
Popups, Modified Home Page, Address Bar..


12 replies to this topic

#1 Simonsays

  • Members
  • 21 posts

Posted 29 August 2008 - 06:19 PM

So I get this computer from a friend who wants it fixed. He knows nothing about computers, so I would be surprised if he knew about HiJackThis :thumbsup: . Well, I don't know how to read the logs, so I am in need of help from the experts here at BleepingComputer.com

Here are the problems:
  • Intel Boot File Failed?
  • Homepage modified
  • Address Bar Disappeared (I got it back, was just unchecked)
  • Toolbars...
  • Virus program with no remove file and not in the add/remove files
Here's the log..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:30 PM, on 8/29/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\java.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\VirusIsolator\VirusIsolator.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.webtvparty.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webtvparty.com/search.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {CE3BD90E-65A2-40D4-B0B0-D33515C8802C} - C:\WINNT\System32\awtrOhFy.dll (file missing)
O2 - BHO: (no name) - {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} - C:\WINNT\system32\nnnkifEv.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {B21EAD36-EC0C-4B82-B102-1AB20B481977} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [VirusIsolator.exe] C:\Program Files\VirusIsolator\VirusIsolator.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversFWBInitialSetup1.0.0.15-3.cab
O20 - Winlogon Notify: nnnkifEv - nnnkifEv.dll (file missing)
O21 - SSODL: vadokmxt - {85D6D3D0-6CDE-4E1E-9714-59D6B4230BAD} - C:\WINNT\vadokmxt.dll
O21 - SSODL: wdpoefan - {5CB2273D-2E7C-4CF3-A5E5-AB9B86CAF7A2} - C:\WINNT\wdpoefan.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 4528 bytes
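As an added example (not part of the original post, and not code from Trend Micro's HijackThis), the following Python script parses HijackThis entry lines and applies three of the checks an analyst makes by hand on a log like the one above: entries whose target file HijackThis could not find on disk, IE start/search-page and ActiveX-download (O16) URLs whose host is outside a small allowlist, and loaders whose DLL base name is exactly eight bare letters, which is the pattern shared by awtrOhFy.dll, nnnkifEv.dll, vadokmxt.dll and wdpoefan.dll in this log. The sample lines are copied from the log above; the allowlist and the eight-letter heuristic are assumptions for illustration, and a hit is a prompt to look closer, not a verdict.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: entry lines copied from the HijackThis log posted above,
# with a few benign lines kept so the allowlist logic is exercised as well.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.webtvparty.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webtvparty.com/search.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CE3BD90E-65A2-40D4-B0B0-D33515C8802C} - C:\WINNT\System32\awtrOhFy.dll (file missing)
O2 - BHO: (no name) - {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} - C:\WINNT\system32\nnnkifEv.dll (file missing)
O3 - Toolbar: (no name) - {B21EAD36-EC0C-4B82-B102-1AB20B481977} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversFWBInitialSetup1.0.0.15-3.cab
O20 - Winlogon Notify: nnnkifEv - nnnkifEv.dll (file missing)
O21 - SSODL: vadokmxt - {85D6D3D0-6CDE-4E1E-9714-59D6B4230BAD} - C:\WINNT\vadokmxt.dll
O21 - SSODL: wdpoefan - {5CB2273D-2E7C-4CF3-A5E5-AB9B86CAF7A2} - C:\WINNT\wdpoefan.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
"""

# One HijackThis entry per line: a section code (R0, O2, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r'^(?P<section>[RO]\d+) - (?P<body>.+)$')
# HijackThis appends one of these when it cannot find the referenced file on disk.
MISSING_RE = re.compile(r'\((?:file missing|no file)\)$')
# Assumption for illustration: a DLL whose base name is exactly eight bare letters
# (awtrOhFy.dll, vadokmxt.dll, ...) deserves a second look.
EIGHT_LETTER_DLL_RE = re.compile(r'(?<![A-Za-z])([A-Za-z]{8})\.dll\b')
URL_RE = re.compile(r'https?://\S+')
# Assumption: hosts that IE start/search pages and ActiveX downloads are expected to use.
TRUSTED_HOSTS = ('microsoft.com', 'msn.com', 'java.sun.com')


@dataclass
class Finding:
    section: str
    reasons: list
    line: str


def host_of(url):
    return (urlparse(url).hostname or '').lower()


def is_trusted_host(host):
    return any(host == h or host.endswith('.' + h) for h in TRUSTED_HOSTS)


def triage_entry(section, body):
    """Return the reasons (possibly none) this single entry deserves attention."""
    reasons = []
    if MISSING_RE.search(body):
        reasons.append('target file is not on disk (orphaned entry or deleted loader)')
    m = EIGHT_LETTER_DLL_RE.search(body)
    if m:
        reasons.append(f'eight-letter DLL name {m.group(1)}.dll fits a generated-name pattern')
    if section in ('R0', 'R1', 'O16'):
        for url in URL_RE.findall(body):
            host = host_of(url)
            if not is_trusted_host(host):
                reasons.append(f'URL host {host} is not on the allowlist')
    return reasons


def triage_log(text):
    """Parse every entry line of a HijackThis log and keep the ones with findings."""
    findings = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        reasons = triage_entry(m['section'], m['body'])
        if reasons:
            findings.append(Finding(m['section'], reasons, raw.strip()))
    return findings


def eight_letter_dlls(text):
    """Distinct eight-letter DLL base names anywhere in the log, to cross-reference sections."""
    return sorted({m.group(1) for m in EIGHT_LETTER_DLL_RE.finditer(text)})


if __name__ == '__main__':
    for f in triage_log(SAMPLE_LOG):
        print(f'{f.section}: {f.line}')
        for r in f.reasons:
            print(f'    - {r}')
    print('eight-letter DLLs:', ', '.join(eight_letter_dlls(SAMPLE_LOG)))
```

Running it on the sample flags eleven of the fourteen lines and leaves the Adobe BHO, the Java Run entry and the AOL connectivity service alone. The value of the last helper is the cross-reference: the same eight-letter names recur across O2, O20 and O21, which is what an analyst reads as one install rather than four unrelated entries; a different log may need a different allowlist and a different naming heuristic.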



#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 29 August 2008 - 06:32 PM

Hello Simonsays

Welcome to BleepingComputer :thumbsup:
========================
Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
    • Rootkit Search - Yes
    • Drivers - Non Microsoft
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

If, after posting, the last line is not <End of Report> then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 Simonsays (Topic Starter)

  • Members
  • 21 posts

Posted 29 August 2008 - 07:22 PM

Thanks, but I do not see Rootkit Search or Driver -non-microsoft.


Here's the log though..

[code]
OTScanIt logfile created on: 8/29/2008 5:20:30 PM
OTScanIt by OldTimer - Version 1.0.17.0	 Folder = C:\Documents and Settings\Owner.GEORGIEBOY\Desktop\OTScanIt
Windows XP Home Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
246.73 Mb Total Physical Memory | 77.23 Mb Available Physical Memory | 31.30% Memory free
605.79 Mb Paging File | 426.31 Mb Available in Paging File | 70.37% Paging File free
Paging file location(s): C:\pagefile.sys 372 744;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 9.32 Gb Free Space | 25.02% Space Free | Partition Type: NTFS
Drive D: | 480.33 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GEORGIEBOY
Current User Name: Owner
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
aolacsd.exe -> %CommonProgramFiles%\AOL\ACS\AOLacsd.exe -> America Online [Ver = 3.0.0.1 | Size = 10328 bytes | Modified Date = 10/20/2004 7:40:04 AM | Attr = R  ]
linksysupdater.exe -> %ProgramFiles%\Linksys\Linksys Updater\bin\LinksysUpdater.exe ->  [Ver =  | Size = 204800 bytes | Modified Date = 1/15/2008 10:28:20 AM | Attr =	]
wanmpsvc.exe -> %SystemRoot%\wanmpsvc.exe -> America Online, Inc. [Ver = 9, 0, 0, 0 | Size = 65536 bytes | Modified Date = 8/27/2003 10:27:44 AM | Attr =	]
java.exe -> %SystemRoot%\system32\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Modified Date = 9/24/2007 10:30:28 PM | Attr =	]
mwsoemon.exe -> %ProgramFiles%\MyWebSearch\bar\1.bin\MWSOEMON.EXE -> MyWebSearch.com [Ver = 1,2,2,4 | Size = 28672 bytes | Modified Date = 4/13/2008 1:47:37 PM | Attr =	]
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 1:11:35 AM | Attr =	]
jucheck.exe -> %ProgramFiles%\Java\jre1.6.0_03\bin\jucheck.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 329104 bytes | Modified Date = 9/25/2007 1:11:35 AM | Attr =	]
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.17.0 | Size = 402944 bytes | Modified Date = 8/26/2008 8:26:02 PM | Attr =	]

[Win32 Services - Non-Microsoft Only]
(AOL ACS) AOL Connectivity Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\AOL\ACS\AOLacsd.exe -> America Online [Ver = 3.0.0.1 | Size = 10328 bytes | Modified Date = 10/20/2004 7:40:04 AM | Attr = R  ]
(AOLService) AOL Spyware Protection Service [Win32_Own | Auto | Stopped] -> %SystemDrive%\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe -> File not found
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.0.503.0 | Size = 204800 bytes | Modified Date = 3/31/2003 5:00:00 AM | Attr =	]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/4/2005 12:41:10 AM | Attr =	]
(LinksysUpdater) Linksys Updater [Win32_Own | Auto | Running] -> %ProgramFiles%\Linksys\Linksys Updater\bin\LinksysUpdater.exe ->  [Ver =  | Size = 204800 bytes | Modified Date = 1/15/2008 10:28:20 AM | Attr =	]
(NetSvc) Intel NCS NetService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Intel\NCS\Sync\NetSvc.exe -> Intel(R) Corporation [Ver = 1.2.26.0 | Size = 143360 bytes | Modified Date = 3/3/2003 12:33:40 PM | Attr =	]
(WANMiniportService) WAN Miniport (ATW) Service [Win32_Own | Auto | Running] -> %SystemRoot%\wanmpsvc.exe -> America Online, Inc. [Ver = 9, 0, 0, 0 | Size = 65536 bytes | Modified Date = 8/27/2003 10:27:44 AM | Attr =	]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe ["C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 1:11:35 AM | Attr =	]
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce -> 
MyWebSearch bar Uninstall -> %ProgramFiles%\Uninstall Fun Web Products.dll [rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3] -> MyWebSearch.com [Ver = 2, 2, 60, 11 | Size = 381012 bytes | Modified Date = 4/13/2008 1:47:37 PM | Attr =	]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
VirusIsolator.exe -> %ProgramFiles%\VirusIsolator\VirusIsolator.exe [C:\Program Files\VirusIsolator\VirusIsolator.exe] -> VirusIsolator Software [Ver = 1.0.0.1 | Size = 976384 bytes | Modified Date = 4/24/2008 1:00:39 PM | Attr =	]
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad -> 
{85D6D3D0-6CDE-4E1E-9714-59D6B4230BAD} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\vadokmxt.dll [vadokmxt] ->  [Ver =  | Size = 196608 bytes | Modified Date = 4/24/2008 2:29:12 AM | Attr =	]
{5CB2273D-2E7C-4CF3-A5E5-AB9B86CAF7A2} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\wdpoefan.dll [wdpoefan] ->  [Ver =  | Size = 225280 bytes | Modified Date = 4/24/2008 2:29:14 AM | Attr =	]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 
{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\nnnkifEv.dll [] -> File not found
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> %SystemRoot%\explorer.exe -> Microsoft Corporation [Ver = 6.00.2800.1106 (xpsp1.020828-1920) | Size = 1004032 bytes | Modified Date = 3/31/2003 5:00:00 AM | Attr =	]
*MultiFile Done* -> -> 
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 
C:\WINNT\system32\userinit.exe -> %SystemRoot%\system32\userinit.exe -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 22016 bytes | Modified Date = 3/31/2003 5:00:00 AM | Attr =	]
*MultiFile Done* -> -> 
*UIHost* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost -> 
logonui.exe -> %SystemRoot%\system32\logonui.exe -> Microsoft Corporation [Ver = 6.00.2800.1106 (xpsp1.020828-1920) | Size = 504320 bytes | Modified Date = 3/31/2003 5:00:00 AM | Attr =	]
*MultiFile Done* -> -> 
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet -> 
rundll32 shell32 -> %SystemRoot%\system32\shell32.dll -> Microsoft Corporation [Ver = 6.00.2800.1873 (xpsp2.060713-0016) | Size = 8353280 bytes | Modified Date = 7/13/2006 6:46:56 AM | Attr =	]
Control_RunDLL "sysdm.cpl" -> %SystemRoot%\system32\sysdm.cpl -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 268288 bytes | Modified Date = 3/31/2003 5:00:00 AM | Attr =	]
*MultiFile Done* -> -> 
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
igfxcui -> %SystemRoot%\system32\igfxsrvc.dll -> Intel Corporation [Ver = 3.0.0.2209 | Size = 319488 bytes | Modified Date = 7/10/2003 3:12:26 AM | Attr =	]
nnnkifEv ->  -> File not found
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ not found. -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\dontdisplaylastusername -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticecaption ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticetext ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\shutdownwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\undockwithoutlogon -> 1 -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr -> 1 -> 
< CDROM Autorun Setting > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->
*DependOnGroup* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DependOnGroup -> 
SCSI miniport ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> %SystemRoot%\system32\drivers\cdrom.sys [System32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 47488 bytes | Modified Date = 3/31/2003 5:00:00 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun -> 1 -> 
*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable -> 
NEC	 MBR-7	->  -> File not found
NEC	 MBR-7.4  ->  -> File not found
PIONEER CHANGR DRM-1804X ->  -> File not found
PIONEER CD-ROM DRM-6324X ->  -> File not found
PIONEER CD-ROM DRM-624X  ->  -> File not found
TORiSAN CD-ROM CDR_C36 ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> -> 
< Drives with AutoRun files > ->  -> 
AUTORUN.INF [[autorun] | ACTION=Linksys RangePlus Wireless Router | ICON=Setup.exe,0 | LABEL=Linksys WRT110 | OPEN=Setup.exe | ] -> D:\AUTORUN.INF [ CDFS ] ->  [Ver =  | Size = 109 bytes | Modified Date = 1/21/2008 1:04:21 PM | Attr = R  ]
< HOSTS File > (734 bytes and 19 lines) -> C:\WINNT\System32\drivers\etc\Hosts -> 
127.0.0.1	   localhost
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\Search Bar -> http://www.webtvparty.com/searchbar.html -> 
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://www.webtvparty.com/search.html -> 
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINNT\System32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\Start Page -> http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2 -> 
HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> Adobe Systems Incorporated [Ver = 6.0.0.2003051500 | Size = 50376 bytes | Modified Date = 5/14/2003 11:47:54 PM | Attr =	]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 1:11:33 AM | Attr =	]
{CE3BD90E-65A2-40D4-B0B0-D33515C8802C} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\System32\awtrOhFy.dll [Reg Error: Value  does not exist or could not be read.] -> File not found
{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\nnnkifEv.dll [Reg Error: Value  does not exist or could not be read.] -> File not found
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
{8E718888-423F-11D2-876E-00A0C9082467} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\msdxm.ocx [&Radio] ->  [Ver =  | Size = 844048 bytes | Modified Date = 9/17/2003 12:01:28 PM | Attr =	]
{B21EAD36-EC0C-4B82-B102-1AB20B481977} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Sun Java Console] -> File not found
{c95fe080-8f5d-11d2-a20b-00aa003c157a}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [@shdoclc.dll,-866] -> File not found
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [] -> File not found
CmdMapping: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [] -> File not found
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] ->  [Sun Java Console] -> File not found
CmdMapping\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKEY_LOCAL_MACHINE] ->  [@shdoclc.dll,-866] -> File not found
CmdMapping\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Value MenuText does not exist or could not be read.] -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{3028BF3B-89B5-4F31-8862-3FED9F8B52EF} ->	(Intel(R) PRO/100 VE Network Connection) -> 
< Default Protocols [HKEY_CURRENT_USER\] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults -> 
shell -> shell protocol not assigned -> 
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
vnd.ms.radio:{3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\msdxm.ocx[AsyncPProt Class] ->  [Ver =  | Size = 844048 bytes | Modified Date = 9/17/2003 12:01:28 PM | Attr =	]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}[HKEY_LOCAL_MACHINE] -> http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversFWBInitialSetup1.0.0.15-3.cab[Reg Error: Key does not exist or could not be opened.] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] -> 
{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab[Java Plug-in 1.4.2] -> 
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] -> 
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->


[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\EnableDCOM -> Y -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\\System.EnterpriseServices.Thunk.dll ->  -> 
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ not found. -> -> 
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ not found. -> -> 
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ not found. -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ -> ->
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> 
msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 108544 bytes | Modified Date = 3/31/2003 5:00:00 AM | Attr =	]
C:\WINNT\System32\awtrOhFy ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds -> 0  [binary data] -> 
*Security Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages -> 
kerberos -> %SystemRoot%\system32\kerberos.dll -> Microsoft Corporation [Ver = 5.1.2600.1701 (xpsp2.050614-1532) | Size = 285184 bytes | Modified Date = 6/15/2005 10:50:24 AM | Attr =	]
msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 108544 bytes | Modified Date = 3/31/2003 5:00:00 AM | Attr =	]
schannel -> %SystemRoot%\system32\schannel.dll -> Microsoft Corporation [Ver = 5.1.2600.1347 (xpsp2.040109-1800) | Size = 136704 bytes | Modified Date = 3/29/2004 6:48:36 PM | Attr =	]
wdigest -> %SystemRoot%\system32\wdigest.dll -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 46592 bytes | Modified Date = 3/31/2003 5:00:00 AM | Attr =	]
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid -> 720 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\auditbaseobjects -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\crashonauditfail -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\disabledomaincreds -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\everyoneincludesanonymous -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fipsalgorithmpolicy -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\forceguest -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fullprivilegeauditing ->  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\limitblankpassworduse -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nodefaultadminowner -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nolmhash -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymous -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymoussam -> 1 -> 
*Notification Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages -> 
scecli -> %SystemRoot%\system32\scecli.dll -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 174592 bytes | Modified Date = 3/31/2003 5:00:00 AM | Attr =	]
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ -> -> 
*ProviderOrder* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\\ProviderOrder -> 
Windows NT Access Provider ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\\ProviderPath -> %SystemRoot%\system32\ntmarta.dll [%SystemRoot%\system32\ntmarta.dll] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 112128 bytes | Modified Date = 3/31/2003 5:00:00 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\\Pattern -> 9E 03 AA BD FC 2E 27 FB 0F 3B 85 74 E3 AA FF E0 36 63 61 61 31 63 62 39 00 00 00 00 01 00 00 00 B4 01 00 00 B8 01 00 00 34 CA 06 00 45 9D BF 71 04 00 00 00 10 00 00 00 00 00 00 00 E2 6F 39 FA  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\\GrafBlumGroup -> 34 8C A5 CB 6E 5F 73 02 F7  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\\Lookup -> 92 6D 0B C3 FC 81  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0\\ntlmminclientsec -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0\\ntlmminserversec -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\\SkewMatrix -> 83 68 CE 5F 32 46 06 50 A5 2F 62 CB 8B 5E 9B 24  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\\SSOURL -> http://www.passport.com -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\\Time -> 1C 4B 00 3A 13 A4 C3 01  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Name -> Digest -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Comment -> Digest SSPI Authentication Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Capabilities -> 16464 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\RpcId -> 65535 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\TokenSize -> 65535 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Time -> 00 E0 23 0E 7D F7 C2 01  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Name -> DPA -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Comment -> DPA Security Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Capabilities -> 55 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\RpcId -> 17 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\TokenSize -> 768 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Time -> 00 E0 23 0E 7D F7 C2 01  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Name -> MSN -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Comment -> MSN Security Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Capabilities -> 55 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\RpcId -> 18 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\TokenSize -> 768 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Time -> 00 E0 23 0E 7D F7 C2 01  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 3 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> %SystemRoot%\system32\svchost.exe [%SystemRoot%\System32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 12800 bytes | Modified Date = 3/31/2003 5:00:00 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> Netman;NLA;RasMan;ALG; -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup ->  -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> %SystemRoot%\system32\ipnathlp.dll [%SystemRoot%\System32\ipnathlp.dll] -> Microsoft Corporation [Ver = 5.1.2600.1364 (xpsp2.040109-1800) | Size = 439808 bytes | Modified Date = 3/29/2004 6:48:36 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\\Security -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> %SystemRoot%\system32\svchost.exe [%systemroot%\system32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 12800 bytes | Modified Date = 3/31/2003 5:00:00 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> %SystemRoot%\system32\wuauserv.dll [C:\WINNT\System32\wuauserv.dll] -> Microsoft Corporation [Ver = 5.4.3630.1106 (xpsp1.020828-1920) | Size = 9216 bytes | Modified Date = 3/31/2003 5:00:00 AM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 -> 
Reg Error: Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ not found. -> -> 
Reg Error: Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\ not found. -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable -> 0 -> 


[Files/Folders - Created Within 30 days]
java.exe -> %SystemRoot%\System32\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 8/28/2008 12:51:19 PM | Attr =	]
javacpl.cpl -> %SystemRoot%\System32\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 69632 bytes | Created Date = 8/28/2008 12:51:19 PM | Attr =	]
javaw.exe -> %SystemRoot%\System32\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 8/28/2008 12:51:19 PM | Attr =	]
javaws.exe -> %SystemRoot%\System32\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 139264 bytes | Created Date = 8/28/2008 12:51:19 PM | Attr =	]
[Files Created - Additional Folder Scans - Non-Microsoft Only]
Linksys -> %AllUsersProfile%\Application Data\Linksys ->  [Folder | Created Date = 8/28/2008 12:51:58 PM | Attr =	]
Adobe -> %AppData%\Adobe ->  [Folder | Created Date = 8/28/2008 12:33:04 PM | Attr =	]
AdobeUM -> %AppData%\AdobeUM ->  [Folder | Created Date = 8/28/2008 12:33:26 PM | Attr =	]
Sun -> %AppData%\Sun ->  [Folder | Created Date = 8/28/2008 12:49:26 PM | Attr =	]
Adobe -> %UserProfile%\Local Settings\Application Data\Adobe ->  [Folder | Created Date = 8/28/2008 12:33:13 PM | Attr =	]
My eBooks -> %UserProfile%\My Documents\My eBooks ->  [Folder | Created Date = 8/28/2008 12:33:07 PM | Attr =	]
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk ->  [Ver =  | Size = 1734 bytes | Created Date = 8/29/2008 4:14:19 PM | Attr =	]
HJTInstall.exe -> %UserProfile%\Desktop\HJTInstall.exe -> Trend Micro Inc. [Ver = 2.00.2 | Size = 812344 bytes | Created Date = 8/29/2008 4:14:12 PM | Attr =	]
OTScanIt -> %UserProfile%\Desktop\OTScanIt ->  [Folder | Created Date = 8/29/2008 5:18:22 PM | Attr =	]
OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe ->  [Ver =  | Size = 573647 bytes | Created Date = 8/29/2008 5:17:55 PM | Attr =	]
Linksys -> %ProgramFiles%\Linksys ->  [Folder | Created Date = 8/28/2008 12:51:39 PM | Attr =	]
Trend Micro -> %ProgramFiles%\Trend Micro ->  [Folder | Created Date = 8/29/2008 4:14:19 PM | Attr =	]
Uninstall Fun Web Products.dll -> %ProgramFiles%\Uninstall Fun Web Products.dll -> MyWebSearch.com [Ver = 2, 2, 60, 11 | Size = 381012 bytes | Created Date = 8/29/2008 4:13:10 PM | Attr =	]

[Files/Folders - Modified Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 258789376 bytes | Modified Date = 8/29/2008 4:00:54 PM | Attr =  HS]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 8/29/2008 4:14:19 PM | Attr =	]
CatRoot2 -> %SystemRoot%\System32\CatRoot2 ->  [Folder | Modified Date = 8/29/2008 4:01:24 PM | Attr =	]
1 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> 
wpa.dbl -> %SystemRoot%\System32\wpa.dbl ->  [Ver =  | Size = 1158 bytes | Modified Date = 8/29/2008 4:00:59 PM | Attr =	]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 8/29/2008 4:00:57 PM | Attr =   S]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 8/28/2008 1:15:18 PM | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 8/28/2008 12:51:46 PM | Attr =  HS]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 8/29/2008 5:18:23 PM | Attr =	]
system32 -> %SystemRoot%\system32 ->  [Folder | Modified Date = 8/29/2008 4:13:03 PM | Attr =	]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 8/28/2008 12:51:43 PM | Attr =	]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 8/29/2008 4:01:02 PM | Attr =  H ]
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader ->  [Folder | Modified Date = 12/19/2003 7:13:56 PM | Attr =	]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver =  | Size = 5476 bytes | Modified Date = 8/14/2008 9:29:51 AM | Attr =	]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver =  | Size = 4232 bytes | Modified Date = 8/14/2008 9:29:51 AM | Attr =	]
C:\Documents and Settings\All Users\Application Data\Microsoft\Works\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works ->  [Folder | Modified Date = 4/22/2008 6:27:28 AM | Attr =	]
CalMRU.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works\CalMRU.dat ->  [Ver =  | Size = 780 bytes | Modified Date = 12/17/2004 8:21:59 PM | Attr =	]
wkcalcat.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works\wkcalcat.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 1/31/2004 2:24:36 PM | Attr =	]
wklntnts.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works\wklntnts.dat ->  [Ver =  | Size = 531672 bytes | Modified Date = 5/14/2008 7:29:08 AM | Attr =	]
wklntsk.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works\wklntsk.dat ->  [Ver =  | Size = 531672 bytes | Modified Date = 5/14/2008 7:29:08 AM | Attr =	]
C:\Documents and Settings\Owner.GEORGIEBOY\Local Settings\Temp\McDMTemp007\ -> C:\Documents and Settings\Owner.GEORGIEBOY\Local Settings\Temp\McDMTemp007 ->  [Folder | Modified Date = 8/29/2008 4:11:28 PM | Attr =	]
DwnldMgr.exe -> C:\Documents and Settings\Owner.GEORGIEBOY\Local Settings\Temp\McDMTemp007\DwnldMgr.exe -> McAfee, Inc. [Ver = 2,0,132,0 | Size = 882008 bytes | Modified Date = 8/21/2007 12:51:04 PM | Attr =	]
C:\Documents and Settings\Owner.GEORGIEBOY\Local Settings\Temp\ -> C:\Documents and Settings\Owner.GEORGIEBOY\Local Settings\Temp ->  [Folder | Modified Date = 8/29/2008 5:15:36 PM | Attr =	]
uninst.dll -> C:\Documents and Settings\Owner.GEORGIEBOY\Local Settings\Temp\uninst.dll ->  [Ver =  | Size = 114688 bytes | Modified Date = 11/19/2004 12:54:58 PM | Attr =	]
13 C:\Documents and Settings\Owner.GEORGIEBOY\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Owner.GEORGIEBOY\Local Settings\Temp\*.tmp -> 
C:\Documents and Settings\Owner.GEORGIEBOY\Local Settings\Temp\McDMTemp007\ -> C:\Documents and Settings\Owner.GEORGIEBOY\Local Settings\Temp\McDMTemp007 ->  [Folder | Modified Date = 8/29/2008 4:11:28 PM | Attr =	]
DMRes.dll -> C:\Documents and Settings\Owner.GEORGIEBOY\Local Settings\Temp\McDMTemp007\DMRes.dll -> McAfee, Inc. [Ver = 6666,7777,9999,8888 | Size = 12576 bytes | Modified Date = 10/5/2007 9:00:54 AM | Attr =	]
McBrwsr2.dll -> C:\Documents and Settings\Owner.GEORGIEBOY\Local Settings\Temp\McDMTemp007\McBrwsr2.dll -> McAfee, Inc. [Ver = 8,0,157,0 | Size = 255344 bytes | Modified Date = 8/21/2007 12:19:20 PM | Attr =	]
McUtil.dll -> C:\Documents and Settings\Owner.GEORGIEBOY\Local Settings\Temp\McDMTemp007\McUtil.dll -> McAfee, Inc. [Ver = 8,0,157,0 | Size = 122224 bytes | Modified Date = 8/21/2007 12:19:18 PM | Attr =	]
MispLF.dll -> C:\Documents and Settings\Owner.GEORGIEBOY\Local Settings\Temp\McDMTemp007\MispLF.dll -> McAfee, Inc. [Ver = 8,0,157,0 | Size = 226672 bytes | Modified Date = 8/21/2007 12:19:20 PM | Attr =	]
C:\Documents and Settings\Owner.GEORGIEBOY\Local Settings\Temp\McDMTemp007\ -> C:\Documents and Settings\Owner.GEORGIEBOY\Local Settings\Temp\McDMTemp007 ->  [Folder | Modified Date = 8/29/2008 4:11:28 PM | Attr =	]
config.ini -> C:\Documents and Settings\Owner.GEORGIEBOY\Local Settings\Temp\McDMTemp007\config.ini ->  [Ver =  | Size = 110 bytes | Modified Date = 8/29/2008 4:11:28 PM | Attr =	]
C:\WINNT\Temp\ -> C:\WINNT\Temp ->  [Folder | Modified Date = 8/28/2008 12:51:43 PM | Attr =	]
alcupd.exe -> C:\WINNT\Temp\alcupd.exe -> Realtek Semiconductor Corp. [Ver = 1, 6, 3, 0 | Size = 208896 bytes | Modified Date = 4/4/2003 2:54:14 PM | Attr =	]
setupthp.exe -> C:\WINNT\Temp\setupthp.exe ->  [Ver =  | Size = 158208 bytes | Modified Date = 2/4/2004 7:51:13 PM | Attr =	]
soundman.exe -> C:\WINNT\Temp\soundman.exe -> Realtek Semiconductor Corp. [Ver = 5.1.00 | Size = 54784 bytes | Modified Date = 4/24/2003 3:53:54 PM | Attr =	]
9 C:\WINNT\Temp\*.tmp files -> C:\WINNT\Temp\*.tmp -> 
C:\WINNT\Temp\_ISTMP0.DIR\ -> C:\WINNT\Temp\_ISTMP0.DIR\ ->  [Folder | Modified Date = 2/4/2004 7:16:49 PM | Attr =	]
IsUninst.Exe -> C:\WINNT\Temp\_ISTMP0.DIR\IsUninst.Exe -> InstallShield Software Corporation [Ver = 5.00.221.0 | Size = 315904 bytes | Modified Date = 8/26/1997 12:06:34 PM | Attr =	]
C:\WINNT\Temp\_ISTMP1.DIR\ -> C:\WINNT\Temp\_ISTMP1.DIR\ ->  [Folder | Modified Date = 2/4/2004 7:28:28 PM | Attr =	]
IsUninst.Exe -> C:\WINNT\Temp\_ISTMP1.DIR\IsUninst.Exe -> InstallShield Software Corporation [Ver = 5.00.221.0 | Size = 315904 bytes | Modified Date = 8/26/1997 12:06:34 PM | Attr =	]
C:\WINNT\Temp\_ISTMP2.DIR\ -> C:\WINNT\Temp\_ISTMP2.DIR\ ->  [Folder | Modified Date = 2/4/2004 7:50:11 PM | Attr =	]
IsUninst.Exe -> C:\WINNT\Temp\_ISTMP2.DIR\IsUninst.Exe -> InstallShield Software Corporation [Ver = 5.00.221.0 | Size = 315904 bytes | Modified Date = 8/26/1997 12:06:34 PM | Attr =	]
C:\WINNT\Temp\_ISTMP3.DIR\ -> C:\WINNT\Temp\_ISTMP3.DIR\ ->  [Folder | Modified Date = 3/20/2004 11:51:52 PM | Attr =	]
uninst.exe -> C:\WINNT\Temp\_ISTMP3.DIR\uninst.exe -> InstallShield Corporation, Inc. [Ver = 2.20.916.0 | Size = 302592 bytes | Modified Date = 11/6/1996 12:09:42 PM | Attr =	]
C:\WINNT\Temp\_ISTMP4.DIR\ -> C:\WINNT\Temp\_ISTMP4.DIR\ ->  [Folder | Modified Date = 3/20/2004 11:54:42 PM | Attr =	]
uninst.exe -> C:\WINNT\Temp\_ISTMP4.DIR\uninst.exe -> InstallShield Corporation, Inc. [Ver = 2.20.920.0 | Size = 299008 bytes | Modified Date = 11/5/1996 4:13:22 PM | Attr =	]
C:\WINNT\Temp\_ISTMP6.DIR\ -> C:\WINNT\Temp\_ISTMP6.DIR\ ->  [Folder | Modified Date = 3/21/2004 1:05:51 AM | Attr =	]
uninst.exe -> C:\WINNT\Temp\_ISTMP6.DIR\uninst.exe -> InstallShield Corporation, Inc. [Ver = 2.20.920.0 | Size = 299008 bytes | Modified Date = 11/5/1996 4:13:22 PM | Attr =	]
C:\WINNT\Temp\ -> C:\WINNT\Temp ->  [Folder | Modified Date = 8/28/2008 12:51:43 PM | Attr =	]
AcsInstall.dll -> C:\WINNT\Temp\AcsInstall.dll -> America Online, Inc [Ver = 3.0.14.1.US.1		 | Size = 126976 bytes | Modified Date = 11/11/2004 1:20:24 PM | Attr =	]
audio3d.dll -> C:\WINNT\Temp\audio3d.dll -> Sensaura Ltd [Ver = 4.12.01.2008 | Size = 720896 bytes | Modified Date = 8/27/2002 3:23:22 PM | Attr =	]
crlds3d.dll -> C:\WINNT\Temp\crlds3d.dll -> Sensaura Ltd [Ver = 4.12.01.2002 | Size = 765952 bytes | Modified Date = 11/21/2002 2:07:10 PM | Attr =	]
insmac2k.dll -> C:\WINNT\Temp\insmac2k.dll -> America Online, Inc. [Ver = 6.0.0.0 | Size = 62976 bytes | Modified Date = 12/8/2003 1:54:36 PM | Attr =	]
mpengine.dll -> C:\WINNT\Temp\mpengine.dll -> Microsoft Corporation [Ver = 1.1.2704.0 | Size = 2793864 bytes | Modified Date = 8/25/2007 12:33:22 AM | Attr =	]
mpengine.dllef4f6a7a -> C:\WINNT\Temp\mpengine.dll ->  [Ver =  | Size = 0 bytes | Modified Date = 9/12/2007 10:36:43 AM | Attr =	]
mpengine.dll444e84db -> C:\WINNT\Temp\mpengine.dll ->  [Ver =  | Size = 0 bytes | Modified Date = 9/12/2007 10:36:43 AM | Attr =	]
newdev.dll -> C:\WINNT\Temp\newdev.dll -> Microsoft Corporation [Ver = 5.1.2600.1164 (xpsp2.021217-1051) | Size = 238080 bytes | Modified Date = 1/31/2003 3:46:24 PM | Attr =	]
ocpchk.dll -> C:\WINNT\Temp\ocpchk.dll ->  [Ver =  | Size = 57344 bytes | Modified Date = 11/3/2004 2:16:06 PM | Attr =	]
tbinst.dll -> C:\WINNT\Temp\tbinst.dll -> America Online, Inc. [Ver = 3.1.3.15 | Size = 12288 bytes | Modified Date = 10/14/2004 6:50:03 PM | Attr =	]
ZDATAI5.DLL -> C:\WINNT\Temp\ZDATAI5.DLL -> InstallShield Corp. [Ver = 5, 0, 221, 0 | Size = 46080 bytes | Modified Date = 2/4/2004 7:50:08 PM | Attr =	]
ZDATAI50.DLL -> C:\WINNT\Temp\ZDATAI50.DLL -> InstallShield Corp. [Ver = 5, 0, 200, 0 | Size = 45056 bytes | Modified Date = 2/13/2005 2:52:01 PM | Attr =	]
_WUTL50.DLL -> C:\WINNT\Temp\_WUTL50.DLL -> InstallShield Corporation, Inc. [Ver = 5.00.116.0 | Size = 40448 bytes | Modified Date = 2/4/2004 7:50:08 PM | Attr =	]
_WUTL95.DLL -> C:\WINNT\Temp\_WUTL95.DLL -> InstallShield Corporation, Inc. [Ver = 5.00.116.0 | Size = 40448 bytes | Modified Date = 2/13/2005 2:52:01 PM | Attr =	]
9 C:\WINNT\Temp\*.tmp files -> C:\WINNT\Temp\*.tmp -> 
C:\WINNT\Temp\_ISTMP0.DIR\ -> C:\WINNT\Temp\_ISTMP0.DIR\ ->  [Folder | Modified Date = 2/4/2004 7:16:49 PM | Attr =	]
551e77.DLL -> C:\WINNT\Temp\_ISTMP0.DIR\551e77.DLL -> InstallShield Software Corporation [Ver = 5.00.221.0 | Size = 128512 bytes | Modified Date = 8/26/1997 12:00:34 PM | Attr =	]
Ctl3d32.dll -> C:\WINNT\Temp\_ISTMP0.DIR\Ctl3d32.dll -> Microsoft Corporation [Ver = 2.31.000 | Size = 27136 bytes | Modified Date = 7/13/1995 6:46:26 PM | Attr =	]
C:\WINNT\Temp\_ISTMP1.DIR\ -> C:\WINNT\Temp\_ISTMP1.DIR\ ->  [Folder | Modified Date = 2/4/2004 7:28:28 PM | Attr =	]
375cd.DLL -> C:\WINNT\Temp\_ISTMP1.DIR\375cd.DLL -> InstallShield Software Corporation [Ver = 5.00.221.0 | Size = 128512 bytes | Modified Date = 8/26/1997 12:00:34 PM | Attr =	]
Ctl3d32.dll -> C:\WINNT\Temp\_ISTMP1.DIR\Ctl3d32.dll -> Microsoft Corporation [Ver = 2.31.000 | Size = 27136 bytes | Modified Date = 7/13/1995 6:46:26 PM | Attr =	]
C:\WINNT\Temp\_ISTMP2.DIR\ -> C:\WINNT\Temp\_ISTMP2.DIR\ ->  [Folder | Modified Date = 2/4/2004 7:50:11 PM | Attr =	]
10e05f.DLL -> C:\WINNT\Temp\_ISTMP2.DIR\10e05f.DLL -> InstallShield Software Corporation [Ver = 5.00.221.0 | Size = 128512 bytes | Modified Date = 8/26/1997 12:00:34 PM | Attr =	]
Ctl3d32.dll -> C:\WINNT\Temp\_ISTMP2.DIR\Ctl3d32.dll -> Microsoft Corporation [Ver = 2.31.000 | Size = 27136 bytes | Modified Date = 7/13/1995 6:46:26 PM | Attr =	]
C:\WINNT\Temp\_ISTMP3.DIR\ -> C:\WINNT\Temp\_ISTMP3.DIR\ ->  [Folder | Modified Date = 3/20/2004 11:51:52 PM | Attr =	]
29fb21.DLL -> C:\WINNT\Temp\_ISTMP3.DIR\29fb21.DLL -> InstallShield Corporation, Inc. [Ver = 3.00.084.0 | Size = 202240 bytes | Modified Date = 9/15/1997 2:09:16 PM | Attr =	]
CTL3D32.DLL -> C:\WINNT\Temp\_ISTMP3.DIR\CTL3D32.DLL -> Microsoft Corporation [Ver = 2.31.000 | Size = 27136 bytes | Modified Date = 7/13/1995 6:46:26 PM | Attr =	]
CTL3D32S.DLL -> C:\WINNT\Temp\_ISTMP3.DIR\CTL3D32S.DLL -> Microsoft Corporation [Ver = 2.31.000 | Size = 26624 bytes | Modified Date = 7/13/1995 6:48:10 PM | Attr =	]
shell.dll -> C:\WINNT\Temp\_ISTMP3.DIR\shell.dll ->  [Ver =  | Size = 141652 bytes | Modified Date = 8/19/1997 5:37:48 PM | Attr =	]
C:\WINNT\Temp\_ISTMP4.DIR\ -> C:\WINNT\Temp\_ISTMP4.DIR\ ->  [Folder | Modified Date = 3/20/2004 11:54:42 PM | Attr =	]
2c9266.DLL -> C:\WINNT\Temp\_ISTMP4.DIR\2c9266.DLL -> InstallShield Corporation, Inc. [Ver = 3.00.090.0 | Size = 182784 bytes | Modified Date = 9/13/1997 7:21:58 PM | Attr =	]
CTL3D32.DLL -> C:\WINNT\Temp\_ISTMP4.DIR\CTL3D32.DLL -> Microsoft Corporation [Ver = 2.31.000 | Size = 27136 bytes | Modified Date = 7/13/1995 6:46:26 PM | Attr =	]
CTL3D32S.DLL -> C:\WINNT\Temp\_ISTMP4.DIR\CTL3D32S.DLL -> Microsoft Corporation [Ver = 2.31.000 | Size = 26624 bytes | Modified Date = 7/13/1995 6:48:10 PM | Attr =	]
shell.dll -> C:\WINNT\Temp\_ISTMP4.DIR\shell.dll ->  [Ver =  | Size = 141652 bytes | Modified Date = 8/19/1997 5:37:48 PM | Attr =	]
C:\WINNT\Temp\_ISTMP5.DIR\ -> C:\WINNT\Temp\_ISTMP5.DIR\ ->  [Folder | Modified Date = 3/21/2004 1:04:03 AM | Attr =	]
6bfb7e.DLL -> C:\WINNT\Temp\_ISTMP5.DIR\6bfb7e.DLL -> InstallShield Corporation, Inc. [Ver = 3.00.090.0 | Size = 182784 bytes | Modified Date = 8/18/1998 6:09:30 PM | Attr =	]
C:\WINNT\Temp\_ISTMP6.DIR\ -> C:\WINNT\Temp\_ISTMP6.DIR\ ->  [Folder | Modified Date = 3/21/2004 1:05:51 AM | Attr =	]
6db7f3.DLL -> C:\WINNT\Temp\_ISTMP6.DIR\6db7f3.DLL -> InstallShield Corporation, Inc. [Ver = 3.00.090.0 | Size = 182784 bytes | Modified Date = 9/13/1997 7:21:58 PM | Attr =	]
CTL3D32.DLL -> C:\WINNT\Temp\_ISTMP6.DIR\CTL3D32.DLL -> Microsoft Corporation [Ver = 2.31.000 | Size = 27136 bytes | Modified Date = 7/13/1995 6:46:26 PM | Attr =	]
CTL3D32S.DLL -> C:\WINNT\Temp\_ISTMP6.DIR\CTL3D32S.DLL -> Microsoft Corporation [Ver = 2.31.000 | Size = 26624 bytes | Modified Date = 7/13/1995 6:48:10 PM | Attr =	]
shell.dll -> C:\WINNT\Temp\_ISTMP6.DIR\shell.dll ->  [Ver =  | Size = 141652 bytes | Modified Date = 8/19/1997 5:37:48 PM | Attr =	]
C:\WINNT\Temp\nsb172.tmp\ -> C:\WINNT\Temp\nsb172.tmp\ ->  [Folder | Modified Date = 3/8/2005 4:32:42 PM | Attr =	]
System.dll -> C:\WINNT\Temp\nsb172.tmp\System.dll ->  [Ver =  | Size = 9216 bytes | Modified Date = 3/8/2005 4:32:42 PM | Attr =	]
UserInfo.dll -> C:\WINNT\Temp\nsb172.tmp\UserInfo.dll ->  [Ver =  | Size = 4096 bytes | Modified Date = 3/8/2005 4:32:42 PM | Attr =	]
C:\WINNT\Temp\nsd48.tmp\ -> C:\WINNT\Temp\nsd48.tmp\ ->  [Folder | Modified Date = 3/12/2005 7:44:27 AM | Attr =	]
System.dll -> C:\WINNT\Temp\nsd48.tmp\System.dll ->  [Ver =  | Size = 9216 bytes | Modified Date = 3/12/2005 7:44:27 AM | Attr =	]
UserInfo.dll -> C:\WINNT\Temp\nsd48.tmp\UserInfo.dll ->  [Ver =  | Size = 4096 bytes | Modified Date = 3/12/2005 7:44:27 AM | Attr =	]
C:\WINNT\Temp\nsnF0.tmp\ -> C:\WINNT\Temp\nsnF0.tmp\ ->  [Folder | Modified Date = 3/8/2005 4:20:38 PM | Attr =	]
System.dll -> C:\WINNT\Temp\nsnF0.tmp\System.dll ->  [Ver =  | Size = 9216 bytes | Modified Date = 3/8/2005 4:20:38 PM | Attr =	]
UserInfo.dll -> C:\WINNT\Temp\nsnF0.tmp\UserInfo.dll ->  [Ver =  | Size = 4096 bytes | Modified Date = 3/8/2005 4:20:38 PM | Attr =	]
C:\WINNT\Temp\nst1D2.tmp\ -> C:\WINNT\Temp\nst1D2.tmp\ ->  [Folder | Modified Date = 3/8/2005 4:51:44 PM | Attr =	]
System.dll -> C:\WINNT\Temp\nst1D2.tmp\System.dll ->  [Ver =  | Size = 9216 bytes | Modified Date = 3/8/2005 4:51:44 PM | Attr =	]
UserInfo.dll -> C:\WINNT\Temp\nst1D2.tmp\UserInfo.dll ->  [Ver =  | Size = 4096 bytes | Modified Date = 3/8/2005 4:51:44 PM | Attr =	]
C:\WINNT\Temp\ -> C:\WINNT\Temp ->  [Folder | Modified Date = 8/28/2008 12:51:43 PM | Attr =	]
Perflib_Perfdata_21fc.dat -> C:\WINNT\Temp\Perflib_Perfdata_21fc.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 5/12/2008 7:24:29 PM | Attr =	]
9 C:\WINNT\Temp\*.tmp files -> C:\WINNT\Temp\*.tmp -> 
C:\WINNT\Temp\Cookies\ -> C:\WINNT\Temp\Cookies ->  [Folder | Modified Date = 1/2/2004 2:32:35 PM | Attr =   S]
index.dat -> C:\WINNT\Temp\Cookies\index.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 1/2/2004 2:32:35 PM | Attr =	]
C:\WINNT\Temp\History\History.IE5\ -> C:\WINNT\Temp\History\History.IE5\ ->  [Folder | Modified Date = 1/2/2004 2:32:35 PM | Attr =   S]
index.dat -> C:\WINNT\Temp\History\History.IE5\index.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 1/2/2004 2:32:35 PM | Attr =	]
C:\WINNT\Temp\Temporary Internet Files\Content.IE5\ -> C:\WINNT\Temp\Temporary Internet Files\Content.IE5\ ->  [Folder | Modified Date = 1/2/2004 2:32:35 PM | Attr =   S]
index.dat -> C:\WINNT\Temp\Temporary Internet Files\Content.IE5\index.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 1/2/2004 2:32:35 PM | Attr =	]
C:\WINNT\Temp\ -> C:\WINNT\Temp ->  [Folder | Modified Date = 8/28/2008 12:51:43 PM | Attr =	]
addons.ini -> C:\WINNT\Temp\addons.ini ->  [Ver =  | Size = 14404 bytes | Modified Date = 11/11/2004 6:09:41 AM | Attr = R  ]
_INS0432.INI -> C:\WINNT\Temp\_INS0432.INI ->  [Ver =  | Size = 58 bytes | Modified Date = 2/13/2005 2:52:01 PM | Attr =	]
9 C:\WINNT\Temp\*.tmp files -> C:\WINNT\Temp\*.tmp -> 
C:\WINNT\Temp\_ISTMP0.DIR\ -> C:\WINNT\Temp\_ISTMP0.DIR\ ->  [Folder | Modified Date = 2/4/2004 7:16:49 PM | Attr =	]
Corecomp.ini -> C:\WINNT\Temp\_ISTMP0.DIR\Corecomp.ini ->  [Ver =  | Size = 24950 bytes | Modified Date = 7/14/1997 3:21:12 PM | Attr =	]
C:\WINNT\Temp\_ISTMP1.DIR\ -> C:\WINNT\Temp\_ISTMP1.DIR\ ->  [Folder | Modified Date = 2/4/2004 7:28:28 PM | Attr =	]
Corecomp.ini -> C:\WINNT\Temp\_ISTMP1.DIR\Corecomp.ini ->  [Ver =  | Size = 24950 bytes | Modified Date = 7/14/1997 3:21:12 PM | Attr =	]
C:\WINNT\Temp\_ISTMP2.DIR\ -> C:\WINNT\Temp\_ISTMP2.DIR\ ->  [Folder | Modified Date = 2/4/2004 7:50:11 PM | Attr =	]
Corecomp.ini -> C:\WINNT\Temp\_ISTMP2.DIR\Corecomp.ini ->  [Ver =  | Size = 24950 bytes | Modified Date = 7/14/1997 3:21:12 PM | Attr =	]
C:\WINNT\Temp\_ISTMP3.DIR\ -> C:\WINNT\Temp\_ISTMP3.DIR\ ->  [Folder | Modified Date = 3/20/2004 11:51:52 PM | Attr =	]
corecomp.ini -> C:\WINNT\Temp\_ISTMP3.DIR\corecomp.ini ->  [Ver =  | Size = 16259 bytes | Modified Date = 9/30/1996 1:23:14 PM | Attr =	]
C:\WINNT\Temp\_ISTMP4.DIR\ -> C:\WINNT\Temp\_ISTMP4.DIR\ ->  [Folder | Modified Date = 3/20/2004 11:54:42 PM | Attr =	]
corecomp.ini -> C:\WINNT\Temp\_ISTMP4.DIR\corecomp.ini ->  [Ver =  | Size = 16259 bytes | Modified Date = 9/30/1996 1:23:14 PM | Attr =	]
C:\WINNT\Temp\_ISTMP6.DIR\ -> C:\WINNT\Temp\_ISTMP6.DIR\ ->  [Folder | Modified Date = 3/21/2004 1:05:51 AM | Attr =	]
corecomp.ini -> C:\WINNT\Temp\_ISTMP6.DIR\corecomp.ini ->  [Ver =  | Size = 16259 bytes | Modified Date = 9/30/1996 1:23:14 PM | Attr =	]
C:\WINNT\Temp\History\History.IE5\ -> C:\WINNT\Temp\History\History.IE5\ ->  [Folder | Modified Date = 1/2/2004 2:32:35 PM | Attr =   S]
desktop.ini -> C:\WINNT\Temp\History\History.IE5\desktop.ini ->  [Ver =  | Size = 113 bytes | Modified Date = 1/2/2004 2:32:35 PM | Attr =  HS]
C:\WINNT\Temp\Temporary Internet Files\Content.IE5\ -> C:\WINNT\Temp\Temporary Internet Files\Content.IE5\ ->  [Folder | Modified Date = 1/2/2004 2:32:35 PM | Attr =   S]
desktop.ini -> C:\WINNT\Temp\Temporary Internet Files\Content.IE5\desktop.ini ->  [Ver =  | Size = 67 bytes | Modified Date = 1/2/2004 2:32:35 PM | Attr =  HS]
C:\WINNT\Temp\Temporary Internet Files\Content.IE5\3P787KHS\ -> C:\WINNT\Temp\Temporary Internet Files\Content.IE5\3P787KHS ->  [Folder | Modified Date = 1/2/2004 2:32:35 PM | Attr =   S]
desktop.ini -> C:\WINNT\Temp\Temporary Internet Files\Content.IE5\3P787KHS\desktop.ini ->  [Ver =  | Size = 67 bytes | Modified Date = 1/2/2004 2:32:35 PM | Attr =  HS]
C:\WINNT\Temp\Temporary Internet Files\Content.IE5\S9E30T2B\ -> C:\WINNT\Temp\Temporary Internet Files\Content.IE5\S9E30T2B ->  [Folder | Modified Date = 1/2/2004 2:32:35 PM | Attr =   S]
desktop.ini -> C:\WINNT\Temp\Temporary Internet Files\Content.IE5\S9E30T2B\desktop.ini ->  [Ver =  | Size = 67 bytes | Modified Date = 1/2/2004 2:32:35 PM | Attr =  HS]
C:\WINNT\Temp\Temporary Internet Files\Content.IE5\TTRH8EOU\ -> C:\WINNT\Temp\Temporary Internet Files\Content.IE5\TTRH8EOU ->  [Folder | Modified Date = 1/2/2004 2:32:35 PM | Attr =   S]
desktop.ini -> C:\WINNT\Temp\Temporary Internet Files\Content.IE5\TTRH8EOU\desktop.ini ->  [Ver =  | Size = 67 bytes | Modified Date = 1/2/2004 2:32:35 PM | Attr =  HS]
C:\WINNT\Temp\Temporary Internet Files\Content.IE5\TZO81J5A\ -> C:\WINNT\Temp\Temporary Internet Files\Content.IE5\TZO81J5A ->  [Folder | Modified Date = 1/2/2004 2:32:35 PM | Attr =   S]
desktop.ini -> C:\WINNT\Temp\Temporary Internet Files\Content.IE5\TZO81J5A\desktop.ini ->  [Ver =  | Size = 67 bytes | Modified Date = 1/2/2004 2:32:35 PM | Attr =  HS]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
Linksys -> %AllUsersProfile%\Application Data\Linksys ->  [Folder | Modified Date = 8/28/2008 12:51:58 PM | Attr =	]
Adobe -> %AppData%\Adobe ->  [Folder | Modified Date = 8/28/2008 12:33:04 PM | Attr =	]
AdobeUM -> %AppData%\AdobeUM ->  [Folder | Modified Date = 8/28/2008 12:33:26 PM | Attr =	]
Sun -> %AppData%\Sun ->  [Folder | Modified Date = 8/28/2008 12:49:26 PM | Attr =	]
Adobe -> %UserProfile%\Local Settings\Application Data\Adobe ->  [Folder | Modified Date = 8/28/2008 12:33:13 PM | Attr =	]
IconCache.db -> %UserProfile%\Local Settings\Application Data\IconCache.db ->  [Ver =  | Size = 4790630 bytes | Modified Date = 8/28/2008 2:40:00 PM | Attr =  H ]
codecs -> %AllUsersProfile%\Documents\codecs ->  [Folder | Modified Date = 8/4/2008 9:46:11 AM | Attr =	]
My Videos -> %AllUsersProfile%\Documents\My Videos ->  [Folder | Modified Date = 8/15/2008 10:39:58 AM | Attr = R  ]
ps3 -> %AllUsersProfile%\Documents\ps3 ->  [Folder | Modified Date = 8/27/2008 1:22:37 PM | Attr =	]
update_ob -> %AllUsersProfile%\Documents\update_ob ->  [Folder | Modified Date = 8/4/2008 9:40:42 AM | Attr =	]
vis -> %AllUsersProfile%\Documents\vis ->  [Folder | Modified Date = 8/4/2008 9:39:55 AM | Attr =	]
My eBooks -> %UserProfile%\My Documents\My eBooks ->  [Folder | Modified Date = 8/28/2008 12:33:07 PM | Attr =	]
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk ->  [Ver =  | Size = 1734 bytes | Modified Date = 8/29/2008 4:14:19 PM | Attr =	]
HJTInstall.exe -> %UserProfile%\Desktop\HJTInstall.exe -> Trend Micro Inc. [Ver = 2.00.2 | Size = 812344 bytes | Modified Date = 8/29/2008 4:14:12 PM | Attr =	]
OTScanIt -> %UserProfile%\Desktop\OTScanIt ->  [Folder | Modified Date = 8/29/2008 5:18:22 PM | Attr =	]
OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe ->  [Ver =  | Size = 573647 bytes | Modified Date = 8/29/2008 5:18:09 PM | Attr =	]

< End of report >


#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:18 AM

Posted 29 August 2008 - 07:50 PM

Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Non-Microsoft Only]
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YY -> MyWebSearch bar Uninstall -> %ProgramFiles%\Uninstall Fun Web Products.dll [rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> VirusIsolator.exe -> %ProgramFiles%\VirusIsolator\VirusIsolator.exe [C:\Program Files\VirusIsolator\VirusIsolator.exe]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> {85D6D3D0-6CDE-4E1E-9714-59D6B4230BAD} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\vadokmxt.dll [vadokmxt]
YY -> {5CB2273D-2E7C-4CF3-A5E5-AB9B86CAF7A2} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\wdpoefan.dll [wdpoefan]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN -> {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\nnnkifEv.dll []
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> nnnkifEv -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr -> 1
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> 
YN -> HKEY_CURRENT_USER\: Main\\Start Page -> http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {CE3BD90E-65A2-40D4-B0B0-D33515C8802C} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\System32\awtrOhFy.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\nnnkifEv.dll [Reg Error: Value  does not exist or could not be read.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\WINNT\System32\awtrOhFy -> 
< BotCheck > -> 
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> Uninstall Fun Web Products.dll -> %ProgramFiles%\Uninstall Fun Web Products.dll
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed, either a message box will pop up telling you that it is finished, or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here.

I will review the information when it comes back in.
Post that log then do the below:
===================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
==================================================
After that please post the Mbam log and a new Hijackthis log and let me know how things are running?
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#5 Simonsays

Simonsays
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:02:18 AM

Posted 29 August 2008 - 08:17 PM

The Fix Log

[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\MyWebSearch bar Uninstall deleted successfully.
C:\Program Files\Uninstall Fun Web Products.dll moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\VirusIsolator.exe deleted successfully.
C:\Program Files\VirusIsolator\VirusIsolator.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\vadokmxt deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{85D6D3D0-6CDE-4E1E-9714-59D6B4230BAD}\ deleted successfully.
C:\WINNT\vadokmxt.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\wdpoefan deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CB2273D-2E7C-4CF3-A5E5-AB9B86CAF7A2}\ deleted successfully.
C:\WINNT\wdpoefan.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnkifEv\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE3BD90E-65A2-40D4-B0B0-D33515C8802C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CE3BD90E-65A2-40D4-B0B0-D33515C8802C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}\ not found.
[Registry - Additional Scans - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\WINNT\System32\awtrOhFy deleted successfully.
File  not found.
[Files Created - Additional Folder Scans - Non-Microsoft Only]
File C:\Program Files\Uninstall Fun Web Products.dll not found!
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINNT\temp\hsperfdata_SYSTEM\1860 scheduled to be deleted on reboot.
Windows Temp folder emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.17.0 fix logfile created on 08292008_180922

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINNT\temp\hsperfdata_SYSTEM\1860 not found!


#6 Simonsays

Simonsays
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:02:18 AM

Posted 29 August 2008 - 08:41 PM

Malwarebytes' Anti-Malware 1.25
Database version: 1096
Windows 5.1.2600 Service Pack 1

6:39:38 PM 8/29/2008
mbam-log-08-29-2008 (18-39-38).txt

Scan type: Quick Scan
Objects scanned: 52816
Time elapsed: 10 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 31
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 41

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{0263d762-b6e5-4dcf-91a5-e1283d25e850} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4005c168-1692-4cfd-b21b-03f29dc530d4} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aeb838dd-2819-4a77-8bf8-e75405b85f6f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VirusIsolator (Rogue.VirusIsolator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webvideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dpevflbg.bgdq (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dpevflbg.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MSVPS.MSVPSApp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vadokmxt (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\wdpoefan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINNT\privacy_danger (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\privacy_danger\images (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\VirusIsolator (Rogue.VirusIsolator) -> Quarantined and deleted successfully.
C:\Program Files\VirusIsolator\Infected (Rogue.VirusIsolator) -> Quarantined and deleted successfully.
C:\Program Files\VirusIsolator\Suspicious (Rogue.VirusIsolator) -> Quarantined and deleted successfully.
C:\WINNT\PIF (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.GEORGIEBOY\Start Menu\Programs\VirusIsolator (Rogue.VirusIsolator) -> Quarantined and deleted successfully.

Files Infected:
C:\WINNT\olgdqarf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\aprvuqtv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\flpnllqv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\gebxxxv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\GLKB4.tmp (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\hnfjmhjb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\korwdjgg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\ms1210521948.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\opnlJcbX.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\opnnooo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\pcmofymj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\qatquppr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\rsyncini.exe (Trojan.Shutdowner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\ssvbwofb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\tdpdtwwc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\vjncokwj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\wditewju.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\winvsnet.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\wvuvtus.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\yazzsnet.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\WINNT\privacy_danger\index.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\privacy_danger\images\capt.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\privacy_danger\images\danger.jpg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\privacy_danger\images\down.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\privacy_danger\images\spacer.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\VirusIsolator\vscan.tsi (Rogue.VirusIsolator) -> Quarantined and deleted successfully.
C:\Program Files\VirusIsolator\zlib.dll (Rogue.VirusIsolator) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.GEORGIEBOY\Start Menu\Programs\VirusIsolator\VirusIsolator.lnk (Rogue.VirusIsolator) -> Quarantined and deleted successfully.
C:\WINNT\b.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\wxvgsdbq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.GEORGIEBOY\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusIsolator.lnk (Rogue.VirusIsolator) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\xpre.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\xrun.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.GEORGIEBOY\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.GEORGIEBOY\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.GEORGIEBOY\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.GEORGIEBOY\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.GEORGIEBOY\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.GEORGIEBOY\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.


#7 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:18 AM

Posted 29 August 2008 - 08:53 PM

Great, please post a new HijackThis log and let me know how things are running.

#8 Simonsays

Simonsays
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:02:18 AM

Posted 29 August 2008 - 08:56 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:41 PM, on 8/29/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\java.exe
C:\WINNT\Explorer.EXE
C:\WINNT\notepad.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.webtvparty.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webtvparty.com/search.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {B21EAD36-EC0C-4B82-B102-1AB20B481977} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 3711 bytes


#9 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:18 AM

Posted 29 August 2008 - 09:09 PM

The first thing I will need you to do is to download ONE of these anti-virus programs and install it.
These are free.
AVG free 8.0
Note: this is free antispyware protection and antivirus protection.
or
Antivir
=========================
After that please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.webtvparty.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webtvparty.com/search.html
O3 - Toolbar: (no name) - {B21EAD36-EC0C-4B82-B102-1AB20B481977} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm



Now click on Fix Checked and then close Hijackthis.
===================================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINNT\web\related.htm
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
==========
Post the OT Move it log and a new Hijackthis log and then let me know if things are back to normal?
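The entries the helper picked out of the HijackThis log above can be expressed as explicit triage rules. The block below is an added example for this thread, not HijackThis code and not the helper's own tool; the list of default Microsoft hosts is an assumption, and the sample log is constructed from the lines in post #8.

```python
"""Rule-based triage of a HijackThis v2 log.

Added example for this thread, not HijackThis code and not the helper's tool. It
re-applies the judgement used above as explicit rules: R0/R1 pages on a non-default
host, O2/O3/O9 registrations with no backing file, O9 buttons that open a web page
instead of a DLL, O4 autoruns launched from a temp or profile directory, and O23
services whose binary is missing. The default-host allowlist is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Assumption: hosts a stock IE6 install points Start Page / Search Bar at.
DEFAULT_HOST_SUFFIXES = ("microsoft.com", "msn.com")

# Line shapes as they appear in the logs above.
R_RE = re.compile(r"^(?P<code>R[01]) - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>.+)$")
COM_RE = re.compile(r"^(?P<code>O[239]) - (?P<kind>[^:]+): (?P<name>.*?) - "
                    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^(?P<code>O4) - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^(?P<code>O23) - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - "
                    r"(?P<company>.+?) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    code: str    # HJT section the line came from, e.g. "R0" or "O3"
    reason: str  # why the entry deserves a look
    line: str    # the log line itself


def _host_is_default(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in DEFAULT_HOST_SUFFIXES)


def _exe_from_command(cmd: str) -> str:
    """First token of an O4 command: a quoted path, or text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage_line(line: str) -> Optional[Finding]:
    """Apply the rules to one log line; None means the line passes."""
    line = line.strip()
    if m := R_RE.match(line):
        if not _host_is_default(m["url"]):
            host = urlparse(m["url"]).hostname
            return Finding(m["code"], f"{m['value']} points at non-default host {host}", line)
        return None
    if m := COM_RE.match(line):
        if m["path"] == "(no file)":
            return Finding(m["code"], f"{m['kind']} registered with no backing file", line)
        if m["code"] == "O9" and m["path"].lower().endswith((".htm", ".html", ".url")):
            return Finding(m["code"], "Extra button opens a web page rather than a DLL", line)
        return None
    if m := O4_RE.match(line):
        exe = _exe_from_command(m["cmd"]).lower()
        if "\\temp\\" in exe or "\\documents and settings\\" in exe:
            return Finding(m["code"], "autorun launches from a temp or profile directory", line)
        return None
    if m := O23_RE.match(line):
        if m["path"].endswith("(file missing)"):
            return Finding(m["code"], f"service {m['name']} registered but binary missing", line)
        return None
    return None


def triage(log_text: str) -> list[Finding]:
    """One Finding per line that trips a rule, in log order."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


# Constructed sample: the R/O2/O3/O4/O9/O23 lines from the log in post #8.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.webtvparty.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webtvparty.com/search.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {B21EAD36-EC0C-4B82-B102-1AB20B481977} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:>3}  {f.reason}\n     {f.line}")
```

On the sample it flags the six entries the helper asked to fix plus two orphans the helper left alone (the O9 button with no file and the AOLService entry with its binary missing), which is the usual trade-off of a mechanical rule against a reviewer's judgement.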

#10 Simonsays

Simonsays
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:02:18 AM

Posted 29 August 2008 - 10:07 PM

This computer is running Windows XP Home, but for some reason AVG says it doesn't support this Windows version... weird... I know..

Anyway, here's the OT log

C:\WINNT\web\related.htm moved successfully.
 
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08292008_200448




HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:52 PM, on 8/29/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\java.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Documents and Settings\Owner.GEORGIEBOY\Desktop\OTMoveIt2.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 3035 bytes


#11 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:18 AM

Posted 29 August 2008 - 10:15 PM

It says that because you have only Service Pack 1 installed.
Once you get Service Pack 2 installed it will work.

Everything back to normal?

#12 Simonsays

Simonsays
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:02:18 AM

Posted 29 August 2008 - 10:20 PM

I'm going to install service pack 2 and reboot. Be back:)

#13 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:18 AM

Posted 29 August 2008 - 10:49 PM

ok
