 bytes | Created Date = 8/13/2008 9:32:15 AM | Attr =	]
Minidump -> %SystemRoot%\Minidump ->  [Folder | Created Date = 8/15/2008 4:09:40 PM | Attr =	]
setup.pss -> %SystemRoot%\setup.pss ->  [Folder | Created Date = 8/12/2008 7:13:23 PM | Attr =	]
setupupd -> %SystemRoot%\setupupd ->  [Folder | Created Date = 8/12/2008 7:12:59 PM | Attr =	]
Sun -> %SystemRoot%\Sun ->  [Folder | Created Date = 7/30/2008 11:02:53 AM | Attr =	]
System32.lnk -> %SystemRoot%\System32.lnk ->  [Ver =  | Size = 1625 bytes | Created Date = 8/14/2008 5:55:04 PM | Attr = R  ]
vpc32.INI -> %SystemRoot%\vpc32.INI ->  [Ver =  | Size = 0 bytes | Created Date = 7/28/2008 1:45:48 PM | Attr =	]
WINDOWS.lnk -> %SystemRoot%\WINDOWS.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:23:30 PM | Attr = R  ]
 Tasks.lnk -> %SystemRoot%\tasks\ Tasks.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 2:12:00 PM | Attr = R  ]
Tasks.lnk -> %SystemRoot%\tasks\Tasks.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 2:28:29 PM | Attr = R  ]
áTasks.lnk -> %SystemRoot%\tasks\áTasks.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 2:15:13 PM | Attr = R  ]
[Files Created - Additional Folder Scans - Non-Microsoft Only]
Apple Computer -> %AllUsersProfile%\Application Data\Apple Computer ->  [Folder | Created Date = 7/25/2008 11:01:03 AM | Attr =	]
Malwarebytes -> %AllUsersProfile%\Application Data\Malwarebytes ->  [Folder | Created Date = 7/28/2008 4:46:56 PM | Attr =	]
Spybot - Search & Destroy -> %AllUsersProfile%\Application Data\Spybot - Search & Destroy ->  [Folder | Created Date = 8/7/2008 10:52:02 AM | Attr =	]
SUPERAntiSpyware.com -> %AllUsersProfile%\Application Data\SUPERAntiSpyware.com ->  [Folder | Created Date = 7/30/2008 9:43:36 AM | Attr =	]
Adobe -> %AppData%\Adobe ->  [Folder | Created Date = 8/12/2008 5:06:25 PM | Attr =	]
ezpinst.exe -> %AppData%\ezpinst.exe ->  [Ver =  | Size = 81920 bytes | Created Date = 8/12/2008 3:27:14 PM | Attr =	]
Macromedia -> %AppData%\Macromedia ->  [Folder | Created Date = 8/13/2008 8:38:39 AM | Attr =	]
Malwarebytes -> %AppData%\Malwarebytes ->  [Folder | Created Date = 8/13/2008 10:10:09 AM | Attr =	]
Opera -> %AppData%\Opera ->  [Folder | Created Date = 8/12/2008 5:02:18 PM | Attr =	]
pcouffin.cat -> %AppData%\pcouffin.cat ->  [Ver =  | Size = 7176 bytes | Created Date = 8/12/2008 3:27:14 PM | Attr =	]
pcouffin.inf -> %AppData%\pcouffin.inf ->  [Ver =  | Size = 1144 bytes | Created Date = 8/12/2008 3:27:14 PM | Attr =	]
pcouffin.sys -> %AppData%\pcouffin.sys -> VSO Software [Ver = 1.36 | Size = 47360 bytes | Created Date = 8/12/2008 3:27:14 PM | Attr =	]
Sun -> %AppData%\Sun ->  [Folder | Created Date = 8/12/2008 5:07:32 PM | Attr =	]
Vso -> %AppData%\Vso ->  [Folder | Created Date = 8/12/2008 3:27:14 PM | Attr =	]
WinRAR -> %AppData%\WinRAR ->  [Folder | Created Date = 8/12/2008 3:27:14 PM | Attr =	]
Asent -> %UserProfile%\Local Settings\Application Data\Asent ->  [Folder | Created Date = 8/14/2008 3:01:12 PM | Attr =	]
Google -> %UserProfile%\Local Settings\Application Data\Google ->  [Folder | Created Date = 8/12/2008 5:04:32 PM | Attr =	]
Opera -> %UserProfile%\Local Settings\Application Data\Opera ->  [Folder | Created Date = 8/12/2008 5:02:18 PM | Attr =	]
Symantec -> %UserProfile%\Local Settings\Application Data\Symantec ->  [Folder | Created Date = 8/12/2008 6:40:01 PM | Attr =	]
 Documents.lnk -> %AllUsersProfile%\Documents\ Documents.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:20:28 PM | Attr = R  ]
Documents.lnk -> %AllUsersProfile%\Documents\Documents.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:23:36 PM | Attr = R  ]
 My Documents.lnk -> %UserProfile%\My Documents\ My Documents.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:20:53 PM | Attr = R  ]
My Documents.lnk -> %UserProfile%\My Documents\My Documents.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:24:13 PM | Attr = R  ]
 Desktop.lnk -> %AllUsersProfile%\desktop\ Desktop.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:20:28 PM | Attr = R  ]
Desktop.lnk -> %AllUsersProfile%\desktop\Desktop.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:23:36 PM | Attr = R  ]
iTunes.lnk -> %AllUsersProfile%\desktop\iTunes.lnk ->  [Ver =  | Size = 1804 bytes | Created Date = 8/1/2008 1:44:02 PM | Attr =	]
Malwarebytes.lnk -> %AllUsersProfile%\desktop\Malwarebytes.lnk ->  [Ver =  | Size = 784 bytes | Created Date = 7/30/2008 9:46:22 AM | Attr =	]
SUPERAntiSpyware Free Edition.lnk -> %AllUsersProfile%\desktop\SUPERAntiSpyware Free Edition.lnk ->  [Ver =  | Size = 780 bytes | Created Date = 7/30/2008 9:43:34 AM | Attr =	]
 Desktop.lnk -> %UserProfile%\Desktop\ Desktop.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:20:53 PM | Attr = R  ]
ATF-Cleaner.exe -> %UserProfile%\Desktop\ATF-Cleaner.exe -> Atribune.org [Ver = 3.00.0002 | Size = 50688 bytes | Created Date = 8/12/2008 3:28:45 PM | Attr =	]
CCleaner.lnk -> %UserProfile%\Desktop\CCleaner.lnk ->  [Ver =  | Size = 1548 bytes | Created Date = 8/12/2008 3:28:45 PM | Attr =	]
ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe ->  [Ver =  | Size = 2711055 bytes | Created Date = 8/12/2008 7:06:26 PM | Attr =	]
Desktop.lnk -> %UserProfile%\Desktop\Desktop.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:24:13 PM | Attr = R  ]
dss.exe -> %UserProfile%\Desktop\dss.exe ->  [Ver = 3, 2, 8, 1 | Size = 686630 bytes | Created Date = 8/12/2008 3:28:45 PM | Attr =	]
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk ->  [Ver =  | Size = 1734 bytes | Created Date = 8/12/2008 3:28:45 PM | Attr =	]
Internet Explorer.lnk -> %UserProfile%\Desktop\Internet Explorer.lnk ->  [Ver =  | Size = 704 bytes | Created Date = 8/12/2008 5:05:43 PM | Attr =	]
jre-6u7-windows-i586-p.exe -> %UserProfile%\Desktop\jre-6u7-windows-i586-p.exe ->  [Ver =  | Size = 15984024 bytes | Created Date = 8/12/2008 3:28:45 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\jre-6u7-windows-i586-p.exe:Zone.Identifier
kaspersky scan log.html -> %UserProfile%\Desktop\kaspersky scan log.html ->  [Ver =  | Size = 3924 bytes | Created Date = 8/12/2008 7:03:55 PM | Attr =	]
mplayerc.exe -> %UserProfile%\Desktop\mplayerc.exe -> Gabest [Ver = 6, 4, 9, 0 | Size = 5689344 bytes | Created Date = 8/12/2008 3:28:46 PM | Attr =	]
New Shortcut -> %UserProfile%\Desktop\New Shortcut ->  [Ver =  | Size = 0 bytes | Created Date = 8/12/2008 7:08:55 PM | Attr =	]
OTScanIt -> %UserProfile%\Desktop\OTScanIt ->  [Folder | Created Date = 8/15/2008 8:58:41 PM | Attr =	]
OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe ->  [Ver =  | Size = 568477 bytes | Created Date = 8/15/2008 8:57:53 PM | Attr =	]
Spybot - Search & Destroy.lnk -> %UserProfile%\Desktop\Spybot - Search & Destroy.lnk ->  [Ver =  | Size = 970 bytes | Created Date = 8/12/2008 3:28:46 PM | Attr =	]
VirtualDubMod -> %UserProfile%\Desktop\VirtualDubMod ->  [Folder | Created Date = 8/12/2008 3:28:46 PM | Attr =	]
WINNT32.lnk -> %UserProfile%\Desktop\WINNT32.lnk ->  [Ver =  | Size = 443 bytes | Created Date = 8/12/2008 7:09:12 PM | Attr =	]
WKIX32.EXE.lnk -> %UserProfile%\Desktop\WKIX32.EXE.lnk ->  [Ver =  | Size = 533 bytes | Created Date = 8/12/2008 3:28:46 PM | Attr =	]
 Startup.lnk -> %AllUsersProfile%\start menu\programs\startup\ Startup.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:20:33 PM | Attr = R  ]
Startup.lnk -> %AllUsersProfile%\start menu\programs\startup\Startup.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:23:43 PM | Attr = R  ]
 Startup.lnk -> %UserProfile%\Start Menu\Programs\Startup\ Startup.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:20:55 PM | Attr = R  ]
Startup.lnk -> %UserProfile%\Start Menu\Programs\Startup\Startup.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:24:17 PM | Attr = R  ]
 Common Files.lnk -> %CommonProgramFiles%\ Common Files.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:20:57 PM | Attr = R  ]
Apple -> %CommonProgramFiles%\Apple ->  [Folder | Created Date = 7/25/2008 11:12:23 AM | Attr =	]
Common Files.lnk -> %CommonProgramFiles%\Common Files.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:24:18 PM | Attr = R  ]
Java -> %CommonProgramFiles%\Java ->  [Folder | Created Date = 8/2/2008 12:51:50 PM | Attr =	]
Wise Installation Wizard -> %CommonProgramFiles%\Wise Installation Wizard ->  [Folder | Created Date = 7/30/2008 9:43:18 AM | Attr =	]
 Program Files.lnk -> %ProgramFiles%\ Program Files.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:20:23 PM | Attr = R  ]
DivX -> %ProgramFiles%\DivX ->  [Folder | Created Date = 7/25/2008 8:40:11 PM | Attr =	]
iPod -> %ProgramFiles%\iPod ->  [Folder | Created Date = 8/1/2008 1:43:47 PM | Attr =	]
iTunes -> %ProgramFiles%\iTunes ->  [Folder | Created Date = 8/1/2008 1:43:25 PM | Attr =	]
Java -> %ProgramFiles%\Java ->  [Folder | Created Date = 7/30/2008 11:01:53 AM | Attr =	]
Malwarebytes' Anti-Malware -> %ProgramFiles%\Malwarebytes' Anti-Malware ->  [Folder | Created Date = 7/28/2008 4:46:56 PM | Attr =	]
Program Files.lnk -> %ProgramFiles%\Program Files.lnk ->  [Ver =  | Size = 869 bytes | Created Date = 8/8/2008 3:23:29 PM | Attr = R  ]
QuickTime -> %ProgramFiles%\QuickTime ->  [Folder | Created Date = 7/25/2008 11:01:05 AM | Attr =	]
Spybot - Search & Destroy -> %ProgramFiles%\Spybot - Search & Destroy ->  [Folder | Created Date = 8/5/2008 10:10:52 AM | Attr =	]
SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware ->  [Folder | Created Date = 7/30/2008 9:43:33 AM | Attr =	]
Trend Micro -> %ProgramFiles%\Trend Micro ->  [Folder | Created Date = 7/30/2008 9:47:14 AM | Attr =	]
WinAVI Video Converter -> %ProgramFiles%\WinAVI Video Converter ->  [Folder | Created Date = 7/25/2008 8:35:40 PM | Attr =	]

[Files/Folders - Modified Within 30 days]
327882R2FWJFW -> %SystemDrive%\327882R2FWJFW ->  [Folder | Modified Date = 8/15/2008 1:42:11 PM | Attr =	]
BOOT.BAK -> %SystemDrive%\BOOT.BAK ->  [Ver =  | Size = 211 bytes | Modified Date = 8/12/2008 2:47:39 PM | Attr =  HS]
boot.ini -> %SystemDrive%\boot.ini ->  [Ver =  | Size = 282 bytes | Modified Date = 8/12/2008 7:14:02 PM | Attr = RHS]
cmdcons -> %SystemDrive%\cmdcons ->  [Folder | Modified Date = 8/12/2008 7:14:02 PM | Attr = RHS]
Deckard -> %SystemDrive%\Deckard ->  [Folder | Modified Date = 8/12/2008 6:34:45 PM | Attr =	]
Documents and Settings -> %SystemDrive%\Documents and Settings ->  [Folder | Modified Date = 8/11/2008 11:08:34 AM | Attr =	]
lj1010 series -> %SystemDrive%\lj1010 series ->  [Folder | Modified Date = 8/8/2008 3:23:29 PM | Attr =	]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 8/8/2008 3:23:29 PM | Attr = R  ]
RECYCLER -> %SystemDrive%\RECYCLER ->  [Folder | Modified Date = 8/12/2008 6:44:04 PM | Attr =  HS]
Run.exe -> %SystemDrive%\Run.exe ->  [Ver =  | Size = 106664 bytes | Modified Date = 8/15/2008 8:50:17 PM | Attr =	]
SWSETUP -> %SystemDrive%\SWSETUP ->  [Folder | Modified Date = 8/8/2008 3:23:29 PM | Attr =	]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 8/15/2008 2:56:59 PM | Attr =  HS]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 8/12/2008 11:03:12 AM | Attr =	]
 drivers.lnk -> %SystemRoot%\System32\drivers\ drivers.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:21:59 PM | Attr = R  ]
disdn -> %SystemRoot%\System32\drivers\disdn ->  [Folder | Modified Date = 8/8/2008 3:26:54 PM | Attr =	]
 disdn.lnk -> %SystemRoot%\System32\drivers\disdn\ disdn.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:21:59 PM | Attr = R  ]
disdn.lnk -> %SystemRoot%\System32\drivers\disdn\disdn.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:20:08 PM | Attr = R  ]
drivers.lnk -> %SystemRoot%\System32\drivers\drivers.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:20:08 PM | Attr = R  ]
etc -> %SystemRoot%\System32\drivers\etc ->  [Folder | Modified Date = 8/8/2008 3:26:54 PM | Attr =	]
 etc.lnk -> %SystemRoot%\System32\drivers\etc\ etc.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:21:59 PM | Attr = R  ]
etc.lnk -> %SystemRoot%\System32\drivers\etc\etc.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:20:08 PM | Attr = R  ]
hosts -> %SystemRoot%\System32\drivers\etc\hosts ->  [Ver =  | Size = 257735 bytes | Modified Date = 8/7/2008 11:01:29 AM | Attr = R  ]
hosts.20080807-110129.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080807-110129.backup ->  [Ver =  | Size = 744 bytes | Modified Date = 7/31/2008 3:09:04 PM | Attr =	]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> Malwarebytes Corporation [Ver = 1, 0, 0, 1 | Size = 17144 bytes | Modified Date = 7/30/2008 8:07:52 PM | Attr =	]
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> Malwarebytes Corporation [Ver = 1.00 | Size = 38472 bytes | Modified Date = 7/30/2008 8:07:56 PM | Attr =	]
UMDF -> %SystemRoot%\System32\drivers\UMDF ->  [Folder | Modified Date = 8/8/2008 3:26:54 PM | Attr =	]
 UMDF.lnk -> %SystemRoot%\System32\drivers\UMDF\ UMDF.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:21:59 PM | Attr = R  ]
UMDF.lnk -> %SystemRoot%\System32\drivers\UMDF\UMDF.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:20:08 PM | Attr = R  ]
 system32.lnk -> %SystemRoot%\System32\ system32.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:21:59 PM | Attr = R  ]
1025 -> %SystemRoot%\System32\1025 ->  [Folder | Modified Date = 8/8/2008 3:26:48 PM | Attr =	]
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
1028 -> %SystemRoot%\System32\1028 ->  [Folder | Modified Date = 8/8/2008 3:26:48 PM | Attr =	]
1031 -> %SystemRoot%\System32\1031 ->  [Folder | Modified Date = 8/8/2008 3:26:49 PM | Attr =	]
1033 -> %SystemRoot%\System32\1033 ->  [Folder | Modified Date = 8/8/2008 3:26:49 PM | Attr =	]
1037 -> %SystemRoot%\System32\1037 ->  [Folder | Modified Date = 8/8/2008 3:26:49 PM | Attr =	]
1041 -> %SystemRoot%\System32\1041 ->  [Folder | Modified Date = 8/8/2008 3:26:49 PM | Attr =	]
1042 -> %SystemRoot%\System32\1042 ->  [Folder | Modified Date = 8/8/2008 3:26:49 PM | Attr =	]
1054 -> %SystemRoot%\System32\1054 ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
2052 -> %SystemRoot%\System32\2052 ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
3076 -> %SystemRoot%\System32\3076 ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
3com_dmi -> %SystemRoot%\System32\3com_dmi ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
Adobe -> %SystemRoot%\System32\Adobe ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
bits -> %SystemRoot%\System32\bits ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
CatRoot -> %SystemRoot%\System32\CatRoot ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
CatRoot2 -> %SystemRoot%\System32\CatRoot2 ->  [Folder | Modified Date = 8/16/2008 1:01:21 AM | Attr =	]
cmd.rar -> %SystemRoot%\System32\cmd.rar ->  [Ver =  | Size = 94862 bytes | Modified Date = 8/11/2008 7:17:11 PM | Attr =	]
Com -> %SystemRoot%\System32\Com ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
com1.bat -> %SystemRoot%\System32\com1.bat ->  [Ver =  | Size = 0 bytes | Modified Date = 1/1/1900 12:00:00 PM | Attr =	]
con.bat -> %SystemRoot%\System32\con.bat ->  [Ver =  | Size = 0 bytes | Modified Date = 1/1/1900 12:00:00 PM | Attr =	]
config -> %SystemRoot%\System32\config ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
d3d9caps.dat -> %SystemRoot%\System32\d3d9caps.dat ->  [Ver =  | Size = 664 bytes | Modified Date = 7/25/2008 9:34:00 PM | Attr =	]
deploytk.dll -> %SystemRoot%\System32\deploytk.dll -> Sun Microsystems, Inc. [Ver = 6.0.100.25 | Size = 410976 bytes | Modified Date = 7/30/2008 11:01:54 AM | Attr =	]
dhcp -> %SystemRoot%\System32\dhcp ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
DirectX -> %SystemRoot%\System32\DirectX ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
dllcache -> %SystemRoot%\System32\dllcache ->  [Folder | Modified Date = 8/16/2008 1:02:03 AM | Attr = RHS]
drivers -> %SystemRoot%\System32\drivers ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
DRVSTORE -> %SystemRoot%\System32\DRVSTORE ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
en -> %SystemRoot%\System32\en ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
en-us -> %SystemRoot%\System32\en-us ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
export -> %SystemRoot%\System32\export ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT ->  [Ver =  | Size = 265416 bytes | Modified Date = 8/8/2008 3:29:43 PM | Attr =	]
ias -> %SystemRoot%\System32\ias ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
icsxml -> %SystemRoot%\System32\icsxml ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
IME -> %SystemRoot%\System32\IME ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
inetsrv -> %SystemRoot%\System32\inetsrv ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
Lang -> %SystemRoot%\System32\Lang ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
LogFiles -> %SystemRoot%\System32\LogFiles ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
lpt1.bat -> %SystemRoot%\System32\lpt1.bat ->  [Ver =  | Size = 0 bytes | Modified Date = 1/1/1900 12:00:00 PM | Attr =	]
Macromed -> %SystemRoot%\System32\Macromed ->  [Folder | Modified Date = 8/8/2008 3:26:50 PM | Attr =	]
Microsoft -> %SystemRoot%\System32\Microsoft ->  [Folder | Modified Date = 8/8/2008 3:26:51 PM | Attr =   S]
MsDtc -> %SystemRoot%\System32\MsDtc ->  [Folder | Modified Date = 8/8/2008 3:26:51 PM | Attr =	]
mui -> %SystemRoot%\System32\mui ->  [Folder | Modified Date = 8/8/2008 3:26:51 PM | Attr =	]
npp -> %SystemRoot%\System32\npp ->  [Folder | Modified Date = 8/8/2008 3:26:51 PM | Attr =	]
oobe -> %SystemRoot%\System32\oobe ->  [Folder | Modified Date = 8/8/2008 3:26:51 PM | Attr =	]
perfc009.dat -> %SystemRoot%\System32\perfc009.dat ->  [Ver =  | Size = 63392 bytes | Modified Date = 8/15/2008 7:48:02 PM | Attr =	]
perfh009.dat -> %SystemRoot%\System32\perfh009.dat ->  [Ver =  | Size = 404298 bytes | Modified Date = 8/15/2008 7:48:02 PM | Attr =	]
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI ->  [Ver =  | Size = 475330 bytes | Modified Date = 8/15/2008 7:48:02 PM | Attr =	]
PreInstall -> %SystemRoot%\System32\PreInstall ->  [Folder | Modified Date = 8/8/2008 3:26:51 PM | Attr =	]
ras -> %SystemRoot%\System32\ras ->  [Folder | Modified Date = 8/8/2008 3:26:51 PM | Attr =	]
ReinstallBackups -> %SystemRoot%\System32\ReinstallBackups ->  [Folder | Modified Date = 8/8/2008 3:26:51 PM | Attr =	]
Restore -> %SystemRoot%\System32\Restore ->  [Folder | Modified Date = 8/15/2008 2:56:59 PM | Attr =	]
RTCOM -> %SystemRoot%\System32\RTCOM ->  [Folder | Modified Date = 8/8/2008 3:26:51 PM | Attr =	]
scripting -> %SystemRoot%\System32\scripting ->  [Folder | Modified Date = 8/8/2008 3:26:51 PM | Attr =	]
services.msc -> %SystemRoot%\System32\services.msc ->  [Ver =  | Size = 92748 bytes | Modified Date = 8/5/2008 10:43:38 AM | Attr =	]
Setup -> %SystemRoot%\System32\Setup ->  [Folder | Modified Date = 8/8/2008 3:26:51 PM | Attr =	]
ShellExt -> %SystemRoot%\System32\ShellExt ->  [Folder | Modified Date = 8/8/2008 3:26:51 PM | Attr =	]
SoftwareDistribution -> %SystemRoot%\System32\SoftwareDistribution ->  [Folder | Modified Date = 8/8/2008 3:26:51 PM | Attr =	]
spool -> %SystemRoot%\System32\spool ->  [Folder | Modified Date = 8/8/2008 3:26:51 PM | Attr =	]
system32.lnk -> %SystemRoot%\System32\system32.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:20:10 PM | Attr = R  ]
URTTemp -> %SystemRoot%\System32\URTTemp ->  [Folder | Modified Date = 8/8/2008 3:26:51 PM | Attr =	]
usmt -> %SystemRoot%\System32\usmt ->  [Folder | Modified Date = 8/8/2008 3:26:51 PM | Attr =	]
wbem -> %SystemRoot%\System32\wbem ->  [Folder | Modified Date = 8/8/2008 3:26:51 PM | Attr =	]
wins -> %SystemRoot%\System32\wins ->  [Folder | Modified Date = 8/8/2008 3:26:51 PM | Attr =	]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl ->  [Ver =  | Size = 2206 bytes | Modified Date = 8/14/2008 5:57:20 PM | Attr =	]
xircom -> %SystemRoot%\System32\xircom ->  [Folder | Modified Date = 8/8/2008 3:26:51 PM | Attr =	]
 system.lnk -> %SystemRoot%\System\ system.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:21:59 PM | Attr = R  ]
system.lnk -> %SystemRoot%\System\system.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:20:08 PM | Attr = R  ]
 WINDOWS.lnk -> %SystemRoot%\ WINDOWS.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:21:59 PM | Attr = R  ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 8/8/2008 3:05:39 PM | Attr =  H ]
19 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
$NtServicePackUninstall$ -> %SystemRoot%\$NtServicePackUninstall$ ->  [Folder | Modified Date = 8/8/2008 3:05:39 PM | Attr =  H ]
$NtServicePackUninstallIDNMitigationAPIs$ -> %SystemRoot%\$NtServicePackUninstallIDNMitigationAPIs$ ->  [Folder | Modified Date = 8/8/2008 3:05:54 PM | Attr =  H ]
$NtServicePackUninstallNLSDownlevelMapping$ -> %SystemRoot%\$NtServicePackUninstallNLSDownlevelMapping$ ->  [Folder | Modified Date = 8/8/2008 3:05:54 PM | Attr =  H ]
addins -> %SystemRoot%\addins ->  [Folder | Modified Date = 8/8/2008 3:26:23 PM | Attr =	]
AppPatch -> %SystemRoot%\AppPatch ->  [Folder | Modified Date = 8/8/2008 3:26:23 PM | Attr =	]
assembly -> %SystemRoot%\assembly ->  [Folder | Modified Date = 8/11/2008 8:58:47 AM | Attr =	]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 8/16/2008 1:00:28 AM | Attr =   S]
cmd.lnk -> %SystemRoot%\cmd.lnk ->  [Ver =  | Size = 1553 bytes | Modified Date = 8/15/2008 7:51:31 PM | Attr =	]
Config -> %SystemRoot%\Config ->  [Folder | Modified Date = 8/8/2008 3:26:23 PM | Attr =	]
Connection Wizard -> %SystemRoot%\Connection Wizard ->  [Folder | Modified Date = 8/8/2008 3:26:23 PM | Attr =	]
CSC -> %SystemRoot%\CSC ->  [Folder | Modified Date = 8/16/2008 1:00:34 AM | Attr =  HS]
Cursors -> %SystemRoot%\Cursors ->  [Folder | Modified Date = 8/8/2008 3:26:23 PM | Attr =	]
Debug -> %SystemRoot%\Debug ->  [Folder | Modified Date = 8/8/2008 3:26:23 PM | Attr =	]
Downloaded Installations -> %SystemRoot%\Downloaded Installations ->  [Folder | Modified Date = 8/8/2008 3:26:23 PM | Attr =	]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 8/8/2008 2:28:27 PM | Attr =   S]
Driver Cache -> %SystemRoot%\Driver Cache ->  [Folder | Modified Date = 8/8/2008 3:26:24 PM | Attr =	]
ehome -> %SystemRoot%\ehome ->  [Folder | Modified Date = 8/8/2008 3:26:24 PM | Attr =	]
ERDNT -> %SystemRoot%\ERDNT ->  [Folder | Modified Date = 8/8/2008 3:26:24 PM | Attr =	]
Eudcedit.ini -> %SystemRoot%\Eudcedit.ini ->  [Ver =  | Size = 145 bytes | Modified Date = 8/13/2008 9:32:15 AM | Attr =	]
Fonts -> %SystemRoot%\Fonts ->  [Folder | Modified Date = 8/13/2008 9:31:39 AM | Attr = R S]
Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 8/8/2008 3:26:24 PM | Attr =	]
ie7 -> %SystemRoot%\ie7 ->  [Folder | Modified Date = 8/8/2008 3:05:54 PM | Attr =  H ]
ie7updates -> %SystemRoot%\ie7updates ->  [Folder | Modified Date = 8/8/2008 3:26:24 PM | Attr =	]
ime -> %SystemRoot%\ime ->  [Folder | Modified Date = 8/8/2008 3:26:24 PM | Attr =	]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 8/8/2008 3:05:54 PM | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 8/12/2008 4:56:42 PM | Attr =  HS]
java -> %SystemRoot%\java ->  [Folder | Modified Date = 8/8/2008 3:26:24 PM | Attr =	]
l2schemas -> %SystemRoot%\l2schemas ->  [Folder | Modified Date = 8/8/2008 3:26:24 PM | Attr =	]
Media -> %SystemRoot%\Media ->  [Folder | Modified Date = 8/8/2008 3:26:24 PM | Attr =	]
Microsoft.NET -> %SystemRoot%\Microsoft.NET ->  [Folder | Modified Date = 8/8/2008 3:26:24 PM | Attr =	]
Minidump -> %SystemRoot%\Minidump ->  [Folder | Modified Date = 8/15/2008 4:21:30 PM | Attr =	]
msagent -> %SystemRoot%\msagent ->  [Folder | Modified Date = 8/8/2008 3:26:24 PM | Attr =	]
msapps -> %SystemRoot%\msapps ->  [Folder | Modified Date = 8/8/2008 3:26:24 PM | Attr =	]
mui -> %SystemRoot%\mui ->  [Folder | Modified Date = 8/8/2008 3:26:24 PM | Attr =	]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini ->  [Ver =  | Size = 69 bytes | Modified Date = 7/25/2008 10:04:00 PM | Attr =	]
network diagnostic -> %SystemRoot%\network diagnostic ->  [Folder | Modified Date = 8/8/2008 3:26:24 PM | Attr =	]
nview -> %SystemRoot%\nview ->  [Folder | Modified Date = 8/8/2008 3:26:24 PM | Attr =	]
Offline Web Pages -> %SystemRoot%\Offline Web Pages ->  [Folder | Modified Date = 8/8/2008 2:28:28 PM | Attr = R  ]
pchealth -> %SystemRoot%\pchealth ->  [Folder | Modified Date = 8/14/2008 5:42:32 PM | Attr =	]
PeerNet -> %SystemRoot%\PeerNet ->  [Folder | Modified Date = 8/8/2008 3:26:24 PM | Attr =	]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 8/16/2008 1:02:02 AM | Attr =	]
Provisioning -> %SystemRoot%\Provisioning ->  [Folder | Modified Date = 8/8/2008 3:26:24 PM | Attr =	]
pss -> %SystemRoot%\pss ->  [Folder | Modified Date = 8/12/2008 2:18:03 PM | Attr =	]
Registration -> %SystemRoot%\Registration ->  [Folder | Modified Date = 8/8/2008 3:26:24 PM | Attr =	]
repair -> %SystemRoot%\repair ->  [Folder | Modified Date = 8/8/2008 3:26:24 PM | Attr =	]
Resources -> %SystemRoot%\Resources ->  [Folder | Modified Date = 8/8/2008 3:26:24 PM | Attr =	]
SchCache -> %SystemRoot%\SchCache ->  [Folder | Modified Date = 8/8/2008 3:26:25 PM | Attr =	]
security -> %SystemRoot%\security ->  [Folder | Modified Date = 8/14/2008 6:17:17 PM | Attr =	]
ServicePackFiles -> %SystemRoot%\ServicePackFiles ->  [Folder | Modified Date = 8/8/2008 3:26:25 PM | Attr =	]
setup.pss -> %SystemRoot%\setup.pss ->  [Folder | Modified Date = 8/15/2008 1:42:27 PM | Attr =	]
setupupd -> %SystemRoot%\setupupd ->  [Folder | Modified Date = 8/15/2008 1:42:27 PM | Attr =	]
SHELLNEW -> %SystemRoot%\SHELLNEW ->  [Folder | Modified Date = 8/8/2008 3:26:25 PM | Attr =	]
SoftwareDistribution -> %SystemRoot%\SoftwareDistribution ->  [Folder | Modified Date = 8/8/2008 3:26:25 PM | Attr =	]
srchasst -> %SystemRoot%\srchasst ->  [Folder | Modified Date = 8/8/2008 3:26:25 PM | Attr =	]
Sun -> %SystemRoot%\Sun ->  [Folder | Modified Date = 8/8/2008 3:26:25 PM | Attr =	]
system -> %SystemRoot%\system ->  [Folder | Modified Date = 8/8/2008 3:26:25 PM | Attr =	]
system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 227 bytes | Modified Date = 8/12/2008 2:47:39 PM | Attr =	]
system32 -> %SystemRoot%\system32 ->  [Folder | Modified Date = 8/16/2008 1:01:19 AM | Attr =	]
System32.lnk -> %SystemRoot%\System32.lnk ->  [Ver =  | Size = 1625 bytes | Modified Date = 8/14/2008 6:18:48 PM | Attr = R  ]
Tasks -> %SystemRoot%\Tasks ->  [Folder | Modified Date = 8/8/2008 2:28:29 PM | Attr =   S]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 8/16/2008 1:01:53 AM | Attr =	]
twain_32 -> %SystemRoot%\twain_32 ->  [Folder | Modified Date = 8/8/2008 3:26:25 PM | Attr =	]
vpc32.INI -> %SystemRoot%\vpc32.INI ->  [Ver =  | Size = 0 bytes | Modified Date = 7/28/2008 1:45:48 PM | Attr =	]
WBEM -> %SystemRoot%\WBEM ->  [Folder | Modified Date = 8/8/2008 3:26:26 PM | Attr =	]
Web -> %SystemRoot%\Web ->  [Folder | Modified Date = 8/8/2008 3:26:26 PM | Attr = R  ]
win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 582 bytes | Modified Date = 8/12/2008 2:47:39 PM | Attr =	]
WINDOWS.lnk -> %SystemRoot%\WINDOWS.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:20:08 PM | Attr = R  ]
WinSxS -> %SystemRoot%\WinSxS ->  [Folder | Modified Date = 8/8/2008 3:26:26 PM | Attr =	]
 Tasks.lnk -> %SystemRoot%\tasks\ Tasks.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:21:59 PM | Attr = R  ]
AppleSoftwareUpdate.job -> %SystemRoot%\tasks\AppleSoftwareUpdate.job ->  [Ver =  | Size = 284 bytes | Modified Date = 8/15/2008 10:58:00 AM | Attr =	]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 8/16/2008 1:00:42 AM | Attr =  H ]
Tasks.lnk -> %SystemRoot%\tasks\Tasks.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:20:08 PM | Attr = R  ]
áTasks.lnk -> %SystemRoot%\tasks\áTasks.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:20:08 PM | Attr = R  ]
C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help ->  [Folder | Modified Date = 8/8/2008 3:23:39 PM | Attr =	]
hhcolreg.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help\hhcolreg.dat ->  [Ver =  | Size = 184 bytes | Modified Date = 8/5/2008 10:41:57 AM | Attr =	]
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader ->  [Folder | Modified Date = 8/8/2008 3:23:40 PM | Attr =	]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver =  | Size = 5844 bytes | Modified Date = 8/7/2008 8:24:36 AM | Attr =	]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver =  | Size = 4232 bytes | Modified Date = 8/7/2008 8:24:36 AM | Attr =	]
C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA ->  [Folder | Modified Date = 8/8/2008 3:23:40 PM | Attr =	]
opa12.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa12.dat ->  [Ver =  | Size = 8206 bytes | Modified Date = 5/19/2008 6:03:07 PM | Attr =	]
C:\Documents and Settings\user\Local Settings\Temp\jkos-user\binaries\ -> C:\Documents and Settings\user\Local Settings\Temp\jkos-user\binaries ->  [Folder | Modified Date = 8/12/2008 6:35:13 PM | Attr =	]
ScanningProcess.exe -> C:\Documents and Settings\user\Local Settings\Temp\jkos-user\binaries\ScanningProcess.exe -> Kaspersky Lab. [Ver = 5, 0, 1, 86 | Size = 139264 bytes | Modified Date = 8/12/2008 5:08:48 PM | Attr =	]
C:\Documents and Settings\user\Local Settings\Temp\jkos-user\binaries\ -> C:\Documents and Settings\user\Local Settings\Temp\jkos-user\binaries ->  [Folder | Modified Date = 8/12/2008 6:35:13 PM | Attr =	]
FSSync.dll -> C:\Documents and Settings\user\Local Settings\Temp\jkos-user\binaries\FSSync.dll -> Kaspersky Lab [Ver = 6.0.5.678 | Size = 38400 bytes | Modified Date = 8/12/2008 5:08:47 PM | Attr =	]
ikave.dll -> C:\Documents and Settings\user\Local Settings\Temp\jkos-user\binaries\ikave.dll ->  [Ver = 5, 0, 1, 83 | Size = 65536 bytes | Modified Date = 8/12/2008 5:08:48 PM | Attr =	]
kave.dll -> C:\Documents and Settings\user\Local Settings\Temp\jkos-user\binaries\kave.dll -> Kaspersky Lab. [Ver = 5, 0, 1, 86 | Size = 282624 bytes | Modified Date = 8/12/2008 5:08:48 PM | Attr =	]
kosglue-7.0.25.0.dll -> C:\Documents and Settings\user\Local Settings\Temp\jkos-user\binaries\kosglue-7.0.25.0.dll -> Kaspersky Lab [Ver = 7.0.25.0 | Size = 729152 bytes | Modified Date = 8/12/2008 5:08:48 PM | Attr =	]
msvcm80.dll -> C:\Documents and Settings\user\Local Settings\Temp\jkos-user\binaries\msvcm80.dll -> Microsoft Corporation [Ver = 8.00.50727.42 | Size = 479232 bytes | Modified Date = 8/12/2008 5:08:47 PM | Attr =	]
msvcp80.dll -> C:\Documents and Settings\user\Local Settings\Temp\jkos-user\binaries\msvcp80.dll -> Microsoft Corporation [Ver = 8.00.50727.42 | Size = 548864 bytes | Modified Date = 8/12/2008 5:08:48 PM | Attr =	]
msvcr80.dll -> C:\Documents and Settings\user\Local Settings\Temp\jkos-user\binaries\msvcr80.dll -> Microsoft Corporation [Ver = 8.00.50727.42 | Size = 626688 bytes | Modified Date = 8/12/2008 5:08:48 PM | Attr =	]
prLoader.dll -> C:\Documents and Settings\user\Local Settings\Temp\jkos-user\binaries\prLoader.dll -> Kaspersky Lab [Ver = 6.0.2.678 | Size = 184320 bytes | Modified Date = 8/12/2008 5:08:48 PM | Attr =	]
prremote.dll -> C:\Documents and Settings\user\Local Settings\Temp\jkos-user\binaries\prremote.dll -> Kaspersky Lab [Ver = 6.0.2.678 | Size = 90112 bytes | Modified Date = 8/12/2008 5:08:48 PM | Attr =	]
C:\Documents and Settings\user\Local Settings\Temp\jkos-user\engine\bases\ -> C:\Documents and Settings\user\Local Settings\Temp\jkos-user\engine\bases ->  [Folder | Modified Date = 8/12/2008 6:35:14 PM | Attr =	]
sfdb.dat -> C:\Documents and Settings\user\Local Settings\Temp\jkos-user\engine\bases\sfdb.dat ->  [Ver =  | Size = 84 bytes | Modified Date = 8/12/2008 5:37:27 PM | Attr =	]
C:\Documents and Settings\user\Local Settings\Temp\jkos-user\binaries\ -> C:\Documents and Settings\user\Local Settings\Temp\jkos-user\binaries ->  [Folder | Modified Date = 8/12/2008 6:35:13 PM | Attr =	]
_kave.ini -> C:\Documents and Settings\user\Local Settings\Temp\jkos-user\binaries\_kave.ini ->  [Ver =  | Size = 102 bytes | Modified Date = 8/12/2008 5:08:48 PM | Attr =	]
C:\Documents and Settings\user\Local Settings\Temp\jkos-user\engine\bases\ -> C:\Documents and Settings\user\Local Settings\Temp\jkos-user\engine\bases ->  [Folder | Modified Date = 8/12/2008 6:35:14 PM | Attr =	]
verdicts.ini -> C:\Documents and Settings\user\Local Settings\Temp\jkos-user\engine\bases\verdicts.ini ->  [Ver =  | Size = 4181 bytes | Modified Date = 8/12/2008 5:36:16 PM | Attr =	]
C:\WINDOWS\Temp\slu1ac2.tmp\ -> C:\WINDOWS\Temp\slu1ac2.tmp\ ->  [Folder | Modified Date = 8/15/2008 8:55:51 PM | Attr =	]
cceraser.dll -> C:\WINDOWS\Temp\slu1ac2.tmp\cceraser.dll -> Symantec Corporation [Ver = 107.4.1.2 | Size = 2561072 bytes | Modified Date = 5/15/2008 1:00:00 AM | Attr =	]
ecmsvr32.dll -> C:\WINDOWS\Temp\slu1ac2.tmp\ecmsvr32.dll -> Symantec Corporation [Ver = 81.1.0.13 | Size = 259440 bytes | Modified Date = 6/18/2008 1:00:00 AM | Attr =	]
naveng32.dll -> C:\WINDOWS\Temp\slu1ac2.tmp\naveng32.dll -> Symantec Corporation [Ver = 20081.1.1.13 | Size = 177520 bytes | Modified Date = 6/18/2008 1:00:00 AM | Attr =	]
navex32a.dll -> C:\WINDOWS\Temp\slu1ac2.tmp\navex32a.dll -> Symantec Corporation [Ver = 20081.1.1.13 | Size = 1164656 bytes | Modified Date = 6/18/2008 1:00:00 AM | Attr =	]
C:\WINDOWS\Temp\slu1ac2.tmp\ -> C:\WINDOWS\Temp\slu1ac2.tmp\ ->  [Folder | Modified Date = 8/15/2008 8:55:51 PM | Attr =	]
catalog.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\catalog.dat ->  [Ver =  | Size = 3432 bytes | Modified Date = 8/20/2007 2:00:00 AM | Attr =	]
scrauth.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\scrauth.dat ->  [Ver =  | Size = 97776 bytes | Modified Date = 5/15/2008 1:00:00 AM | Attr =	]
tcdefs.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\tcdefs.dat ->  [Ver =  | Size = 412477 bytes | Modified Date = 7/16/2008 1:00:00 AM | Attr =	]
tcscan7.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\tcscan7.dat ->  [Ver =  | Size = 4046958 bytes | Modified Date = 7/16/2008 1:00:00 AM | Attr =	]
tcscan8.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\tcscan8.dat ->  [Ver =  | Size = 156668 bytes | Modified Date = 7/16/2008 1:00:00 AM | Attr =	]
tcscan9.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\tcscan9.dat ->  [Ver =  | Size = 449172 bytes | Modified Date = 7/16/2008 1:00:00 AM | Attr =	]
tinf.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\tinf.dat ->  [Ver =  | Size = 453 bytes | Modified Date = 7/16/2008 1:00:00 AM | Attr =	]
tinfidx.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\tinfidx.dat ->  [Ver =  | Size = 148 bytes | Modified Date = 8/20/2007 2:00:00 AM | Attr =	]
tinfl.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\tinfl.dat ->  [Ver =  | Size = 1957 bytes | Modified Date = 7/16/2008 1:00:00 AM | Attr =	]
tscan1.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\tscan1.dat ->  [Ver =  | Size = 71751 bytes | Modified Date = 7/16/2008 1:00:00 AM | Attr =	]
tscan1hd.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\tscan1hd.dat ->  [Ver =  | Size = 3760 bytes | Modified Date = 5/15/2008 1:00:00 AM | Attr =	]
virscan1.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\virscan1.dat ->  [Ver =  | Size = 1008753 bytes | Modified Date = 7/16/2008 1:00:00 AM | Attr =	]
virscan2.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\virscan2.dat ->  [Ver =  | Size = 571362 bytes | Modified Date = 7/16/2008 1:00:00 AM | Attr =	]
virscan3.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\virscan3.dat ->  [Ver =  | Size = 152120 bytes | Modified Date = 7/16/2008 1:00:00 AM | Attr =	]
virscan4.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\virscan4.dat ->  [Ver =  | Size = 320253 bytes | Modified Date = 7/16/2008 1:00:00 AM | Attr =	]
virscan5.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\virscan5.dat ->  [Ver =  | Size = 8350046 bytes | Modified Date = 7/16/2008 1:00:00 AM | Attr =	]
virscan6.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\virscan6.dat ->  [Ver =  | Size = 394543 bytes | Modified Date = 7/16/2008 1:00:00 AM | Attr =	]
virscan7.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\virscan7.dat ->  [Ver =  | Size = 27769229 bytes | Modified Date = 7/16/2008 1:00:00 AM | Attr =	]
virscan8.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\virscan8.dat ->  [Ver =  | Size = 1009711 bytes | Modified Date = 7/16/2008 1:00:00 AM | Attr =	]
virscan9.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\virscan9.dat ->  [Ver =  | Size = 4854215 bytes | Modified Date = 7/16/2008 1:00:00 AM | Attr =	]
zdone.dat -> C:\WINDOWS\Temp\slu1ac2.tmp\zdone.dat ->  [Ver =  | Size = 224 bytes | Modified Date = 8/20/2007 2:00:00 AM | Attr =	]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
Adobe -> %AllUsersProfile%\Application Data\Adobe ->  [Folder | Modified Date = 8/8/2008 3:23:36 PM | Attr =	]
Ahead -> %AllUsersProfile%\Application Data\Ahead ->  [Folder | Modified Date = 8/8/2008 3:23:36 PM | Attr =	]
Apple -> %AllUsersProfile%\Application Data\Apple ->  [Folder | Modified Date = 8/8/2008 3:23:37 PM | Attr =	]
Apple Computer -> %AllUsersProfile%\Application Data\Apple Computer ->  [Folder | Modified Date = 8/8/2008 3:23:37 PM | Attr =	]
Google -> %AllUsersProfile%\Application Data\Google ->  [Folder | Modified Date = 8/8/2008 3:23:37 PM | Attr =	]
Google Updater -> %AllUsersProfile%\Application Data\Google Updater ->  [Folder | Modified Date = 8/15/2008 8:29:54 PM | Attr =	]
Malwarebytes -> %AllUsersProfile%\Application Data\Malwarebytes ->  [Folder | Modified Date = 8/8/2008 3:23:37 PM | Attr =	]
Microsoft -> %AllUsersProfile%\Application Data\Microsoft ->  [Folder | Modified Date = 8/8/2008 3:23:37 PM | Attr =   S]
Microsoft Help -> %AllUsersProfile%\Application Data\Microsoft Help ->  [Folder | Modified Date = 8/8/2008 3:23:37 PM | Attr =	]
Nero -> %AllUsersProfile%\Application Data\Nero ->  [Folder | Modified Date = 8/8/2008 3:23:37 PM | Attr =	]
nView_Profiles -> %AllUsersProfile%\Application Data\nView_Profiles ->  [Folder | Modified Date = 8/8/2008 3:23:37 PM | Attr =	]
Spybot - Search & Destroy -> %AllUsersProfile%\Application Data\Spybot - Search & Destroy ->  [Folder | Modified Date = 8/12/2008 3:46:37 PM | Attr =	]
SUPERAntiSpyware.com -> %AllUsersProfile%\Application Data\SUPERAntiSpyware.com ->  [Folder | Modified Date = 8/8/2008 3:23:37 PM | Attr =	]
Symantec -> %AllUsersProfile%\Application Data\Symantec ->  [Folder | Modified Date = 8/8/2008 3:23:37 PM | Attr =	]
Windows Genuine Advantage -> %AllUsersProfile%\Application Data\Windows Genuine Advantage ->  [Folder | Modified Date = 8/8/2008 3:23:37 PM | Attr =	]
Yahoo! Companion -> %AllUsersProfile%\Application Data\Yahoo! Companion ->  [Folder | Modified Date = 8/8/2008 3:23:37 PM | Attr =	]
Adobe -> %AppData%\Adobe ->  [Folder | Modified Date = 8/12/2008 6:35:03 PM | Attr =	]
Identities -> %AppData%\Identities ->  [Folder | Modified Date = 8/8/2008 3:24:13 PM | Attr =	]
Macromedia -> %AppData%\Macromedia ->  [Folder | Modified Date = 8/15/2008 1:42:18 PM | Attr =	]
Malwarebytes -> %AppData%\Malwarebytes ->  [Folder | Modified Date = 8/15/2008 1:42:18 PM | Attr =	]
Microsoft -> %AppData%\Microsoft ->  [Folder | Modified Date = 8/12/2008 6:33:53 PM | Attr =   S]
Opera -> %AppData%\Opera ->  [Folder | Modified Date = 8/12/2008 6:35:03 PM | Attr =	]
Sun -> %AppData%\Sun ->  [Folder | Modified Date = 8/12/2008 6:35:03 PM | Attr =	]
U3 -> %AppData%\U3 ->  [Folder | Modified Date = 8/12/2008 7:02:44 PM | Attr =	]
Vso -> %AppData%\Vso ->  [Folder | Modified Date = 8/12/2008 3:27:14 PM | Attr =	]
WinRAR -> %AppData%\WinRAR ->  [Folder | Modified Date = 8/12/2008 3:27:14 PM | Attr =	]
Asent -> %UserProfile%\Local Settings\Application Data\Asent ->  [Folder | Modified Date = 8/15/2008 1:42:22 PM | Attr =	]
Google -> %UserProfile%\Local Settings\Application Data\Google ->  [Folder | Modified Date = 8/12/2008 6:35:11 PM | Attr =	]
Microsoft -> %UserProfile%\Local Settings\Application Data\Microsoft ->  [Folder | Modified Date = 8/12/2008 7:06:36 PM | Attr =	]
Microsoft Help -> %UserProfile%\Local Settings\Application Data\Microsoft Help ->  [Folder | Modified Date = 8/8/2008 3:24:15 PM | Attr =	]
Opera -> %UserProfile%\Local Settings\Application Data\Opera ->  [Folder | Modified Date = 8/12/2008 6:35:11 PM | Attr =	]
Symantec -> %UserProfile%\Local Settings\Application Data\Symantec ->  [Folder | Modified Date = 8/15/2008 1:42:22 PM | Attr =	]
 Documents.lnk -> %AllUsersProfile%\Documents\ Documents.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:21:59 PM | Attr = R  ]
Documents.lnk -> %AllUsersProfile%\Documents\Documents.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:20:08 PM | Attr = R  ]
My Music -> %AllUsersProfile%\Documents\My Music ->  [Folder | Modified Date = 8/8/2008 3:23:41 PM | Attr = R  ]
My Pictures -> %AllUsersProfile%\Documents\My Pictures ->  [Folder | Modified Date = 8/8/2008 3:23:41 PM | Attr = R  ]
My Videos -> %AllUsersProfile%\Documents\My Videos ->  [Folder | Modified Date = 8/8/2008 3:23:42 PM | Attr = R  ]
 My Documents.lnk -> %UserProfile%\My Documents\ My Documents.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:21:59 PM | Attr = R  ]
desktop.ini -> %UserProfile%\My Documents\desktop.ini ->  [Ver =  | Size = 75 bytes | Modified Date = 8/12/2008 4:56:42 PM | Attr =  HS]
My Documents.lnk -> %UserProfile%\My Documents\My Documents.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:20:08 PM | Attr = R  ]
My Music -> %UserProfile%\My Documents\My Music ->  [Folder | Modified Date = 8/12/2008 4:56:42 PM | Attr = R  ]
My Pictures -> %UserProfile%\My Documents\My Pictures ->  [Folder | Modified Date = 8/12/2008 4:56:42 PM | Attr = R  ]
 Desktop.lnk -> %AllUsersProfile%\desktop\ Desktop.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:21:59 PM | Attr = R  ]
Desktop.lnk -> %AllUsersProfile%\desktop\Desktop.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:20:08 PM | Attr = R  ]
iTunes.lnk -> %AllUsersProfile%\desktop\iTunes.lnk ->  [Ver =  | Size = 1804 bytes | Modified Date = 8/1/2008 1:44:02 PM | Attr =	]
Malwarebytes.lnk -> %AllUsersProfile%\desktop\Malwarebytes.lnk ->  [Ver =  | Size = 784 bytes | Modified Date = 7/30/2008 9:46:22 AM | Attr =	]
SUPERAntiSpyware Free Edition.lnk -> %AllUsersProfile%\desktop\SUPERAntiSpyware Free Edition.lnk ->  [Ver =  | Size = 780 bytes | Modified Date = 7/30/2008 9:43:34 AM | Attr =	]
 Desktop.lnk -> %UserProfile%\Desktop\ Desktop.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:21:59 PM | Attr = R  ]
ATF-Cleaner.exe -> %UserProfile%\Desktop\ATF-Cleaner.exe -> Atribune.org [Ver = 3.00.0002 | Size = 50688 bytes | Modified Date = 8/5/2008 8:54:29 AM | Attr =	]
CCleaner.lnk -> %UserProfile%\Desktop\CCleaner.lnk ->  [Ver =  | Size = 1548 bytes | Modified Date = 7/30/2008 9:56:49 AM | Attr =	]
ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe ->  [Ver =  | Size = 2711055 bytes | Modified Date = 8/12/2008 7:06:33 PM | Attr =	]
Desktop.lnk -> %UserProfile%\Desktop\Desktop.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:20:08 PM | Attr = R  ]
dss.exe -> %UserProfile%\Desktop\dss.exe ->  [Ver = 3, 2, 8, 1 | Size = 686630 bytes | Modified Date = 8/12/2008 2:55:36 PM | Attr =	]
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk ->  [Ver =  | Size = 1734 bytes | Modified Date = 7/30/2008 9:47:15 AM | Attr =	]
Internet Explorer.lnk -> %UserProfile%\Desktop\Internet Explorer.lnk ->  [Ver =  | Size = 704 bytes | Modified Date = 8/12/2008 5:05:43 PM | Attr =	]
jre-6u7-windows-i586-p.exe -> %UserProfile%\Desktop\jre-6u7-windows-i586-p.exe ->  [Ver =  | Size = 15984024 bytes | Modified Date = 8/2/2008 12:51:13 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\jre-6u7-windows-i586-p.exe:Zone.Identifier
kaspersky scan log.html -> %UserProfile%\Desktop\kaspersky scan log.html ->  [Ver =  | Size = 3924 bytes | Modified Date = 7/30/2008 11:55:35 AM | Attr =	]
New Shortcut -> %UserProfile%\Desktop\New Shortcut ->  [Ver =  | Size = 0 bytes | Modified Date = 8/12/2008 7:08:55 PM | Attr =	]
OTScanIt -> %UserProfile%\Desktop\OTScanIt ->  [Folder | Modified Date = 8/15/2008 9:02:58 PM | Attr =	]
OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe ->  [Ver =  | Size = 568477 bytes | Modified Date = 8/15/2008 8:57:53 PM | Attr =	]
Spybot - Search & Destroy.lnk -> %UserProfile%\Desktop\Spybot - Search & Destroy.lnk ->  [Ver =  | Size = 970 bytes | Modified Date = 8/7/2008 10:52:08 AM | Attr =	]
VirtualDubMod -> %UserProfile%\Desktop\VirtualDubMod ->  [Folder | Modified Date = 8/12/2008 3:28:50 PM | Attr =	]
WINNT32.lnk -> %UserProfile%\Desktop\WINNT32.lnk ->  [Ver =  | Size = 443 bytes | Modified Date = 8/12/2008 7:12:06 PM | Attr =	]
 Startup.lnk -> %AllUsersProfile%\start menu\programs\startup\ Startup.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:21:59 PM | Attr = R  ]
Startup.lnk -> %AllUsersProfile%\start menu\programs\startup\Startup.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:20:08 PM | Attr = R  ]
 Startup.lnk -> %UserProfile%\Start Menu\Programs\Startup\ Startup.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:21:59 PM | Attr = R  ]
Startup.lnk -> %UserProfile%\Start Menu\Programs\Startup\Startup.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:20:08 PM | Attr = R  ]
 Common Files.lnk -> %CommonProgramFiles%\ Common Files.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:21:59 PM | Attr = R  ]
Adobe -> %CommonProgramFiles%\Adobe ->  [Folder | Modified Date = 8/8/2008 3:24:30 PM | Attr =	]
Ahead -> %CommonProgramFiles%\Ahead ->  [Folder | Modified Date = 8/8/2008 3:24:30 PM | Attr =	]
Apple -> %CommonProgramFiles%\Apple ->  [Folder | Modified Date = 8/8/2008 3:24:30 PM | Attr =	]
Common Files.lnk -> %CommonProgramFiles%\Common Files.lnk ->  [Ver =  | Size = 869 bytes | Modified Date = 8/3/2008 12:20:08 PM | Attr = R  ]
DESIGNER -> %CommonProgramFiles%\DESIGNER ->  [Folder | Modified Date = 8/8/2008 3:24:30 PM | Attr =	]
InstallShield -> %CommonProgramFiles%\InstallShield ->  [Folder | Modified Date = 8/8/2008 3:24:30 PM | Attr =	]
Java -> %CommonProgramFiles%\Java ->  [Folder | Modified Date = 8/8/2008 3:24:30 PM | Attr =	]
Microsoft Shared -> %CommonProgramFiles%\Microsoft Shared ->  [Folder | Modified Date = 8/8/2008 3:24:30 PM | Attr =	]
MSSoap -> %CommonProgramFiles%\MSSoap ->  [Folder | Modified Date = 8/8/2008 3:24:30 PM | Attr =	]
ODBC -> %CommonProgramFiles%\ODBC ->  [Folder | Modified Date = 8/8/2008 3:24:30 PM | Attr =	]
Services -> %CommonProgramFiles%\Services ->  [Folder | Modified Date = 8/8/2008 3:24:30 PM | Attr =	]
SpeechEngines -> %CommonProgramFiles%\SpeechEngines ->  [Folder | Modified Date = 8/8/2008 3:24:30 PM | Attr =	]
Symantec Shared -> %CommonProgramFiles%\Symantec Shared ->  [Folder | Modified Date = 8/8/2008 3:24:30 PM | Attr =	]
System -> %CommonProgramFiles%\System ->  [Folder | Modified Date = 8/8/2008 3:24:30 PM | Attr =	]
VPSoft -> %CommonProgramFiles%\VPSoft ->  [Folder | Modified Date = 8/8/2008 3:24:30 PM | Attr =	]
Wise Installation Wizard -> %CommonProgramFiles%\Wise Installation Wizard ->  [Folder | Modified Date = 8/8/2008 3:24:30 PM | Attr =	]

< End of report >


#10 Elaminopy

Elaminopy
  • Topic Starter

  • Members
  • 20 posts

Posted 16 August 2008 - 03:24 AM

Oh hey, that error message came up. The title bar says RUNDLL and the message says: An exception occurred while trying to run "fldrclnr.dll,Wizard_RunDLL"

#11 harrythook

harrythook


  • Security Colleague
  • 4,152 posts
  • Gender:Male
  • Location:Philadelphia

Posted 16 August 2008 - 07:53 AM

Hey Elaminopy,
That error is created by a problem with your desktop cleanup wizard, part of the original OS. It may be related to the problem we are having here.

I am reviewing the results of the OTScanIt log, and have a couple of questions. Seems like a lot of files were created/modified on 8/8/2008 around 3:30 PM, also the same thing on a smaller scale on 8/3/2008 around 12:20 PM. Do you remember downloading or running a new program around that time? When did your problems begin on this machine?

Let's see if we can take a peek at one of those files created.
Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\windows\tasks\áTasks.lnk
  • Click on the submit button
  • Please post the results in your next reply.
If that is busy, try:
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:
    • C:\windows\tasks\áTasks.lnk
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Next, let's try to run a different tool. If this one runs to completion it will reset your hosts file, which I think is out of sorts right now...
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

Report back with all the results please.

Harry

Veni Vidi Vici
THE FIGHT AGAINST MALWARE

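Harry's question above about the burst of files created or modified on 8/8/2008 around 3:30 PM is the kind of timeline clustering that is tedious to do by eye in a long OTScanIt log. The following is an added example, not code from the original thread or from the OTScanIt tool: it parses lines in the "name -> path -> [... Modified Date = ...]" layout seen in the posted log, groups entries into bursts of activity, and flags names like áTasks.lnk that contain non-ASCII characters. The sample log is constructed for illustration; the folder lines are modeled on the posted format, while the size and attribute fields on the file lines are assumed.

```python
"""Cluster OTScanIt-style log entries by modification time and flag odd names."""
import re
from datetime import datetime, timedelta

# Constructed sample in the "name -> path -> [... Modified Date = ...]" layout.
# Folder lines are modeled on the posted log; the file lines (size field,
# Attr flags) are assumed and are not copied from the page.
SAMPLE_LOG = r"""
ODBC -> %CommonProgramFiles%\ODBC ->  [Folder | Modified Date = 8/8/2008 3:24:30 PM | Attr =  ]
Services -> %CommonProgramFiles%\Services ->  [Folder | Modified Date = 8/8/2008 3:24:30 PM | Attr =  ]
áTasks.lnk -> %SystemRoot%\Tasks\áTasks.lnk -> 1,234 bytes [File | Modified Date = 8/8/2008 3:31:02 PM | Attr = H]
setup.exe -> %Temp%\setup.exe -> 98,304 bytes [File | Modified Date = 8/3/2008 12:19:45 PM | Attr =  ]
notes.txt -> %UserProfile%\Desktop\notes.txt -> 512 bytes [File | Modified Date = 7/30/2008 2:10:00 PM | Attr =  ]
"""

# Lazy matches stop at the first " -> ", so a path that repeats the name is fine.
ENTRY_RE = re.compile(
    r"^(?P<name>.+?) -> (?P<path>.+?) -> .*?Modified Date = "
    r"(?P<mtime>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
)


def parse_entries(text):
    """Return [(name, path, datetime)] for every line carrying a Modified Date."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        mtime = datetime.strptime(m.group("mtime"), "%m/%d/%Y %I:%M:%S %p")
        entries.append((m.group("name"), m.group("path"), mtime))
    return entries


def cluster_by_time(entries, window=timedelta(minutes=15)):
    """Group entries whose timestamp is within `window` of the previous entry.

    Returns clusters in chronological order; an installer or dropper usually
    shows up as one cluster with many more members than the background noise.
    """
    ordered = sorted(entries, key=lambda e: e[2])
    clusters = []
    for entry in ordered:
        if clusters and entry[2] - clusters[-1][-1][2] <= window:
            clusters[-1].append(entry)
        else:
            clusters.append([entry])
    return clusters


def suspicious_names(entries):
    """Names with non-ASCII characters or leading/trailing whitespace.

    Both are common tricks for making a dropped file sort oddly in a listing
    or look like a legitimate neighbour (compare "áTasks.lnk" in the Tasks folder).
    """
    flagged = []
    for name, _path, _mtime in entries:
        if any(ord(c) > 127 for c in name) or name != name.strip():
            flagged.append(name)
    return flagged


def report(text, min_size=2):
    """Human-readable summary: bursts of at least `min_size` entries plus odd names."""
    entries = parse_entries(text)
    lines = []
    for cluster in cluster_by_time(entries):
        if len(cluster) >= min_size:
            start, end = cluster[0][2], cluster[-1][2]
            lines.append(f"{len(cluster)} entries between {start} and {end}:")
            lines.extend(f"    {path}" for _n, path, _t in cluster)
    for name in suspicious_names(entries):
        lines.append(f"odd name: {name!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

To use it on a real log, read the OTScanIt text file into `report()` instead of `SAMPLE_LOG`; the 15-minute window is a starting point, and widening it merges the 3:24 folder stamps with a slightly later dropped file, as the sample shows.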

#12 Elaminopy

Elaminopy
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:02:09 PM

Posted 16 August 2008 - 12:37 PM

Hey there. I don't remember downloading anything, but I do remember my problems changing probably around that time. I haven't been letting anyone use the computer since then. I hope they didn't download anything new.

I submitted that file and have the results. I'm going to do that other thing but I wanted to post the scan results while I still have it copied. I'll post the other ones in my next reply.

Scan taken on 16 Aug 2008 17:29:51 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

#13 Elaminopy

Elaminopy
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:02:09 PM

Posted 16 August 2008 - 01:00 PM

Okay, so here is my report:

I printed the instructions. I downloaded SDFix.exe to my desktop and installed it to the default destination of C:\. I rebooted into Safe Mode and the message came up letting me know that I'm in Safe Mode. It asked me if I want to continue running in there or launch the system restore by pressing No. I pressed Yes, then the taskbar and icons flashed up, then went away and the message came back telling me I'm in Safe Mode and asking me what to do. I pressed Yes again and the same thing happened. I was able to open a .txt file I had on the desktop before the icons disappeared and from there I was able to click Open and navigate to C:\SDFix and then I ran RunThis.bat from there. As soon as I did, a window came up. I found a screenshot of it.

Then it rebooted and I wasn't able to do any more. It did the same thing when I tried it again. I looked through the common problems and solutions in the beginning of the SDFix instruction page, but this wasn't on there. I don't know if I should have done any of those.

EDIT: Sorry, I went back and re-read your post and I saw what to do if it doesn't run in Safe Mode. I tried it again in Normal Mode but it did the same thing. Also, I looked in the SDFix folder and there is no file called Report in there.

Edited by Elaminopy, 16 August 2008 - 08:27 PM.


#14 harrythook

harrythook


  • Security Colleague
  • 4,152 posts
  • OFFLINE
  • Gender:Male
  • Location:Philadelphia
  • Local time:04:09 PM

Posted 17 August 2008 - 07:23 PM

Ok Elaminopy,
One last time before we start removing things manually. I would like you to try ComboFix again; let it run even if there is nothing showing on the screen. It may take some time for the tool to run. I am going to develop a fix based on the OTScanIt log; we may have to do that in a couple of steps. Let's see if ComboFix will run first.

Harry

Veni Vidi Vici
THE FIGHT AGAINST MALWARE


#15 Elaminopy

Elaminopy
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:02:09 PM

Posted 18 August 2008 - 02:45 AM

It's doing the same exact thing that it did for SDFix. That Remote Procedure Call screen comes up each time the little ComboFix progress bar is done and then it reboots on its own. I haven't seen the little minimized windows at all for several days, though. I guess we got rid of those at least.



