Infected With Trojan:win32/conhook.i


11 replies to this topic

#1 Nuukem

  • Members
  • 6 posts

Posted 03 August 2008 - 06:27 PM

Hello,

I was Infected with Trojan:Win32/Conhook.I. I believe I removed it but if I post the DSS log, can someone confirm that my machine is ok now?

I used Avast! Antivirus, Ad-Aware, Spybot Search and Destroy, Spyware Doctor, HijackThis, OTMoveIt2 and after several hours of scanning and removing, I am no longer receiving pop-up windows in IE or notifications from Windows Defender about Trojan:Win32/Conhook.I.

Thanks,

Phil



---------- LOGS -----------------

KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 3, 2008
Operating System: Microsoft Windows Vista Business Edition, 32-bit (build 6000)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 03, 2008 17:03:02
Records in database: 1048675


Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area: Critical Areas
C:\Program Files
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\cc.TNS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Windows

Scan statistics
Files scanned: 108619
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:42:13

No malware has been detected. The scan area is clean.

The selected area was scanned.




Deckard's System Scanner v20071014.68
Run by cc on 2008-08-03 16:08:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as cc.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:19 PM, on 8/3/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
c:\xampp\apache\bin\apache.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\gearsec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\xampp\mysql\bin\mysqld-nt.exe
C:\Windows\system32\svchost.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\rserver30\RServer3.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\sttray.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\DSynchronize\DSynchronize.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Program Files\John's Background Switcher\BackgroundSwitcher.exe
C:\Users\cc.TNS\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\rserver30\FamItrfc.Exe
C:\Windows\system32\rserver30\FamItrfc.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe
C:\Users\cc.TNS\AppData\Local\Temp\jkos-cc\binaries\ScanningProcess.exe
C:\Users\cc.TNS\AppData\Local\Temp\jkos-cc\binaries\ScanningProcess.exe
C:\Users\cc.TNS\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\cc.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [DSynchronize] "C:\Program Files\DSynchronize\DSynchronize.exe" /START
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [BackgroundSwitcher] C:\Program Files\John's Background Switcher\BackgroundSwitcher.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\cc.TNS\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E62D1A95-8299-4B94-85D0-731DC125A60D} (IMMP4Control Control) - http://75.32.216.82/ocx/IMMP4Control.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tns.com
O17 - HKLM\Software\..\Telephony: DomainName = tns.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tns.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = genetfamily.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe (file missing)
O23 - Service: Apache2.2 - Apache Software Foundation - c:\xampp\apache\bin\apache.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: gearsec - GEAR Software - C:\Windows\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MaxiVista_service_A - Unknown owner - C:\MaxiVistaViewerA.exe
O23 - Service: mysql - Unknown owner - c:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\Windows\system32\rserver30\RServer3.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 13557 bytes

-- Files created between 2008-07-03 and 2008-08-03 -----------------------------

2008-08-03 01:08:39 0 d-------- U:\Deckard
2008-08-02 23:26:30 0 d-a------ C:\Users\All Users\TEMP
2008-08-02 23:25:45 0 d-------- C:\Program Files\Spyware Doctor
2008-08-02 23:25:28 0 d-------- C:\Program Files\Norton Security Scan
2008-08-02 23:09:47 0 d-------- C:\Program Files\Trend Micro
2008-08-02 16:16:09 0 d-------- C:\Program Files\Lavasoft
2008-08-02 16:16:03 0 d-------- C:\Users\All Users\Lavasoft
2008-08-02 12:30:20 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-02 09:57:39 877466 --ahs---- C:\Windows\system32\nqrYaccf.ini2
2008-08-02 02:16:16 0 d-------- C:\Program Files\Alwil Software
2008-08-01 22:33:40 0 d-------- C:\Users\All Users\Google Updater


-- Find3M Report ---------------------------------------------------------------

2008-08-03 09:22:53 12884 --a------ C:\Users\cc.TNS\AppData\Roaming\nvModes.dat
2008-08-03 09:22:52 12884 --a------ C:\Users\cc.TNS\AppData\Roaming\nvModes.001
2008-08-03 02:09:14 3374 --a------ C:\Windows\bthservsdp.dat
2008-08-03 02:08:55 0 d-------- C:\Program Files\DSynchronize <DSYNCH~1>
2008-08-03 01:23:11 0 d-------- C:\Users\cc.TNS\AppData\Roaming\Orbit
2008-08-03 00:42:20 0 d-------- C:\Program Files\RemoteAdministrator
2008-08-02 23:25:45 0 d-------- C:\Users\cc.TNS\AppData\Roaming\PC Tools
2008-08-02 16:13:04 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-02 04:14:01 174 --ahs---- C:\Program Files\desktop.ini
2008-08-02 04:08:21 0 d-------- C:\Program Files\Windows Mail
2008-08-02 02:07:04 0 d-------- C:\Program Files\Norton AntiVirus
2008-08-02 02:07:04 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-02 01:31:27 0 d-------- C:\Program Files\Symantec
2008-08-02 01:28:16 0 d-------- C:\Program Files\Common Files
2008-08-01 22:41:56 0 d-------- C:\Users\cc.TNS\AppData\Roaming\Google
2008-08-01 22:34:17 0 d-------- C:\Program Files\Google
2008-06-17 19:32:43 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-15 16:45:46 0 d-------- C:\Program Files\Picasa2
2008-06-15 16:19:17 0 d-------- C:\Users\cc.TNS\AppData\Roaming\App Launcher Gadget
2008-06-14 22:49:37 0 d-------- C:\Program Files\Password Safe
2008-06-14 14:59:40 0 d-------- C:\Users\cc.TNS\AppData\Roaming\ZoomBrowser EX
2008-06-08 23:17:57 0 d-------- C:\Users\cc.TNS\AppData\Roaming\johnsadventures.com
2008-06-08 23:17:52 0 d-------- C:\Program Files\John's Background Switcher
2008-06-08 23:03:51 0 d-------- C:\Program Files\Native Instruments
2008-06-08 19:50:40 0 d-------- C:\Program Files\RealVNC
2008-06-08 18:02:06 0 d-------- C:\Program Files\UploadrXL
2008-06-05 20:53:56 0 d-------- C:\Program Files\Canon
2008-06-04 20:14:13 16379392 --a------ C:\Windows\system32\imageres.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-04 19:57:01 0 d-------- C:\Program Files\Stardock
2008-05-05 12:52:02 50 --ahs---- C:\Users\cc.TNS\AppData\Roaming\.zreglib


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [04/11/2007 08:21 PM]
"Windows Mobile-based device management"="%windir%\WindowsMobile\wmdc.exe" []
"SigmatelSysTrayApp"="sttray.exe" [01/12/2007 10:51 AM C:\Windows\sttray.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [12/07/2006 08:25 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [12/07/2006 08:25 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [12/07/2006 08:25 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [12/10/2006 09:52 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 06:38 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [12/04/2007 03:07 AM]
"DSynchronize"="C:\Program Files\DSynchronize\DSynchronize.exe" [09/08/2007 12:12 PM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [03/14/2007 09:01 PM]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/01/2007 02:22 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/19/2008 07:38 AM]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [08/08/2007 03:53 PM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [08/03/2008 02:06 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/10/2008 09:51 AM]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [01/30/2007 06:08 PM]
"BackgroundSwitcher"="C:\Program Files\John's Background Switcher\BackgroundSwitcher.exe" [01/22/2008 05:11 AM]
"Google Update"="C:\Users\cc.TNS\AppData\Local\Google\Update\GoogleUpdate.exe" [06/15/2008 11:26 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/01/2008 10:33 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Users\cc.TNS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [8/25/2007 1:16:16 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [1/2/2007 9:40:10 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6EB35830-8222-4990-A484-D21FEDD4B033}"= C:\Windows\system32\geBqRlJb.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\fccaYrqn

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=C:\Windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^cc.TNS^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^BOINC Manager.lnk]
path=C:\Users\cc.TNS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BOINC Manager.lnk
backup=C:\Windows\pss\BOINC Manager.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^cc.TNS^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Users\cc.TNS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\Windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NotebookHardwareControl]
"C:\Program Files\Notebook Hardware Control\nhc.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
bthsvcs BthServ
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr
iissvcs w3svc was
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
HPService HPSLPSVC
hpdevmgmt hpqcxs08 hpqddsvc
bthaudiosvc HFGService


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-08-03 16:09:14 ------------

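The DSS registry dump in the post above already contains the evidence that the Kaspersky scan missed: a ShellExecuteHooks entry loading a random eight-letter DLL from system32 (geBqRlJb.dll, CLSID {6EB35830-...}, the same CLSID Malwarebytes later removes as Trojan.Vundo), an extra entry appended to the LSA "Authentication Packages" value (fccaYrqn), and a hidden system file nqrYaccf.ini2 whose name is fccaYrqn spelled backwards. The script below is an added example written for this page, not a tool from the thread or from any of the scanners mentioned; it parses a constructed excerpt of the posted log and flags those three indicators. It assumes a stock Vista install where msv1_0 is the only legitimate authentication package, and the random-name and reversed-name checks are heuristics, not signatures.

```python
"""
Triage helper for a DSS/HijackThis-style registry dump (added example,
not code from the thread). It flags the two load points abused in the
posted log, ShellExecuteHooks and LSA Authentication Packages, and pairs
a flagged module with a dropped file whose name is the module name reversed.
"""
import re

# Constructed excerpt: only the relevant lines quoted from the posted DSS log.
SAMPLE_LOG = r"""
-- Files created between 2008-07-03 and 2008-08-03 -----------------------------

2008-08-02 09:57:39 877466 --ahs---- C:\Windows\system32\nqrYaccf.ini2
2008-08-02 02:16:16 0 d-------- C:\Program Files\Alwil Software

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6EB35830-8222-4990-A484-D21FEDD4B033}"= C:\Windows\system32\geBqRlJb.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\fccaYrqn
"""

# Assumption: stock Vista, where msv1_0 is the only authentication package.
# Any other package name appended here is a DLL that LSASS will load at boot.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

# Heuristic: a hook DLL in system32 with a random-looking eight-letter name
# and no publisher information, the pattern visible in the posted log.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")


def parse_registry_dump(text):
    """Return {key: [(name, value), ...]} for every [KEY] block in the dump."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys[current] = []
            continue
        m = re.match(r'^"([^"]+)"\s*=\s*(.*)$', line)
        if m and current is not None:
            keys[current].append((m.group(1), m.group(2).strip()))
    return keys


def created_file_stems(text):
    """Stems (file name without extension) of files under system32 in the
    'Files created' list; each such line starts with a timestamp."""
    pattern = r"^\d{4}-\d{2}-\d{2} .*system32\\([A-Za-z0-9]+)\.\w+$"
    return {m.group(1) for m in re.finditer(pattern, text, re.M | re.I)}


def suspicious_shell_hooks(keys):
    """(CLSID, dll stem) for ShellExecuteHooks pointing at random-named DLLs."""
    hooks = []
    for key, entries in keys.items():
        if not key.lower().endswith(r"explorer\shellexecutehooks"):
            continue
        for clsid, value in entries:
            m = re.search(r"system32\\([A-Za-z]+)\.dll", value, re.I)
            if m and RANDOM_NAME.match(m.group(1)):
                hooks.append((clsid, m.group(1)))
    return hooks


def extra_auth_packages(keys):
    """Authentication packages beyond the stock msv1_0."""
    extras = []
    for key, entries in keys.items():
        if not key.lower().endswith(r"control\lsa"):
            continue
        for name, value in entries:
            if name.lower() != "authentication packages":
                continue
            for pkg in value.split():
                stem = pkg.rsplit("\\", 1)[-1]
                if stem.lower() not in DEFAULT_AUTH_PACKAGES:
                    extras.append(stem)
    return extras


def reversed_pairs(module_stems, file_stems):
    """Pair each flagged module with a created file whose name is the
    module name spelled backwards (the fccaYrqn / nqrYaccf pairing above)."""
    return sorted((m, f) for m in module_stems for f in file_stems if f == m[::-1])


def triage(text):
    """Run all three checks over one DSS log and return the findings."""
    keys = parse_registry_dump(text)
    hooks = suspicious_shell_hooks(keys)
    extras = extra_auth_packages(keys)
    modules = {stem for _, stem in hooks} | set(extras)
    pairs = reversed_pairs(modules, created_file_stems(text))
    return {"shell_hooks": hooks, "extra_auth_packages": extras, "reversed_pairs": pairs}


if __name__ == "__main__":
    for check, result in triage(SAMPLE_LOG).items():
        print(f"{check}: {result}")
```

Run against the excerpt it reports the hook DLL geBqRlJb, the extra LSA package fccaYrqn, and the pair (fccaYrqn, nqrYaccf). The LSA finding is the one that matters most for cleanup: a DLL listed in Authentication Packages is loaded by LSASS before any user logs on, so an on-demand scan of Program Files and Windows can report "clean" while the loader survives every reboot.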

#2 Nuukem (Topic Starter)

  • Members
  • 6 posts

Posted 07 August 2008 - 06:37 PM

Can someone review this?

Thank you!

#3 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 August 2008 - 11:06 PM

Hello Phil,

Sorry for the delay. We have many logs backed up.

Sad to say you are still infected. :thumbsup:



Please download Malwarebytes' Anti-Malware from Here or Here

Please disable Spyware Doctor, Windows Defender and Spybot TeaTimer before using Malwarebytes' Anti-Malware, as they will prevent it from working.

To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.

To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts




Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh DSS Main.txt log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

If you encounter this message: "c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5", click on Ignore for mbamext.dll.

Edited by SifuMike, 09 August 2008 - 11:16 PM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 Nuukem (Topic Starter)

  • Members
  • 6 posts

Posted 12 August 2008 - 10:06 PM

SifuMike,

Thank you very much for replying. Here are the logs...

=====================================================

Malwarebytes' Anti-Malware 1.24
Database version: 1046
Windows 6.0.6000

7:57:15 PM 8/12/2008
mbam-log-8-12-2008 (19-57-15).txt

Scan type: Quick Scan
Objects scanned: 45685
Time elapsed: 5 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6eb35830-8222-4990-a484-d21fedd4b033} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6eb35830-8222-4990-a484-d21fedd4b033} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

===================================================

Deckard's System Scanner v20071014.68
Run by cc on 2008-08-12 20:01:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as cc.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:35 PM, on 8/12/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
c:\xampp\apache\bin\apache.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\gearsec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\xampp\mysql\bin\mysqld-nt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\sttray.exe
C:\Windows\system32\svchost.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Program Files\DSynchronize\DSynchronize.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\John's Background Switcher\BackgroundSwitcher.exe
C:\Users\cc.TNS\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\cc.TNS\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\cc.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [DSynchronize] "C:\Program Files\DSynchronize\DSynchronize.exe" /START
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [BackgroundSwitcher] C:\Program Files\John's Background Switcher\BackgroundSwitcher.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\cc.TNS\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E62D1A95-8299-4B94-85D0-731DC125A60D} (IMMP4Control Control) - http://75.32.216.82/ocx/IMMP4Control.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tns.com
O17 - HKLM\Software\..\Telephony: DomainName = tns.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tns.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = genetfamily.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe (file missing)
O23 - Service: Apache2.2 - Apache Software Foundation - c:\xampp\apache\bin\apache.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: gearsec - GEAR Software - C:\Windows\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MaxiVista_service_A - Unknown owner - C:\MaxiVistaViewerA.exe
O23 - Service: mysql - Unknown owner - c:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\Windows\system32\rserver30\RServer3.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 13479 bytes

-- Files created between 2008-07-12 and 2008-08-12 -----------------------------

2008-08-12 19:41:53 0 d-------- C:\Users\All Users\Malwarebytes
2008-08-12 19:41:53 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-07 22:20:13 6482 --a------ C:\Windows\system32\SpoonUninstall-Nostalgia, an Intellivision Emulator.dat
2008-08-07 22:20:13 164352 --a------ C:\Windows\system32\SpoonUninstall.exe
2008-08-07 22:19:56 0 d-------- C:\Program Files\Nostalgia
2008-08-04 00:30:10 0 d-------- C:\Program Files\Synaptics
2008-08-03 01:08:39 0 d-------- U:\Deckard
2008-08-02 23:26:30 0 d-a------ C:\Users\All Users\TEMP
2008-08-02 23:25:45 0 d-------- C:\Program Files\Spyware Doctor
2008-08-02 23:25:28 0 d-------- C:\Program Files\Norton Security Scan
2008-08-02 23:09:47 0 d-------- C:\Program Files\Trend Micro
2008-08-02 16:16:09 0 d-------- C:\Program Files\Lavasoft
2008-08-02 16:16:03 0 d-------- C:\Users\All Users\Lavasoft
2008-08-02 12:30:20 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-02 09:57:39 877466 --ahs---- C:\Windows\system32\nqrYaccf.ini2
2008-08-02 02:16:16 0 d-------- C:\Program Files\Alwil Software
2008-08-01 22:33:40 0 d-------- C:\Users\All Users\Google Updater


-- Find3M Report ---------------------------------------------------------------

2008-08-12 19:42:00 0 d-------- C:\Users\cc.TNS\AppData\Roaming\Malwarebytes
2008-08-12 19:35:42 12884 --a------ C:\Users\cc.TNS\AppData\Roaming\nvModes.dat
2008-08-12 19:35:42 12884 --a------ C:\Users\cc.TNS\AppData\Roaming\nvModes.001
2008-08-11 22:06:09 0 d-------- C:\Program Files\Password Safe
2008-08-11 21:48:49 0 d-------- C:\Users\cc.TNS\AppData\Roaming\Orbit
2008-08-07 22:28:58 3374 --a------ C:\Windows\bthservsdp.dat
2008-08-07 22:28:35 0 d-------- C:\Program Files\DSynchronize <DSYNCH~1>
2008-08-07 16:33:30 0 d-------- C:\Program Files\Google
2008-08-03 00:42:20 0 d-------- C:\Program Files\RemoteAdministrator
2008-08-02 23:25:45 0 d-------- C:\Users\cc.TNS\AppData\Roaming\PC Tools
2008-08-02 16:13:04 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-02 04:14:01 174 --ahs---- C:\Program Files\desktop.ini
2008-08-02 04:08:21 0 d-------- C:\Program Files\Windows Mail
2008-08-02 02:07:04 0 d-------- C:\Program Files\Norton AntiVirus
2008-08-02 02:07:04 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-02 01:31:27 0 d-------- C:\Program Files\Symantec
2008-08-02 01:28:16 0 d-------- C:\Program Files\Common Files
2008-08-01 22:41:56 0 d-------- C:\Users\cc.TNS\AppData\Roaming\Google
2008-06-17 19:32:43 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-15 16:45:46 0 d-------- C:\Program Files\Picasa2
2008-06-15 16:19:17 0 d-------- C:\Users\cc.TNS\AppData\Roaming\App Launcher Gadget
2008-06-14 14:59:40 0 d-------- C:\Users\cc.TNS\AppData\Roaming\ZoomBrowser EX
2008-06-04 20:14:13 16379392 --a------ C:\Windows\system32\imageres.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [04/11/2007 08:21 PM]
"Windows Mobile-based device management"="%windir%\WindowsMobile\wmdc.exe" []
"SigmatelSysTrayApp"="sttray.exe" [01/12/2007 10:51 AM C:\Windows\sttray.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [12/07/2006 08:25 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [12/07/2006 08:25 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [12/07/2006 08:25 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [12/10/2006 09:52 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 06:38 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [12/04/2007 03:07 AM]
"DSynchronize"="C:\Program Files\DSynchronize\DSynchronize.exe" [09/08/2007 12:12 PM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [03/14/2007 09:01 PM]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/01/2007 02:22 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/19/2008 07:38 AM]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [08/08/2007 03:53 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/15/2006 07:06 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/10/2008 09:51 AM]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [01/30/2007 06:08 PM]
"BackgroundSwitcher"="C:\Program Files\John's Background Switcher\BackgroundSwitcher.exe" [01/22/2008 05:11 AM]
"Google Update"="C:\Users\cc.TNS\AppData\Local\Google\Update\GoogleUpdate.exe" [06/15/2008 11:26 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/01/2008 10:33 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Users\cc.TNS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [8/25/2007 1:16:16 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [1/2/2007 9:40:10 PM]
QuickSet.lnk - C:\Windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [4/10/2007 8:26:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\fccaYrqn

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=C:\Windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^cc.TNS^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^BOINC Manager.lnk]
path=C:\Users\cc.TNS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BOINC Manager.lnk
backup=C:\Windows\pss\BOINC Manager.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^cc.TNS^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Users\cc.TNS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\Windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NotebookHardwareControl]
"C:\Program Files\Notebook Hardware Control\nhc.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
bthsvcs BthServ
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr
iissvcs w3svc was
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
HPService HPSLPSVC
hpdevmgmt hpqcxs08 hpqddsvc
bthaudiosvc HFGService

*Newly Created Service* - MBAMSWISSARMY
*Newly Created Service* - RSERVER3

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-08-12 20:02:03 ------------

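The DSS log above carries two of the Vundo/Conhook indicators the helper later targets: an extra LSA "Authentication Packages" entry (fccaYrqn) and a hidden+system .ini2 file in system32. The following triage script is an added example, not part of the thread or of Deckard's System Scanner; it parses DSS-style log text and flags those indicators plus EnableLUA=0. The sample log is constructed from lines in this thread, and the allow-list of known authentication packages is the editor's assumption.

```python
"""Triage helper for a Deckard's System Scanner (DSS) Main.txt log.

Added example (not DSS code, not the forum helper's script).  It flags
Vundo-style persistence and weakened-defence signs seen in the log above:

  * an LSA "Authentication Packages" value loading anything besides the
    built-in packages (Vundo adds a random-named DLL such as fccaYrqn so
    that lsass.exe loads it at every boot),
  * system32 files listed with hidden+system attributes ("--ahs----"),
    the companion .ini/.ini2 files the fix script in this thread removes,
  * "EnableLUA"=0, i.e. UAC switched off.
"""
import re
from dataclasses import dataclass

# Packages Windows itself registers.  Assumption: this allow-list is the
# editor's, not something DSS or the thread defines; extend it per build.
KNOWN_AUTH_PACKAGES = {"msv1_0", "kerberos", "schannel", "wdigest", "tspkg"}

# DSS "Files created" / "Find3M" listing: date time size attributes path
_LISTING_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) +"
    r"(?P<size>\d+) +(?P<attrs>[-a-z]{9}) +(?P<path>.+?)\s*$"
)
_AUTH_RE = re.compile(r'^"Authentication Packages"=\s*(?P<value>.+)$')
_LUA_RE = re.compile(r'^"EnableLUA"=(?P<value>\d+)')

SYSTEM32 = "c:\\windows\\system32\\"

# Constructed sample: a handful of lines copied from the DSS log in this thread.
SAMPLE_LOG = r"""
-- Files created between 2008-07-12 and 2008-08-12 -----------------------------

2008-08-12 19:41:53 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-02 09:57:39 877466 --ahs---- C:\Windows\system32\nqrYaccf.ini2
2008-08-02 04:14:01 174 --ahs---- C:\Program Files\desktop.ini

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\fccaYrqn
"""


def extra_auth_packages(log: str) -> list[str]:
    """Return each Authentication Packages entry that is not a known package."""
    extras = []
    for line in log.splitlines():
        m = _AUTH_RE.match(line.strip())
        if not m:
            continue
        for entry in m.group("value").split():
            # Compare on the file name only; the malicious entry is a full path.
            name = entry.rsplit("\\", 1)[-1].lower()
            if name not in KNOWN_AUTH_PACKAGES:
                extras.append(entry)
    return extras


def hidden_system32_files(log: str) -> list[str]:
    """Return system32 files listed with both hidden (h) and system (s) attributes."""
    hits = []
    for line in log.splitlines():
        m = _LISTING_RE.match(line.strip())
        if not m:
            continue
        attrs, path = m.group("attrs"), m.group("path")
        # desktop.ini under Program Files is also --ahs---- but legitimate,
        # so restrict the check to the system32 directory.
        if "h" in attrs and "s" in attrs and path.lower().startswith(SYSTEM32):
            hits.append(path)
    return hits


def uac_disabled(log: str) -> bool:
    """True when the registry dump shows EnableLUA=0 (UAC turned off)."""
    for line in log.splitlines():
        m = _LUA_RE.match(line.strip())
        if m:
            return m.group("value") == "0"
    return False


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def triage(log: str) -> list[Finding]:
    """Collect all findings from a DSS log, most severe persistence first."""
    findings = [Finding("auth_package", p) for p in extra_auth_packages(log)]
    findings += [Finding("hidden_system32_file", p) for p in hidden_system32_files(log)]
    if uac_disabled(log):
        findings.append(Finding("uac_disabled", "EnableLUA=0"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {f.detail}")
```
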
#5 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 12 August 2008 - 10:26 PM

Hi Nuukem,


Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

If, after posting, the last line is not <End of Report> then the log is too big to fit into a single post and you need to send it to me.

You can upload the new scan log to me here. Let me know when you send it.

#6 Nuukem

Nuukem
  • Topic Starter

  • Members
  • 6 posts

Posted 14 August 2008 - 08:10 PM

Post is too big. Uploading now.

Thanks,

Phil

#7 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 14 August 2008 - 11:21 PM

Hi Phil,

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%allusersprofile%\bmafeb92dc.xml
%allusersprofile%\pskt.ini
%systemroot%\system32\muuyejya.ini
%systemroot%\system32\nqryaccf.ini
%systemroot%\system32\nqryaccf.ini2
%systemroot%\system32\vnwrkmab.ini

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\Windows\system32\fccaYrqn -> 
< BotCheck > -> 
[Files/Folders - Created Within 30 days]
NY -> muuyejya.ini -> %SystemRoot%\System32\muuyejya.ini
NY -> nqrYaccf.ini -> %SystemRoot%\System32\nqrYaccf.ini
NY -> nqrYaccf.ini2 -> %SystemRoot%\System32\nqrYaccf.ini2
NY -> vnwrkmab.ini -> %SystemRoot%\System32\vnwrkmab.ini
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> BMafeb92dc.xml -> %AllUsersProfile%\BMafeb92dc.xml
NY -> pskt.ini -> %AllUsersProfile%\pskt.ini
[Files/Folders - Modified Within 30 days]
NY -> muuyejya.ini -> %SystemRoot%\System32\muuyejya.ini
NY -> nqrYaccf.ini -> %SystemRoot%\System32\nqrYaccf.ini
NY -> nqrYaccf.ini2 -> %SystemRoot%\System32\nqrYaccf.ini2
NY -> vnwrkmab.ini -> %SystemRoot%\System32\vnwrkmab.ini
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> BMafeb92dc.xml -> %AllUsersProfile%\BMafeb92dc.xml
NY -> pskt.ini -> %AllUsersProfile%\pskt.ini
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will pop up either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
Step #4

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • File - Additional Folder Scans

  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Step #5

Post the following back here:
1. The Avenger report (c:\Avenger.txt). You will be able to post it, as it is a small file.

2. The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run.) You will be able to post it, as it is a small file.

3. The new OTScanIt scan log.
If the file is too big to post, then you can upload it to me here.
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

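The OTScanIt fix above removes a trojan DLL registered under the LSA "Authentication Packages" value, a location LSASS loads at boot and one that Conhook/Vundo-family trojans use for persistence. The PowerShell audit below is an added example, not part of this thread and not one of OldTimer's or Swandog46's tools: it reads the LSA package lists, resolves each entry to a file on disk, and flags any entry that is outside a stock-Windows baseline, given as a full path (stock entries are bare module names), missing on disk, or not carrying a valid Microsoft Authenticode signature. The baseline package names are an assumption for a stock Windows client (domain controllers and third-party SSPs add legitimate entries), and the function names are made up for this example. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the BleepingComputer thread or OTScanIt): audit the
# LSA package lists that LSASS loads at boot and that Conhook/Vundo abuse.
# Assumption: the baselines below are what a stock Windows client ships with;
# extend them for credential providers or SSPs you deliberately installed.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$osKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
$stockSecurityPackages = @('kerberos','msv1_0','schannel','wdigest','tspkg','pku2u','negoexts','cloudap')

# Each list: registry key, REG_MULTI_SZ value name, assumed stock baseline.
$lists = @(
    @{ Key = $lsaKey; Name = 'Authentication Packages'; Baseline = @('msv1_0') },
    @{ Key = $lsaKey; Name = 'Notification Packages';   Baseline = @('scecli') },
    @{ Key = $lsaKey; Name = 'Security Packages';       Baseline = $stockSecurityPackages },
    @{ Key = $osKey;  Name = 'Security Packages';       Baseline = $stockSecurityPackages }
)

function Resolve-LsaPackagePath {
    param([string]$Entry)
    # Entries are either a bare module name (loaded from System32, ".dll"
    # implied) or a full path, which is how the Conhook entry in this thread
    # (C:\Windows\system32\fccaYrqn) was registered.
    if ($Entry -match '[\\/]') {
        $path = [Environment]::ExpandEnvironmentVariables($Entry)
    } else {
        $path = Join-Path $env:SystemRoot "System32\$Entry"
    }
    if (-not [IO.Path]::HasExtension($path)) { $path += '.dll' }
    return $path
}

function Get-LsaPackageFindings {
    $findings = @()
    foreach ($list in $lists) {
        if (-not (Test-Path $list.Key)) { continue }
        $props   = Get-ItemProperty -Path $list.Key -ErrorAction SilentlyContinue
        $entries = @($props.($list.Name))      # REG_MULTI_SZ comes back as string[]
        foreach ($entry in $entries) {
            if ([string]::IsNullOrWhiteSpace($entry)) { continue }
            $path   = Resolve-LsaPackagePath $entry
            $base   = [IO.Path]::GetFileNameWithoutExtension($path).ToLowerInvariant()
            $reason = @()
            if ($list.Baseline -notcontains $base) { $reason += 'not in stock baseline' }
            if ($entry -match '[\\/]')              { $reason += 'registered as a full path' }
            if (-not (Test-Path -LiteralPath $path)) {
                $reason += 'file missing on disk'
            } else {
                # Only a valid signature with a Microsoft subject is accepted as benign.
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') {
                    $reason += "signature status $($sig.Status)"
                } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                    $reason += "signed by $($sig.SignerCertificate.Subject)"
                }
            }
            if ($reason.Count -gt 0) {
                $findings += [pscustomobject]@{
                    List   = "$($list.Key)\$($list.Name)"
                    Entry  = $entry
                    Path   = $path
                    Reason = ($reason -join '; ')
                }
            }
        }
    }
    return $findings
}

$findings = Get-LsaPackageFindings
if ($findings.Count -eq 0) {
    'No unexpected LSA package entries.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A hit here is a lead, not a verdict: a missing file usually means the DLL was already removed while the registry entry was left behind (the state OTScanIt cleaned up above), and a valid third-party signature can still be a legitimately installed SSP. Review anything flagged before deleting it, since a broken entry in these values can prevent logon.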
#8 Nuukem (Topic Starter)

Posted 15 August 2008 - 02:29 AM

Thanks and here you go...

======================================================

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\ProgramData\bmafeb92dc.xml" deleted successfully.
File "C:\ProgramData\pskt.ini" deleted successfully.
File "C:\Windows\system32\muuyejya.ini" deleted successfully.
File "C:\Windows\system32\nqryaccf.ini" deleted successfully.
File "C:\Windows\system32\nqryaccf.ini2" deleted successfully.
File "C:\Windows\system32\vnwrkmab.ini" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


===================================================
OTS Fix Log

Explorer killed successfully
[Registry - Additional Scans - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\Windows\system32\fccaYrqn deleted successfully.
File not found.
[Files/Folders - Created Within 30 days]
File C:\Windows\System32\muuyejya.ini not found!
File C:\Windows\System32\nqrYaccf.ini not found!
File C:\Windows\System32\nqrYaccf.ini2 not found!
File C:\Windows\System32\vnwrkmab.ini not found!
[Files Created - Additional Folder Scans - Non-Microsoft Only]
File C:\ProgramData\BMafeb92dc.xml not found!
File C:\ProgramData\pskt.ini not found!
[Files/Folders - Modified Within 30 days]
File C:\Windows\System32\muuyejya.ini not found!
File C:\Windows\System32\nqrYaccf.ini not found!
File C:\Windows\System32\nqrYaccf.ini2 not found!
File C:\Windows\System32\vnwrkmab.ini not found!
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
File C:\ProgramData\BMafeb92dc.xml not found!
File C:\ProgramData\pskt.ini not found!
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\Windows\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
Windows Temp folder emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.2 fix logfile created on 08142008_220639

Files moved on Reboot...
File move failed. C:\Windows\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.


=============================================================
F-Secure Online Scanner 3.3.1 - Scanning Report - Friday, August 15, 2008 00:19:57
Scanning Report
Thursday, August 14, 2008 22:16:28 - 00:19:57
Computer name: L3
Scanning type: Scan system for malware, rootkits
Target: C:\ E:\



Result: 8 malware found
RemoteAdmin.Win32.RAdmin (spyware)
System
RemoteAdmin.Win32.WinVNC (spyware)
System
Tracking Cookie (spyware)
System
Trojan.Win32.Monder.cmm (virus)
C:\_OTMOVEIT\MOVEDFILES\08032008_160004\WINDOWS\SYSTEM32\TMPDGOOJ.DLL (Renamed & Submitted)
C:\_OTMOVEIT\MOVEDFILES\08032008_005557\WINDOWS\SYSTEM32\DBQWKNBN.DLL (Renamed & Submitted)
Trojan.Win32.Monder.ddd (virus)
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20080802-231740-971.DLL (Renamed & Submitted)
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20080802-232232-270.DLL (Renamed & Submitted)
Trojan:W32/Monderb.A (virus)
C:\_OTMOVEIT\MOVEDFILES\08032008_005557\WINDOWS\SYSTEM32\GEBQRLJB.DLL (Submitted)



Statistics
Scanned:
Files: 77155
System: 5838
Not scanned: 46
Actions:
Disinfected: 0
Renamed: 4
Deleted: 0
None: 4
Submitted: 5
Files not scanned:

=======================================================

OTScanIt logfile created on: 8/15/2008 12:22:22 AM
OTScanIt by OldTimer - Version 1.0.16.2	 Folder = C:\Users\cc.TNS\Desktop\OTScanIt
Windows Vista   (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16681)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 1.27 Gb Available Physical Memory | 63.63% Memory free
4.00 Gb Paging File | 3.74 Gb Available in Paging File | 93.59% Paging File free
Paging file location(s): c:\pagefile.sys 3067 3067;
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 44.90 Gb Total Space | 7.67 Gb Free Space | 17.08% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 4.89 Gb Total Space | 0.69 Gb Free Space | 14.07% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive R: | 745.00 Gb Total Space | 390.03 Gb Free Space | 52.35% Space Free | Partition Type: NTFS
Drive S: | 745.00 Gb Total Space | 390.03 Gb Free Space | 52.35% Space Free | Partition Type: NTFS
Drive T: | 745.00 Gb Total Space | 390.03 Gb Free Space | 52.35% Space Free | Partition Type: NTFS
Drive U: | 745.00 Gb Total Space | 390.03 Gb Free Space | 52.35% Space Free | Partition Type: NTFS

Computer Name: L3
Current User Name: cc
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
aawservice.exe -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft AB [Ver = 7, 0, 2, 1 | Size = 566616 bytes | Modified Date = 8/27/2007 2:38:50 PM | Attr =	]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 16056 bytes | Modified Date = 7/19/2008 7:25:06 AM | Attr =	]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 147640 bytes | Modified Date = 7/19/2008 7:38:28 AM | Attr =	]
apache.exe -> %SystemDrive%\xampp\apache\bin\apache.exe -> Apache Software Foundation [Ver = 2.2.4 | Size = 16896 bytes | Modified Date = 3/5/2007 3:23:04 AM | Attr =	]
aluschedulersvc.exe -> %ProgramFiles%\Symantec\LiveUpdate\AluSchedulerSvc.exe -> Symantec Corporation [Ver = 3.2.0.53 | Size = 554616 bytes | Modified Date = 5/11/2007 5:03:52 PM | Attr =	]
mdnsresponder.exe -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> Apple Computer, Inc. [Ver = 1,0,3,1 | Size = 229376 bytes | Modified Date = 2/28/2006 12:42:38 PM | Attr =	]
gearsec.exe -> %SystemRoot%\System32\gearsec.exe -> GEAR Software [Ver = 1, 0, 0, 6 | Size = 58952 bytes | Modified Date = 11/30/2005 12:43:00 PM | Attr =	]
googleupdaterservice.exe -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.2.1175.1407.beta | Size = 137200 bytes | Modified Date = 8/1/2008 10:33:33 PM | Attr =	]
pifsvc.exe -> %CommonProgramFiles%\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -> Symantec Corporation [Ver = 1.4.5.83 | Size = 583048 bytes | Modified Date = 1/29/2008 6:38:31 PM | Attr =	]
mysqld-nt.exe -> %SystemDrive%\xampp\mysql\bin\mysqld-nt.exe ->  [Ver =  | Size = 5730304 bytes | Modified Date = 7/6/2007 4:14:02 AM | Attr =	]
richvideo.exe -> %ProgramFiles%\CyberLink\Shared files\RichVideo.exe ->  [Ver = 2.0.0425   | Size = 272024 bytes | Modified Date = 5/14/2007 11:54:36 AM | Attr =	]
stacsv.exe -> %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stacsv.exe -> SigmaTel, Inc. [Ver = 1.0.5343.1  nd544 cp1 | Size = 90112 bytes | Modified Date = 1/12/2007 10:52:10 AM | Attr =	]
winvnc4.exe -> %ProgramFiles%\RealVNC\VNC4\winvnc4.exe -> RealVNC Ltd. [Ver = E4.3.1 | Size = 914160 bytes | Modified Date = 8/14/2007 10:07:44 PM | Attr =	]
winvnc4.exe -> %ProgramFiles%\RealVNC\VNC4\winvnc4.exe -> RealVNC Ltd. [Ver = E4.3.1 | Size = 914160 bytes | Modified Date = 8/14/2007 10:07:44 PM | Attr =	]
sdwinsec.exe -> %ProgramFiles%\Spybot - Search & Destroy\SDWinSec.exe -> Safer Networking Ltd. [Ver = 1, 0, 0, 12 | Size = 809296 bytes | Modified Date = 7/7/2008 9:42:02 AM | Attr =	]
apache.exe -> %SystemDrive%\xampp\apache\bin\apache.exe -> Apache Software Foundation [Ver = 2.2.4 | Size = 16896 bytes | Modified Date = 3/5/2007 3:23:04 AM | Attr =	]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 250040 bytes | Modified Date = 7/19/2008 7:38:04 AM | Attr =	]
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 8, 1229, 0 | Size = 348344 bytes | Modified Date = 7/23/2008 7:25:45 AM | Attr =	]
sttray.exe -> %SystemRoot%\sttray.exe -> SigmaTel, Inc. [Ver = 1.0.5343.1  nd544 cp1 | Size = 303104 bytes | Modified Date = 1/12/2007 10:51:28 AM | Attr =	]
hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\hpwuSchd2.exe -> Hewlett-Packard Co. [Ver = 82.0.173.000 | Size = 49152 bytes | Modified Date = 12/10/2006 9:52:38 PM | Attr =	]
pifsvc.exe -> %CommonProgramFiles%\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -> Symantec Corporation [Ver = 1.4.5.83 | Size = 583048 bytes | Modified Date = 1/29/2008 6:38:31 PM | Attr =	]
apdproxy.exe -> %ProgramFiles%\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe -> Adobe Systems Incorporated [Ver = 3.0.0.66984 | Size = 61440 bytes | Modified Date = 12/4/2007 3:07:00 AM | Attr = R  ]
dsynchronize.exe -> %ProgramFiles%\DSynchronize\DSynchronize.exe -> ND [Ver = 1.00.0103 | Size = 164864 bytes | Modified Date = 9/8/2007 12:12:48 PM | Attr =	]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 78008 bytes | Modified Date = 7/19/2008 7:38:34 AM | Attr =	]
aawtray.exe -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\AAWTray.exe ->  [Ver = 1, 0, 0, 1 | Size = 88024 bytes | Modified Date = 8/8/2007 3:53:16 PM | Attr =	]
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 9.0.1.3 06Nov06 | Size = 815104 bytes | Modified Date = 11/15/2006 7:06:00 PM | Attr =	]
anydvd.exe -> %ProgramFiles%\SlySoft\AnyDVD\AnyDVD.exe -> SlySoft, Inc. [Ver = 6.1.1.4 | Size = 287077 bytes | Modified Date = 1/30/2007 6:08:16 PM | Attr =	]
backgroundswitcher.exe -> %ProgramFiles%\John's Background Switcher\BackgroundSwitcher.exe -> johnsadventures.com [Ver = 3.3.0.10 | Size = 907152 bytes | Modified Date = 1/22/2008 5:11:36 AM | Attr =	]
googleupdate.exe -> %UserProfile%\AppData\Local\Google\Update\GoogleUpdate.exe -> Google Inc. [Ver = 1.2.57.0 | Size = 119280 bytes | Modified Date = 6/15/2008 11:26:16 AM | Attr =	]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 8/1/2008 10:33:46 PM | Attr =	]
teatimer.exe -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe -> Safer Networking Limited [Ver = 1, 6, 0, 20 | Size = 2156368 bytes | Modified Date = 7/7/2008 9:42:06 AM | Attr = RHS]
hpqtra08.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 82.0.188.000 | Size = 210520 bytes | Modified Date = 1/2/2007 9:40:10 PM | Attr =	]
quickset.exe -> %ProgramFiles%\Dell\QuickSet\quickset.exe -> Dell Inc [Ver = 8, 0, 13, 0 | Size = 1123872 bytes | Modified Date = 4/27/2007 8:34:18 AM | Attr =	]
magicdisc.exe -> %ProgramFiles%\MagicDisc\MagicDisc.exe -> MagicISO, Inc. [Ver = 2.5.0.77 | Size = 557568 bytes | Modified Date = 8/9/2007 6:16:04 PM | Attr =	]
radmin.exe -> %ProgramFiles%\Radmin Viewer 3.0\Radmin.exe -> Famatech International Corp. [Ver = 3, 0, 0, 5 | Size = 931928 bytes | Modified Date = 2/6/2007 10:26:30 PM | Attr =	]
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.16.2 | Size = 397312 bytes | Modified Date = 7/12/2008 9:29:54 AM | Attr =	]

[Win32 Services - Non-Microsoft Only]
(aawservice) Ad-Aware 2007 Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft AB [Ver = 7, 0, 2, 1 | Size = 566616 bytes | Modified Date = 8/27/2007 2:38:50 PM | Attr =	]
(AcronisOSSReinstallSvc) Acronis OS Selector Reinstall Service [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\Acronis\Acronis Disk Director\oss_reinstall_svc.exe -> File not found
(Apache2.2) Apache2.2 [Win32_Own | Auto | Running] -> %SystemDrive%\xampp\apache\bin\apache.exe -> Apache Software Foundation [Ver = 2.2.4 | Size = 16896 bytes | Modified Date = 3/5/2007 3:23:04 AM | Attr =	]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 16056 bytes | Modified Date = 7/19/2008 7:25:06 AM | Attr =	]
(Automatic LiveUpdate Scheduler) Automatic LiveUpdate Scheduler [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec\LiveUpdate\AluSchedulerSvc.exe -> Symantec Corporation [Ver = 3.2.0.53 | Size = 554616 bytes | Modified Date = 5/11/2007 5:03:52 PM | Attr =	]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 147640 bytes | Modified Date = 7/19/2008 7:38:28 AM | Attr =	]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 250040 bytes | Modified Date = 7/19/2008 7:38:04 AM | Attr =	]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 8, 1229, 0 | Size = 348344 bytes | Modified Date = 7/23/2008 7:25:45 AM | Attr =	]
(Bonjour Service) ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## [Win32_Own | Auto | Running] -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> Apple Computer, Inc. [Ver = 1,0,3,1 | Size = 229376 bytes | Modified Date = 2/28/2006 12:42:38 PM | Attr =	]
(CertPropSvc) Certificate Propagation [Win32_Shared | Unknown | Running] -> %SystemRoot%\system32\svchost.exe -> File not found
(DcomLaunch) DCOM Server Process Launcher [Win32_Shared | Unknown | Running] -> %SystemRoot%\system32\svchost.exe -> File not found
(FLEXnet Licensing Service) FLEXnet Licensing Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -> Macrovision Europe Ltd. [Ver = 11.03.005 | Size = 654848 bytes | Modified Date = 5/28/2007 11:11:12 AM | Attr =	]
(gearsec) gearsec [Win32_Own | Auto | Running] -> %SystemRoot%\System32\gearsec.exe -> GEAR Software [Ver = 1, 0, 0, 6 | Size = 58952 bytes | Modified Date = 11/30/2005 12:43:00 PM | Attr =	]
(gusvc) Google Updater Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.2.1175.1407.beta | Size = 137200 bytes | Modified Date = 8/1/2008 10:33:33 PM | Attr =	]
(idsvc) Windows CardSpace [Win32_Shared | Unknown | Stopped] -> %systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -> File not found
(LiveUpdate) LiveUpdate [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Symantec\LiveUpdate\LuComServer_3_2.EXE -> Symantec Corporation [Ver = 3.2.0.53 | Size = 2983544 bytes | Modified Date = 5/11/2007 5:03:52 PM | Attr =	]
(LiveUpdate Notice Ex) LiveUpdate Notice Service Ex [Win32_Shared | Auto | Stopped] -> %CommonProgramFiles%\Symantec Shared\ccSvcHst.exe -> File not found
(LiveUpdate Notice Service) LiveUpdate Notice Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -> Symantec Corporation [Ver = 1.4.5.83 | Size = 583048 bytes | Modified Date = 1/29/2008 6:38:31 PM | Attr =	]
(MaxiVista_service_A) MaxiVista_service_A [Win32_Own | On_Demand | Stopped] -> %SystemDrive%\MaxiVistaViewerA.exe ->  [Ver = 3.0.26 | Size = 884744 bytes | Modified Date = 4/9/2007 9:29:24 PM | Attr =	]
(MSDTC) Distributed Transaction Coordinator [Win32_Own | Unknown | Stopped] -> %SystemRoot%\System32\msdtc.exe -> File not found
(mysql) mysql [Win32_Own | Auto | Running] -> %SystemDrive%\xampp\mysql\bin\mysqld-nt.exe ->  [Ver =  | Size = 5730304 bytes | Modified Date = 7/6/2007 4:14:02 AM | Attr =	]
(NBService) NBService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBService.exe -> Nero AG [Ver = 2, 7, 2, 0 | Size = 774144 bytes | Modified Date = 11/10/2006 7:18:02 PM | Attr =	]
(RichVideo) Cyberlink RichVideo Service(CRVS) [Win32_Own | Auto | Running] -> %ProgramFiles%\CyberLink\Shared files\RichVideo.exe ->  [Ver = 2.0.0425   | Size = 272024 bytes | Modified Date = 5/14/2007 11:54:36 AM | Attr =	]
(RServer3) Radmin Server V3 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\System32\rserver30\rserver3.exe -> Famatech International Corp. [Ver = 3, 2, 0, 0 | Size = 1238344 bytes | Modified Date = 4/24/2008 8:44:26 AM | Attr =	]
(SBSDWSCService) SBSD Security Center Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Spybot - Search & Destroy\SDWinSec.exe -> Safer Networking Ltd. [Ver = 1, 0, 0, 12 | Size = 809296 bytes | Modified Date = 7/7/2008 9:42:02 AM | Attr =	]
(Schedule) Task Scheduler [Win32_Shared | Unknown | Running] -> %systemroot%\system32\svchost.exe -> File not found
(SCPolicySvc) Smart Card Removal Policy [Win32_Shared | Unknown | Stopped] -> %SystemRoot%\system32\svchost.exe -> File not found
(sdAuxService) PC Tools Auxiliary Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Spyware Doctor\pctsAuxs.exe -> PC Tools [Ver = 5, 5, 1, 0 | Size = 337800 bytes | Modified Date = 8/3/2008 2:06:35 AM | Attr =	]
(sdCoreService) PC Tools Security Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Spyware Doctor\pctsSvc.exe -> PC Tools [Ver = 5.5.1.9 | Size = 1017224 bytes | Modified Date = 8/3/2008 2:06:37 AM | Attr =	]
(STacSV) SigmaTel Audio Service [Win32_Own | Auto | Running] -> %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stacsv.exe -> SigmaTel, Inc. [Ver = 1.0.5343.1  nd544 cp1 | Size = 90112 bytes | Modified Date = 1/12/2007 10:52:10 AM | Attr =	]
(TrustedInstaller) Windows Modules Installer [Win32_Own | Unknown | Stopped] -> %SystemRoot%\servicing\TrustedInstaller.exe -> File not found
(WdiServiceHost) Diagnostic Service Host [Win32_Shared | Unknown | Stopped] -> %SystemRoot%\System32\svchost.exe -> File not found
(WdiSystemHost) Diagnostic System Host [Win32_Shared | Unknown | Running] -> %SystemRoot%\System32\svchost.exe -> File not found
(WinVNC4) VNC Server Version 4 [Win32_Own | Auto | Running] -> %ProgramFiles%\RealVNC\VNC4\winvnc4.exe -> RealVNC Ltd. [Ver = E4.3.1 | Size = 914160 bytes | Modified Date = 8/14/2007 10:07:44 PM | Attr =	]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
AAWTray -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\AAWTray.exe [C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe] ->  [Ver = 1, 0, 0, 1 | Size = 88024 bytes | Modified Date = 8/8/2007 3:53:16 PM | Attr =	]
Adobe Photo Downloader -> %ProgramFiles%\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe ["C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"] -> Adobe Systems Incorporated [Ver = 3.0.0.66984 | Size = 61440 bytes | Modified Date = 12/4/2007 3:07:00 AM | Attr = R  ]
Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\reader_sl.exe ["C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"] -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 39792 bytes | Modified Date = 1/11/2008 10:16:38 PM | Attr =	]
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe [C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe] -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 78008 bytes | Modified Date = 7/19/2008 7:38:34 AM | Attr =	]
DSynchronize -> %ProgramFiles%\DSynchronize\DSynchronize.exe ["C:\Program Files\DSynchronize\DSynchronize.exe" /START] -> ND [Ver = 1.00.0103 | Size = 164864 bytes | Modified Date = 9/8/2007 12:12:48 PM | Attr =	]
googletalk -> %ProgramFiles%\Google\Google Talk\googletalk.exe [C:\Program Files\Google\Google Talk\googletalk.exe /autostart] -> Google [Ver = 1,0,0,104 | Size = 3739648 bytes | Modified Date = 1/1/2007 2:22:02 PM | Attr =	]
HP Software Update -> %ProgramFiles%\HP\HP Software Update\hpwuSchd2.exe [C:\Program Files\HP\HP Software Update\HPWuSchd2.exe] -> Hewlett-Packard Co. [Ver = 82.0.173.000 | Size = 49152 bytes | Modified Date = 12/10/2006 9:52:38 PM | Attr =	]
LanguageShortcut -> %ProgramFiles%\CyberLink\PowerDVD\Language\Language.exe ["C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"] ->  [Ver = 1.00.2405	 | Size = 54832 bytes | Modified Date = 3/14/2007 9:01:52 PM | Attr =	]
NvCplDaemon -> %SystemRoot%\System32\nvcpl.dll [RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 7.15.10.9746 | Size = 7766016 bytes | Modified Date = 12/7/2006 8:25:00 PM | Attr =	]
NvMediaCenter -> %SystemRoot%\System32\nvmctray.dll [RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit] -> NVIDIA Corporation [Ver = 7.15.10.9746 | Size = 81920 bytes | Modified Date = 12/7/2006 8:25:00 PM | Attr =	]
NvSvc -> %SystemRoot%\System32\nvsvc.dll [RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart] -> NVIDIA Corporation [Ver = 7.15.10.9746 | Size = 90191 bytes | Modified Date = 12/7/2006 8:25:00 PM | Attr =	]
SigmatelSysTrayApp -> %SystemRoot%\sttray.exe [sttray.exe] -> SigmaTel, Inc. [Ver = 1.0.5343.1  nd544 cp1 | Size = 303104 bytes | Modified Date = 1/12/2007 10:51:28 AM | Attr =	]
Symantec PIF AlertEng -> %CommonProgramFiles%\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe ["C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"] -> Symantec Corporation [Ver = 1.4.5.83 | Size = 583048 bytes | Modified Date = 1/29/2008 6:38:31 PM | Attr =	]
SynTPEnh -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [C:\Program Files\Synaptics\SynTP\SynTPEnh.exe] -> Synaptics, Inc. [Ver = 9.0.1.3 06Nov06 | Size = 815104 bytes | Modified Date = 11/15/2006 7:06:00 PM | Attr =	]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 
IMAIL-> Installed = 1 -> 
MAPI-> Installed = 1 -> 
MSFS-> Installed = 1 -> 
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
AnyDVD -> %ProgramFiles%\SlySoft\AnyDVD\AnyDVD.exe [C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe] -> SlySoft, Inc. [Ver = 6.1.1.4 | Size = 287077 bytes | Modified Date = 1/30/2007 6:08:16 PM | Attr =	]
BackgroundSwitcher -> %ProgramFiles%\John's Background Switcher\BackgroundSwitcher.exe [C:\Program Files\John's Background Switcher\BackgroundSwitcher.exe] -> johnsadventures.com [Ver = 3.3.0.10 | Size = 907152 bytes | Modified Date = 1/22/2008 5:11:36 AM | Attr =	]
Google Update -> %SystemDrive%\Users\Phil\AppData\Local\Google\Update\GoogleUpdate.exe ["C:\Users\cc.TNS\AppData\Local\Google\Update\GoogleUpdate.exe" /c] -> File not found
SpybotSD TeaTimer -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe [C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe] -> Safer Networking Limited [Ver = 1, 6, 0, 20 | Size = 2156368 bytes | Modified Date = 7/7/2008 9:42:06 AM | Attr = RHS]
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe] -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 8/1/2008 10:33:46 PM | Attr =	]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
explorer.exe -> %SystemRoot%\explorer.exe -> Microsoft Corporation [Ver = 6.0.6000.16386 (vista_rtm.061101-2205) | Size = 2923520 bytes | Modified Date = 11/21/2007 4:05:51 AM | Attr =	]
*MultiFile Done* -> -> 
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 
C:\Windows\system32\userinit.exe -> %SystemRoot%\System32\userinit.exe -> Microsoft Corporation [Ver = 6.0.6000.16386 (vista_rtm.061101-2205) | Size = 24576 bytes | Modified Date = 11/2/2006 2:45:50 AM | Attr =	]
*MultiFile Done* -> -> 
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet -> 
rundll32 shell32 -> %SystemRoot%\System32\shell32.dll -> Microsoft Corporation [Ver = 6.0.6000.16386 (vista_rtm.061101-2205) | Size = 11315712 bytes | Modified Date = 4/23/2008 9:51:39 PM | Attr =	]
Control_RunDLL "sysdm.cpl" -> %SystemRoot%\System32\sysdm.cpl -> Microsoft Corporation [Ver = 6.0.6000.16386 (vista_rtm.061101-2205) | Size = 238080 bytes | Modified Date = 11/2/2006 2:44:42 AM | Attr =	]
*MultiFile Done* -> -> 
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\\ScanWithAntiVirus -> 3 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorAdmin -> 2 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorUser -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableInstallerDetection -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableLUA -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableSecureUIAPaths -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableVirtualization -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\PromptOnSecureDesktop -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ValidateAdminCodeSignatures -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\dontdisplaylastusername -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticecaption ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticetext ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\scforceoption -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\shutdownwithoutlogon -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\undockwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\FilterAdministratorToken -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_TEXT -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_BITMAP -> 2 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_OEMTEXT -> 7 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_DIB -> 8 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_PALETTE -> 9 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_UNICODETEXT -> 13 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_DIBV5 -> 17 -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
< CDROM Autorun Settings > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun -> 1 -> 
*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable -> 
TORiSAN CD-ROM CDR_C36 ->  -> File not found
NEC	 MBR-7	->  -> File not found
NEC	 MBR-7.4  ->  -> File not found
PIONEER CHANGR DRM-1804X ->  -> File not found
PIONEER CD-ROM DRM-6324X ->  -> File not found
PIONEER CD-ROM DRM-624X  ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> %SystemRoot%\System32\drivers\cdrom.sys [system32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 6.0.6000.16386 (vista_rtm.061101-2205) | Size = 67072 bytes | Modified Date = 11/2/2006 1:51:44 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 3 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\0 -> IDE\CdRomPIONEER_DVD+-RW_DR-K17Y_________________0.94____\5&3088191d&0&1.0.0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\Count -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\NextInstance -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\1 -> SCSI\CdRom&Ven_MagicISO&Prod_Virtual_DVD-ROM&Rev_1.0A\1&2afd7d61&0&0000 -> 
< Drives - Autoruns > ->  -> 
autoexec.bat [REM Dummy file for NTVDM | ] -> %SystemDrive%\autoexec.bat [ NTFS ] ->  [Ver =  | Size = 24 bytes | Modified Date = 9/18/2006 2:43:36 PM | Attr =	]
< HOSTS File > (761 bytes) -> C:\Windows\System32\drivers\etc\Hosts -> 
::1			 localhost -> -> 
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\Local Page -> C:\Windows\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_CURRENT_USER\: Main\\Start Page -> http://www.google.com/ -> 
HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> Safer Networking Limited [Ver = 1, 6, 0, 12 | Size = 1562448 bytes | Modified Date = 7/7/2008 9:41:58 AM | Attr =	]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 2:11:33 AM | Attr =	]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1602, 35650 | Size = 2549368 bytes | Modified Date = 8/1/2008 10:34:15 PM | Attr = R  ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll [Google Toolbar Notifier BHO] -> Google Inc. [Ver = 2, 1, 1119, 1736 | Size = 654320 bytes | Modified Date = 8/1/2008 10:33:46 PM | Attr =	]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1602, 35650 | Size = 2549368 bytes | Modified Date = 8/1/2008 10:34:15 PM | Attr = R  ]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1602, 35650 | Size = 2549368 bytes | Modified Date = 8/1/2008 10:34:15 PM | Attr = R  ]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 2:11:33 AM | Attr =	]
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search && Destroy Configuration] -> Safer Networking Limited [Ver = 1, 6, 0, 12 | Size = 1562448 bytes | Modified Date = 7/7/2008 9:41:58 AM | Attr =	]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{346B230C-E694-4257-90F8-929D4EF44F6C} ->	(Broadcom 440x 10/100 Integrated Controller) -> 
{51B07A33-733C-430C-BCE8-5B8109EFA545} ->	() -> 
{964A0DD3-0A1C-4CE2-A21E-436B50ABCFCB} ->	(Intel(R) PRO/Wireless 3945ABG Network Connection) -> 
{A7A23DC8-5E6A-406E-A9A1-2FB753B12D3D} ->	(Microsoft Windows Mobile Remote Adapter) -> 
< Winsock2 Catalogs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\ -> 
NameSpace_Catalog5\Catalog_Entries\000000000007 [mdnsNSP] -> %ProgramFiles%\Bonjour\mdnsNSP.dll -> Apple Computer, Inc. [Ver = 1,0,3,1 | Size = 94208 bytes | Modified Date = 2/28/2006 12:42:30 PM | Attr =	]
< Default Protocols [HKEY_LOCAL_MACHINE\] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults -> 
ldap -> 4 = Restricted sites (Not a Default Protocol) -> 
news -> 4 = Restricted sites (Not a Default Protocol) -> 
nntp -> 4 = Restricted sites (Not a Default Protocol) -> 
oecmd -> 4 = Restricted sites (Not a Default Protocol) -> 
snews -> 4 = Restricted sites (Not a Default Protocol) -> 
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{17492023-C23A-453E-A040-C7C580BBF700}[HKEY_LOCAL_MACHINE] -> http://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab[Windows Genuine Advantage Validation Tool] -> 
{406B5949-7190-4245-91A9-30A17DE16AD0}[HKEY_LOCAL_MACHINE] -> http://www.costcophotocenter.com/CostcoActivia.cab[Snapfish Activia] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] -> 
{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876}[HKEY_LOCAL_MACHINE] -> http://support.f-secure.com/ols/fscax.cab[F-Secure Online Scanner 3.3] -> 
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab[Java Plug-in 1.6.0_01] -> 
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab[Java Plug-in 1.6.0_02] -> 
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] -> 
{E62D1A95-8299-4B94-85D0-731DC125A60D}[HKEY_LOCAL_MACHINE] -> http://75.32.216.82/ocx/IMMP4Control.ocx[IMMP4Control Control] -> 
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/auc_lib.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/auc_lib.dll\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/auc_lib.dll\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/ca.pub\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/ca.pub\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/ca.pub\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/daas_s.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/daas_s.dll\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/daas_s.dll\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/fscax.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/fscax.dll\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/fscax.dll\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/gatelauncher.exe\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/gatelauncher.exe\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/gatelauncher.exe\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/IMMP4Control.ocx\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/IMMP4Control.ocx\\.Owner -> {E62D1A95-8299-4B94-85D0-731DC125A60D} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/IMMP4Control.ocx\\{E62D1A95-8299-4B94-85D0-731DC125A60D} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/SnapfishActivia1000.ocx\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/SnapfishActivia1000.ocx\\.Owner -> {406B5949-7190-4245-91A9-30A17DE16AD0} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/SnapfishActivia1000.ocx\\{406B5949-7190-4245-91A9-30A17DE16AD0} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/UploaderX.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/UploaderX.dll\\.Owner -> {474F00F5-3853-492C-AC3A-476512BBC336} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/UploaderX.dll\\{474F00F5-3853-492C-AC3A-476512BBC336} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/System32/LegitCheckControl.DLL\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/System32/LegitCheckControl.DLL\\.Owner -> {17492023-C23A-453E-A040-C7C580BBF700} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/System32/LegitCheckControl.DLL\\{17492023-C23A-453E-A040-C7C580BBF700} ->  -> 



[Files/Folders - Created Within 30 days]
Avenger -> %SystemDrive%\Avenger ->  [Folder | Created Date = 8/14/2008 10:01:44 PM | Attr =	]
1 C:\*.tmp files -> C:\*.tmp -> 
fsaua.data -> %SystemDrive%\fsaua.data ->  [Folder | Created Date = 8/14/2008 10:13:59 PM | Attr =	]
_OTMoveIt -> %SystemDrive%\_OTMoveIt ->  [Folder | Created Date = 8/3/2008 12:55:57 AM | Attr =	]
aswFsBlk.sys -> %SystemRoot%\System32\drivers\aswFsBlk.sys -> ALWIL Software [Ver = 4.8.1227.0 | Size = 20560 bytes | Created Date = 8/2/2008 10:02:48 AM | Attr =	]
aswMonFlt.sys -> %SystemRoot%\System32\drivers\aswMonFlt.sys -> ALWIL Software [Ver = 4.8.1227.0 | Size = 51280 bytes | Created Date = 8/2/2008 2:16:40 AM | Attr =	]
aswRdr.sys -> %SystemRoot%\System32\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.8.1227.0 | Size = 23152 bytes | Created Date = 8/2/2008 2:18:32 AM | Attr =	]
aswSP.sys -> %SystemRoot%\System32\drivers\aswSP.sys -> ALWIL Software [Ver = 4.8.1227.0 | Size = 78416 bytes | Created Date = 8/2/2008 10:02:48 AM | Attr =	]
aswTdi.sys -> %SystemRoot%\System32\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.8.1227.0 | Size = 42912 bytes | Created Date = 8/2/2008 2:18:26 AM | Attr =	]
ikfilesec.sys -> %SystemRoot%\System32\drivers\ikfilesec.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1039 built by: WinDDK | Size = 42376 bytes | Created Date = 8/2/2008 11:25:57 PM | Attr =	]
iksysflt.sys -> %SystemRoot%\System32\drivers\iksysflt.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1029 | Size = 66952 bytes | Created Date = 8/2/2008 11:25:57 PM | Attr =	]
iksyssec.sys -> %SystemRoot%\System32\drivers\iksyssec.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1031 | Size = 81288 bytes | Created Date = 8/2/2008 11:25:57 PM | Attr =	]
kcom.sys -> %SystemRoot%\System32\drivers\kcom.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1008 | Size = 29576 bytes | Created Date = 8/2/2008 11:25:57 PM | Attr =	]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> Malwarebytes Corporation [Ver = 1, 0, 0, 1 | Size = 17144 bytes | Created Date = 8/12/2008 7:41:55 PM | Attr =	]
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> Malwarebytes Corporation [Ver = 1.00 | Size = 38472 bytes | Created Date = 8/12/2008 7:41:55 PM | Attr =	]
Msft_Kernel_SynTP_01000.Wdf -> %SystemRoot%\System32\drivers\Msft_Kernel_SynTP_01000.Wdf ->  [Ver =  | Size = 0 bytes | Created Date = 8/4/2008 12:30:59 AM | Attr =  H ]
SynTP.sys -> %SystemRoot%\System32\drivers\SynTP.sys -> Synaptics, Inc. [Ver = 9.0.1.3 06Nov06 | Size = 179256 bytes | Created Date = 8/4/2008 12:28:25 AM | Attr =	]
actskin4.ocx -> %SystemRoot%\System32\actskin4.ocx ->  [Ver = 4, 2, 7, 3 | Size = 380928 bytes | Created Date = 8/2/2008 2:16:40 AM | Attr =	]
aswBoot.exe -> %SystemRoot%\System32\aswBoot.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 1163960 bytes | Created Date = 8/2/2008 2:16:40 AM | Attr =	]
AvastSS.scr -> %SystemRoot%\System32\AvastSS.scr -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 94392 bytes | Created Date = 8/2/2008 2:17:28 AM | Attr =	]
Default.rdp -> %SystemRoot%\System32\Default.rdp ->  [Ver =  | Size = 1670 bytes | Created Date = 8/14/2008 7:14:43 PM | Attr =  H ]
SpoonUninstall-Nostalgia, an Intellivision Emulator.bmp -> %SystemRoot%\System32\SpoonUninstall-Nostalgia, an Intellivision Emulator.bmp ->  [Ver =  | Size = 28898 bytes | Created Date = 8/7/2008 10:20:13 PM | Attr =	]
SpoonUninstall-Nostalgia, an Intellivision Emulator.dat -> %SystemRoot%\System32\SpoonUninstall-Nostalgia, an Intellivision Emulator.dat ->  [Ver =  | Size = 6482 bytes | Created Date = 8/7/2008 10:20:13 PM | Attr =	]
SpoonUninstall.exe -> %SystemRoot%\System32\SpoonUninstall.exe ->  [Ver =  | Size = 164352 bytes | Created Date = 8/7/2008 10:20:13 PM | Attr =	]
SynCOM.dll -> %SystemRoot%\System32\SynCOM.dll -> Synaptics, Inc. [Ver = 9.0.1.3 06Nov06 | Size = 163840 bytes | Created Date = 8/4/2008 12:28:25 AM | Attr =	]
SynCtrl.dll -> %SystemRoot%\System32\SynCtrl.dll -> Synaptics, Inc. [Ver = 9.0.1.3 06Nov06 | Size = 196608 bytes | Created Date = 8/4/2008 12:28:25 AM | Attr =	]
SynTPAPI.dll -> %SystemRoot%\System32\SynTPAPI.dll -> Synaptics, Inc. [Ver = 9.0.1.3 06Nov06 | Size = 143360 bytes | Created Date = 8/4/2008 12:28:26 AM | Attr =	]
SynTPCo4.dll -> %SystemRoot%\System32\SynTPCo4.dll -> Synaptics, Inc. [Ver = 9.0.1.3 06Nov06 | Size = 110592 bytes | Created Date = 8/4/2008 12:28:26 AM | Attr =	]
WdfCoInstaller01000.dll -> %SystemRoot%\System32\WdfCoInstaller01000.dll ->  [Ver =  | Size = 1060424 bytes | Created Date = 8/4/2008 12:28:27 AM | Attr =	]
ERDNT -> %SystemRoot%\ERDNT ->  [Folder | Created Date = 8/3/2008 1:09:11 AM | Attr =	]
kaillera.ini -> %SystemRoot%\kaillera.ini ->  [Ver =  | Size = 115 bytes | Created Date = 8/11/2008 9:59:14 PM | Attr =	]
[Files Created - Additional Folder Scans - Non-Microsoft Only]
Google Updater -> %AllUsersProfile%\Google Updater ->  [Folder | Created Date = 8/1/2008 10:33:40 PM | Attr =	]
Lavasoft -> %AllUsersProfile%\Lavasoft ->  [Folder | Created Date = 8/2/2008 4:16:03 PM | Attr =	]
LUUnInstall.LiveUpdate -> %AllUsersProfile%\LUUnInstall.LiveUpdate ->  [Ver =  | Size = 2866 bytes | Created Date = 8/2/2008 1:31:35 AM | Attr =	]
Malwarebytes -> %AllUsersProfile%\Malwarebytes ->  [Folder | Created Date = 8/12/2008 7:41:53 PM | Attr =	]
Spybot - Search & Destroy -> %AllUsersProfile%\Spybot - Search & Destroy ->  [Folder | Created Date = 8/2/2008 12:30:20 PM | Attr =	]
TEMP -> %AllUsersProfile%\TEMP ->  [Folder | Created Date = 8/2/2008 11:26:30 PM | Attr =	]
@Alternate Data Stream - 158 bytes -> %AllUsersProfile%\TEMP:DFC5A2B2
FileZilla -> %AppData%\FileZilla ->  [Folder | Created Date = 8/14/2008 7:35:53 PM | Attr =	]
Malwarebytes -> %AppData%\Malwarebytes ->  [Folder | Created Date = 8/12/2008 7:42:00 PM | Attr =	]
PC Tools -> %AppData%\PC Tools ->  [Folder | Created Date = 8/2/2008 11:25:45 PM | Attr =	]
ATF-Cleaner.exe -> %UserProfile%\Desktop\ATF-Cleaner.exe -> Atribune.org [Ver = 3.00.0002 | Size = 50688 bytes | Created Date = 8/14/2008 5:58:26 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\ATF-Cleaner.exe:Zone.Identifier
avenger -> %UserProfile%\Desktop\avenger ->  [Folder | Created Date = 8/14/2008 9:58:39 PM | Attr =	]
avenger.zip -> %UserProfile%\Desktop\avenger.zip ->  [Ver =  | Size = 724952 bytes | Created Date = 8/14/2008 9:58:22 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\avenger.zip:Zone.Identifier
dss.exe -> %UserProfile%\Desktop\dss.exe ->  [Ver = 3, 2, 8, 1 | Size = 686630 bytes | Created Date = 8/3/2008 1:08:29 AM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\dss.exe:Zone.Identifier
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk ->  [Ver =  | Size = 1874 bytes | Created Date = 8/2/2008 11:09:48 PM | Attr =	]
mbam-setup.exe -> %UserProfile%\Desktop\mbam-setup.exe -> Malwarebytes Corporation									 [Ver = 1.24				 | Size = 1885120 bytes | Created Date = 8/3/2008 12:27:23 AM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\mbam-setup.exe:Zone.Identifier
OTMoveIt2.exe -> %UserProfile%\Desktop\OTMoveIt2.exe -> OldTimer Tools [Ver = 1.0.4.3 | Size = 291840 bytes | Created Date = 8/3/2008 12:25:58 AM | Attr =	]
OTScanIt -> %UserProfile%\Desktop\OTScanIt ->  [Folder | Created Date = 8/14/2008 6:01:04 PM | Attr =	]
OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe ->  [Ver =  | Size = 568477 bytes | Created Date = 8/14/2008 5:59:03 PM | Attr =	]
@Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\OTScanIt.exe:Zone.Identifier
QuickSet.lnk -> %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk ->  [Ver =  | Size = 2485 bytes | Created Date = 8/4/2008 12:28:14 AM | Attr =	]
Alwil Software -> %ProgramFiles%\Alwil Software ->  [Folder | Created Date = 8/2/2008 2:16:16 AM | Attr =	]
FileZilla FTP Client -> %ProgramFiles%\FileZilla FTP Client ->  [Folder | Created Date = 8/14/2008 7:35:31 PM | Attr =	]
Lavasoft -> %ProgramFiles%\Lavasoft ->  [Folder | Created Date = 8/2/2008 4:16:09 PM | Attr =	]
Malwarebytes' Anti-Malware -> %ProgramFiles%\Malwarebytes' Anti-Malware ->  [Folder | Created Date = 8/12/2008 7:41:53 PM | Attr =	]
Norton Security Scan -> %ProgramFiles%\Norton Security Scan ->  [Folder | Created Date = 8/2/2008 11:25:28 PM | Attr =	]
Nostalgia -> %ProgramFiles%\Nostalgia ->  [Folder | Created Date = 8/7/2008 10:19:56 PM | Attr =	]
Spybot - Search & Destroy -> %ProgramFiles%\Spybot - Search & Destroy ->  [Folder | Created Date = 8/2/2008 12:30:20 PM | Attr =	]
Spyware Doctor -> %ProgramFiles%\Spyware Doctor ->  [Folder | Created Date = 8/2/2008 11:25:45 PM | Attr =	]
Synaptics -> %ProgramFiles%\Synaptics ->  [Folder | Created Date = 8/4/2008 12:30:10 AM | Attr =	]
Trend Micro -> %ProgramFiles%\Trend Micro ->  [Folder | Created Date = 8/2/2008 11:09:47 PM | Attr =	]

[Files/Folders - Modified Within 30 days]
Avenger -> %SystemDrive%\Avenger ->  [Folder | Modified Date = 8/14/2008 10:02:56 PM | Attr =	]
1 C:\*.tmp files -> C:\*.tmp -> 
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Modified Date = 8/7/2008 4:34:04 PM | Attr =  H ]
Downloads -> %SystemDrive%\Downloads ->  [Folder | Modified Date = 8/11/2008 9:48:26 PM | Attr =	]
fsaua.data -> %SystemDrive%\fsaua.data ->  [Folder | Modified Date = 8/14/2008 10:13:59 PM | Attr =	]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 2145849344 bytes | Modified Date = 8/14/2008 10:09:23 PM | Attr =  HS]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 8/14/2008 7:35:31 PM | Attr = R  ]
ProgramData -> %AllUsersProfile% ->  [Folder | Modified Date = 8/14/2008 10:01:44 PM | Attr =  H ]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 8/14/2008 9:09:46 PM | Attr =  HS]
Windows -> %SystemRoot% ->  [Folder | Modified Date = 8/14/2008 10:01:44 PM | Attr =	]
_OTMoveIt -> %SystemDrive%\_OTMoveIt ->  [Folder | Modified Date = 8/3/2008 12:55:57 AM | Attr =	]
aswFsBlk.sys -> %SystemRoot%\System32\drivers\aswFsBlk.sys -> ALWIL Software [Ver = 4.8.1227.0 | Size = 20560 bytes | Modified Date = 7/19/2008 7:37:42 AM | Attr =	]
aswMonFlt.sys -> %SystemRoot%\System32\drivers\aswMonFlt.sys -> ALWIL Software [Ver = 4.8.1227.0 | Size = 51280 bytes | Modified Date = 7/19/2008 7:36:03 AM | Attr =	]
aswRdr.sys -> %SystemRoot%\System32\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.8.1227.0 | Size = 23152 bytes | Modified Date = 7/19/2008 7:33:42 AM | Attr =	]
aswSP.sys -> %SystemRoot%\System32\drivers\aswSP.sys -> ALWIL Software [Ver = 4.8.1227.0 | Size = 78416 bytes | Modified Date = 7/19/2008 7:35:18 AM | Attr =	]
aswTdi.sys -> %SystemRoot%\System32\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.8.1227.0 | Size = 42912 bytes | Modified Date = 7/19/2008 7:32:36 AM | Attr =	]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> Malwarebytes Corporation [Ver = 1, 0, 0, 1 | Size = 17144 bytes | Modified Date = 7/30/2008 8:07:52 PM | Attr =	]
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> Malwarebytes Corporation [Ver = 1.00 | Size = 38472 bytes | Modified Date = 7/30/2008 8:07:56 PM | Attr =	]
Msft_Kernel_SynTP_01000.Wdf -> %SystemRoot%\System32\drivers\Msft_Kernel_SynTP_01000.Wdf ->  [Ver =  | Size = 0 bytes | Modified Date = 8/4/2008 12:30:59 AM | Attr =  H ]
7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 -> %SystemRoot%\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 ->  [Ver =  | Size = 4912 bytes | Modified Date = 8/15/2008 12:09:33 AM | Attr =  H ]
7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 -> %SystemRoot%\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 ->  [Ver =  | Size = 4912 bytes | Modified Date = 8/15/2008 12:09:33 AM | Attr =  H ]
aswBoot.exe -> %SystemRoot%\System32\aswBoot.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 1163960 bytes | Modified Date = 7/19/2008 7:43:08 AM | Attr =	]
AvastSS.scr -> %SystemRoot%\System32\AvastSS.scr -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 94392 bytes | Modified Date = 7/19/2008 7:30:53 AM | Attr =	]
catroot -> %SystemRoot%\System32\catroot ->  [Folder | Modified Date = 8/4/2008 12:29:54 AM | Attr =	]
catroot2 -> %SystemRoot%\System32\catroot2 ->  [Folder | Modified Date = 8/4/2008 12:29:54 AM | Attr =	]
config.nt -> %SystemRoot%\System32\config.nt ->  [Ver =  | Size = 2577 bytes | Modified Date = 8/2/2008 10:02:47 AM | Attr =	]
Default.rdp -> %SystemRoot%\System32\Default.rdp ->  [Ver =  | Size = 1670 bytes | Modified Date = 8/14/2008 7:28:44 PM | Attr =  H ]
drivers -> %SystemRoot%\System32\drivers ->  [Folder | Modified Date = 8/14/2008 10:01:44 PM | Attr =	]
perfc009.dat -> %SystemRoot%\System32\perfc009.dat ->  [Ver =  | Size = 123330 bytes | Modified Date = 8/14/2008 10:16:19 PM | Attr =	]
perfh009.dat -> %SystemRoot%\System32\perfh009.dat ->  [Ver =  | Size = 675088 bytes | Modified Date = 8/14/2008 10:16:19 PM | Attr =	]
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI ->  [Ver =  | Size = 792362 bytes | Modified Date = 8/14/2008 10:16:18 PM | Attr =	]
rserver30 -> %SystemRoot%\System32\rserver30 ->  [Folder | Modified Date = 7/25/2008 7:23:38 PM | Attr =	]
SpoonUninstall-Nostalgia, an Intellivision Emulator.bmp -> %SystemRoot%\System32\SpoonUninstall-Nostalgia, an Intellivision Emulator.bmp ->  [Ver =  | Size = 28898 bytes | Modified Date = 8/7/2008 10:19:43 PM | Attr =	]
SpoonUninstall-Nostalgia, an Intellivision Emulator.dat -> %SystemRoot%\System32\SpoonUninstall-Nostalgia, an Intellivision Emulator.dat ->  [Ver =  | Size = 6482 bytes | Modified Date = 8/7/2008 10:20:13 PM | Attr =	]
SpoonUninstall.exe -> %SystemRoot%\System32\SpoonUninstall.exe ->  [Ver =  | Size = 164352 bytes | Modified Date = 8/7/2008 10:20:13 PM | Attr =	]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 67584 bytes | Modified Date = 8/14/2008 10:09:29 PM | Attr =   S]
bthservsdp.dat -> %SystemRoot%\bthservsdp.dat ->  [Ver =  | Size = 3374 bytes | Modified Date = 8/14/2008 10:08:42 PM | Attr =	]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 8/15/2008 12:20:52 AM | Attr =   S]
ERDNT -> %SystemRoot%\ERDNT ->  [Folder | Modified Date = 8/3/2008 1:09:11 AM | Attr =	]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 8/14/2008 10:16:17 PM | Attr =	]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 8/7/2008 4:34:08 PM | Attr =  HS]
kaillera.ini -> %SystemRoot%\kaillera.ini ->  [Ver =  | Size = 115 bytes | Modified Date = 8/11/2008 9:59:14 PM | Attr =	]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 8/14/2008 11:50:25 PM | Attr =	]
System32 -> %SystemRoot%\System32 ->  [Folder | Modified Date = 8/14/2008 10:16:18 PM | Attr =	]
Tasks -> %SystemRoot%\Tasks ->  [Folder | Modified Date = 8/2/2008 1:23:49 AM | Attr =	]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 8/14/2008 10:25:24 PM | Attr =	]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]

< End of report >


#9 SifuMike

SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 15 August 2008 - 11:57 AM

Hi Phil,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u7-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.

That log looks fine. :thumbsup:

If there aren't any other issues then go ahead and run the system normally for a day and then get back with me and let me know if there are any continuing issues.

If everything is Ok at that time, then we have some final cleanup to do and you'll be good to go.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
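As an added check (not part of the thread or of SifuMike's instructions), the following PowerShell script lists the Java Runtime entries that Add/Remove Programs is built from, by reading the Uninstall registry keys, and flags any whose version is below JRE 6 Update 7. The reference string 1.6.0.70 is an assumption about how that release records its DisplayVersion; adjust it if you are checking against a newer release.

```powershell
# Added example, not part of the original thread.
# Enumerates Java Runtime entries from the Add/Remove Programs registry data
# and flags those older than the reference version.
# ASSUMPTION: JRE 6 Update 7 registers DisplayVersion 1.6.0.70; adjust as needed.
$ReferenceVersion = [version]'1.6.0.70'

# Per-machine (32-bit and 64-bit views) and per-user uninstall entries.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-JavaVersion {
    param([string]$Text)
    # Sun used forms such as 1.4.2_03 and 1.6.0.70; normalise '_' to '.' and
    # keep at most four numeric fields so [version] can parse the result.
    if (-not $Text) { return $null }
    $fields = (($Text -replace '_', '.') -split '\.') | Select-Object -First 4
    try { return [version]($fields -join '.') } catch { return $null }
}

function Get-InstalledJava {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -match '^(J2SE|Java)' -and
            $_.DisplayName -notmatch 'Development Kit|JDK|DB|FX'
        } |
        ForEach-Object {
            $ver = ConvertTo-JavaVersion $_.DisplayVersion
            New-Object -TypeName PSObject -Property @{
                Name            = $_.DisplayName
                Version         = $_.DisplayVersion
                Outdated        = ($null -ne $ver -and $ver -lt $ReferenceVersion)
                UninstallString = $_.UninstallString
            }
        }
}

$java = @(Get-InstalledJava)
if ($java.Count -eq 0) {
    Write-Host 'No Java Runtime entries found in Add/Remove Programs.'
} else {
    $java | Format-Table -AutoSize Name, Version, Outdated
    $old = @($java | Where-Object { $_.Outdated })
    Write-Host ('{0} outdated Java entries to remove via Add/Remove Programs.' -f $old.Count)
}
```

Run it once before and once after the removal steps above: the second run should report no outdated entries and a single current JRE.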

#10 Nuukem

Nuukem
  • Topic Starter

  • Members
  • 6 posts

Posted 16 August 2008 - 02:57 AM

SifuMike,

OK. I've updated my Java and everything seems to be going well. Thanks so much for your help!!!

Any suggestions on software to run resident in the hopes to limit this from happening again? Apparently Avast, Windows Defender and Spybot Search & Destroy's TeaTimer didn't do the trick.

Phil

#11 SifuMike

SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 16 August 2008 - 09:26 AM

Hi Phil,

Any suggestions on software to run resident in the hopes to limit this from happening again? Apparently Avast, Windows Defender and Spybot Search & Destroy's TeaTimer didn't do the trick.


You had a Vundo infection on this computer, and no antimalware or antivirus tools will prevent it. :)
It was specifically written to go around all antimalware tools, and is very difficult to remove.
BTW, you should not be running two registry protectors, Spybot TeaTimer and Windows Defender, at the same time, as they will greatly slow your computer. Disable one of them.


Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware by miekiemoes



Now let's do some final cleanup to reset the System Restore points and remove all of the tools we used during the fix and then you are all set.

Step #1

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

Disabling System Restore
http://www.bleepingcomputer.com/tutorials/...43.html#disable


Enabling System Restore
http://www.bleepingcomputer.com/tutorials/...143.html#enable


Step #2


To remove all of the tools we used and the files and folders they created do the following:
  • Start OTScanIt
  • Click the CleanUp button
  • OTScanIt will download a small file from the Internet. If a security program or firewall warns you of this, allow it to download.
  • OTScanIt will delete any tools downloaded and files/folders created and then ask you to reboot so it can remove itself. Click Yes.
After that you are good to go. :thumbsup:

#12 SifuMike

SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 23 August 2008 - 08:51 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.