
Extremely Slow And Malfunctioning Computer


18 replies to this topic

#1 dobk

  • Members
  • 9 posts

Posted 15 August 2008 - 08:06 PM

My computer began operating very slowly and I am unable to open files or even copy them. I had been trying to eliminate a Trojan, and this effect may be the result of the Trojan or of my efforts to purge it.
I checked my Windows Task Manager: I have 2 avp.exe, one of which has over 50,000 I/O Reads; System Idle Process and BackupNotify.exe are both between 40 & 50 on CPU.
Here are my HJT and Smitfraudfix logs. Please help me fix this.

Scan saved at 11:38, on 2008-08-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/info/hho-hp-music-hpdesktop-icon
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AVP] "C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"
O4 - HKUS\S-1-5-21-616463319-1446196164-2083373994-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-616463319-1446196164-2083373994-500\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe (User '?')
O4 - HKUS\S-1-5-21-616463319-1446196164-2083373994-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-616463319-1446196164-2083373994-500\..\Run: [AVP] "C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe" (User '?')
O4 - S-1-5-21-616463319-1446196164-2083373994-500 Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE (User '?')
O4 - S-1-5-21-616463319-1446196164-2083373994-500 Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE (User '?')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 9392 bytes

***********************************************************************************************************

SmitFraudFix v2.337

Scan done at 16:07:20.98, Fri 08/15/2008
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process


hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Administrator


C:\Documents and Settings\Administrator\Application Data


Start Menu


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="dbi102.dll"


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS



Scanning for wininet.dll infection


End

Edited by dobk, 16 August 2008 - 12:12 PM.
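Added example (not part of dobk's post, of HijackThis or of SmitFraudFix): a small Python triage script that parses the O4 Run entries and O23 service lines of a HijackThis log like the one above and flags two things a helper looks for: autoruns given as a bare file name (resolved through the search path rather than a fixed location) and one executable registered at several launch points. The sample lines are copied from the log above; run on them, it shows why avp.exe appears more than once in the process list: it is registered under HKLM\Run, under HKCU\Run and as the AVP service.

```python
import re
from collections import defaultdict

# Constructed sample: entry lines copied from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"
O4 - HKCU\..\Run: [AVP] "C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# O4 Run entry: hive (HKLM, HKCU or HKUS\<SID>), value name in brackets,
# command line, optional "(User '?')" suffix.
RUN_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '.*'\))?$"
)
# O23 service entry: display name - vendor - image path.
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# Command line: a quoted path, or an unquoted path ending in an executable
# extension (HijackThis does not quote unquoted paths that contain spaces).
CMD_RE = re.compile(
    r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|com|scr|bat|cmd|pif)))(?P<args>.*)$',
    re.IGNORECASE,
)


def split_command(cmd):
    """Split an O4 command line into (image path, arguments)."""
    m = CMD_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return (m.group("q") or m.group("u")), m.group("args").strip()


def parse_hjt(text):
    """Collect O4 Run entries and O23 services from HijackThis log text."""
    autoruns, services = [], []
    for line in text.strip().splitlines():
        m = RUN_RE.match(line)
        if m:
            path, args = split_command(m.group("cmd"))
            autoruns.append({"hive": m.group("hive"), "name": m.group("name"),
                             "path": path, "args": args})
            continue
        m = SVC_RE.match(line)
        if m:
            services.append(m.groupdict())
    return {"autoruns": autoruns, "services": services}


def is_bare_filename(path):
    """True when the entry names only a file, so Windows resolves it through
    the search path instead of a fixed location."""
    return "\\" not in path and "/" not in path


def triage(parsed):
    """Flag bare-filename autoruns and executables registered at more than
    one launch point (Run hives and services), keyed by lower-cased path."""
    bare = [a["name"] for a in parsed["autoruns"] if is_bare_filename(a["path"])]
    launch_points = defaultdict(list)
    for a in parsed["autoruns"]:
        launch_points[a["path"].lower()].append(f"{a['hive']}\\Run:{a['name']}")
    for s in parsed["services"]:
        launch_points[s["path"].lower()].append(f"Service:{s['name']}")
    multi = {p: locs for p, locs in launch_points.items() if len(locs) > 1}
    return {"bare_filename": bare, "multi_launch": multi}


if __name__ == "__main__":
    result = triage(parse_hjt(SAMPLE_HJT_LOG))
    for name in result["bare_filename"]:
        print(f"bare-filename autorun: {name}")
    for path, locs in result["multi_launch"].items():
        print(f"{path} launched from {len(locs)} places: {', '.join(locs)}")
```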


#2 dark messenger

  • Members
  • 1,741 posts
  • Gender:Male
  • Location:Auckland NZ

Posted 29 August 2008 - 05:20 PM

Hello

Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks, and again sorry for the delay.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
DM

#3 SNOWHITE

    missy malware magnet

  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 04 September 2008 - 04:45 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Thank you :thumbsup:
SNOWHITE

#4 SNOWHITE

    missy malware magnet

  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 04 September 2008 - 08:01 PM

Topic reopened per request :thumbsup:
SNOWHITE

#5 dobk
  • Topic Starter

  • Members
  • 9 posts

Posted 04 September 2008 - 09:16 PM

Hi, I cannot access the internet with my computer that is messed up (my desktop unit), so I cannot do a Kaspersky scan. I downloaded random's system information tool (RSIT) to a jump drive using my laptop and tried to run it on my desktop, but I got an error message.

#6 dark messenger

  • Members
  • 1,741 posts
  • Gender:Male
  • Location:Auckland NZ

Posted 04 September 2008 - 09:20 PM

Hi, what was the error message please :thumbsup:

#7 dobk
  • Topic Starter

  • Members
  • 9 posts

Posted 05 September 2008 - 09:46 PM

When I run RSIT from the jump drive, the Disclaimer of Warranty pops up and I hit Continue. Then I see the "Writing header information" window and, at the same time, an error window that says...

AutoIt Error
Line -1:
Error: Variable must be of type "Object"

I ran this program from the jump drive on my laptop and it worked fine.

#8 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 16 September 2008 - 08:43 AM

Hello dobk, :thumbsup:

Dark Messenger is having Internet problems and asked if someone would take over the logs he is working on. I will be taking over this one if it is OK with you.

Would you please advise me whether or not you still need assistance?


Thanks,

thewall
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#9 dobk
  • Topic Starter

  • Members
  • 9 posts

Posted 17 September 2008 - 06:31 AM

Hi,
Yes, my computer is still down, and the HJT log and other info I posted are still relevant.

#10 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 17 September 2008 - 08:33 AM

See if you can get either one of these transferred over to the infected machine and run them. If you can get both, that is even better. Please post either one or both reports, depending on your success running them, if any.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#11 dobk
  • Topic Starter

  • Members
  • 9 posts

Posted 18 September 2008 - 04:58 AM

Thanks. I am out of town right now (posting this on my laptop from my motel room) and will give it a try when I get home Thursday afternoon.

Edited by dobk, 18 September 2008 - 04:59 AM.


#12 dobk
  • Topic Starter

  • Members
  • 9 posts

Posted 23 September 2008 - 05:04 AM

OK, I installed Malwarebytes' Anti-Malware on my jump drive and updated it using my laptop, as I cannot get an internet connection on the infected machine. It worked great on the laptop but got a runtime error on the infected machine as soon as it started. I have Ad-Aware on it and it will not run either. The best I've been able to get is an HJT log and the Smitfraudfix log. Can you make out anything from the HJT log and other information in my original post, as that data is still relevant?

#13 harrythook

  • Security Colleague
  • 4,152 posts
  • Gender:Male
  • Location:Philadelphia

Posted 25 September 2008 - 08:17 PM

Hey dobk,
Thewall was called away suddenly, so I will try to help you out for now. I would like you to follow these instructions, but where it says to download to your machine, put the tools on the flash drive please. When you have executed the scans (I hope it works), copy the results back to your flash drive and post them here.
Note: this is going to create a lot of data; multiple trips with the flash drive may be needed.
First, let's see if we can clean out some files to prepare for this scan.
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Now download OTScanIt from here or here to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

Close ALL OTHER PROGRAMS.
Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).

In the Drivers section click on Non-Microsoft.

Do not change any other settings.

Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Save the file to your desktop or other location where you can find it back.

Let's see if you can get that to run and post the results :thumbsup:

Harry


#14 dobk
  • Topic Starter

  • Members
  • 9 posts

Posted 27 September 2008 - 05:53 AM

Hi Harry,
The OTScanIt seemed to work and here is the report.

OTScanIt logfile created on: 2008-09-27 05:48:03
OTScanIt by OldTimer - Version 1.0.19.0	 Folder = K:\OTScanIt
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd
 
2.00 Gb Total Physical Memory | 1.64 Gb Available Physical Memory | 82.01% Memory free
2.60 Gb Paging File | 2.35 Gb Available in Paging File | 90.41% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 180.95 Gb Total Space | 12.75 Gb Free Space | 7.05% Space Free | Partition Type: NTFS
Drive D: | 5.34 Gb Total Space | 0.67 Gb Free Space | 12.46% Space Free | Partition Type: FAT32
Drive E: | 4.38 Gb Total Space | 4.07 Gb Free Space | 93.01% Space Free | Partition Type: UDF2.00
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive K: | 998.03 Mb Total Space | 943.13 Mb Free Space | 94.50% Space Free | Partition Type: FAT32

Computer Name: DESKTOP1
Current User Name: Administrator
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On

[Processes - Non-Microsoft Only]
avp.exe -> %ProgramFiles%\PCSecurityShield\The Shield Deluxe 2008\avp.exe -> PCSecurityShield [Ver = 6.0.2.621 | Size = 200768 bytes | Modified Date = 2007-08-23 14:16:26 | Attr =	]
jusched.exe -> %ProgramFiles%\Java\j2re1.4.2_03\bin\jusched.exe ->  [Ver =  | Size = 32881 bytes | Modified Date = 2004-05-11 05:33:06 | Attr =	]
atiptaxx.exe -> %ProgramFiles%\ATI Technologies\ATI Control Panel\atiptaxx.exe -> ATI Technologies, Inc. [Ver = 6.14.10.5102 | Size = 335872 bytes | Modified Date = 2004-04-21 23:00:00 | Attr =	]
totrecsched.exe -> %ProgramFiles%\HighCriteria\TotalRecorder\TotRecSched.exe -> High Criteria inc. [Ver = 5, 0, 0, 1 | Size = 81920 bytes | Modified Date = 2004-10-26 20:35:04 | Attr =	]
alcwzrd.exe -> %SystemRoot%\ALCWZRD.EXE -> RealTek Semicoductor Corp. [Ver = 1.1.0.19 | Size = 2805248 bytes | Modified Date = 2005-04-06 18:53:00 | Attr =	]
ltmsg.exe -> %SystemRoot%\ltmsg.exe -> Agere Systems [Ver = 3, 0, 0, 4 | Size = 40960 bytes | Modified Date = 2003-07-14 10:52:44 | Attr =	]
drgtodsc.exe -> %ProgramFiles%\Roxio\Drag-to-Disc\DrgToDsc.exe -> Roxio [Ver = 9.0.5.25 | Size = 1121016 bytes | Modified Date = 2006-11-15 10:05:00 | Attr =	]
avp.exe -> %ProgramFiles%\PCSecurityShield\The Shield Deluxe 2008\avp.exe -> PCSecurityShield [Ver = 6.0.2.621 | Size = 200768 bytes | Modified Date = 2007-08-23 14:16:26 | Attr =	]
getright.exe -> %ProgramFiles%\GetRight\GetRight.exe -> Headlight Software, Inc. [Ver = 6.3d | Size = 4539456 bytes | Modified Date = 2008-03-04 21:18:14 | Attr =	]
setpoint.exe -> %ProgramFiles%\Logitech\SetPoint\SetPoint.exe -> Logitech, Inc. [Ver = 4.60.122 | Size = 805392 bytes | Modified Date = 2008-05-02 02:44:08 | Attr =	]
findfast.exe -> %ProgramFiles%\Microsoft Office\Office\FINDFAST.EXE ->  [Ver =  | Size = 111376 bytes | Modified Date = 1996-11-17 01:00:00 | Attr =	]
osa.exe -> %ProgramFiles%\Microsoft Office\Office\OSA.EXE ->  [Ver =  | Size = 51984 bytes | Modified Date = 1996-11-17 01:00:00 | Attr =	]
khalmnpr.exe -> %CommonProgramFiles%\Logishrd\KHAL2\KHALMNPR.exe -> Logitech, Inc. [Ver = 4.60.42 | Size = 76304 bytes | Modified Date = 2008-05-02 02:40:56 | Attr =	]

[Win32 Services - Non-Microsoft Only]
(AVP) The Shield Deluxe 2008 [Win32_Own | Auto | Running] -> %ProgramFiles%\PCSecurityShield\The Shield Deluxe 2008\avp.exe -> PCSecurityShield [Ver = 6.0.2.621 | Size = 200768 bytes | Modified Date = 2007-08-23 14:16:26 | Attr =	]
(LBTServ) Logitech Bluetooth Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Logishrd\Bluetooth\LBTServ.exe -> Logitech, Inc. [Ver = 4.60.122 | Size = 121360 bytes | Modified Date = 2008-05-02 02:42:06 | Attr =	]
(stllssvr) stllssvr [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\SureThing Shared\stllssvr.exe -> MicroVision Development, Inc. [Ver = 1.2.455 | Size = 73728 bytes | Modified Date = 2007-01-15 09:05:30 | Attr = R  ]

[Driver Services - Non-Microsoft Only]
(AgereSoftModem) Agere Systems Soft Modem [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\AGRSM.sys -> Agere Systems [Ver = 2.1.41.10 2.1.41.10 06/29/2004 09:07:15 | Size = 1268204 bytes | Modified Date = 2004-06-29 10:07:18 | Attr =	]
(catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\ComboFix\catchme.sys -> File not found
(DLABMFSM) DLABMFSM [File_System | Auto | Running] -> %SystemRoot%\system32\DLA\DLABMFSM.SYS -> Roxio [Ver = 9.05.10a | Size = 35064 bytes | Modified Date = 2006-11-01 09:59:10 | Attr =	]
(DLABOIOM) DLABOIOM [File_System | Auto | Running] -> %SystemRoot%\system32\DLA\DLABOIOM.SYS -> Roxio [Ver = 9.05.10a | Size = 32472 bytes | Modified Date = 2006-11-01 09:59:04 | Attr =	]
(DLACDBHM) DLACDBHM [File_System | System | Running] -> %SystemRoot%\system32\drivers\DLACDBHM.SYS -> Roxio [Ver = local_build | Size = 12920 bytes | Modified Date = 2006-09-15 10:45:24 | Attr =	]
(DLADResM) DLADResM [File_System | Auto | Running] -> %SystemRoot%\system32\DLA\DLADResM.SYS -> Roxio [Ver = 9.05.10a | Size = 9400 bytes | Modified Date = 2006-11-01 09:59:36 | Attr =	]
(DLAIFS_M) DLAIFS_M [File_System | Auto | Running] -> %SystemRoot%\system32\DLA\DLAIFS_M.SYS -> Roxio [Ver = 9.05.10a | Size = 104760 bytes | Modified Date = 2006-11-01 09:59:02 | Attr =	]
(DLAOPIOM) DLAOPIOM [File_System | Auto | Running] -> %SystemRoot%\system32\DLA\DLAOPIOM.SYS -> Roxio [Ver = 9.05.10a | Size = 26744 bytes | Modified Date = 2006-11-01 09:59:06 | Attr =	]
(DLAPoolM) DLAPoolM [File_System | Auto | Running] -> %SystemRoot%\system32\DLA\DLAPoolM.SYS -> Roxio [Ver = 9.05.10a | Size = 14520 bytes | Modified Date = 2006-11-01 09:59:02 | Attr =	]
(DLARTL_M) DLARTL_M [File_System | System | Running] -> %SystemRoot%\system32\drivers\DLARTL_M.SYS -> Roxio [Ver = local_build | Size = 28184 bytes | Modified Date = 2006-09-15 10:45:22 | Attr =	]
(DLAUDFAM) DLAUDFAM [File_System | Auto | Running] -> %SystemRoot%\system32\DLA\DLAUDFAM.SYS -> Roxio [Ver = 9.05.10a | Size = 94648 bytes | Modified Date = 2006-11-01 09:59:10 | Attr =	]
(DLAUDF_M) DLAUDF_M [File_System | Auto | Running] -> %SystemRoot%\system32\DLA\DLAUDF_M.SYS -> Roxio [Ver = 9.05.10a | Size = 98104 bytes | Modified Date = 2006-11-01 09:59:08 | Attr =	]
(DRVNDDM) DRVNDDM [File_System | Auto | Running] -> %SystemRoot%\system32\drivers\DRVNDDM.SYS -> Roxio [Ver = 9.05.01a | Size = 51768 bytes | Modified Date = 2006-09-15 10:42:52 | Attr =	]
(Iviaspi) IVI ASPI Shell [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\iviaspi.sys -> InterVideo, Inc. [Ver = 1, 0, 0, 0 | Size = 21060 bytes | Modified Date = 2003-09-11 01:36:54 | Attr =	]
(kl1) kl1 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\kl1.sys -> Kaspersky Lab [Ver = 6.1.18.0 | Size = 110360 bytes | Modified Date = 2007-03-03 21:39:06 | Attr =	]
(klif) klif [Kernel | System | Running] -> %SystemRoot%\system32\drivers\klif.sys -> Kaspersky Lab [Ver = 6.12.10.261 | Size = 175888 bytes | Modified Date = 2007-01-27 18:52:46 | Attr =	]
(LHidFilt) Logitech SetPoint KMDF HID Filter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\LHidFilt.Sys -> Logitech, Inc. [Ver = 4.60.42.00 | Size = 35344 bytes | Modified Date = 2008-02-29 03:13:16 | Attr =	]
(LMouFilt) Logitech SetPoint KMDF Mouse Filter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\LMouFilt.Sys -> Logitech, Inc. [Ver = 4.60.42.00 | Size = 36880 bytes | Modified Date = 2008-02-29 03:13:24 | Attr =	]
(ltmodem5) Agere Modem Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ltmdmnt.sys -> Agere Systems [Ver = 8.31 | Size = 652689 bytes | Modified Date = 2003-12-12 19:03:10 | Attr =	]
(LUsbFilt) Logitech SetPoint KMDF USB Filter [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\LUsbFilt.sys -> Logitech, Inc. [Ver = 4.60.42.00 | Size = 28944 bytes | Modified Date = 2008-02-29 03:13:46 | Attr =	]
(rtl8139) Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\R8139n51.sys -> Realtek Semiconductor Corporation		[Ver = 5.505.1004.2002 built by: WinDDK | Size = 46976 bytes | Modified Date = 2002-10-04 19:04:10 | Attr =	]
(SaiH0461) SaiH0461 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\SaiH0461.sys -> Saitek [Ver = 5.6.0.54 | Size = 182528 bytes | Modified Date = 2006-08-08 12:25:06 | Attr = R  ]
(SaiH075C) SaiH075C [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\SaiH075C.sys -> Saitek [Ver = 5.5.0.82 | Size = 176640 bytes | Modified Date = 2006-07-27 06:49:27 | Attr = R  ]
(SaiMini) SaiMini [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\SaiMini.sys -> Saitek [Ver = 5.5.0.82 | Size = 13824 bytes | Modified Date = 2006-07-27 06:49:34 | Attr = R  ]
(SaiNtBus) SaiNtBus [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\SaiBus.sys -> Saitek [Ver = 5.5.0.82 | Size = 35200 bytes | Modified Date = 2006-07-27 06:49:34 | Attr = R  ]
(WmBEnum) Logitech Virtual Bus Enumerator Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\WmBEnum.sys -> Logitech Inc. [Ver = 4.25.161 | Size = 10144 bytes | Modified Date = 2003-03-25 04:37:30 | Attr =	]
(WmFilter) Logitech WingMan HID Filter Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\WmFilter.sys -> Logitech Inc. [Ver = 4.25.161 | Size = 21216 bytes | Modified Date = 2003-03-25 04:37:34 | Attr =	]
(WmVirHid) Logitech Virtual Hid Device Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\WmVirHid.sys -> Logitech Inc. [Ver = 4.25.161 | Size = 5728 bytes | Modified Date = 2003-03-25 04:37:30 | Attr =	]
(WmXlCore) Logitech WingMan Translation Layer Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\WmXlCore.sys -> Logitech Inc. [Ver = 4.25.161 | Size = 40256 bytes | Modified Date = 2003-03-25 04:37:28 | Attr =	]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
AlcWzrd -> %SystemRoot%\ALCWZRD.EXE [ALCWZRD.EXE] -> RealTek Semicoductor Corp. [Ver = 1.1.0.19 | Size = 2805248 bytes | Modified Date = 2005-04-06 18:53:00 | Attr =	]
ATIPTA -> %ProgramFiles%\ATI Technologies\ATI Control Panel\atiptaxx.exe [C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe] -> ATI Technologies, Inc. [Ver = 6.14.10.5102 | Size = 335872 bytes | Modified Date = 2004-04-21 23:00:00 | Attr =	]
AVP -> %ProgramFiles%\PCSecurityShield\The Shield Deluxe 2008\avp.exe ["C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"] -> PCSecurityShield [Ver = 6.0.2.621 | Size = 200768 bytes | Modified Date = 2007-08-23 14:16:26 | Attr =	]
HP Component Manager -> %ProgramFiles%\HP\hpcoretech\hpcmpmgr.exe ["C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"] -> Hewlett-Packard Company [Ver = 2.1.1.0 | Size = 241664 bytes | Modified Date = 2003-12-22 08:38:42 | Attr =	]
HPDJ Taskbar Utility -> %SystemRoot%\system32\spool\drivers\w32x86\3\hpztsb10.exe [C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe] -> HP [Ver = 2.323.0.0 | Size = 172032 bytes | Modified Date = 2004-03-04 10:46:24 | Attr =	]
HPHmon05 -> %SystemRoot%\system32\hphmon05.exe [C:\WINDOWS\System32\hphmon05.exe] -> Hewlett-Packard [Ver = 5,1,7 | Size = 483328 bytes | Modified Date = 2003-08-21 05:15:48 | Attr =	]
HPHUPD05 -> %ProgramFiles%\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe [c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe] -> Hewlett-Packard [Ver = 5,1,7 | Size = 49152 bytes | Modified Date = 2003-08-21 05:23:08 | Attr =	]
hpsysdrv -> %SystemRoot%\system\hpsysdrv.exe [c:\windows\system\hpsysdrv.exe] -> Hewlett-Packard Company [Ver = 1, 7, 0, 0 | Size = 52736 bytes | Modified Date = 1998-05-07 18:04:38 | Attr =	]
KBD -> %SystemDrive%\hp\KBD\kbd.exe [C:\HP\KBD\KBD.EXE] -> Hewlett-Packard Company [Ver = 1.0.2.0 | Size = 61440 bytes | Modified Date = 2003-02-11 21:02:48 | Attr =	]
Kernel and Hardware Abstraction Layer -> %SystemRoot%\KHALMNPR.Exe [KHALMNPR.EXE] -> Logitech, Inc. [Ver = 4.60.42 | Size = 76304 bytes | Modified Date = 2008-02-29 03:12:38 | Attr =	]
LTMSG -> %SystemRoot%\ltmsg.exe [LTMSG.exe 7] -> Agere Systems [Ver = 3, 0, 0, 4 | Size = 40960 bytes | Modified Date = 2003-07-14 10:52:44 | Attr =	]
PS2 -> %SystemRoot%\system32\ps2.EXE [C:\WINDOWS\system32\ps2.exe] -> Hewlett-Packard Company [Ver = 1.0.2.1 | Size = 81920 bytes | Modified Date = 2002-10-16 17:57:10 | Attr =	]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> Apple Inc. [Ver = 7.1.6 | Size = 282624 bytes | Modified Date = 2007-04-27 09:41:54 | Attr =	]
Recguard -> %SystemRoot%\SMINST\Recguard.exe [C:\WINDOWS\SMINST\RECGUARD.EXE] ->  [Ver = 5, 0, 44, 2 | Size = 233472 bytes | Modified Date = 2004-04-14 15:43:46 | Attr =	]
RoxioDragToDisc -> %ProgramFiles%\Roxio\Drag-to-Disc\DrgToDsc.exe ["C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"] -> Roxio [Ver = 9.0.5.25 | Size = 1121016 bytes | Modified Date = 2006-11-15 10:05:00 | Attr =	]
SoundMan -> %SystemRoot%\SOUNDMAN.EXE [SOUNDMAN.EXE] -> Realtek Semiconductor Corp. [Ver = 1, 0, 0, 14 | Size = 90112 bytes | Modified Date = 2005-04-06 18:57:12 | Attr =	]
SunJavaUpdateSched -> %ProgramFiles%\Java\j2re1.4.2_03\bin\jusched.exe [C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe] ->  [Ver =  | Size = 32881 bytes | Modified Date = 2004-05-11 05:33:06 | Attr =	]
TotalRecorderScheduler -> %ProgramFiles%\HighCriteria\TotalRecorder\TotRecSched.exe ["C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"] -> High Criteria inc. [Ver = 5, 0, 0, 1 | Size = 81920 bytes | Modified Date = 2004-10-26 20:35:04 | Attr =	]
UpdateManager -> %CommonProgramFiles%\Sonic\Update Manager\sgtray.exe ["c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r] -> Sonic Solutions [Ver = 1.01.32a | Size = 110592 bytes | Modified Date = 2003-08-19 02:01:00 | Attr =	]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
AVP -> %ProgramFiles%\PCSecurityShield\The Shield Deluxe 2008\avp.exe ["C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"] -> PCSecurityShield [Ver = 6.0.2.621 | Size = 200768 bytes | Modified Date = 2007-08-23 14:16:26 | Attr =	]
BackupNotify -> %ProgramFiles%\HP\Digital Imaging\bin\BackupNotify.exe [c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe] -> Hewlett-Packard Company [Ver = 2004.01.08.0 | Size = 32768 bytes | Modified Date = 2004-01-09 03:34:10 | Attr =	]
< Administrator Startup Folder > -> C:\Documents and Settings\Administrator\Start Menu\Programs\Startup -> 
%UserProfile%\Start Menu\Programs\Startup\Microsoft Find Fast.lnk -> %ProgramFiles%\Microsoft Office\Office\FINDFAST.EXE ->  [Ver =  | Size = 111376 bytes | Modified Date = 1996-11-17 01:00:00 | Attr =	]
%UserProfile%\Start Menu\Programs\Startup\Office Startup.lnk -> %ProgramFiles%\Microsoft Office\Office\OSA.EXE ->  [Ver =  | Size = 51984 bytes | Modified Date = 1996-11-17 01:00:00 | Attr =	]
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
%AllUsersProfile%\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.1.0.2008042300 | Size = 29696 bytes | Modified Date = 2008-04-23 03:38:16 | Attr =	]
%AllUsersProfile%\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk -> %ProgramFiles%\GetRight\GetRight.exe -> Headlight Software, Inc. [Ver = 6.3d | Size = 4539456 bytes | Modified Date = 2008-03-04 21:18:14 | Attr =	]
%AllUsersProfile%\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 5.35.0.035 | Size = 237568 bytes | Modified Date = 2003-09-16 14:19:24 | Attr =	]
%AllUsersProfile%\Start Menu\Programs\Startup\Logitech SetPoint.lnk -> %ProgramFiles%\Logitech\SetPoint\SetPoint.exe -> Logitech, Inc. [Ver = 4.60.122 | Size = 805392 bytes | Modified Date = 2008-05-02 02:44:08 | Attr =	]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> %SystemRoot%\explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) | Size = 1033216 bytes | Modified Date = 2007-06-13 05:23:07 | Attr =	]
*MultiFile Done* -> -> 
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 
C:\WINDOWS\system32\userinit.exe -> %SystemRoot%\system32\userinit.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 24576 bytes | Modified Date = 2004-08-04 02:56:57 | Attr =	]
*MultiFile Done* -> -> 
*UIHost* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost -> 
logonui.exe -> %SystemRoot%\system32\logonui.exe -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 514560 bytes | Modified Date = 2004-08-04 02:56:50 | Attr =	]
*MultiFile Done* -> -> 
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet -> 
rundll32 shell32 -> %SystemRoot%\system32\shell32.dll -> Microsoft Corporation [Ver = 6.00.2900.3241 (xpsp_sp2_qfe.071025-1245) | Size = 8460288 bytes | Modified Date = 2007-10-25 22:34:01 | Attr =	]
Control_RunDLL "sysdm.cpl" -> %SystemRoot%\system32\sysdm.cpl -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 298496 bytes | Modified Date = 2004-08-04 02:56:57 | Attr =	]
*MultiFile Done* -> -> 
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
AtiExtEvent -> %SystemRoot%\system32\ati2evxx.dll -> ATI Technologies Inc. [Ver = 6.14.10.4107 | Size = 90112 bytes | Modified Date = 2004-09-09 19:11:16 | Attr =	]
igfxcui -> %SystemRoot%\system32\igfxsrvc.dll -> Intel Corporation [Ver = 3.0.0.3818 | Size = 344064 bytes | Modified Date = 2004-04-20 19:42:56 | Attr =	]
klogon -> %SystemRoot%\system32\klogon.dll -> PCSecurityShield [Ver = 6.0.2.621 | Size = 204864 bytes | Modified Date = 2007-08-23 14:03:48 | Attr =	]
LBTWlgn -> %CommonProgramFiles%\Logishrd\Bluetooth\LBTWLgn.dll -> Logitech, Inc. [Ver = 4.60.122 | Size = 72208 bytes | Modified Date = 2008-05-02 02:42:30 | Attr =	]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\dontdisplaylastusername -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticecaption ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticetext ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\shutdownwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\undockwithoutlogon -> 1 -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\disableregistrytools -> 0 -> 
< CDROM Autorun Setting > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->
*DependOnGroup* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DependOnGroup -> 
SCSI miniport ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> %SystemRoot%\system32\drivers\cdrom.sys [System32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 49536 bytes | Modified Date = 2004-08-04 00:59:52 | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun -> 1 -> 
*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable -> 
NEC	 MBR-7	->  -> File not found
NEC	 MBR-7.4  ->  -> File not found
PIONEER CHANGR DRM-1804X ->  -> File not found
PIONEER CD-ROM DRM-6324X ->  -> File not found
PIONEER CD-ROM DRM-624X  ->  -> File not found
TORiSAN CD-ROM CDR_C36 ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> -> 
< Drives with AutoRun files > ->  -> 
AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] ->  [Ver =  | Size = 0 bytes | Modified Date = 2004-05-11 04:30:04 | Attr =	]
AUTOEXEC.BAT [] -> D:\AUTOEXEC.BAT [ FAT32 ] ->  [Ver =  | Size = 0 bytes | Modified Date = 2001-07-27 14:07:38 | Attr =  HS]
Autorun.inf [[AUTORUN] | OPEN=Info.exe folder.htt 480 480 | ] -> D:\Autorun.inf [ FAT32 ] ->  [Ver =  | Size = 45 bytes | Modified Date = 2002-09-10 11:02:32 | Attr =  HS]
< HOSTS File > (258527 bytes and 9029 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 
First 25 entries...
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\Search Bar -> http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop -> 
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\Default_Page_URL -> http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop -> 
HKEY_CURRENT_USER\: Main\\Default_Search_URL -> http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop -> 
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\Search Bar -> http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop -> 
HKEY_CURRENT_USER\: Main\\Search Page -> http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop -> 
HKEY_CURRENT_USER\: Main\\Start Page -> about:blank -> 
HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 
HKEY_CURRENT_USER\: ProxyOverride -> localhost -> 
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4722 domain(s) found. -> 
44 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4705 domain(s) found. -> 
compuserve.com .[*] -> Out of zone range - ( 5 ) -> 
objects_compuserve.com [*] -> Out of zone range - ( 6 ) -> 
43 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 59032 bytes | Modified Date = 2006-12-18 04:16:42 | Attr =	]
{31FF080D-12A3-439A-A2EF-4BA95A3148E8} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\GetRight\xx2gr.dll [IE to GetRight Helper] -> Headlight Software, Inc. [Ver = 6.3a | Size = 246848 bytes | Modified Date = 2007-07-18 15:54:28 | Attr =	]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
 [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Value  does not exist or could not be read.] -> File not found
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\HP\Digital Imaging\bin\hpdtlk02.dll [HP view] -> Hewlett-Packard Company [Ver = 1.0.0.7 | Size = 98304 bytes | Modified Date = 2003-11-21 14:26:26 | Attr =	]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
ShellBrowser\\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\HP\Digital Imaging\bin\hpdtlk02.dll [HP view] -> Hewlett-Packard Company [Ver = 1.0.0.7 | Size = 98304 bytes | Modified Date = 2003-11-21 14:26:26 | Attr =	]
WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\HP\Digital Imaging\bin\hpdtlk02.dll [HP view] -> Hewlett-Packard Company [Ver = 1.0.0.7 | Size = 98304 bytes | Modified Date = 2003-11-21 14:26:26 | Attr =	]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Sun Java Console] -> File not found
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}:BandCLSID -> %ProgramFiles%\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll [Web Anti-Virus statistics] -> PCSecurityShield [Ver = 6.0.2.621 | Size = 241728 bytes | Modified Date = 2007-08-23 13:56:54 | Attr =	]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] ->  [Sun Java Console] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 
Download using FlashGet -> %ProgramFiles%\FlashGet\jc_link.htm -> File not found
Download with GetRight -> %ProgramFiles%\GetRight\GRDownload.htm ->  [Ver =  | Size = 994 bytes | Modified Date = 2006-03-29 16:35:14 | Attr =	]
E&xport to Microsoft Excel -> %SystemDrive%\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE -> File not found
Open with GetRight Browser -> %ProgramFiles%\GetRight\GRBrowse.htm ->  [Ver =  | Size = 977 bytes | Modified Date = 2006-03-29 16:35:14 | Attr =	]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{3FC63C6D-0F42-4609-B9CB-60E12746DF01} ->	() -> 
{BFD94FAA-D328-4615-88B1-9A2F91E398FB} ->	(Westell USB Network Interface) -> 
{F577D7A2-10AF-46FB-855E-4F266894875F} ->	(1394 Net Adapter) -> 
{FF103CE6-4D4B-4ED3-86CE-50142ECBC63A} ->	(Realtek RTL8139/810x Family Fast Ethernet NIC) -> 
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
cetihpz:{CF184AD3-CDCB-4168-A3F7-8E447D129300} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\HP\hpcoretech\comp\hpuiprot.dll[CZipHandler Object] -> Hewlett-Packard Company [Ver = 2.1.4 | Size = 81920 bytes | Modified Date = 2003-12-22 08:38:40 | Attr =	]
ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{44990301-3C9D-426D-81DF-AAB636FA4345}[HKEY_LOCAL_MACHINE] -> http://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab[Symantec Script Runner Class] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab[Java Plug-in 1.4.2_03] -> 
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}[HKEY_LOCAL_MACHINE] -> http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab[Reg Error: Key does not exist or could not be opened.] -> 
{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab[Java Plug-in 1.4.2_03] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] -> 
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/tgctlsr.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/tgctlsr.dll\\.Owner -> {44990301-3C9D-426D-81DF-AAB636FA4345} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/tgctlsr.dll\\{44990301-3C9D-426D-81DF-AAB636FA4345} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/GWFSPidGen.DLL\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/GWFSPidGen.DLL\\.Owner -> Unknown Owner -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/LegitCheckControl.DLL\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/LegitCheckControl.DLL\\.Owner -> Unknown Owner -> 



[Files/Folders - Created Within 30 days]
Avenger -> %SystemDrive%\Avenger ->  [Folder | Created Date = 2008-09-27 05:36:32 | Attr =	]
rsit -> %SystemDrive%\rsit ->  [Folder | Created Date = 2008-09-04 17:21:19 | Attr =	]

[Files/Folders - Modified Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 2146816000 bytes | Modified Date = 2008-09-27 05:37:05 | Attr =  HS]
fidbox.dat -> %SystemRoot%\System32\drivers\fidbox.dat ->  [Ver =  | Size = 50150944 bytes | Modified Date = 2008-09-27 05:47:39 | Attr =  HS]
fidbox.idx -> %SystemRoot%\System32\drivers\fidbox.idx ->  [Ver =  | Size = 672500 bytes | Modified Date = 2008-09-23 04:47:11 | Attr =  HS]
fidbox2.dat -> %SystemRoot%\System32\drivers\fidbox2.dat ->  [Ver =  | Size = 520480 bytes | Modified Date = 2008-09-27 05:42:45 | Attr =  HS]
fidbox2.idx -> %SystemRoot%\System32\drivers\fidbox2.idx ->  [Ver =  | Size = 49796 bytes | Modified Date = 2008-09-23 04:47:11 | Attr =  HS]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl ->  [Ver =  | Size = 1158 bytes | Modified Date = 2008-09-27 05:37:14 | Attr =	]
hpsysdrv.DAT -> %SystemRoot%\System\hpsysdrv.DAT ->  [Ver =  | Size = 188 bytes | Modified Date = 2008-09-27 05:38:38 | Attr =	]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 2008-09-27 05:37:08 | Attr =   S]
1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs ->  [Folder | Modified Date = 2004-11-22 13:29:03 | Attr =	]
eHomeLog-0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\eHomeLog-0.dat ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-07-11 07:39:45 | Attr =  H ]
eHomeLog-1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\eHomeLog-1.dat ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-07-11 13:54:55 | Attr =  H ]
eHomeLog-10.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\eHomeLog-10.dat ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-07-25 05:05:04 | Attr =  H ]
eHomeLog-11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\eHomeLog-11.dat ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-07-27 12:32:43 | Attr =  H ]
eHomeLog-12.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\eHomeLog-12.dat ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-07-28 18:20:13 | Attr =  H ]
eHomeLog-13.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\eHomeLog-13.dat ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-07-29 17:35:14 | Attr =  H ]
eHomeLog-14.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\eHomeLog-14.dat ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-07-31 18:38:55 | Attr =  H ]

< End of report >


#15 harrythook

Posted 27 September 2008 - 12:54 PM

Hi dobk,
Good job on that. Let's do this:

Start OTScanIt. Copy/Paste the information in the Code box below into the pane where it says "Paste fix here" and then click the Run Fix button.


[Processes - Non-Microsoft Only]
YY -> getright.exe -> %ProgramFiles%\GetRight\GetRight.exe
[Registry - Non-Microsoft Only]
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
YY -> %AllUsersProfile%\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk -> %ProgramFiles%\GetRight\GetRight.exe
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {31FF080D-12A3-439A-A2EF-4BA95A3148E8} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\GetRight\xx2gr.dll [IE to GetRight Helper]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Sun Java Console]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
YN -> Download using FlashGet -> %ProgramFiles%\FlashGet\jc_link.htm
YY -> Download with GetRight -> %ProgramFiles%\GetRight\GRDownload.htm
NY -> Open with GetRight Browser -> %ProgramFiles%\GetRight\GRBrowse.htm
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
YN -> {3FC63C6D-0F42-4609-B9CB-60E12746DF01} -> ()
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {44990301-3C9D-426D-81DF-AAB636FA4345}[HKEY_LOCAL_MACHINE] -> http://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab[Symantec Script Runner Class]
[Files/Folders - Modified Within 30 days]
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTScanIt scan.

Follow the earlier steps to save this to your removable media and transfer it to the infected machine.
Please download HostsXpert 4.2
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

I will review all the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Harry

Veni Vidi Vici
THE FIGHT AGAINST MALWARE
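As an added illustration of the hosts-file step above (not code from the thread or from HostsXpert), this Python example parses a hosts file, separates the default localhost line from the user's own entries, flags mappings of the kind a hosts hijack leaves behind, and rebuilds a default file that re-adds only the kept entries. The sample file, its hostnames and addresses, and the loopback/RFC1918 heuristic are assumptions of this example.

```python
import ipaddress

# Constructed sample hosts file for this example (not from the thread): the Windows
# default line, one LAN entry the user added, and two entries of the kind a hosts
# hijack leaves behind (hostnames and addresses are made up).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    printer.lan               # user's own LAN entry
127.0.0.1       update.example-av.test    # vendor host pinned to loopback
203.0.113.7     www.example-bank.test     # name sent to a foreign address
"""

LOOPBACK = {"127.0.0.1", "::1"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hosts(text):
    """Return (address, hostname) pairs, ignoring comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue            # first field is not an address: skip rather than guess
        entries.extend((str(addr), name.lower()) for name in fields[1:])
    return entries

def classify(entries):
    """Split entries into default, custom (keep) and suspicious (review).

    Heuristic (an assumption of this example): a loopback mapping for anything but
    localhost, or a name sent to a non-RFC1918 address, deserves a look before it is kept.
    """
    default, custom, suspicious = [], [], []
    for addr, name in entries:
        ip = ipaddress.ip_address(addr)
        if name == "localhost" and addr in LOOPBACK:
            default.append((addr, name))
        elif addr in LOOPBACK or not any(ip in net for net in RFC1918):
            suspicious.append((addr, name))
        else:
            custom.append((addr, name))
    return default, custom, suspicious

def rebuild_hosts(custom):
    """Rebuild a default hosts file, re-adding only the entries the user chose to keep."""
    lines = ["# Restored default hosts file", "127.0.0.1       localhost"]
    lines += [f"{addr:<15} {name}" for addr, name in custom]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    default, custom, suspicious = classify(parse_hosts(SAMPLE_HOSTS))
    for addr, name in suspicious:
        print(f"REVIEW  {addr:<15} {name}")
    print(rebuild_hosts(custom), end="")
```

On a real machine the text would be read from %SystemRoot%\system32\drivers\etc\hosts, and the rebuilt file written back only after the flagged entries have been reviewed.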




