Crashing Or Jamming On Spyware, Adware, Runs...


This topic is locked. 32 replies to this topic.

#1 Chaeron (Members, 58 posts)

Posted 23 September 2008 - 12:09 PM

Slow PC and crashes occasionally. Tried normal maintenance, but crashes or jams on run of suggested spyware, adware, virus programs.

Help please?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:51 AM, on 9/23/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hpzipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\TweakNow PowerPack\RAM_XP.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\RTC\mirc32.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Genesis\Trader\Trader.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\TweakNow PowerPack\RAM_XP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.schaeffersresearch.com/download/CfxIEAx.cab
O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Download/Cfx4Financial.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\hpzipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6523 bytes
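A small triage script for a log in this format, added here as an example; it is not code from the original post, from HijackThis, or from the BleepingComputer instructions. It parses only the `Rx`/`Fx`/`Oxx - ...` entry lines (the header and the running-process list are skipped) and flags the entry classes an analyst reads first: O18 URL protocol handlers, O20 Winlogon Notify DLLs, O16 ActiveX downloads, O4 Run values that name a bare executable, and registered components whose file is missing. The sample lines are copied from the log above except for one constructed `(no file)` BHO entry with a fake CLSID; the severities and rules are the example's own assumptions, since HijackThis lists entries without rating them.

```python
"""Triage the entry lines of a HijackThis v2 log.

Added example (not code from the forum post, from HijackThis, or from
BleepingComputer). The flagging rules below are the example's own
heuristics; HijackThis itself only lists entries and assigns no severity.
"""
import re
from dataclasses import dataclass

# One entry line: section code (R0..R3, F0..F3, O1..O24), " - ", free text.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
# A filesystem path or URL the entry points at; used only to test presence.
TARGET_RE = re.compile(r'(?:[A-Za-z]:\\[^"\s]+|https?://\S+)')

# Sample input: lines copied from the log above, plus one constructed
# "(no file)" BHO entry (fake CLSID) to exercise the missing-file rule.
SAMPLE_LOG = "\n".join([
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)",  # constructed
    r"O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab",
    r"O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}",
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    r"O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe",
])


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    code: str      # HijackThis section, e.g. "O18"
    reason: str
    line: str


def triage(log_text):
    """Return the entries worth a second look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, running-process list, blank lines
        code, body = m.group("code"), m.group("body")
        targets = TARGET_RE.findall(body)

        if code == "O18":
            # Any registered URL protocol handler is reachable from a web page;
            # HijackThis gives only the CLSID here, so resolve it by hand in the registry.
            findings.append(Finding("high", code, "URL protocol handler registered", raw))
        elif code == "O20":
            # Notify packages are DLLs loaded into winlogon.exe at logon.
            findings.append(Finding("high", code, "DLL loaded by winlogon.exe", raw))
        elif code == "O16":
            src = targets[-1] if targets else "(unknown source)"
            findings.append(Finding("medium", code, "ActiveX control fetched from " + src, raw))
        elif code == "O4" and not targets:
            # A Run value with a bare filename is resolved via the PATH search
            # order, so a same-named file earlier in that order would run instead.
            findings.append(Finding("medium", code, "Run entry uses a bare filename (PATH lookup)", raw))
        elif code in ("O2", "O3", "R3") and "(no file)" in body:
            findings.append(Finding("medium", code, "registered component whose file is missing", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code:<4} {f.reason}\n         {f.line}")
```

Run against the full log above it reports the `flowto` protocol handler, the SUPERAntiSpyware Winlogon Notify DLL, the four O16 ActiveX downloads and the `mobsync.exe` Run value; everything else it leaves for the O23 service and process-list review that the helper's later instructions cover with OTViewIt.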


#2 Billy O'Neal (Malware Response Team, 12,304 posts; Visual C++ STL Maintainer; Redmond, Washington)

Posted 03 October 2008 - 02:45 PM

:thumbsup: to BleepingComputer.com

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:
  • While a HJT Team member is working with you, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please reply using the reply button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" :).
If you would still like help, please follow the instructions below:

We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the OTViewIt icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTViewIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • OTViewIt.txt
  • Extra.txt
  • Kaspersky's Log

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 Chaeron (Topic Starter; Members, 58 posts)

Posted 06 October 2008 - 02:26 PM

Thank you for getting back to me. I am posting the 3 logs within 24 hours. I still do require your help badly. Thanks again,
Chaeron

#4 Billy O'Neal (Malware Response Team, 12,304 posts)

Posted 06 October 2008 - 08:09 PM

Got it :thumbsup: Awaiting your reply with great interest :)

Billy3

#5 Chaeron (Topic Starter; Members, 58 posts)

Posted 07 October 2008 - 11:49 AM

Here it is.... sorry it's so dang long. Appreciate all you do...

Chaeron


OTViewIt logfile created on: 10/6/2008 8:31:52 AM - Run
OTViewIt by OldTimer - Version 1.0.10.0 Folder = C:\Documents and Settings\Marshall Islands\Desktop
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

255.54 Mb Total Physical Memory | 121.57 Mb Available Physical Memory | 47.57% Memory free
545.00 Mb Paging File | 131.75 Mb Available in Paging File | 24.18% Paging File free
Paging file location(s): C:\pagefile.sys 192 384;

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 8.47 Gb Total Space | 3.21 Gb Free Space | 37.89% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SAHARA
Current User Name: Marshall Islands
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2003/06/19 11:05:04 | 00,045,840 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\smss.exe
[2003/06/19 11:05:04 | 00,005,392 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\csrss.exe
[2004/08/24 14:59:10 | 00,182,544 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\winlogon.exe
[2003/06/19 11:05:04 | 00,089,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\services.exe
[2004/02/25 15:59:08 | 00,033,552 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\lsass.exe
[1999/12/07 12:00:00 | 00,007,952 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\svchost.exe
[2004/12/10 18:02:34 | 00,243,312 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
[2004/12/10 18:02:28 | 00,255,600 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
[2005/07/11 21:59:12 | 00,047,376 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\spoolsv.exe
[2008/03/17 13:36:48 | 00,607,576 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
[2004/12/30 14:19:26 | 00,030,528 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
[2002/04/25 14:49:56 | 00,253,952 | ---- | M] (Executive Software International, Inc.) -- C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
[1999/12/07 12:00:00 | 00,007,952 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\svchost.exe
[2004/12/24 11:11:46 | 00,069,632 | ---- | M] (HP) -- C:\WINNT\system32\hpzipm12.exe
[2003/06/19 11:05:04 | 00,068,368 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\regsvc.exe
[2004/04/05 09:51:40 | 00,119,568 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\MSTask.exe
[2003/06/19 11:05:04 | 00,061,712 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\stisvc.exe
[2004/12/30 14:19:32 | 01,107,784 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
[2007/01/04 13:38:10 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
[2003/06/19 11:05:04 | 00,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\WBEM\WinMgmt.exe
[1999/12/07 12:00:00 | 00,007,952 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\svchost.exe
[2003/06/19 11:05:04 | 00,243,472 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Explorer.EXE
[2004/12/10 18:02:26 | 00,067,184 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[2004/12/30 14:19:40 | 00,120,640 | ---- | M] (Symantec Corporation) -- C:\PROGRA~1\SYMANT~1\VPTray.exe
[2004/07/04 09:59:34 | 00,406,016 | ---- | M] () -- C:\Program Files\TweakNow PowerPack\RAM_XP.exe
[2008/06/10 04:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
[2007/06/21 14:06:28 | 01,318,912 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[2007/08/30 17:43:18 | 00,103,664 | ---- | M] (Yahoo! Inc.) -- C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
[2003/08/29 19:05:36 | 00,360,448 | ---- | M] () -- C:\Program Files\SpywareGuard\sgmain.exe
[2008/07/18 22:10:42 | 00,053,448 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wuauclt.exe
[2003/08/29 11:14:58 | 00,233,472 | ---- | M] () -- C:\Program Files\SpywareGuard\sgbhp.exe
[2002/01/17 17:19:00 | 01,531,904 | ---- | M] (mIRC Co. Ltd.) -- C:\RTC\mirc32.exe
[1999/12/07 12:00:00 | 00,007,952 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\svchost.exe
[2007/12/11 13:53:52 | 02,523,136 | ---- | M] (Genesis Securities, LLC.) -- C:\Genesis\Trader\Trader.exe
[2008/09/30 07:53:10 | 00,307,712 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2002/08/29 07:14:40 | 00,091,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
[2002/08/29 07:14:40 | 00,091,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
[2002/08/29 07:14:40 | 00,091,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
[2002/08/29 07:14:40 | 00,091,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
[2002/08/29 07:14:40 | 00,091,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
[2008/10/06 08:30:34 | 00,416,768 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Marshall Islands\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/03/17 13:36:48 | 00,607,576 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice [Auto | Running])
[2003/06/19 11:05:04 | 00,089,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\services.exe -- (Alerter [On_Demand | Stopped])
[2003/06/19 11:05:04 | 00,089,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\services.exe -- (AppMgmt [On_Demand | Stopped])
[2004/07/15 01:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[1999/12/07 12:00:00 | 00,007,952 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\svchost.exe -- (BITS [On_Demand | Start_Pending])
[2003/06/19 11:05:04 | 00,089,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\services.exe -- (Browser [Auto | Running])
[2004/12/10 18:02:28 | 00,255,600 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [Auto | Running])
[2004/12/10 18:02:32 | 00,087,664 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc [On_Demand | Stopped])
[2004/12/10 18:02:34 | 00,243,312 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
[1999/12/07 12:00:00 | 00,005,392 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\cisvc.exe -- (cisvc [On_Demand | Stopped])
[1999/12/07 12:00:00 | 00,031,504 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\clipsrv.exe -- (ClipSrv [On_Demand | Stopped])
[2004/12/30 14:19:26 | 00,030,528 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
[2003/06/19 11:05:04 | 00,089,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\services.exe -- (Dhcp [Auto | Running])
[2002/04/25 14:49:56 | 00,253,952 | ---- | M] (Executive Software International, Inc.) -- C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe -- (Diskeeper [Auto | Running])
[2003/06/19 11:05:04 | 00,147,728 | ---- | M] (VERITAS Software Corp.) -- C:\WINNT\System32\dmadmin.exe -- (dmadmin [On_Demand | Stopped])
[2003/06/19 11:05:04 | 00,089,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\services.exe -- (dmserver [Auto | Running])
[2003/06/19 11:05:04 | 00,089,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\services.exe -- (Dnscache [Auto | Running])
[2003/06/19 11:05:04 | 00,089,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\services.exe -- (Eventlog [Auto | Running])
[1999/12/07 12:00:00 | 00,007,952 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\svchost.exe -- (EventSystem [On_Demand | Running])
[2003/06/19 11:05:04 | 00,094,992 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\faxsvc.exe -- (Fax [On_Demand | Stopped])
[2003/06/19 11:05:04 | 00,089,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\services.exe -- (lanmanserver [Auto | Running])
[2003/06/19 11:05:04 | 00,089,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\services.exe -- (lanmanworkstation [Auto | Running])
[2003/06/19 11:05:04 | 00,089,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\services.exe -- (LmHosts [Auto | Running])
[2003/06/19 11:05:04 | 00,089,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\services.exe -- (Messenger [Auto | Running])
[1999/12/07 04:00:00 | 00,021,776 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\mnmsrvc.exe -- (mnmsrvc [On_Demand | Stopped])
[1999/12/07 12:00:00 | 00,006,928 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\msdtc.exe -- (MSDTC [On_Demand | Stopped])
[2005/05/04 14:45:36 | 00,078,848 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\msiexec.exe -- (MSIServer [On_Demand | Stopped])
[2004/06/16 11:06:12 | 00,110,352 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\netdde.exe -- (NetDDE [On_Demand | Stopped])
[2004/06/16 11:06:12 | 00,110,352 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\netdde.exe -- (NetDDEdsdm [On_Demand | Stopped])
[2004/02/25 15:59:08 | 00,033,552 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\lsass.exe -- (Netlogon [On_Demand | Stopped])
[1999/12/07 12:00:00 | 00,007,952 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\svchost.exe -- (Netman [On_Demand | Running])
[2004/02/25 15:59:08 | 00,033,552 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\lsass.exe -- (NtLmSsp [On_Demand | Stopped])
[1999/12/07 12:00:00 | 00,007,952 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\svchost.exe -- (NtmsSvc [Auto | Running])
[2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2003/06/19 11:05:04 | 00,089,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\services.exe -- (PlugPlay [Auto | Running])
[2004/12/24 11:11:46 | 00,069,632 | ---- | M] (HP) -- C:\WINNT\system32\hpzipm12.exe -- (Pml Driver HPZ12 [Auto | Running])
[2004/02/25 15:59:08 | 00,033,552 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\lsass.exe -- (PolicyAgent [Auto | Running])
[2003/06/19 11:05:04 | 00,089,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\services.exe -- (ProtectedStorage [Auto | Running])
[1999/12/07 12:00:00 | 00,007,952 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\svchost.exe -- (RasAuto [On_Demand | Running])
[1999/12/07 12:00:00 | 00,007,952 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\svchost.exe -- (RasMan [On_Demand | Running])
[1999/12/07 12:00:00 | 00,007,952 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\svchost.exe -- (RemoteAccess [Disabled | Stopped])
[2003/06/19 11:05:04 | 00,068,368 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\regsvc.exe -- (RemoteRegistry [Auto | Running])
[2003/06/19 11:05:04 | 00,072,464 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\locator.exe -- (RpcLocator [On_Demand | Stopped])
[1999/12/07 12:00:00 | 00,007,952 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\svchost.exe -- (RpcSs [Auto | Running])
[2003/06/19 11:05:04 | 00,176,912 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\rsvp.exe -- (RSVP [On_Demand | Stopped])
[2004/02/25 15:59:08 | 00,033,552 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\lsass.exe -- (SamSs [Auto | Running])
[2004/12/30 14:19:36 | 00,153,416 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam [On_Demand | Stopped])
[2003/06/19 11:05:04 | 00,100,112 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\SCardSvr.exe -- (SCardDrv [On_Demand | Stopped])
[2003/06/19 11:05:04 | 00,100,112 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\SCardSvr.exe -- (SCardSvr [On_Demand | Stopped])
[2004/04/05 09:51:40 | 00,119,568 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\MSTask.exe -- (Schedule [Auto | Running])
[2003/06/19 11:05:04 | 00,089,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\services.exe -- (seclogon [Auto | Running])
[1999/12/07 12:00:00 | 00,007,952 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\svchost.exe -- (SENS [Auto | Running])
[1999/12/07 12:00:00 | 00,007,952 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\svchost.exe -- (SharedAccess [Auto | Running])
[2004/12/23 19:19:40 | 00,202,448 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [On_Demand | Stopped])
[2005/07/11 21:59:12 | 00,047,376 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\spoolsv.exe -- (Spooler [Auto | Running])
[2003/06/19 11:05:04 | 00,061,712 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\stisvc.exe -- (StiSvc [Auto | Running])
[2004/12/30 14:19:32 | 01,107,784 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
[2003/06/19 11:05:04 | 00,085,776 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\smlogsvc.exe -- (SysmonLog [On_Demand | Stopped])
[1999/12/07 12:00:00 | 00,007,952 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\svchost.exe -- (TapiSrv [On_Demand | Running])
[2003/06/19 11:05:04 | 00,186,128 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\tlntsvr.exe -- (TlntSvr [On_Demand | Stopped])
[2003/06/19 11:05:04 | 00,089,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\services.exe -- (TrkWks [Auto | Running])
[1999/12/07 12:00:00 | 00,017,680 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\ups.exe -- (UPS [On_Demand | Stopped])
[2003/06/19 11:05:04 | 00,022,800 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\UtilMan.exe -- (UtilMan [On_Demand | Stopped])
[2007/01/04 13:38:10 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])
[2003/06/19 11:05:04 | 00,089,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\services.exe -- (W32Time [On_Demand | Stopped])
[2003/06/19 11:05:04 | 00,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\WBEM\WinMgmt.exe -- (WinMgmt [Auto | Running])
[1999/12/07 12:00:00 | 00,007,952 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\svchost.exe -- (WmdmPmSN [On_Demand | Stopped])
[2003/06/19 11:05:04 | 00,089,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\Services.exe -- (Wmi [On_Demand | Running])
[1999/12/07 12:00:00 | 00,007,952 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\svchost.exe -- (wuauserv [Auto | Running])
[1999/12/07 12:00:00 | 00,007,952 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\svchost.exe -- (WZCSVC [On_Demand | Stopped])

========== Driver Services ==========

[2003/06/19 11:05:04 | 00,163,120 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\ACPI.sys -- (ACPI [Boot | Running])
[2003/06/19 11:05:04 | 00,011,536 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\acpiec.sys -- (ACPIEC [Disabled | Stopped])
[2003/06/19 11:05:04 | 00,120,240 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\afd.sys -- (AFD [Auto | Running])
[2003/06/19 11:05:04 | 00,021,008 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\agp440.sys -- (agp440 [Boot | Running])
[2003/06/19 11:05:04 | 00,017,840 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\asyncmac.sys -- (AsyncMac [On_Demand | Stopped])
[2003/06/19 11:05:04 | 00,086,672 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\atapi.sys -- (atapi [Boot | Running])
[1999/11/10 15:34:08 | 00,071,632 | ---- | M] (ATI Technologies Inc.) -- C:\WINNT\System32\DRIVERS\atimpab.sys -- (atirage3 [On_Demand | Stopped])
[1999/12/07 12:00:00 | 00,057,904 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\atmarpc.sys -- (Atmarpc [On_Demand | Stopped])
[1999/09/25 10:35:34 | 00,002,896 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\audstub.sys -- (audstub [On_Demand | Running])
[1999/12/07 12:00:00 | 00,004,080 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\beep.sys -- (Beep [System | Running])
File not found -- C:\DOCUME~1\MARSHA~1\LOCALS~1\Temp\catchme.sys -- (catchme [On_Demand | Stopped])
[2004/07/09 02:58:06 | 00,016,384 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\DRIVERS\CCDECODE.sys -- (CCDECODE [On_Demand | Stopped])
[1999/12/07 12:00:00 | 00,019,088 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\cdaudio.sys -- (Cdaudio [System | Stopped])
[2003/06/19 11:05:04 | 00,061,680 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\cdfs.sys -- (Cdfs [Disabled | Running])
[2005/01/18 16:02:42 | 00,058,000 | ---- | M] (Roxio) -- C:\WINNT\System32\drivers\cdr4_2K.sys -- (Cdr4_2K [System | Running])
[2005/01/18 16:02:42 | 00,023,420 | ---- | M] (Roxio) -- C:\WINNT\System32\drivers\cdralw2k.sys -- (Cdralw2k [System | Running])
[2003/06/19 11:05:04 | 00,027,984 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\cdrom.sys -- (Cdrom [System | Running])
[2003/06/19 11:05:04 | 00,030,768 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\disk.sys -- (Disk [Boot | Running])
[2003/06/19 11:05:04 | 00,007,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\diskperf.sys -- (Diskperf [Boot | Running])
[2003/06/19 11:05:04 | 00,369,104 | ---- | M] (VERITAS Software Corp.) -- C:\WINNT\System32\drivers\dmboot.sys -- (dmboot [Disabled | Stopped])
[2003/06/19 11:05:04 | 00,137,936 | ---- | M] (VERITAS Software Corp.) -- C:\WINNT\System32\drivers\dmio.sys -- (dmio [Boot | Running])
[2003/06/19 11:05:04 | 00,007,312 | ---- | M] (VERITAS Software Corp.) -- C:\WINNT\System32\drivers\dmload.sys -- (dmload [Boot | Running])
[1999/10/28 15:24:20 | 00,051,152 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\DMusic.sys -- (DMusic [On_Demand | Stopped])
[1999/11/06 14:06:58 | 00,358,928 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\ds1wdm.sys -- (ds1 [On_Demand | Running])
[2003/06/19 11:05:04 | 00,027,440 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\efs.sys -- (EFS [Disabled | Stopped])
[1999/10/23 12:22:20 | 00,061,712 | ---- | M] (3Com Corporation) -- C:\WINNT\System32\DRIVERS\el90xbc5.sys -- (EL90BC [On_Demand | Running])
[2003/06/19 11:05:04 | 00,140,496 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\fastfat.sys -- (Fastfat [Disabled | Running])
[2003/06/19 11:05:04 | 00,026,256 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\fdc.sys -- (Fdc [On_Demand | Running])
[2003/06/19 11:05:04 | 00,033,616 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\fips.sys -- (Fips [Auto | Running])
[2003/06/19 11:05:04 | 00,019,312 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\flpydisk.sys -- (Flpydisk [On_Demand | Running])
[2003/06/19 11:05:04 | 00,115,504 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\ftdisk.sys -- (Ftdisk [Boot | Running])
[2003/06/19 11:05:04 | 00,009,808 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\gameenum.sys -- (gameenum [On_Demand | Running])
[2003/06/19 11:05:04 | 00,034,704 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\msgpc.sys -- (Gpc [On_Demand | Running])
[2005/02/02 17:29:28 | 00,009,344 | ---- | M] (Hewlett Packard) -- C:\WINNT\system32\drivers\hpplsbulk.sys -- (HPPLSBULK [On_Demand | Running])
[2005/01/17 11:21:54 | 00,049,664 | ---- | M] (HP) -- C:\WINNT\system32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Running])
[2004/12/24 12:09:12 | 00,016,496 | ---- | M] (HP) -- C:\WINNT\system32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Running])
[2004/12/24 12:07:46 | 00,021,568 | ---- | M] (HP) -- C:\WINNT\system32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Running])
[2003/06/19 11:05:04 | 00,046,992 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\i8042prt.sys -- (i8042prt [System | Running])
[2003/06/19 11:05:04 | 00,004,624 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\intelide.sys -- (IntelIde [Boot | Running])
[1999/12/07 12:00:00 | 00,034,416 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\ipfltdrv.sys -- (IpFilterDriver [On_Demand | Stopped])
[1999/12/07 12:00:00 | 00,019,984 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\ipinip.sys -- (IpInIp [On_Demand | Stopped])
[2003/06/19 11:05:04 | 00,067,120 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\ipnat.sys -- (IpNat [On_Demand | Running])
[2003/04/21 11:19:42 | 00,080,848 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\ipsec.sys -- (IPSEC [On_Demand | Running])
[2003/06/19 11:05:04 | 00,010,288 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\irenum.sys -- (IRENUM [On_Demand | Stopped])
[2003/06/19 11:05:04 | 00,046,992 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\isapnp.sys -- (isapnp [Boot | Running])
[2003/06/19 11:05:04 | 00,024,528 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\kbdclass.sys -- (Kbdclass [System | Running])
[2003/06/19 11:05:04 | 00,148,304 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\kmixer.sys -- (kmixer [On_Demand | Running])
[2003/09/20 16:32:20 | 00,071,888 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\ksecdd.sys -- (KSecDD [Boot | Running])
[1999/12/07 12:00:00 | 00,004,240 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\mnmdd.sys -- (mnmdd [System | Running])
[2003/06/19 11:05:04 | 00,029,168 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\modem.sys -- (Modem [On_Demand | Stopped])
[2003/06/19 11:05:04 | 00,021,776 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\mouclass.sys -- (Mouclass [System | Running])
[2004/02/10 11:47:54 | 00,030,160 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\mountmgr.sys -- (MountMgr [Boot | Running])
[2004/07/09 02:58:10 | 00,015,104 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\DRIVERS\MPE.sys -- (MPE [On_Demand | Stopped])
[2006/05/31 00:14:16 | 00,415,536 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\mrxsmb.sys -- (MRxSmb [System | Running])
[1999/12/07 12:00:00 | 00,021,328 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\msfs.sys -- (Msfs [System | Running])
[2002/12/12 00:14:32 | 00,007,424 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\MSKSSRV.sys -- (MSKSSRV [On_Demand | Stopped])
[2002/12/12 00:14:32 | 00,005,248 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\MSPCLOCK.sys -- (MSPCLOCK [On_Demand | Stopped])
[1999/09/25 10:36:32 | 00,004,816 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\MSPQM.sys -- (MSPQM [On_Demand | Stopped])
[2002/12/12 00:14:32 | 00,005,504 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\MSTEE.sys -- (MSTEE [On_Demand | Stopped])
[2004/12/02 06:07:24 | 00,089,328 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\mup.sys -- (Mup [Boot | Running])
[2004/07/09 02:58:28 | 00,083,968 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\DRIVERS\NABTSFEC.sys -- (NABTSFEC [On_Demand | Stopped])
[2008/10/05 01:00:00 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081005.005\naveng.sys -- (NAVENG [On_Demand | Running])
[2008/10/05 01:00:00 | 00,873,552 | ---- | M] (Symantec Corporation) -- C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081005.005\navex15.sys -- (NAVEX15 [On_Demand | Running])
[2003/06/19 11:05:04 | 00,170,928 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\ndis.sys -- (NDIS [Boot | Running])
[2003/06/19 11:05:04 | 00,009,200 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\ndistapi.sys -- (NdisTapi [On_Demand | Running])
[2003/06/19 11:05:04 | 00,011,984 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\ndisuio.sys -- (Ndisuio [On_Demand | Stopped])
[2003/06/19 11:05:04 | 00,093,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\ndiswan.sys -- (NdisWan [On_Demand | Running])
[1999/12/07 12:00:00 | 00,040,432 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\ndproxy.sys -- (NDProxy [On_Demand | Running])
[1999/12/07 12:00:00 | 00,033,456 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\netbios.sys -- (NetBIOS [System | Running])
[2003/07/16 11:44:28 | 00,163,600 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\netbt.sys -- (NetBT [System | Running])
[1999/12/07 12:00:00 | 00,009,680 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\netdtect.sys -- (NetDetect [On_Demand | Stopped])
[1999/12/07 12:00:00 | 00,037,040 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\npfs.sys -- (Npfs [System | Running])
[2003/06/04 15:11:36 | 00,514,320 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\ntfs.sys -- (Ntfs [Disabled | Stopped])
[1999/12/07 12:00:00 | 00,002,800 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\null.sys -- (Null [System | Running])
[1999/12/07 12:00:00 | 00,012,560 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt [On_Demand | Stopped])
[1999/12/07 12:00:00 | 00,035,344 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd [On_Demand | Stopped])
[2003/06/19 11:05:04 | 00,060,208 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\parallel.sys -- (Parallel [On_Demand | Running])
[2003/06/19 11:05:04 | 00,025,104 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\parport.sys -- (Parport [System | Running])
[2003/06/19 11:05:04 | 00,011,792 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\partmgr.sys -- (PartMgr [Boot | Running])
[1999/12/07 12:00:00 | 00,006,512 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\parvdm.sys -- (ParVdm [Auto | Running])
[2003/06/19 11:05:04 | 00,059,312 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\pci.sys -- (PCI [Boot | Running])
[2003/06/19 11:05:04 | 00,109,584 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\pcmcia.sys -- (Pcmcia [Disabled | Stopped])
[2003/06/19 11:05:04 | 00,048,464 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\raspptp.sys -- (PptpMiniport [On_Demand | Running])
[2003/06/19 11:05:04 | 00,017,680 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINNT\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
[1999/12/07 12:00:00 | 00,008,016 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\rasacd.sys -- (RasAcd [System | Running])
[2003/06/19 11:05:04 | 00,052,112 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\rasl2tp.sys -- (Rasl2tp [On_Demand | Running])
[1999/12/07 12:00:00 | 00,016,880 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\raspti.sys -- (Raspti [On_Demand | Running])
[1999/12/07 12:00:00 | 00,021,712 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\RCA.sys -- (RCA [On_Demand | Stopped])
[2005/07/18 22:42:04 | 00,170,800 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\rdbss.sys -- (Rdbss [System | Running])
[2003/06/19 11:05:04 | 00,035,344 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\redbook.sys -- (redbook [System | Stopped])
[1999/10/25 15:35:34 | 00,065,072 | ---- | M] (S3 Incorporated) -- C:\WINNT\system32\DRIVERS\s3sav4m.sys -- (S3Inc [On_Demand | Stopped])
[2002/01/11 14:29:22 | 00,156,200 | ---- | M] (S3 Incorporated) -- C:\WINNT\system32\DRIVERS\s3savg4m.sys -- (S3SAVAGE4 [On_Demand | Running])
[2006/10/10 13:53:48 | 00,005,632 | ---- | M] () -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
[2006/02/16 17:51:08 | 00,004,096 | R--- | M] (SuperAdBlocker, Inc.) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Running])
[2007/02/27 12:39:26 | 00,032,256 | ---- | M] () -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
[2004/02/09 15:43:56 | 00,301,200 | R--- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT [System | Running])
[2004/02/09 15:43:56 | 00,037,008 | R--- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL [Auto | Running])
[2003/06/19 11:05:04 | 00,014,160 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\serenum.sys -- (serenum [On_Demand | Running])
[2003/06/19 11:05:04 | 00,062,736 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\serial.sys -- (Serial [System | Running])
[2003/06/19 11:05:04 | 00,010,384 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\sfloppy.sys -- (Sfloppy [System | Stopped])
[2004/07/09 02:58:38 | 00,010,880 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\DRIVERS\SLIP.sys -- (SLIP [On_Demand | Stopped])
[2005/05/03 01:10:44 | 00,238,928 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\srv.sys -- (Srv [On_Demand | Running])
[1999/09/25 10:36:08 | 00,006,736 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\DRIVERS\serscan.sys -- (StillCam [On_Demand | Running])
[2004/07/09 02:58:40 | 00,014,976 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\DRIVERS\StreamIP.sys -- (streamip [On_Demand | Stopped])
[2002/12/12 00:14:32 | 00,004,096 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\swenum.sys -- (swenum [On_Demand | Running])
[2003/06/19 11:05:04 | 00,053,552 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\swmidi.sys -- (swmidi [On_Demand | Stopped])
[2004/03/04 23:46:46 | 00,082,832 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
[2004/12/23 19:19:16 | 00,016,784 | ---- | M] (Symantec Corporation) -- C:\WINNT\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV [On_Demand | Running])
[2004/12/23 19:19:18 | 00,264,240 | ---- | M] (Symantec Corporation) -- C:\WINNT\System32\Drivers\SYMTDI.SYS -- (SYMTDI [System | Running])
[2003/06/19 11:05:04 | 00,047,568 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\sysaudio.sys -- (sysaudio [On_Demand | Running])
[2003/06/19 11:05:04 | 00,332,144 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\tcpip.sys -- (Tcpip [System | Running])
[2003/06/19 11:05:04 | 00,062,672 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\udfs.sys -- (Udfs [Disabled | Stopped])
[2003/06/19 11:05:04 | 00,032,848 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\uhcd.sys -- (uhcd [On_Demand | Running])
[2003/06/19 11:05:04 | 00,173,232 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\update.sys -- (Update [On_Demand | Running])
[2003/06/19 11:05:04 | 00,040,176 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\usbhub.sys -- (usbhub [On_Demand | Running])
[2003/06/19 11:05:04 | 00,021,552 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\USBSTOR.SYS -- (USBSTOR [On_Demand | Running])
[1999/12/07 12:00:00 | 00,013,968 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\vga.sys -- (VgaSave [System | Running])
[2003/06/19 11:05:04 | 00,032,272 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\DRIVERS\wanarp.sys -- (Wanarp [On_Demand | Running])
[2003/06/19 11:05:04 | 00,073,872 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\wdmaud.sys -- (wdmaud [On_Demand | Running])
[2004/07/09 02:58:44 | 00,018,688 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\DRIVERS\WSTCODEC.SYS -- (WSTCODEC [On_Demand | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINNT\System32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.yahoo.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22}" (HKLM) -- C:\Program Files\AIM Search\AOLSearch.dll (America Online, Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINNT\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-2000478354-842925246-1957994488-1000\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINNT\System32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.yahoo.com/

[HKEY_USERS\S-1-5-21-2000478354-842925246-1957994488-1000\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_USERS\S-1-5-21-2000478354-842925246-1957994488-1000\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22}" (HKLM) -- C:\Program Files\AIM Search\AOLSearch.dll (America Online, Inc.)

[HKEY_USERS\S-1-5-21-2000478354-842925246-1957994488-1000\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINNT\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2000478354-842925246-1957994488-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (27 bytes) - C:\WINNT\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{4A368E80-174F-4872-96B5-0B27DDD11DB2} (HKLM) -- C:\Program Files\SpywareGuard\dlprotect.dll ()

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{8E718888-423F-11D2-876E-00A0C9082467}" (HKLM) -- C:\WINNT\System32\msdxm.ocx ()

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}" (HKLM) -- C:\WINNT\System32\browseui.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}" (HKLM) -- C:\WINNT\System32\browseui.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}" (HKLM) -- C:\WINNT\System32\browseui.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}" (HKLM) -- C:\WINNT\System32\browseui.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2000478354-842925246-1957994488-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}" (HKLM) -- C:\WINNT\System32\browseui.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2000478354-842925246-1957994488-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}" (HKLM) -- C:\WINNT\System32\browseui.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2000478354-842925246-1957994488-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}" (HKLM) -- C:\WINNT\System32\browseui.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2000478354-842925246-1957994488-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}" (HKLM) -- C:\WINNT\System32\browseui.dll (Microsoft Corporation)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
"RAM Idle Professional"=C:\Program Files\TweakNow PowerPack\RAM_XP.exe ()
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (Sun Microsystems, Inc.)
"Synchronization Manager"=mobsync.exe /logon (Microsoft Corporation)
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe (Symantec Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"= File not found
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0 (Adobe Systems Incorporated)
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-2000478354-842925246-1957994488-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"= File not found
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0 (Adobe Systems Incorporated)
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (Yahoo! Inc.)

========== (O4) RunOnce Keys ==========

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (Microsoft Corporation)

========== (O4) Startup Folders ==========

[2008/04/23 03:38:16 | 00,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[2003/08/29 19:05:36 | 00,360,448 | ---- | M] () -- C:\Documents and Settings\Marshall Islands\Start Menu\Programs\Startup\SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=255

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=149
"CDRAutoRun"=0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=149

[HKEY_USERS\S-1-5-21-2000478354-842925246-1957994488-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=149
"CDRAutoRun"=0

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE [2004/05/18 16:58:38 | 10,080,960 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2000478354-842925246-1957994488-1000\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE [2004/05/18 16:58:38 | 10,080,960 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [2008/06/10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %SystemDrive%\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %SystemRoot%\system32\msjava.dll [Web Browser Applet Control] -> [2003/02/28 18:26:26 | 00,947,472 | ---- | M] (Microsoft Corporation)
CmdMapping\\{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %SystemDrive%\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{A75C6120-9B36-11d4-A3F0-009027427750} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} [HKLM] -> %SystemDrive%\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [Messenger Class] -> [2007/08/30 17:43:18 | 04,670,704 | ---- | M] (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-2000478354-842925246-1957994488-1000\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %SystemRoot%\system32\msjava.dll [Web Browser Applet Control] -> [2003/02/28 18:26:26 | 00,947,472 | ---- | M] (Microsoft Corporation)
CmdMapping\\{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %SystemDrive%\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{A75C6120-9B36-11d4-A3F0-009027427750} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} [HKLM] -> %SystemDrive%\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [Messenger Class] -> [2007/08/30 17:43:18 | 04,670,704 | ---- | M] (Yahoo! Inc.)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}: http://www.apple.com/qtactivex/qtplugin.cab -- QuickTime Plugin Control
{21F49842-BFA9-11D2-A89C-00104B62BDDA}: http://www.schaeffersresearch.com/download/CfxIEAx.cab -- ChartFX Internet Control
{24BACF02-5676-11D3-B8DE-00105A17A9E6}: http://www.schaeffersresearch.com/Download/Cfx4Financial.cab -- ChartFX Internet Financial Client 4.0
{31435657-9980-0010-8000-00AA00389B71}: http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab -- Reg Error: Key does not exist or could not be opened.
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}: http://office.microsoft.com/officeupdate/content/opuc.cab -- Office Update Installation Engine
{4F1E5B1A-2A80-42CA-8532-2D05CB959537}: http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab -- MSN Photo Upload Tool
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}: http://acs.pandasoftware.com/activescan/as5free/asinst.cab -- ActiveScan Installer Class
{9F1C11AA-197B-4942-BA54-47A8489BB47F}: http://v4.windowsupdate.microsoft.com/CAB/...8369.7317708333 -- Reg Error: Key does not exist or could not be opened.
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://download.macromedia.com/pub/shockwa...ash/swflash.cab -- Shockwave Flash Object
DirectAnimation Java Classes: file://C:\WINNT\Java\classes\dajava.cab -- Reg Error: Key does not exist or could not be opened.
Microsoft XML Parser for Java: file://C:\WINNT\Java\classes\xmldso.cab -- Reg Error: Key does not exist or could not be opened.

========== (O17) DNS Name Servers ==========

{443A9521-27F8-4C56-B5F5-F66A6567267D} (Servers: | Description: 3Com EtherLink XL 10/100 PCI TX NIC (3C905B-TX))

========== (O20) HKLM Winlogon Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=Explorer.exe
>[2003/06/19 11:05:04 | 00,243,472 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Explorer.exe

"UserInit"=C:\WINNT\system32\userinit.exe,
>[2003/06/19 11:05:04 | 00,017,680 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\userinit.exe

"VMApplet"=rundll32 shell32,Control_RunDLL "sysdm.cpl"
>[2006/03/24 01:54:06 | 02,361,616 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\shell32.dll
>[2003/06/19 11:05:04 | 00,125,712 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\sysdm.cpl


========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
!SASWinLogon: "DllName" = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll -- C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
crypt32chain: "DllName" = crypt32.dll -- C:\WINNT\system32\crypt32.dll (Microsoft Corporation)
cryptnet: "DllName" = cryptnet.dll -- C:\WINNT\system32\cryptnet.dll (Microsoft Corporation)
cscdll: "DllName" = cscdll.dll -- C:\WINNT\system32\cscdll.dll (Microsoft Corporation)
NavLogon: "DllName" = C:\WINNT\system32\NavLogon.dll -- C:\WINNT\system32\NavLogon.dll (Symantec Corporation)
sclgntfy: "DllName" = sclgntfy.dll -- C:\WINNT\system32\sclgntfy.dll (Microsoft Corporation)
SensLogn: "DllName" = WlNotify.dll -- C:\WINNT\system32\WlNotify.dll (Microsoft Corporation)
wzcnotif: "DllName" = wzcdlg.dll -- C:\WINNT\system32\wzcdlg.dll (Microsoft Corporation)

========== (O21) SSODL Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"={7007ACCF-3202-11D1-AAD2-00805FC1270E} (HKLM) -- C:\WINNT\system32\NETSHELL.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysTray"={35CEC8A3-2BE6-11D2-8773-92E220524153} (HKLM) -- C:\WINNT\system32\stobject.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"={E6FB5E20-DE35-11CF-9C87-00AA005127ED} (HKLM) -- C:\WINNT\System32\webcheck.dll (Microsoft Corporation)

========== (O22) Shared Task Scheduler ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}" (HKLM) = Browseui preloader -- C:\WINNT\System32\browseui.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}" (HKLM) = Component Categories cache daemon -- C:\WINNT\System32\browseui.dll (Microsoft Corporation)

========== IFEO "Debugger" Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\]
Your Image File Name Here without a path:"Debugger" = C:\WINNT\System32\ntsd.exe (Microsoft Corporation)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" (HKLM) -- C:\Program Files\SpywareGuard\spywareguard.dll ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}" (HKLM) -- C:\WINNT\system32\shell32.dll (Microsoft Corporation)

========== HKLM *SecurityProviders* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
>[1999/12/07 12:00:00 | 00,080,128 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\msapsspc.dll
>[2007/04/25 00:52:16 | 00,147,216 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\schannel.dll
>[2002/08/29 07:14:40 | 00,055,296 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\digest.dll
>[1999/12/07 12:00:00 | 00,116,272 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\msnsspc.dll

========== LSA *Authentication Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=msv1_0,
>[2004/03/10 18:37:18 | 00,123,152 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\msv1_0.dll

========== LSA *Security Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=kerberos,msv1_0,schannel,
>[2005/06/14 21:22:48 | 00,208,144 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\kerberos.dll
>[2004/03/10 18:37:18 | 00,123,152 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\msv1_0.dll
>[2007/04/25 00:52:16 | 00,147,216 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\schannel.dll

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Files/Folders - Created Within 30 Days ==========

[2008/10/06 08:30:31 | 00,416,768 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Marshall Islands\Desktop\OTViewIt.exe
[2008/10/06 07:44:15 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_53c.dat
[2008/09/23 09:57:39 | 00,001,494 | ---- | C] () -- C:\Documents and Settings\Marshall Islands\Desktop\HijackThis.lnk
[2008/09/23 09:57:29 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008/09/23 09:56:47 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Marshall Islands\Desktop\HJTInstall.exe
[2008/09/16 09:00:17 | 00,009,253 | ---- | C] () -- C:\Documents and Settings\Marshall Islands\Desktop\Geraty.pdf
[2008/09/16 08:59:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Marshall Islands\Desktop\SVNUTS
[2008/09/08 14:17:14 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_268.dat

========== Files - Modified Within 30 Days ==========

[2008/10/06 08:30:34 | 00,416,768 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Marshall Islands\Desktop\OTViewIt.exe
[2008/10/06 07:47:16 | 00,002,223 | ---- | M] () -- C:\Documents and Settings\Marshall Islands\Desktop\Trader.lnk
[2008/10/06 07:44:16 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_53c.dat
[2008/10/06 07:43:10 | 00,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2008/09/23 09:57:40 | 00,001,494 | ---- | M] () -- C:\Documents and Settings\Marshall Islands\Desktop\HijackThis.lnk
[2008/09/23 09:56:48 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Marshall Islands\Desktop\HJTInstall.exe
[2008/09/16 09:00:18 | 00,009,253 | ---- | M] () -- C:\Documents and Settings\Marshall Islands\Desktop\Geraty.pdf
[2008/09/11 11:29:36 | 00,025,088 | ---- | M] () -- C:\Documents and Settings\Marshall Islands\Desktop\bills(1).xls
[2008/09/10 12:49:34 | 00,062,464 | ---- | M] () -- C:\Documents and Settings\Marshall Islands\Desktop\LFG Letterhead.doc
[2008/09/08 14:17:16 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_268.dat
< End of report >

OTViewIt Extras logfile created on: 10/6/2008 8:31:52 AM - Run
OTViewIt by OldTimer - Version 1.0.10.0 Folder = C:\Documents and Settings\Marshall Islands\Desktop
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

255.54 Mb Total Physical Memory | 121.57 Mb Available Physical Memory | 47.57% Memory free
545.00 Mb Paging File | 131.75 Mb Available in Paging File | 24.18% Paging File free
Paging file location(s): C:\pagefile.sys 192 384;

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 8.47 Gb Total Space | 3.21 Gb Free Space | 37.89% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SAHARA
Current User Name: Marshall Islands
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hta [@ = htafile] -- Reg Error: Value does not exist or could not be read. File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000001 [Tcpip] -- C:\WINNT\System32\rnr20.dll (Microsoft Corporation)
NameSpace_Catalog5\Catalog_Entries\000000000002 [NTDS] -- C:\WINNT\System32\winrnr.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000001 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000002 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000003 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000004 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000005 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000006 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000007 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000008 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000009 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000010 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000011 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)

========== HKEY_CURRENT_USER Protocol Defaults ==========


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-21-2000478354-842925246-1957994488-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005/01/27 15:35:12 | 02,806,272 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\mshtml.dll (about:{3050F406-98B5-11CF-BB82-00AA00BDCE0B} (HKLM) [Microsoft HTML About Pluggable Protocol])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004/12/07 16:37:46 | 00,495,104 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\urlmon.dll (cdl:{3dd53d40-7b8b-11D0-b013-00aa0059ce02} (HKLM) [CDL: Asychronous Pluggable Protocol Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004/12/07 16:37:46 | 00,495,104 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\urlmon.dll (file:{79eac9e7-baf9-11ce-8c82-00aa004ba90b} (HKLM) [file:, local: Asychronous Pluggable Protocol Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2006/02/06 16:56:32 | 00,057,344 | ---- | M] () C:\PROGRA~1\NETEXC~1.0\FlowHook.dll (flowto:{C7101FB0-28FB-11D5-883A-204C4F4F5021} (HKLM) [FlowFilter Class])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004/12/07 16:37:46 | 00,495,104 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\urlmon.dll (ftp:{79eac9e3-baf9-11ce-8c82-00aa004ba90b} (HKLM) [ftp: Asychronous Pluggable Protocol Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004/12/07 16:37:46 | 00,495,104 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\urlmon.dll (gopher:{79eac9e4-baf9-11ce-8c82-00aa004ba90b} (HKLM) [gopher: Asychronous Pluggable Protocol Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004/12/07 16:37:46 | 00,495,104 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\urlmon.dll (http:{79eac9e2-baf9-11ce-8c82-00aa004ba90b} (HKLM) [http: Asychronous Pluggable Protocol Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll http\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll http\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004/12/07 16:37:46 | 00,495,104 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\urlmon.dll (https:{79eac9e5-baf9-11ce-8c82-00aa004ba90b} (HKLM) [https: Asychronous Pluggable Protocol Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll https\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll https\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005/04/21 07:16:56 | 00,128,000 | ---- | M] (Microsoft Corporation) C:\WINNT\System32\itss.dll (its:{9D148291-B9C8-11D0-A4CC-0000F80149F6} (HKLM) [Microsoft InfoTech Protocols for IE 4.0])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005/01/27 15:35:12 | 02,806,272 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\mshtml.dll (java script:{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} (HKLM) [Microsoft HTML Javascript Pluggable Protocol])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004/12/07 16:37:46 | 00,495,104 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\urlmon.dll (local:{79eac9e7-baf9-11ce-8c82-00aa004ba90b} (HKLM) [file:, local: Asychronous Pluggable Protocol Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005/01/27 15:35:12 | 02,806,272 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\mshtml.dll (mailto:{3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} (HKLM) [Microsoft HTML Mailto Pluggable Protocol])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2006/11/06 12:47:54 | 00,596,480 | ---- | M] (Microsoft Corporation) C:\WINNT\System32\inetcomm.dll (mhtml:{05300401-BCBC-11d0-85E3-00C04FD85AB4} (HKLM) [MHTML Asychronous Pluggable Protocol Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004/12/07 16:37:46 | 00,495,104 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\urlmon.dll (mk:{79eac9e6-baf9-11ce-8c82-00aa004ba90b} (HKLM) [mk: Asychronous Pluggable Protocol Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005/04/21 07:16:56 | 00,128,000 | ---- | M] (Microsoft Corporation) C:\WINNT\System32\itss.dll (ms-its:{9D148291-B9C8-11D0-A4CC-0000F80149F6} (HKLM) [Microsoft InfoTech Protocols for IE 4.0])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004/04/22 23:30:54 | 07,334,592 | ---- | M] (Microsoft Corporation) C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004/03/22 18:58:02 | 08,140,480 | ---- | M] (Microsoft Corporation) C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005/01/27 15:35:12 | 02,806,272 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\mshtml.dll (res:{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} (HKLM) [Microsoft HTML Resource Pluggable Protocol])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005/01/27 15:35:12 | 02,806,272 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\mshtml.dll (sysimage:{76E67A63-06E9-11D2-A840-006008059382} (HKLM) [Microsoft HTML Resource Pluggable Protocol])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005/01/27 15:35:12 | 02,806,272 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\mshtml.dll (vbscript:{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} (HKLM) [Microsoft HTML Javascript Pluggable Protocol])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/09/17 11:01:28 | 00,844,048 | ---- | M] () C:\WINNT\System32\msdxm.ocx (vnd.ms.radio:{3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} (HKLM) [AsyncPProt Class])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2006/12/22 12:28:14 | 00,271,360 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\mscoree.dll application/octet-stream:{1E66F26B-79EE-11D2-8710-00C04F79ED0D} (HKLM) [Cor MIME Filter, CorFltr, CorFltr 1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2006/12/22 12:28:14 | 00,271,360 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\mscoree.dll application/x-complus:{1E66F26B-79EE-11D2-8710-00C04F79ED0D} (HKLM) [Cor MIME Filter, CorFltr, CorFltr 1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2006/12/22 12:28:14 | 00,271,360 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\mscoree.dll application/x-msdownload:{1E66F26B-79EE-11D2-8710-00C04F79ED0D} (HKLM) [Cor MIME Filter, CorFltr, CorFltr 1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2004/12/07 16:37:46 | 00,495,104 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\urlmon.dll Class Install Handler:{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} (HKLM) [AP Class Install Handler filter]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2004/12/07 16:37:46 | 00,495,104 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\urlmon.dll deflate:{8f6b0360-b80d-11d0-a9b3-006097942311} (HKLM) [AP lzdhtml encoding/decoding Filter]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2004/12/07 16:37:46 | 00,495,104 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\urlmon.dll gzip:{8f6b0360-b80d-11d0-a9b3-006097942311} (HKLM) [AP lzdhtml encoding/decoding Filter]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2004/12/07 16:37:46 | 00,495,104 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\urlmon.dll lzdhtml:{8f6b0360-b80d-11d0-a9b3-006097942311} (HKLM) [AP lzdhtml encoding/decoding Filter]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2006/03/24 01:54:06 | 02,361,616 | ---- | M] (Microsoft Corporation) C:\WINNT\system32\shell32.dll text/webviewhtml:{733AC4CB-F1A4-11d0-B951-00A0C90312E1} (HKLM) [WebView MIME Filter]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 22:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1030DCDC-2425-407d-BEE1-13558B837FCA}"=HP Color LaserJet 2820/2830/2840 2.0
"{1BC13EA1-D74C-4ACA-B687-612C56390C18}"=Laser
"{21177CCC-03F8-420C-8047-37894DE92548}"=DiskeeperWorkstation
"{3248F0A8-6813-11D6-A77B-00B0D0160070}"=Java™ 6 Update 7
"{384A291D-1138-4218-A41B-87CBAE22CFBA}"=hppFaxUtility
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}"=Microsoft Windows Journal Viewer
"{59073DF9-3D3D-4FFC-AF41-C2C268A1A31E}"=hppTooCool
"{6F716D8C-398F-11D3-85E1-005004838609}"=WebFldrs
"{7D7F2CB5-F9A4-4E86-853D-1BADD936DDAD}"=hppscan2800
"{8043D1B8-81AE-4597-AAA8-1E1F49D6E4DF}"=hppManuals2800
"{848AC794-8B81-440A-81AE-6474337DB527}"=Symantec AntiVirus
"{8777AC6D-89F9-4793-8266-DE406F343E89}"=QFolder
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{A28F43DA-258F-42EC-9C95-E6C9A7475670}"=hppIOFiles
"{AA1C6B03-B081-4947-B17E-9917F440FF68}"=Reuters Plus
"{AAD6DACF-9F13-4D28-900B-CD929B615147}"=Reuters Plus
"{AC76BA86-7AD7-1033-7B44-A71000000002}"=Adobe Reader 7.1.0
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B6}"=WinZip 11.2
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}"=SUPERAntiSpyware Free Edition
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}"=Ad-Aware 2007
"{E9EB5689-4F76-4E3C-A675-5ED5F52AB890}"=NTI Shadow 3
"{FE3F3C9B-2C29-4FEE-A74F-11E436729F2C}"=Scan
"7-Zip"=7-Zip 4.23
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"AIM Search"=AIM Search
"AIM_6"=AIM 6
"CCleaner"=CCleaner (remove only)
"HijackThis"=HijackThis 2.0.2
"HP Photo & Imaging"=HP Image Zone 4.7
"KB837272"=Windows Media Player Hotfix [See KB837272 for more information]
"KB870669"=Microsoft Data Access Components KB870669
"KB885492"=Windows Media Player 9 Hotfix [See KB885492 for more information]
"LimeWire"=LimeWire 4.18.3
"LiveUpdate"=LiveUpdate 2.0 (Symantec Corporation)
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Mozilla Firefox (3.0.3)"=Mozilla Firefox (3.0.3)
"NetExchangePro 3.0"=NetExchangePro 3.0
"Panda ActiveScan"=Panda ActiveScan
"Q818043"=Windows 2000 Hotfix (SP5) Q818043
"Q828026"=Windows Media Player Hotfix [See Q828026 for more information]
"SpywareGuard_is1"=SpywareGuard v2.2
"TweakNow PowerPack 2005_is1"=TweakNow PowerPack 2005
"ViewpointMediaPlayer"=Viewpoint Media Player
"Windows 2000 Service Pack"=Windows 2000 Service Pack 4
"WMP7"=Windows Media Player system update (9 Series)
"Yahoo! Messenger"=Yahoo! Messenger

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting"=GoToMeeting/GoToWebinar 3.0.0.198

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2000478354-842925246-1957994488-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting"=GoToMeeting/GoToWebinar 3.0.0.198

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/26/2008 4:58:12 PM | Computer Name = SAHARA | Source = Userenv | ID = 1000
Description = Windows cannot unload your registry file. If you have a roaming profile,
your settings are not replicated. Contact your administrator. DETAIL - Access
is denied. , Build number ((2195)).

Error - 3/3/2008 12:34:56 PM | Computer Name = SAHARA | Source = Microsoft Internet Explorer | ID = 1000
Description =

[ System Events ]
Error - 10/2/2008 1:54:39 PM | Computer Name = SAHARA | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
OFFICE-PC that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{443A9521-27F8-4C56. The master browser is stopping or an election is
being forced.

Error - 10/2/2008 2:54:42 PM | Computer Name = SAHARA | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
OFFICE-PC that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{443A9521-27F8-4C56. The master browser is stopping or an election is
being forced.

Error - 10/2/2008 4:01:29 PM | Computer Name = SAHARA | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
OFFICE-PC that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{443A9521-27F8-4C56. The master browser is stopping or an election is
being forced.

Error - 10/2/2008 5:01:29 PM | Computer Name = SAHARA | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
OFFICE-PC that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{443A9521-27F8-4C56. The master browser is stopping or an election is
being forced.

Error - 10/3/2008 10:56:05 AM | Computer Name = SAHARA | Source = atirage3 | ID = 16842754
Description = Unable to map required address ranges for graphics card.

Error - 10/3/2008 11:20:22 AM | Computer Name = SAHARA | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
OFFICE-PC that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{443A9521-27F8-4C56. The master browser is stopping or an election is
being forced.

Error - 10/3/2008 12:38:04 PM | Computer Name = SAHARA | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
OFFICE-PC that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{443A9521-27F8-4C56. The master browser is stopping or an election is
being forced.

Error - 10/3/2008 1:50:05 PM | Computer Name = SAHARA | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
OFFICE-PC that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{443A9521-27F8-4C56. The master browser is stopping or an election is
being forced.

Error - 10/3/2008 3:26:05 PM | Computer Name = SAHARA | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
OFFICE-PC that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{443A9521-27F8-4C56. The master browser is stopping or an election is
being forced.

Error - 10/6/2008 10:42:57 AM | Computer Name = SAHARA | Source = atirage3 | ID = 16842754
Description = Unable to map required address ranges for graphics card.


< End of report >

Tuesday, October 7, 2008
Operating System: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, October 06, 2008 13:05:11
Records in database: 1294374

Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer
A:\
C:\
D:\
E:\

Scan statistics
Files scanned: 30506
Threat name: 9
Infected objects: 41
Suspicious objects: 0
Duration of the scan: 04:54:15

File name | Threat name | Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04100000.VBN | Infected: Backdoor.Win32.SdBot.vq | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\041C0000.VBN | Infected: Trojan.Win32.Qhost | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\030C0000.VBN | Infected: Trojan-Proxy.Win32.Ranky.bc | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\030C0001.VBN | Infected: Trojan-Proxy.Win32.Ranky.gen | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\030C0002.VBN | Infected: Trojan-Proxy.Win32.Ranky.bc | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\030C0003.VBN | Infected: Trojan-Proxy.Win32.Ranky.bc | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\030C0004.VBN | Infected: Backdoor.Win32.IRCBot.gen | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\030C0005.VBN | Infected: Backdoor.Win32.IRCBot.bl | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\030C0006.VBN | Infected: Backdoor.Win32.IRCBot.bl | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\030C0007.VBN | Infected: Trojan-Proxy.Win32.Ranky.bc | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\030C0008.VBN | Infected: Backdoor.Win32.IRCBot.bl | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\030C0009.VBN | Infected: Backdoor.Win32.IRCBot.bl | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\030C000A.VBN | Infected: Backdoor.Win32.Agobot.nq | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\030C000B.VBN | Infected: Backdoor.Win32.IRCBot.gen | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\045C0000.VBN | Infected: Backdoor.Win32.Agobot.nq | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\045C0001.VBN | Infected: Backdoor.Win32.IRCBot.gen | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05300000.VBN | Infected: Trojan-Proxy.Win32.Ranky.bc | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05300000.VBN | Infected: Backdoor.Win32.IRCBot.bl | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05300001.VBN | Infected: Backdoor.Win32.IRCBot.bl | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05300001.VBN | Infected: Trojan-Proxy.Win32.Ranky.bc | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05300002.VBN | Infected: Backdoor.Win32.IRCBot.bl | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05300002.VBN | Infected: Trojan-Proxy.Win32.Ranky.bc | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05300003.VBN | Infected: Backdoor.Win32.IRCBot.bl | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05300004.VBN | Infected: Trojan-Proxy.Win32.Ranky.gen | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05300004.VBN | Infected: Backdoor.Win32.IRCBot.bl | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05300005.VBN | Infected: Backdoor.Win32.IRCBot.bl | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05300006.VBN | Infected: Trojan-Proxy.Win32.Ranky.bc | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05300006.VBN | Infected: Backdoor.Win32.IRCBot.bl | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05300007.VBN | Infected: Trojan-Proxy.Win32.Ranky.bc | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05300008.VBN | Infected: Backdoor.Win32.IRCBot.bl | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05300009.VBN | Infected: Backdoor.Win32.IRCBot.gen | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05300009.VBN | Infected: Trojan-Proxy.Win32.Ranky.bc | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0530000A.VBN | Infected: Backdoor.Win32.IRCBot.gen | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0530000B.VBN | Infected: Backdoor.Win32.IRCBot.bl | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0530000C.VBN | Infected: Backdoor.Win32.IRCBot.bl | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0530000C.VBN | Infected: Trojan-Proxy.Win32.Ranky.gen | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0530000D.VBN | Infected: Backdoor.Win32.IRCBot.bl | 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0530000E.VBN | Infected: Backdoor.Win32.IRCBot.gen | 1
C:\Documents and Settings\Marshall Islands\Desktop\DLs\Incomplete\Preview-T-5745425-darth vader.mp3 | Infected: Trojan-Downloader.WMA.Wimad.n | 1
C:\mIRC\rtc.exe | Infected: not-a-virus:Client-IRC.Win32.mIRC.571 | 1
C:\RTC\mirc32.exe | Infected: not-a-virus:Client-IRC.Win32.mIRC.571 | 1

The selected area was scanned.

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:02:56 PM

Posted 07 October 2008 - 08:11 PM

Hello, Chaeron.
I understand :thumbsup: Kaspersky can take a long time :)

There doesn't appear to be active malware in there. Are you still having problems?

You have a Peer-To-Peer program installed.
Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case LimeWire). These programs allow users to share files with each other, as the name suggests. In today's world, cyber crime has reached an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is suggested that they be used with great care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Viewpoint is considered foistware rather than malware because it is installed without the user's approval, but it doesn't spy or do anything "bad". You may like to read this article about the potential of this Viewpoint software here:
http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on Start > Run... > and then paste the following into the "Open" field: "appwiz.cpl" and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, and/or Viewpoint Media Player.

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the OTMoveIt3 icon on your desktop.
  • Paste the following code into the paste area. Do not include the word "Code".
    :files
    C:\Documents and Settings\Marshall Islands\Desktop\DLs\Incomplete\Preview-T-5745425-darth vader.mp3
  • Push the large move button (the one that runs the script).
  • OTMoveIt3 may ask to reboot the machine. Please do so if asked.
  • Copy/paste the contents of the results area here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start -> All Programs -> Accessories -> Notepad), click File -> Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.
We have to remove some entries in HijackThis
  • Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below:
    O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
  • Close all windows other than HijackThis, including browsers, so that nothing other than HijackThis is open, then click "Fix checked". A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
In your next reply, please include the following:
  • OTMoveIt3's log
  • A new HijackThis log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
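The ":files" script layout used in the instructions above, worked through as an added example that is not OldTimer's OTMoveIt3 and not code from this thread: a small Python interpreter that reads the same one-path-per-line section, moves each listed file into a quarantine folder mirroring its original path (rather than deleting it, so a false positive can be put back), and writes a log in the "moved successfully." style. The sample file name, the temporary folder and the quarantine location are constructed for the demonstration.

```python
"""Minimal interpreter for an OTMoveIt-style ':files' script.

Added illustration only: this is not OldTimer's OTMoveIt3. It reads the
':files' + one-path-per-line layout used in the thread, moves each listed
file into a quarantine folder that mirrors the original path, and writes a
log in the "<path> moved successfully." style seen in the poster's reply.
"""
import os
import shutil
import tempfile
from datetime import datetime


def parse_script(text):
    """Return {section_name: [entries]} for a script such as ':files\\n<path>'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):          # section header, e.g. ':files'
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def quarantine_path(quarantine_root, src):
    """Mirror src under quarantine_root; the drive letter becomes a folder name."""
    drive, rest = os.path.splitdrive(os.path.abspath(src))
    drive = drive.rstrip(":") or "root"    # 'C:' -> 'C'; no drive (POSIX) -> 'root'
    return os.path.join(quarantine_root, drive, rest.lstrip("\\/"))


def move_files(script_text, quarantine_root):
    """Move every ':files' entry into quarantine. Returns (log_lines, {src: dst_or_None})."""
    log = ["========== FILES =========="]
    results = {}
    for src in parse_script(script_text).get("files", []):
        if os.path.isfile(src):
            dst = quarantine_path(quarantine_root, src)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.move(src, dst)          # move, not delete: keeps a restorable copy
            log.append(f"{src} moved successfully.")
            results[src] = dst
        else:
            log.append(f"{src} not found.")
            results[src] = None
    log.append(f"log created on {datetime.now().strftime('%m%d%Y_%H%M%S')}")
    return log, results


def demo():
    """Constructed sample: one stale download plus one path that does not exist."""
    with tempfile.TemporaryDirectory() as tmp:
        incomplete = os.path.join(tmp, "Desktop", "DLs", "Incomplete")
        os.makedirs(incomplete)
        stale = os.path.join(incomplete, "Preview-T-0000000-sample.mp3")  # constructed name
        with open(stale, "wb") as fh:
            fh.write(b"not a real mp3")
        missing = os.path.join(tmp, "Desktop", "gone.tmp")               # never created
        script = f":files\n{stale}\n{missing}\n"
        quarantine = os.path.join(tmp, "_OTMoveIt", "MovedFiles")
        log, results = move_files(script, quarantine)
        return {
            "moved_line": log[1],
            "missing_line": log[2],
            "source_gone": not os.path.exists(stale),
            "in_quarantine": results[stale] is not None and os.path.isfile(results[stale]),
            "missing_result": results[missing],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block moves the constructed sample file into the quarantine tree and reports the missing path without aborting, which is the behaviour a helper wants when a script lists a file the user has already deleted.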

#7 Billy O'Neal

Posted 09 October 2008 - 02:58 PM

Hello, Chaeron.
Are you still here?

Billy3

#8 Chaeron

Posted 09 October 2008 - 03:17 PM

Billy,

Yes, and I am sorry I haven't had a chance to do the fix given yesterday. With the markets crashing world-wide, I am swamped with work (which I need the PC for) and will get to you in 24 hours if that is OK. Thanks for checking. I really appreciate it...

Chaeron

#9 Billy O'Neal

Posted 09 October 2008 - 03:20 PM

That's perfectly fine :) Just checking to be sure you're still here... we get lots of times when people decide to format, or take it to a shop or something, and then vanish :thumbsup:

Good luck!

Billy3

#10 Chaeron

Posted 10 October 2008 - 12:34 PM

I hope this is what you were looking for...

Many thanks,

Chaeron


========== FILES ==========
C:\Documents and Settings\Marshall Islands\Desktop\DLs\Incomplete\Preview-T-5745425-darth vader.mp3 moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.4.2 log created on 10102008_085400




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:04 AM, on 10/10/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hpzipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\TweakNow PowerPack\RAM_XP.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\RTC\mirc32.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINNT\system32\wuauclt.exe
C:\Genesis\Trader\Trader.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Symantec AntiVirus\VPC32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\TweakNow PowerPack\RAM_XP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.schaeffersresearch.com/download/CfxIEAx.cab
O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Download/Cfx4Financial.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\hpzipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6379 bytes
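A small parser for the HijackThis log format shown above, added here as an example; it is not part of the thread and not code from Trend Micro's tool. It reads the "Oxx - ..." entry lines into records (section, CLSID, file path), lists the O18 protocol-hijack entries, and diffs a before and after scan so a helper can verify that only the entries ticked under "Fix checked" disappeared and nothing new appeared. The two sample logs are constructed (and abridged) from lines of the kind posted in this thread.

```python
"""Parse HijackThis v2 log entries and diff two scans.

Added example, not part of the thread or of the HijackThis tool. It turns
the 'Oxx - ...' lines into records (section, CLSID, file path), lists O18
protocol-hijack entries, and diffs a 'before' and 'after' log to confirm
that exactly the fixed entries disappeared and nothing new turned up.
"""
import re
from dataclasses import dataclass
from typing import Optional

# R0-R3, F0-F3, N1-N4 and O1-O24 are the HijackThis section prefixes.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
# First drive-letter path ending in a binary/shortcut extension; quotes excluded.
PATH_RE = re.compile(r'[A-Z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|lnk|cab)', re.I)


@dataclass(frozen=True)
class HjtEntry:
    section: str
    body: str
    clsid: Optional[str]
    path: Optional[str]


def parse_entry(line):
    """Return an HjtEntry for one log line, or None for headers/process lists."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    guid = GUID_RE.search(body)
    path = PATH_RE.search(body)
    return HjtEntry(
        section=m.group("section"),
        body=body,
        clsid=guid.group(0).upper() if guid else None,
        path=path.group(0) if path else None,
    )


def parse_log(text):
    """All entry records in a HijackThis log, in file order."""
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def protocol_hijacks(entries):
    """O18 entries that HijackThis itself labels as protocol hijacks."""
    return [e for e in entries
            if e.section == "O18" and e.body.startswith("Protocol hijack:")]


def diff_logs(before_text, after_text):
    """(removed, added) entry keys between two scans of the same machine."""
    before = {(e.section, e.body) for e in parse_log(before_text)}
    after = {(e.section, e.body) for e in parse_log(after_text)}
    return sorted(before - after), sorted(after - before)


# Constructed sample logs (abridged); the O18 line is the one fixed in the thread.
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINNT\System32\smss.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# The 'after' scan is the same machine with the O18 entry fixed.
AFTER_LOG = BEFORE_LOG.replace(
    "O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}\n", ""
)

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", removed)
    print("added:", added)
    for e in protocol_hijacks(parse_log(AFTER_LOG)):
        print("hijack still present:", e.clsid)
```

Keying the diff on (section, body) rather than on the whole line means cosmetic differences such as trailing whitespace do not show up as changes, while a re-created Run entry or a new O18 handler does.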

#11 Billy O'Neal

Posted 10 October 2008 - 06:01 PM

Hello, Chaeron.
That's looking fine :thumbsup:

How are things running?

Billy3

#12 Chaeron

Posted 13 October 2008 - 10:12 AM

Billy, many, many thanks. Seems all better, but still getting three viruses on automatic from my Symantec, but when I run a scan I get nothing. This is why I took a bit to get back to you. Ran it three times, but nothing found. But on startup twice it came up with three bugs. Thought they'd be auto-deleted, but I guess not. Am trying to copy from the auto-startup what and where they are.

Chaeron

#13 Billy O'Neal

Posted 13 October 2008 - 03:40 PM

Please clean out System Restore as described below. Does Norton keep prompting after that?
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Billy3

Edited by Billy O'Neal, 13 October 2008 - 03:56 PM.


#14 Chaeron

Posted 14 October 2008 - 09:53 AM

Hi Billy,

No "System restore" after TOOLS. Just "System Info" with nothing remotely close to "restore". Shucks. Any other path?

Thanks,
Chaeron

#15 Billy O'Neal

Posted 14 October 2008 - 02:36 PM

Go to start -> Run and enter
%systemroot%\system32\restore\rstui.exe

:D

Billy3
