
Antivirus 2009 is destroying my LIFE!


19 replies to this topic

#1 jpcook


Posted 10 October 2008 - 04:34 PM

Antivirus-fullscan.com (Antivirus 2009) has taken over my life as I knew it.

I cannot access the home page of my website from my computer because AV2009 takes my browser. I have to kill the IE process to get out.
I've been working for weeks trying to rid my system of this while trying to keep work coming in. I'm dead in the water.
---------
OS - WinXP-SP2
BROWSERS - IE6-> IE7, Opera, Maxthon, FireFox all current as of three weeks ago.
ISP - Comcast
HOST - Bluehost
SITES - Joomla 1.5.7 (new installations, nothing of value)
URLS - efinancialharmonu.com/pp1 (pp and pps) (new installations, nothing of value)
Marriage - on the rocks
-------------
Symptoms:

• In the beginning, a month or more ago, I would be working on the back end of Joomla (efinancialharmony.com/pps/administrator) when I would get a popup telling me that I had viruses. Behind the popup there would be a blue window showing something was being downloaded or scanned. I don’t ever recall having clicked on it. To regain control of the browser I have to kill the process.

• I’ve gone through all the procedures that a variety of sites recommend, i.e. Castlecops, Bleeping, etc. and I still am hijacked. I’ve installed many scanners, had scans done, etc. During this time however, the presentation of AV2009 has changed, that is at times it was Win XP Antivirus then Antivirus 2008 then Antivirus 2009. I have screen captures of several and I can send them if it would help. I am attaching the current version as Presentation AV2009.png. I don’t know whether the changing of the presentation is due to morphing or reinfection or infection by visiting my site or just a series of infections.

• When hijacked, IE7 redirects me from my site to (attached: IE address for AV.png)

hxxp://antivirus-fullscan.com/2009/1/en/freescan.php?id=880147&user=147

• Installing ZoneAlarm has allowed me to see the hundreds of attempts to access my computer from IP addresses around the world hitting on different ports. Attached AZ port scan.png.

• ActiveX controls shows one as:
WscanCtl. Class (Not Verified) CA ActiveX Control webscan.dll

• Now that I’ve tightened up security on XP, accessing my own site causes this privacy alert: Attached file Site Screen with alert.png which shows:

hxxp://87.248.180.90/in.html?s=sg
hxxp://securetds.ws/soft.php?aid=0147&d=6&product=XPA&refer=…..
hxxp://antivirus-fullscan.com/2009/1/en/freescan.php?id=880147&user=147


• I cleaned out everything using CCleaner and Windows ‘cleanmgr’, rebooted and went directly to my site at efinacialharmony.com/pps/administrator, took the hit from the AV2009 and then went in to the Temporary Internet Files and found (file attached: Temp Internet Files.png) showing:

freescan.php?id=88014&user=147 as an HTML document

and

cookie:cacdev@securetds.ws/

• In the log file on my hosted site I found this entry with an IP of 124.13.79.241
(Bluehost hit from AU.png)

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU


• Downloaded program files shows one that has no creation date, no last accessed date, status unknown and a name of {8FFB… (file attached: downloaded program files.png)

• Windows Internet logs:

ACCESS,2007/07/08,01:21:00 -6:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (221.208.208.83:Port 33626).,N/A,N/A

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU


• I just found the Windows Security fire wall and activated it. Not sure why, but it felt good.
• This is the Hijack file currently. I don’t believe I’ve reproduced the problem by going to my website since I last booted. So this should be clean.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:42:20, on 10/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\UltraEdit-32\uedit32.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\MICROS~2\OFFICE11\ois.exe
C:\PROGRA~1\MICROS~2\OFFICE11\ois.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bleepingcomputer.com/forums/topic34773.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: URLDetector Class - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacrosie\imacros.dll
O9 - Extra 'Tools' menuitem: iMacros Web Automation - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacrosie\imacros.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - hxxp://www.pandasoftware.com/activescan (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O15 - Trusted Zone: hxxp://*.avgate.net
O15 - Trusted Zone: hxxp://home.comcast.net
O15 - Trusted Zone: hxxp://*.download.com
O15 - Trusted Zone: hxxp://*.download.microsoft.com
O15 - Trusted Zone: hxxp://www.grc.com
O15 - Trusted Zone: hxxp://www.networksolutions.com
O15 - Trusted Zone: www.tortoisecvs.org
O15 - Trusted Zone: hxxp://www.tortoisecvs.org
O15 - Trusted Zone: hxxp://*.update.microsoft.com
O15 - Trusted Zone: hxxp://*.windowsupdate.com
O15 - Trusted Zone: hxxp://*.windowsupdate.microsoft.com
O15 - Trusted IP range: 140.99.52.211
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - hxxp://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - hxxp://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - hxxp://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - hxxp://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: O&O Defrag (OODefrag) - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9507 bytes


--------------------
Anything, anyone that can help me to get rid of this thing will go directly to the top of my Christmas card list.
Thank you.


Edited by jpcook, 10 October 2008 - 04:41 PM.



#2 jpcook


Posted 11 October 2008 - 01:59 PM

I've done:
update Ad-Aware, CCleaner, SpyBot
CCleaner
reboot to safe mode
CCleaner
Ad-Aware
reboot to safe mode
CCleaner
reboot to safe mode
SpyBot
reboot to safe mode
CCleaner
reboot to normal mode.
update MBAM
CCleaner
reboot to safe mode
MBAM

-------- nothing showed catching anything

Any ideas?

#3 jpcook


Posted 12 October 2008 - 04:05 PM

Followed up with:
Housecall
Panda
BitDefender
Stinger.

Nothing.

#4 OldTimer

    Malware Expert



Posted 12 October 2008 - 08:48 PM

Hello jpcook and welcome to BC. I don't see anything in the HJT log. If this always happens when an attempt is made to connect to the website then it would make me think that the webserver is compromised and it doesn't have anything to do with this particular machine.

Let's see what we can find.

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Do not change any settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
Use the Add Reply button and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.

I will review it when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#5 jpcook


Posted 13 October 2008 - 01:29 AM

OT,

Thank you very much. I'm all over it now and will get back to you as soon as it's finished.

#6 jpcook


Posted 13 October 2008 - 02:39 AM

OT,

OTScanIT log attached.
Thank you.

Some of my thoughts:
I think I've locked down my system pretty well, ports, ZoneAlarm, Avira, etc, prompt javascript, prompt cookies.
I've specifically blocked the url and IP that I am redirected to when the infection arises:

  • 87.248.180.90
  • antivirus-fullscan.com

I read about configuring the 403...500 error pages on the server. This might be important?
.htaccess is another thing I haven't tried.

However these treat only the symptoms and not the root cause.

I am concerned that if I am infected that I might infect my hosted site.
If that is possible and the redirection is taking place from the server, then will I then re-infect my computer?
I'm preparing to backup my websites and ask BlueHost to nuke the directories and set up a new one.
As you can see, I am not very coherent.

Thank you for your help.
Joe


#7 OldTimer

    Malware Expert



Posted 13 October 2008 - 07:16 AM

Hi jpcook. That's not what I asked for. I don't want an OTScanIt log. I want an OTScanIt2 log. Go back to my original post and follow the link I gave. Then run the scan as instructed.

Cheers.

OT

#8 jpcook


Posted 13 October 2008 - 01:21 PM

OT,

Sorry I missed that. Attached, I hope, is the right one.

Thank you.


#9 OldTimer

    Malware Expert



Posted 13 October 2008 - 04:21 PM

Hi jpcook. I don't see anything even remotely suspicious in the log. That thing is clean. Are there still popups from AntiVirus whatever if the system isn't connected to the website? If not, do they show up when it is? If so, then the problem lies on the site, not on this system.

We can run an online scan and see if that shows anything. I would be surprised if it did but it certainly can't hurt. All of the other security packages will need to be disabled or shutdown and then do the following:

Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, Click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Copy/paste the following back here in your next reply:
  • The online virus scan report (whichever one you ran)
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT

#10 jpcook


Posted 13 October 2008 - 11:56 PM

Breaking news....

I went to efincialharmon.com/j157pp/. This was a Joomla 1.5.7 install. Did not use my pc to install it. Before one px came up on the screen, I got the latest pcvirusbuster.com.

Then I went to efincialharmon.com/pps/ and I got the old antivirus-fullscan 2009.

When I finish crying I'm going to re-scan and follow your instructions.

(As I type, the computer is so slow that I have to wait after some key strokes and even then not all keys I press appear on the screen. I'm at 3% on my cpu. No process is hogging and I have plenty of memory. .....???? Symptom?)

#11 OldTimer

    Malware Expert



Posted 14 October 2008 - 04:33 AM

Hi jpcook. Yup, it's the sites that are infected. Either that or the server they are hosted on. If it is on a leased server then the hoster's should be notified that there is an issue they need to take care of. If it is the servers themselves and not just those sites then any other websites hosted there could be infected too.

Run the online scan and a new OTScanIt2 log and we'll clean this machine up. If you can't run the online scan then just run the OTScanIt2 log. After that, if you go back there, you'll most likely get reinfected each time.

Cheers.

OT
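Post #11 places the redirect on the web server rather than on the PC. As an added example (not from the thread and not one of OldTimer's tools), the script below inspects a site's HTML/PHP/JS files, or a page fetched from a clean machine, for anything that sends visitors off-site: hidden iframes, meta refreshes, external script includes, JavaScript `location` assignments and the `eval(unescape(...))` loader idiom. It assumes efinancialharmony.com is the site's only legitimate host; the sample page is constructed to mirror the first hop of the redirect chain reported in post #1.

```python
"""Flag off-site redirects injected into a site's pages (added example)."""
import re
import tempfile
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Hosts the site may legitimately reference (assumption: the poster's own domain).
TRUSTED_HOSTS = {"efinancialharmony.com", "www.efinancialharmony.com"}

# Constructed sample page: a template footer with a 1x1 hidden iframe pointing at
# the first hop of the redirect chain seen in the thread, plus a JS redirect.
SAMPLE_HTML = """<html><body>
<div class="footer">Powered by Joomla!</div>
<script src="/media/system/js/mootools.js"></script>
<iframe src="http://87.248.180.90/in.html?s=sg" width="1" height="1"
        style="visibility:hidden"></iframe>
<script>document.location.href='http://antivirus-fullscan.com/2009/1/en/freescan.php?id=880147&user=147';</script>
</body></html>"""

# location assignments inside <script>, and the eval(unescape(...)) idiom that
# injected loaders of that era commonly used to hide the real URL.
_JS_LOCATION = re.compile(
    r"""(?:window|document|top|self)\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""", re.I)
_JS_OBFUSCATION = re.compile(r"eval\s*\(\s*unescape\s*\(", re.I)
_SCANNED_SUFFIXES = {".php", ".html", ".htm", ".js", ".tpl"}


class RedirectExtractor(HTMLParser):
    """Collect every element or script that can send the visitor elsewhere."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    @staticmethod
    def _hidden(attrs):
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        return tiny or "display:none" in style or "visibility:hidden" in style

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            self.findings.append({"kind": "iframe", "url": a["src"], "hidden": self._hidden(a)})
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.findings.append({"kind": "script-src", "url": a["src"], "hidden": False})
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self.findings.append({"kind": "meta-refresh", "url": m.group(1), "hidden": False})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        for url in _JS_LOCATION.findall(data):
            self.findings.append({"kind": "js-location", "url": url, "hidden": False})
        if _JS_OBFUSCATION.search(data):
            self.findings.append({"kind": "js-obfuscated", "url": "", "hidden": True})


def extract_redirects(html):
    """Return every redirect-capable reference found in an HTML document."""
    parser = RedirectExtractor()
    parser.feed(html)
    parser.close()
    return parser.findings


def off_site(findings, trusted_hosts=TRUSTED_HOSTS):
    """Keep findings whose target host is not the site's own (relative URLs count as on-site)."""
    flagged = []
    for f in findings:
        host = urlparse(f["url"]).hostname
        if f["kind"] == "js-obfuscated" or (host and host.lower() not in trusted_hosts):
            flagged.append(dict(f, host=host))
    return flagged


def scan_tree(root, trusted_hosts=TRUSTED_HOSTS):
    """Walk a site backup (the kind the poster is about to take) and report injected files."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in _SCANNED_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        if path.suffix.lower() == ".js":  # a bare .js file is treated as inline script
            text = "<script>" + text + "</script>"
        bad = off_site(extract_redirects(text), trusted_hosts)
        if bad:
            hits[path.relative_to(root).as_posix()] = bad
    return hits


def demo_scan():
    """Constructed mini backup: one injected template file, one clean page."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "templates").mkdir()
        (site / "templates" / "index.php").write_text("<?php defined('_JEXEC'); ?>\n" + SAMPLE_HTML)
        (site / "index.html").write_text(
            '<a href="/pps/administrator">admin</a><script src="/media/mootools.js"></script>')
        return scan_tree(site)


if __name__ == "__main__":
    for file, findings in demo_scan().items():
        for f in findings:
            flag = " [hidden]" if f["hidden"] else ""
            print(f"{file}: {f['kind']} -> {f['host'] or '(inline)'}{flag}")
```

Run it against an unpacked copy of the site rather than against the live pages from the infected PC, since the thread shows that visiting the site from that machine re-triggers the redirect.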

#12 jpcook


Posted 14 October 2008 - 02:07 PM

Status:

F-Secure running since last night. It stopped when it found a problem file and popped up "Continue" or do something else. I think I lost 8 hours because I wasn't there to hit "continue". But it's running right now. Thank you.

#13 jpcook


Posted 14 October 2008 - 09:50 PM

Scanning Report
Tuesday, October 14, 2008 18:07:02 - 20:32:39
Computer name: THOR
Scanning type: Scan target for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 0 malware found

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 116488
System: 7000
Not scanned: 51
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
x7

#14 OldTimer

    Malware Expert



Posted 15 October 2008 - 10:56 AM

Hi jpcook. That looks pretty clean. Try one last scan with OTScanIt2. I don't think it's going to find anything but let's see.

Cheers.

OT

#15 jpcook


Posted 15 October 2008 - 12:59 PM

Scanning Report
Tuesday, October 14, 2008 22:46:24 - 07:31:41
Computer name: THOR
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ E:\ H:\ I:\ J:\ K:\ N:\ O:\


--------------------------------------------------------------------------------

Result: 0 malware found

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 650400
System: 7026
Not scanned: 157
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
H

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-10-15
F-Secure AVP: 7.0.171, 2008-10-14
F-Secure Pegasus: 1.20.0, 2008-09-01
F-Secure Blacklight: 1.0.68
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------


OTScanIt logfile created on: 10/15/2008 11:50:48 AM - Run 3
OTScanIt2 by OldTimer - Version 1.0.0.12b	 Folder = H:\---- eFinancial Harmony.com ----\2008-09-09 virus\OTScanIt2
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
510.73 Mb Total Physical Memory | 150.81 Mb Available Physical Memory | 29.53% Memory free
4.00 Gb Paging File | 3.87 Gb Available in Paging File | 96.82% Paging File free
Paging file location(s): C:\pagefile.sys 10 10;D:\pagefile.sys 0 0;E:\pagefile.sys 0 0;H:\pagefile.sys 0 0;J:\pagefile.sys 0 0;N:\pagefile.sys 1500 1500;O:\pagefile.sys 0 0;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39.06 Gb Total Space | 9.10 Gb Free Space | 23.29% Space Free | Partition Type: NTFS
Drive D: | 154.76 Gb Total Space | 85.89 Gb Free Space | 55.50% Space Free | Partition Type: NTFS
Drive E: | 39.06 Gb Total Space | 8.22 Gb Free Space | 21.05% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 4.29 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive H: | 14.65 Gb Total Space | 3.24 Gb Free Space | 22.09% Space Free | Partition Type: NTFS
Drive I: | 9.77 Gb Total Space | 1.24 Gb Free Space | 12.65% Space Free | Partition Type: NTFS
Drive J: | 9.80 Gb Total Space | 1.47 Gb Free Space | 15.03% Space Free | Partition Type: NTFS
Drive K: | 153.38 Gb Total Space | 153.32 Gb Free Space | 99.96% Space Free | Partition Type: NTFS
Drive N: | 7.81 Gb Total Space | 4.49 Gb Free Space | 57.49% Space Free | Partition Type: NTFS
Drive O: | 225.94 Gb Total Space | 132.46 Gb Free Space | 58.62% Space Free | Partition Type: NTFS
 
Computer Name: THOR
Current User Name: CACDEV
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days
 
[Processes - Safe List]
vsmon.exe -> %SystemRoot%\system32\ZoneLabs\vsmon.exe -> [2008/07/09 09:05:18 | 00,075,304 | ---- | M] (Zone Labs, LLC)
zlclient.exe -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> [2008/07/09 09:05:20 | 00,919,016 | ---- | M] (Zone Labs, LLC)
wscntfy.exe -> %SystemRoot%\system32\wscntfy.exe -> [2004/08/04 06:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation)
tsvncache.exe -> %ProgramFiles%\TortoiseSVN\bin\TSVNCache.exe -> [2008/01/05 15:03:10 | 00,405,504 | ---- | M] (www.tortoisesvn.org)
iexplore.exe -> %ProgramFiles%\Internet Explorer\iexplore.exe -> [2007/08/13 18:43:56 | 00,622,080 | ---- | M] (Microsoft Corporation)
avgwdsvc.exe -> %ProgramFiles%\AVG\AVG8\avgwdsvc.exe -> [2008/10/02 01:08:40 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgrsx.exe -> %ProgramFiles%\AVG\AVG8\avgrsx.exe -> [2008/10/02 01:08:41 | 00,287,000 | ---- | M] (AVG Technologies CZ, s.r.o.)
textpad.exe -> %ProgramFiles%\TextPad 4\TextPad.exe -> [2004/06/17 16:06:44 | 01,941,504 | ---- | M] (Helios Software Solutions)
acrord32info.exe -> %ProgramFiles%\Adobe\Reader 9.0\Reader\AcroRd32Info.exe -> [2008/06/11 23:00:00 | 00,014,704 | ---- | M] (Adobe Systems Incorporated)
otscanit2.exe -> H:\---- eFinancial Harmony.com ----\2008-09-09 virus\OTScanIt2\OTScanIt2.exe -> [2008/10/13 00:15:12 | 00,416,256 | ---- | M] (OldTimer Tools)
 
[Win32 Services - Safe List]
(aawservice) Lavasoft Ad-Aware Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Lavasoft\Ad-Aware\aawservice.exe -> [2008/09/13 20:54:37 | 00,611,664 | ---- | M] (Lavasoft)
(AntiVirScheduler) Avira AntiVir Personal - Free Antivirus Scheduler [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\sched.exe -> [2008/06/12 14:46:25 | 00,068,865 | ---- | M] (Avira GmbH)
(AntiVirService) Avira AntiVir Personal - Free Antivirus Guard [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avguard.exe -> [2008/08/20 21:09:43 | 00,149,761 | ---- | M] (Avira GmbH)
(aspnet_state) ASP.NET State Service [Win32_Own | Disabled | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -> [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation)
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\ati2evxx.exe -> [2007/09/29 03:56:34 | 00,483,328 | ---- | M] (ATI Technologies Inc.)
(avg8wd) AVG Free8 WatchDog [Win32_Own | Auto | Running] -> %ProgramFiles%\AVG\AVG8\avgwdsvc.exe -> [2008/10/02 01:08:40 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.)
(AWService) AdminWorks Agent X6 [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Intel\IDU\awServ.exe -> [2005/12/02 21:10:52 | 00,066,560 | ---- | M] (OSA Technologies Inc., An Avocent Company)
(Bonjour Service) Bonjour Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.)
(clr_optimization_v2.0.50727_32) .NET Runtime Optimization Service v2.0.50727_X86 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -> [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation)
(CSIScanner) CSIScanner [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\PrevxCSI\prevxcsi.exe -> [2008/09/25 19:50:56 | 00,618,040 | ---- | M] (Prevx)
(cvslock) CVSNT Locking Service 2.5.03.2382 [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\CVSNT\cvslock.exe -> [2006/07/05 15:19:26 | 00,058,368 | ---- | M] ()
(cvsnt) CVSNT Dispatch service 2.5.03.2382 [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\CVSNT\cvsservice.exe -> [2006/07/05 15:19:26 | 00,037,888 | ---- | M] (March Hare Software Ltd)
(Diskeeper) Diskeeper [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Executive Software\Diskeeper\DkService.exe -> [2005/04/30 16:33:20 | 00,622,700 | ---- | M] (Executive Software International, Inc.)
(FontCache3.0.0.0) Windows Presentation Foundation Font Cache 3.0.0.0 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -> [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation)
(gusvc) Google Updater Service [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> [2008/03/03 15:01:22 | 00,138,680 | ---- | M] (Google)
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\1150\Intel 32\IDriverT.exe -> [2005/11/14 01:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation)
(idsvc) Windows CardSpace [Win32_Shared | Unknown | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -> [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation)
(IISADMIN) IIS Admin [Win32_Shared | Disabled | Stopped] -> %SystemRoot%\system32\inetsrv\inetinfo.exe -> [2004/08/04 06:00:00 | 00,015,872 | ---- | M] (Microsoft Corporation)
(iPod Service) iPod Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\iPod\bin\iPodService.exe -> [2008/09/08 23:02:00 | 00,536,872 | ---- | M] (Apple Inc.)
(Macromedia Licensing Service) Macromedia Licensing Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Macromedia Shared\Service\Macromedia Licensing.exe -> [2006/03/19 18:14:53 | 00,068,096 | ---- | M] ()
(MDM) Machine Debug Manager [Win32_Own | Disabled | Stopped] -> %CommonProgramFiles%\Microsoft Shared\VS7DEBUG\MDM.EXE -> [2003/06/20 00:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation)
(mozybackup) MozyHome Backup Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\MozyHome\mozybackup.exe -> [2008/07/14 09:25:52 | 00,087,344 | ---- | M] ()
(MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS) [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -> [2005/10/14 04:51:45 | 28,768,528 | ---- | M] (Microsoft Corporation)
(MSSQLServerADHelper) SQL Server Active Directory Helper [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Microsoft SQL Server\90\Shared\sqladhlp90.exe -> [2005/10/14 04:50:19 | 00,045,272 | ---- | M] (Microsoft Corporation)
(msvsmon80) Visual Studio 2005 Remote Debugger [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe -> [2005/09/23 08:01:16 | 02,799,808 | ---- | M] (Microsoft Corporation)
(NetTcpPortSharing) Net.Tcp Port Sharing Service [Win32_Shared | Disabled | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -> [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation)
(NMSAccessU) NMSAccessU [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\CDBurnerXP\NMSAccessU.exe -> [2008/06/15 15:34:20 | 00,071,096 | ---- | M] ()
(OODefrag) O&O Defrag [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\system32\oodag.exe -> [2002/02/08 13:15:20 | 00,263,168 | ---- | M] (O&O Software GmbH)
(ose) Office Source Engine [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Microsoft Shared\Source Engine\OSE.EXE -> [2003/07/28 13:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation)
(sdAuxService) PC Tools Auxiliary Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Spyware Doctor\pctsAuxs.exe -> [2008/06/13 15:29:14 | 00,356,920 | ---- | M] (PC Tools)
(sdCoreService) PC Tools Security Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Spyware Doctor\pctsSvc.exe -> [2008/09/22 14:42:06 | 01,079,176 | ---- | M] (PC Tools)
(SMTPSVC) Simple Mail Transfer Protocol (SMTP) [Win32_Shared | Disabled | Stopped] -> %SystemRoot%\system32\inetsrv\inetinfo.exe -> [2004/08/04 06:00:00 | 00,015,872 | ---- | M] (Microsoft Corporation)
(SNMP) SNMP Service [Win32_Own | Disabled | Stopped] -> %SystemRoot%\system32\snmp.exe -> [2006/11/20 02:42:45 | 00,033,280 | ---- | M] (Microsoft Corporation)
(SNMPTRAP) SNMP Trap Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\system32\snmptrap.exe -> [2004/08/04 06:00:00 | 00,008,704 | ---- | M] (Microsoft Corporation)
(SQLBrowser) SQL Server Browser [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Microsoft SQL Server\90\Shared\sqlbrowser.exe -> [2005/10/14 04:51:12 | 00,239,320 | ---- | M] (Microsoft Corporation)
(SQLWriter) SQL Server VSS Writer [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Microsoft SQL Server\90\Shared\sqlwriter.exe -> [2005/10/14 04:53:50 | 00,087,768 | ---- | M] (Microsoft Corporation)
(vsmon) TrueVector Internet Monitor [Win32_Own | Auto | Running] -> %SystemRoot%\system32\ZoneLabs\vsmon.exe -> [2008/07/09 09:05:18 | 00,075,304 | ---- | M] (Zone Labs, LLC)
(WinDefend) Windows Defender [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Windows Defender\MsMpEng.exe -> [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation)
(WMPNetworkSvc) Windows Media Player Network Sharing Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Windows Media Player\wmpnetwk.exe -> [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation)
 
[Driver Services - Safe List]
(adpu320) adpu320 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\adpu320.sys -> [2004/09/08 17:36:52 | 00,132,608 | ---- | M] (Adaptec, Inc.)
(ati2mtag) ati2mtag [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ati2mtag.sys -> [2007/09/29 04:06:00 | 02,456,064 | ---- | M] (ATI Technologies Inc.)
(avgio) avgio [Kernel | System | Running] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avgio.sys -> [2007/02/27 15:25:01 | 00,011,840 | ---- | M] (Avira GmbH)
(AvgLdx86) AVG Free AVI Loader Driver x86 [Kernel | System | Running] -> %SystemRoot%\system32\drivers\avgldx86.sys -> [2008/10/02 01:08:53 | 00,097,928 | ---- | M] (AVG Technologies CZ, s.r.o.)
(AvgMfx86) AVG Free On-access Scanner Minifilter Driver x86 [File_System | System | Running] -> %SystemRoot%\system32\drivers\avgmfx86.sys -> [2008/10/02 01:08:52 | 00,026,824 | ---- | M] (AVG Technologies CZ, s.r.o.)
(avgntflt) avgntflt [File_System | On_Demand | Stopped] -> %ProgramFiles%\Avira\AntiVir PersonalEdition Classic\avgntflt.sys -> [2008/05/20 16:29:41 | 00,052,032 | ---- | M] (Avira GmbH)
(avipbb) avipbb [Kernel | System | Running] -> %SystemRoot%\system32\drivers\avipbb.sys -> [2008/06/27 15:03:55 | 00,075,072 | ---- | M] (Avira GmbH)
(CamDrL) Logitech QuickCam Pro 3000(CamDrl) [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Camdrl.sys -> [2004/10/08 12:59:12 | 00,326,656 | ---- | M] (Logitech Inc.)
(dfmirage) dfmirage [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\dfmirage.sys -> [2008/02/28 10:43:40 | 00,027,392 | ---- | M] (DemoForge, LLC)
(E100B) Intel(R) PRO Network Connection Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\e100b325.sys -> [2005/06/13 14:58:04 | 00,162,816 | ---- | M] (Intel Corporation)
(GEARAspiWDM) GEAR ASPI Filter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\GEARAspiWDM.sys -> [2008/04/17 13:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.)
(giveio) giveio [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\giveio.sys -> [2008/06/23 00:49:00 | 00,005,248 | ---- | M] ()
(HdAudAddService) Microsoft UAA Function Driver for High Definition Audio Service [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Hdaudio.sys -> [2005/01/07 18:07:16 | 00,145,920 | ---- | M] (Windows (R) Server 2003 DDK provider)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\Hdaudbus.sys -> [2005/01/07 18:07:18 | 00,138,752 | ---- | M] (Windows (R) Server 2003 DDK provider)
(IKFileSec) File Security Driver [File_System | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\ikfilesec.sys -> [2008/08/25 11:36:28 | 00,040,840 | ---- | M] (PCTools Research Pty Ltd.)
(IKSysFlt) System Filter Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\iksysflt.sys -> [2008/08/25 11:36:28 | 00,066,952 | ---- | M] (PCTools Research Pty Ltd.)
(IKSysSec) System Security Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\iksyssec.sys -> [2008/08/25 11:36:30 | 00,081,288 | ---- | M] (PCTools Research Pty Ltd.)
(IntcAzAudAddService) Service for Realtek HD Audio (WDM) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\RtkHDAud.Sys -> [2005/12/09 17:48:40 | 04,123,136 | ---- | M] (Realtek Semiconductor Corp.)
(kbdhid) Keyboard HID Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\kbdhid.sys -> [2004/08/03 23:58:36 | 00,014,848 | ---- | M] (Microsoft Corporation)
(KLIF) KLIF [File_System | System | Running] -> %SystemRoot%\system32\drivers\klif.sys -> [2007/07/19 15:10:28 | 00,127,768 | ---- | M] (Kaspersky Lab)
(LVUSBSta) Logitech USB Monitor Filter [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\LVUSBSta.sys -> [2005/05/27 10:31:28 | 00,022,016 | ---- | M] (Logitech Inc.)
(MODEMCSA) Unimodem Streaming Filter Device [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\MODEMCSA.sys -> [2001/08/17 14:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation)
(mozyFilter) mozyFilter [File_System | System | Running] -> %SystemRoot%\system32\drivers\mozy.sys -> [2008/07/14 09:25:28 | 00,053,752 | ---- | M] (Mozy, Inc.)
(NTIDrvr) Upper Class Filter Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\NTIDrvr.sys -> [2006/01/29 20:51:06 | 00,006,144 | ---- | M] (NewTech Infosystems, Inc.)
(OsaFsLoc) OsaFsLoc [Kernel | System | Running] -> %SystemRoot%\system32\drivers\OsaFsLoc.sys -> [2005/11/11 15:51:56 | 00,012,298 | ---- | M] (OSA Technologies)
(osaio) osaio [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\osaio.sys -> [2005/06/30 17:58:36 | 00,007,296 | ---- | M] (OSA Technologies, An Avocent Company)
(pavboot) pavboot [File_System | Boot | Running] -> %SystemRoot%\system32\drivers\pavboot.sys -> [2008/06/19 17:24:30 | 00,028,544 | ---- | M] (Panda Security, S.L.)
(PhilCam8116) Logitech QuickCam Pro 3000(PID_08B0) [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\CamDrL21.sys -> [2002/12/10 04:53:24 | 00,236,121 | ---- | M] (Logitech Inc.)
(PQNTDrv) PQNTDrv [Kernel | System | Running] -> %SystemRoot%\System32\drivers\PQNTDRV.sys -> [2003/03/14 14:18:30 | 00,004,228 | ---- | M] (PowerQuest Corporation)
(PrevxDriver) PREVX Kernel Mode Agent [File_System | Boot | Running] -> %SystemRoot%\system32\drivers\pxfsf.sys -> [2006/10/20 16:03:42 | 00,272,256 | ---- | M] (Prevx Limited, http://www.prevx1.com/)
(PrevxEmulator) PREVX Emulator Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\PxEmu.sys -> [2006/10/20 16:03:46 | 00,100,864 | ---- | M] (Prevx Limited, http://www.prevx1.com/)
(PrevxTdi) PREVX Tdi filter [Kernel | System | Running] -> %SystemRoot%\system32\drivers\pxtdi.sys -> [2006/10/20 16:03:42 | 00,018,560 | ---- | M] (Prevx Limited, http://www.prevx1.com/)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> [2004/08/04 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(pxark) pxark [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\pxark.sys -> [2008/09/25 19:50:56 | 00,017,408 | ---- | M] (Prevx)
(PXRDDriver) PREVX Rootkitscan driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\pxrd.sys -> [2006/08/24 11:55:58 | 00,013,568 | ---- | M] ()
(RimUsb) BlackBerry Device [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\RimUsb.sys -> [2006/07/13 10:17:24 | 00,022,528 | ---- | M] (Research In Motion Limited)
(RimVSerPort) RIM Virtual Serial Port v2 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\RimSerial.sys -> [2006/06/30 16:10:56 | 00,026,752 | R--- | M] (Research in Motion Ltd)
(ROOTMODEM) Microsoft Legacy Modem Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\rootmdm.sys -> [2004/08/04 06:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation)
(SABProcEnum) SABProcEnum [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Internet Explorer\SABProcEnum.sys -> File not found
(SASDIFSV) SASDIFSV [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\sasdifsv.sys -> [2008/09/03 14:07:14 | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
(SASENUM) SASENUM [Kernel | On_Demand | Stopped] -> %ProgramFiles%\SUPERAntiSpyware\SASENUM.SYS -> [2008/09/03 14:07:16 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
(SASKUTIL) SASKUTIL [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASKUTIL.SYS -> [2008/09/03 14:07:12 | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\secdrv.sys -> [2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(SIODRV) SIODRV [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\SIODRV.SYS -> [2006/01/29 20:48:53 | 00,007,424 | ---- | M] (Intel Corporation)
(SMBios) Intel (R) System Management BIOS Service [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\SMBios.sys -> [2003/11/03 17:39:10 | 00,036,484 | ---- | M] (Intel Corporation)
(smbusp) Intel(R) SMBus 2.0 Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\intelsmb.sys -> [2005/03/15 17:04:22 | 00,021,248 | ---- | M] (Intel Corporation)
(srescan) srescan [Kernel | Boot | Running] -> %SystemRoot%\system32\ZoneLabs\srescan.sys -> [2008/02/27 03:10:44 | 00,051,176 | ---- | M] (Zone Labs, LLC)
(ssmdrv) ssmdrv [Kernel | System | Running] -> %SystemRoot%\system32\drivers\ssmdrv.sys -> [2007/03/01 10:34:22 | 00,028,352 | ---- | M] (Avira GmbH)
(tmcomm) tmcomm [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\tmcomm.sys -> [2008/09/29 14:34:38 | 00,102,664 | ---- | M] (Trend Micro Inc.)
(UBHelper) UBHelper [Kernel | System | Running] -> %SystemRoot%\System32\drivers\UBHelper.sys -> [2004/12/17 18:14:44 | 00,013,952 | ---- | M] ()
(usbaudio) USB Audio Driver (WDM) [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\USBAUDIO.sys -> [2004/08/03 17:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation)
(vncdrv) vncdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\vncdrv.sys -> [2004/06/26 13:22:00 | 00,004,736 | ---- | M] (RDV Soft)
(vsdatant) vsdatant [Kernel | System | Running] -> %SystemRoot%\system32\vsdatant.sys -> [2008/07/09 09:05:22 | 00,394,952 | ---- | M] (Zone Labs, LLC)
(WS2IFSL) Windows Socket 2.0 Non-IFS Service Provider Support Environment [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\ws2ifsl.sys -> [2004/08/04 06:00:00 | 00,012,032 | ---- | M] (Microsoft Corporation)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Secondary_Page_URL" ->  -> 
HKEY_LOCAL_MACHINE\: Main\\"Extensions Off Page" -> about:NoAdd-ons -> 
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> C:\windows\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_LOCAL_MACHINE\: Main\\"Security Risk Page" -> about:SecurityRisk -> 
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home -> 
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\"CustomSearch" -> http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html -> 
HKEY_LOCAL_MACHINE\: Search\\"Default_Search_URL" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\windows\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\"Page_Transitions" ->  -> 
HKEY_CURRENT_USER\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://www.bleepingcomputer.com/malware-removal/remove-xp-antispyware-2009 -> 
HKEY_CURRENT_USER\: SearchURL\\"" -> http://home.microsoft.com/access/autosearch.asp?p=%s -> 
HKEY_CURRENT_USER\: URLSearchHooks\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> [2006/10/26 10:28:40 | 00,440,384 | ---- | M] (Yahoo! Inc.)
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 -> 
HKEY_CURRENT_USER\: "ProxyOverride" -> *.local -> 
< HOSTS File > (718252 bytes and 19205 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 
First 25 entries...
127.0.0.1  localhost
127.0.0.1  ad.a8.net
127.0.0.1  asy.a8ww.net
127.0.0.1  a9rhiwa.cn #[Google.Warning]
127.0.0.1  www.a9rhiwa.cn
127.0.0.1  acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1  www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1  phpadsnew.abac.com
127.0.0.1  a.abnad.net
127.0.0.1  b.abnad.net
127.0.0.1  c.abnad.net #[eTrust.Tracking.Cookie]
127.0.0.1  d.abnad.net
127.0.0.1  e.abnad.net
127.0.0.1  t.abnad.net
127.0.0.1  z.abnad.net
127.0.0.1  banners.absolpublisher.com
127.0.0.1  tracking.absolstats.com
127.0.0.1  adv.abv.bg
127.0.0.1  bimg.abv.bg
127.0.0.1  www2.a-counter.kiev.ua
127.0.0.1  track.acclaimnetwork.com
127.0.0.1  accuserveadsystem.com
127.0.0.1  www.accuserveadsystem.com
127.0.0.1  gtb5.acecounter.com
127.0.0.1  gtcc1.acecounter.com
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{00C6482D-C502-44C8-8409-FCE54AD9C208} [HKLM] -> %ProgramFiles%\TechSmith\SnagIt 7\SnagItBHO.dll [HelperObject Class] -> [2005/10/14 07:25:00 | 00,049,152 | ---- | M] (TechSmith Corporation)
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> %ProgramFiles%\AVG\AVG8\avgssie.dll [AVG Safe Search] -> [2008/10/02 01:08:41 | 00,455,960 | ---- | M] (AVG Technologies CZ, s.r.o.)
{55EA1964-F5E4-4D6A-B9B2-125B37655FCB} [HKLM] -> %AllUsersProfile%\Application Data\Prevx\pxbho.dll [URLDetector Class] -> [2006/01/10 12:09:54 | 00,090,112 | ---- | M] (Prevx Ltd.)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [SSVHelper Class] -> [2008/06/10 04:27:02 | 00,509,328 | ---- | M] (Sun Microsystems, Inc.)
{A057A204-BACC-4D26-9990-79A187E2698E} [HKLM] -> %ProgramFiles%\AVG\AVG8\avgtoolbar.dll [AVG Security Toolbar] -> [2008/10/02 01:08:46 | 02,055,960 | ---- | M] (AVG, Technologies CZ, s.r.o				  )
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} [HKLM] -> %ProgramFiles%\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [EpsonToolBandKicker Class] -> [2005/02/22 15:50:34 | 00,368,640 | ---- | M] (SEIKO EPSON CORPORATION)
{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} [HKLM] -> %ProgramFiles%\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [ZoneAlarm Spy Blocker BHO] -> [2008/10/05 22:17:55 | 00,262,144 | ---- | M] (ZoneAlarm)
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" [HKLM] -> %ProgramFiles%\TechSmith\SnagIt 7\SnagItIEAddin.dll [SnagIt] -> [2005/10/14 07:25:00 | 00,131,072 | ---- | M] (TechSmith Corporation)
"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> %ProgramFiles%\AVG\AVG8\avgtoolbar.dll [AVG Security Toolbar] -> [2008/10/02 01:08:46 | 02,055,960 | ---- | M] (AVG, Technologies CZ, s.r.o				  )
"{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}" [HKLM] -> %ProgramFiles%\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [ZoneAlarm Spy Blocker] -> [2008/10/05 22:17:55 | 00,262,144 | ---- | M] (ZoneAlarm)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
ShellBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] ->  [&Google] -> File not found
WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] ->  [&Google] -> File not found
WebBrowser\\"{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\"{724D43A0-0D85-11D4-9908-00400523E39A}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> [2006/10/26 10:28:40 | 00,440,384 | ---- | M] (Yahoo! Inc.)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"OpenDNS Update" -> %ProgramFiles%\OpenDNS Updater\OpenDNS Updater.exe ["C:\Program Files\OpenDNS Updater\OpenDNS Updater.exe"] -> [2008/10/14 17:24:00 | 00,281,088 | ---- | M] (OpenDNS)
"WinPatrol" -> %ProgramFiles%\BillP Studios\WinPatrol\WinPatrol.exe [C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot] -> [2008/09/18 21:59:00 | 00,333,120 | ---- | M] (BillP Studios)
"ZoneAlarm Client" -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe ["C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"] -> [2008/07/09 09:05:20 | 00,919,016 | ---- | M] (Zone Labs, LLC)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
< CACDEV Startup Folder > -> C:\Documents and Settings\CACDEV\Start Menu\Programs\Startup -> 
< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions
\Infodelivery\Restrictions\\"NoJITSetup" ->  [1] -> File not found
\Infodelivery\Restrictions\\"NoUpdateCheck" ->  [1] -> File not found
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"LinkResolveIgnoreLinkInfo" ->  [0] -> File not found
\\"NoResolveSearch" ->  [1] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDriveTypeAutoRun" ->  [255] -> File not found
\\"NoDrives" ->  [0] -> File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" ->  [0] -> File not found
\\"legalnoticecaption" ->  [] -> File not found
\\"legalnoticetext" ->  [] -> File not found
\\"shutdownwithoutlogon" ->  [1] -> File not found
\\"undockwithoutlogon" ->  [1] -> File not found
\\"HideLegacyLogonScripts" ->  [0] -> File not found
\\"HideLogoffScripts" ->  [0] -> File not found
\\"RunLogonScriptSync" ->  [1] -> File not found
\\"RunStartupScriptSync" ->  [0] -> File not found
\\"HideStartupScripts" ->  [0] -> File not found
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
\\"NoLowDiskSpaceChecks" ->  [1] -> File not found
\\"NoInstrumentation" ->  [1] -> File not found
\\"ForceStartMenuLogOff" ->  [1] -> File not found
\\"NoSMBalloonTip" ->  [1] -> File not found
\\"NoSimpleStartMenu" ->  [1] -> File not found
\\"ConfirmFileDelete" ->  [1] -> File not found
\\"NoThumbnailCache" ->  [1] -> File not found
\\"NoStartMenuMFUprogramsList" ->  [1] -> File not found
\\"ClearRecentDocsOnExit" ->  [1] -> File not found
\\"NoRecentDocsHistory" ->  [0] -> File not found
\\"NoViewOnDrive" ->  [0] -> File not found
\\"NoLogoff" ->  [0] -> File not found
\\"LinkResolveIgnoreLinkInfo" ->  [0] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"HideLegacyLogonScripts" ->  [0] -> File not found
\\"HideLogoffScripts" ->  [0] -> File not found
\\"RunLogonScriptSync" ->  [1] -> File not found
\\"RunStartupScriptSync" ->  [0] -> File not found
\\"HideStartupScripts" ->  [0] -> File not found
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{0483894E-2422-45E0-8384-021AFF1AF3CD}:{0483894E-2422-45E0-8384-021AFF1AF3CD} [HKLM] -> %ProgramFiles%\iMacrosie\imacros.dll [Button: iOpus iMacros] -> [2007/10/01 21:01:18 | 00,942,080 | ---- | M] (iOpus Software GmbH)
{0483894E-2422-45E0-8384-021AFF1AF3CD}: [HKLM] ->  [Menu: iMacros Web Automation] -> File not found
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Menu: Sun Java Console] -> [2008/06/10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{36ECAF82-3300-8F84-092E-AFF36D6C7040}:{86529161-034E-4F8A-88D2-3C625E612E04} [HKLM] -> %ProgramFiles%\WinHTTrack\WinHTTrackIEBar.dll [Button: Run WinHTTrack] -> [2007/11/16 13:00:40 | 00,131,072 | ---- | M] ()
{36ECAF82-3300-8F84-092E-AFF36D6C7040}:{86529161-034E-4F8A-88D2-3C625E612E04} [HKLM] -> %ProgramFiles%\WinHTTrack\WinHTTrackIEBar.dll [Menu: Launch WinHTTrack] -> [2007/11/16 13:00:40 | 00,131,072 | ---- | M] ()
{653D93AF-C741-4e5e-8C1B-59BA43F93E16}:Exec [HKLM] ->  [Button: Panda ActiveScan] -> File not found
{85d1f590-48f4-11d9-9669-0800200c9a66}:Exec [HKLM] -> %SystemRoot%\bdoscandel.exe [Menu: Uninstall BitDefender Online Scanner v8] -> [2006/05/25 01:22:06 | 00,053,248 | ---- | M] ()
{92780B25-18CC-41C8-B9BE-3C9C571A8263}:{FF059E31-CC5A-4E2E-BF3B-96E929D65503} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Button: Research] -> [2003/07/14 23:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{CF819DA3-9882-4944-ADF5-6EF17ECF3C6E}:Exec [HKLM] -> %ProgramFiles%\Fiddler2\Fiddler.exe [Button: Fiddler2] -> [2008/09/16 21:34:36 | 00,471,040 | ---- | M] (Eric Lawrence)
{CF819DA3-9882-4944-ADF5-6EF17ECF3C6E}:Exec [HKLM] -> %ProgramFiles%\Fiddler2\Fiddler.exe [Menu: Fiddler2] -> [2008/09/16 21:34:36 | 00,471,040 | ---- | M] (Eric Lawrence)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{0483894E-2422-45E0-8384-021AFF1AF3CD}" [HKLM] -> %ProgramFiles%\iMacrosie\imacros.dll [iOpus iMacros] -> [2007/10/01 21:01:18 | 00,942,080 | ---- | M] (iOpus Software GmbH)
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> [2008/06/10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\"{36ECAF82-3300-8F84-092E-AFF36D6C7040}" [HKLM] -> %ProgramFiles%\WinHTTrack\WinHTTrackIEBar.dll [Run WinHTTrack] -> [2007/11/16 13:00:40 | 00,131,072 | ---- | M] ()
CmdMapping\\"{653D93AF-C741-4e5e-8C1B-59BA43F93E16}" [HKLM] ->  [Panda ActiveScan] -> File not found
CmdMapping\\"{85d1f590-48f4-11d9-9669-0800200c9a66}" [HKLM] -> %SystemRoot%\bdoscandel.exe [Uninstall BitDefender Online Scanner v8] -> [2006/05/25 01:22:06 | 00,053,248 | ---- | M] ()
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 23:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{CF819DA3-9882-4944-ADF5-6EF17ECF3C6E}" [HKLM] -> %ProgramFiles%\Fiddler2\Fiddler.exe [Fiddler2] -> [2008/09/16 21:34:36 | 00,471,040 | ---- | M] (Eric Lawrence)
CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 2 domain(s) found. -> 
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5958 domain(s) found. -> 
avgate.net .[http] -> Trusted sites -> 
www_bitdefender.com [http] -> Trusted sites -> 
www_bleepingcomputer.com [http] -> Trusted sites -> 
www_bluehost.com [http] -> Trusted sites -> 
home_comcast.net [http] -> Trusted sites -> 
www_compassdesigns.net [http] -> Trusted sites -> 
download.com .[http] -> Trusted sites -> 
download.microsoft.com .[http] -> Trusted sites -> 
f-secure.com .[*] -> Trusted sites -> 
www_grc.com [http] -> Trusted sites -> 
www_kaspersky.nl [http] -> Trusted sites -> 
update_microsoft.com [http] -> Trusted sites -> 
update_microsoft.com [https] -> Trusted sites -> 
windowsupdate_microsoft.com [http] -> Trusted sites -> 
www.update_microsoft.com [http] -> Trusted sites -> 
www_networksolutions.com [http] -> Trusted sites -> 
www_pandasecurity.com [http] -> Trusted sites -> 
www_tortoisecvs.org [*] -> Trusted sites -> 
www_tortoisecvs.org [http] -> Trusted sites -> 
update.microsoft.com .[http] -> Trusted sites -> 
update.microsoft.com .[https] -> Trusted sites -> 
windowsupdate.com .[http] -> Trusted sites -> 
windowsupdate.microsoft.com .[http] -> Trusted sites -> 
125 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 72 range(s) found. -> 
Range71 [:Range = 140.99.52.211] -> * = Trusted sites |  -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} [HKLM] -> http://go.microsoft.com/fwlink/?linkid=58813[Office Genuine Advantage Validation Tool] -> 
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} [HKLM] -> http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab[CKAVWebScan Object] -> 
{17492023-C23A-453E-A040-C7C580BBF700} [HKLM] -> [Windows Genuine Advantage Validation Tool] -> 
{215B8138-A3CF-44C5-803F-8226143CFC0A} [HKLM] -> http://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab[Trend Micro ActiveX Scan Agent 6.6] -> 
{2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} [HKLM] -> http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab[ActiveScan 2.0 Installer Class] -> 
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} [HKLM] -> C:\Program Files\Yahoo!\Common\yinsthelper.dll[YInstStarter Class] -> 
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} [HKLM] -> http://office.microsoft.com/officeupdate/content/opuc3.cab[Office Update Installation Engine] -> 
{56762DEC-6B0D-4AB4-A8AD-989993B5D08B} [HKLM] -> [OnlineScanner Control] -> 
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} [HKLM] -> http://download.bitdefender.com/resources/scan8/oscan8.cab[BDSCANONLINE Control] -> 
{5ED80217-570B-4DA9-BF44-BE107C0EC166} [HKLM] -> http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab[Windows Live Safety Center Base Module] -> 
{644E432F-49D3-41A1-8DD5-E099162EEEC5} [HKLM] -> http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[Symantec RuFSI Utility Class] -> 
{7B297BFD-85E4-4092-B2AF-16A91B2EA103} [HKLM] -> http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab[WScanCtl Class] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [HKLM] -> http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab[Reg Error: Key does not exist or could not be opened.] -> 
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} [HKLM] -> http://acs.pandasoftware.com/activescan/as5free/asinst.cab[ActiveScan Installer Class] -> 
{A90A5822-F108-45AD-8482-9BC8B12DD539} [HKLM] -> http://www.crucial.com/controls/cpcScanner.cab[Crucial cpcScan] -> 
{B1E2B96C-12FE-45E2-BEF1-44A219113CDD} [HKLM] -> http://www.superadblocker.com/activex/sabspx.cab[SABScanProcesses Class] -> 
{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} [HKLM] -> http://support.f-secure.com/ols/fscax.cab[F-Secure Online Scanner 3.3] -> 
{C7DB51B4-BCF7-4923-8874-7F1A0DC92277} [HKLM] -> http://office.microsoft.com/officeupdate/content/opuc4.cab[Office Update Installation Engine] -> 
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 
{FE5B9F54-7764-4C01-89F0-4862601EE954} [HKLM] -> http://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0[DigWebHelper Class] -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{9B98FDEC-4146-42BF-A578-E6500146C8FE} ->	() -> 
{F95966C0-10AF-4A97-BF83-FB189C0055AB} -> 208.67.222.222,208.67.220.220   (Intel(R) PRO/100 VE Network Connection) -> 
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs -> 
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls -> 
avgrsstx.dll -> %SystemRoot%\system32\avgrsstx.dll -> [2008/10/02 01:08:56 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.)
*MultiFile Done* -> -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> [2008/07/23 16:28:18 | 00,352,256 | ---- | M] (SUPERAntiSpyware.com)
AtiExtEvent -> %SystemRoot%\system32\ati2evxx.dll -> [2007/09/29 03:57:56 | 00,122,880 | ---- | M] (ATI Technologies Inc.)
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" [HKLM] -> %ProgramFiles%\Windows Defender\MpShHook.dll [Microsoft AntiMalware ShellExecuteHook] -> [2006/11/03 19:20:00 | 00,083,224 | ---- | M] (Microsoft Corporation)
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> [2008/05/13 10:13:36 | 00,077,824 | ---- | M] (SuperAdBlocker.com)
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> 
*LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> 
setuid -> %SystemRoot%\system32\setuid.dll -> [2006/07/05 15:19:26 | 00,064,512 | ---- | M] (March-Hare Software Ltd)
*MultiFile Done* -> -> 
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2004/08/04 02:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation)
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
"C:\Program Files\AVG\AVG8\avgupd.exe" -> C:\Program Files\AVG\AVG8\avgupd.exe [C:\Program Files\AVG\AVG8\avgupd.exe:*:Disabled:avgupd.exe] -> [2008/10/02 01:08:41 | 00,641,304 | ---- | M] (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Bonjour\mDNSResponder.exe" -> C:\Program Files\Bonjour\mDNSResponder.exe [C:\Program Files\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour] -> [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" -> C:\Program Files\iTunes\iTunes.exe [C:\Program Files\iTunes\iTunes.exe:*:Disabled:iTunes] -> [2008/09/08 23:02:02 | 14,228,264 | ---- | M] (Apple Inc.)
"C:\Program Files\UltraEdit-32\uedit32.exe" -> C:\Program Files\UltraEdit-32\uedit32.exe [C:\Program Files\UltraEdit-32\uedit32.exe:*:Disabled:UltraEdit-32 Professional Text/Hex Editor] -> [2006/01/27 12:20:00 | 03,317,836 | ---- | M] (IDM Computer Solutions, Inc.)
"C:\WINDOWS\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019] -> [2004/08/04 02:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation)
"C:\WINDOWS\system32\ZoneLabs\vsmon.exe" -> C:\WINDOWS\system32\ZoneLabs\vsmon.exe [C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:TrueVector Service] -> [2008/07/09 09:05:18 | 00,075,304 | ---- | M] (Zone Labs, LLC)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
"AlternateShell" -> cmd.exe -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" -> %SystemRoot%\system32\drivers\cdrom.sys [system32\DRIVERS\cdrom.sys] -> [2004/08/04 06:00:00 | 00,049,536 | ---- | M] (Microsoft Corporation)
< Drives with AutoRun files > ->  -> 
C:\AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] -> [2006/01/29 19:10:48 | 00,000,000 | ---- | M] ()
H:\AUTOEXEC.BAT [] -> H:\AUTOEXEC.BAT [ NTFS ] -> [2006/03/08 17:04:54 | 00,000,000 | ---- | M] ()
N:\AUTOEXEC.BAT [] -> N:\AUTOEXEC.BAT [ NTFS ] -> [2002/01/02 01:39:36 | 00,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\T\Shell
\T\Shell\\"" ->  [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\T\Shell\AutoRun
\T\Shell\AutoRun\\"" ->  [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\T\Shell\AutoRun\command
\T\Shell\AutoRun\command\\"" -> T:\LaunchU3.exe [T:\LaunchU3.exe -a] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2f10f588-38a0-11db-9a12-0013206548f5}\Shell
\{2f10f588-38a0-11db-9a12-0013206548f5}\Shell\\"" ->  [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2f10f588-38a0-11db-9a12-0013206548f5}\Shell\AutoRun
\{2f10f588-38a0-11db-9a12-0013206548f5}\Shell\AutoRun\\"" ->  [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2f10f588-38a0-11db-9a12-0013206548f5}\Shell\AutoRun\command
\{2f10f588-38a0-11db-9a12-0013206548f5}\Shell\AutoRun\command\\"" -> T:\LaunchU3.exe [T:\LaunchU3.exe -a] -> File not found
 
 
[Files/Folders - Created Within 30 Days]
7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
Tracing a hacker.url -> %UserProfile%\Desktop\Tracing a hacker.url -> [2008/10/14 22:30:47 | 00,000,298 | ---- | C] ()
Vitalsecurity.org - A Revolution is the Solution.url -> %UserProfile%\Desktop\Vitalsecurity.org - A Revolution is the Solution.url -> [2008/10/14 22:05:42 | 00,000,186 | ---- | C] ()
SmartSniff Freeware Packet Sniffer - Capture TCP-IP packets on your network adapter.mht -> %UserProfile%\My Documents\SmartSniff Freeware Packet Sniffer - Capture TCP-IP packets on your network adapter.mht -> [2008/10/14 15:34:34 | 00,076,895 | ---- | C] ()
MozillaHistoryView View the list of visited web sites in Firefox-Mozilla-Netscape browsers.url -> %UserProfile%\Desktop\MozillaHistoryView View the list of visited web sites in Firefox-Mozilla-Netscape browsers.url -> [2008/10/14 15:27:36 | 00,000,276 | ---- | C] ()
pps.zip -> %UserProfile%\My Documents\pps.zip -> [2008/10/14 15:06:27 | 05,447,446 | ---- | C] ()
pp1.zip -> %UserProfile%\My Documents\pp1.zip -> [2008/10/14 15:00:00 | 33,530,190 | ---- | C] ()
efinancialharmony.com -> %UserProfile%\My Documents\efinancialharmony.com -> [2008/10/14 14:41:52 | 00,002,683 | ---- | C] ()
accesslog_efinancialharmony.com_10_14_2008.gz -> %UserProfile%\My Documents\accesslog_efinancialharmony.com_10_14_2008.gz -> [2008/10/14 14:41:34 | 00,000,709 | ---- | C] ()
CCleaner.lnk -> %UserProfile%\Desktop\CCleaner.lnk -> [2008/10/13 23:18:42 | 00,001,556 | ---- | C] ()
fsaua.data -> %SystemDrive%\fsaua.data -> [2008/10/13 23:02:27 | 00,000,000 | ---D | C]
New malware site.doc -> %UserProfile%\My Documents\New malware site.doc -> [2008/10/13 20:13:38 | 00,021,504 | ---- | C] ()
Kaspersky Lab -> %AllUsersProfile%\Application Data\Kaspersky Lab -> [2008/10/12 21:07:50 | 00,000,000 | ---D | C]
Kaspersky Lab -> %SystemRoot%\System32\Kaspersky Lab -> [2008/10/12 21:07:47 | 00,000,000 | ---D | C]
HouseCall 6.6 -> %SystemRoot%\System32\HouseCall 6.6 -> [2008/10/12 00:09:04 | 00,000,000 | ---D | C]
OpenDNS Updater -> %ProgramFiles%\OpenDNS Updater -> [2008/10/11 22:24:31 | 00,000,000 | ---D | C]
Fonts-Backup -> %SystemDrive%\Fonts-Backup -> [2008/10/10 20:30:27 | 00,000,000 | ---D | C]
SDHelper (Spybot - Search & Destroy) -> %ProgramFiles%\SDHelper (Spybot - Search & Destroy) -> [2008/10/10 12:03:47 | 00,000,000 | ---D | C]
HostsMan Backups -> %AllUsersProfile%\Documents\HostsMan Backups -> [2008/10/06 22:31:18 | 00,000,000 | ---D | C]
abelhadigital.com -> %AppData%\abelhadigital.com -> [2008/10/06 22:30:52 | 00,000,000 | ---D | C]
abelhadigital.com -> %AllUsersProfile%\Application Data\abelhadigital.com -> [2008/10/06 22:30:52 | 00,000,000 | ---D | C]
fidbox.dat -> %SystemRoot%\System32\drivers\fidbox.dat -> [2008/10/06 10:22:49 | 10,544,160 | -HS- | C] ()
fidbox.idx -> %SystemRoot%\System32\drivers\fidbox.idx -> [2008/10/06 10:22:49 | 00,132,968 | -HS- | C] ()
WinDirStat -> %ProgramFiles%\WinDirStat -> [2008/10/05 22:31:26 | 00,000,000 | ---D | C]
ZoneAlarmSB -> %ProgramFiles%\ZoneAlarmSB -> [2008/10/05 22:17:51 | 00,000,000 | ---D | C]
zllsputility.exe -> %SystemRoot%\zllsputility.exe -> [2008/10/05 21:19:27 | 00,075,248 | ---- | C] (Zone Labs, LLC)
klif.sys -> %SystemRoot%\System32\drivers\klif.sys -> [2008/10/05 21:19:10 | 00,127,768 | ---- | C] (Kaspersky Lab)
libeay32_0.9.6l.dll -> %SystemRoot%\System32\libeay32_0.9.6l.dll -> [2008/10/05 21:18:40 | 00,796,048 | ---- | C] ()
vsregexp.dll -> %SystemRoot%\System32\vsregexp.dll -> [2008/10/05 21:18:39 | 00,071,144 | ---- | C] (Zone Labs, LLC)
vsxml.dll -> %SystemRoot%\System32\vsxml.dll -> [2008/10/05 21:18:18 | 00,099,816 | ---- | C] (Zone Labs, LLC)
Zone Labs -> %ProgramFiles%\Zone Labs -> [2008/10/05 21:18:18 | 00,000,000 | ---D | C]
vsconfig.xml -> %SystemRoot%\System32\vsconfig.xml -> [2008/10/05 21:18:17 | 00,352,918 | ---- | C] ()
vspubapi.dll -> %SystemRoot%\System32\vspubapi.dll -> [2008/10/05 21:18:17 | 00,275,944 | ---- | C] (Zone Labs, LLC)
vsmonapi.dll -> %SystemRoot%\System32\vsmonapi.dll -> [2008/10/05 21:18:17 | 00,103,912 | ---- | C] (Zone Labs, LLC)
vsutil.dll -> %SystemRoot%\System32\vsutil.dll -> [2008/10/05 21:17:24 | 00,472,552 | ---- | C] (Zone Labs, LLC)
vsinit.dll -> %SystemRoot%\System32\vsinit.dll -> [2008/10/05 21:17:24 | 00,157,160 | ---- | C] (Zone Labs, LLC)
Uniblue SpeedUpMyPC 2009.lnk -> %AllUsersProfile%\Desktop\Uniblue SpeedUpMyPC 2009.lnk -> [2008/10/05 18:29:22 | 00,000,875 | ---- | C] ()
{51019853-129C-4EDE-9030-D5FD7BBD9AD0} -> %AllUsersProfile%\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0} -> [2008/10/05 18:17:37 | 00,000,000 | -H-D | C]
XPSViewer -> %SystemRoot%\System32\XPSViewer -> [2008/10/05 16:56:10 | 00,000,000 | ---D | C]
Reference Assemblies -> %ProgramFiles%\Reference Assemblies -> [2008/10/05 16:55:40 | 00,000,000 | ---D | C]
printfilterpipelinesvc.exe -> %SystemRoot%\System32\dllcache\printfilterpipelinesvc.exe -> [2008/10/05 16:53:42 | 00,597,504 | ---- | C] (Microsoft Corporation)
xpsshhdr.dll -> %SystemRoot%\System32\xpsshhdr.dll -> [2008/10/05 16:53:42 | 00,575,488 | ---- | C] (Microsoft Corporation)
xpsshhdr.dll -> %SystemRoot%\System32\dllcache\xpsshhdr.dll -> [2008/10/05 16:53:42 | 00,575,488 | ---- | C] (Microsoft Corporation)
prntvpt.dll -> %SystemRoot%\System32\prntvpt.dll -> [2008/10/05 16:53:42 | 00,117,760 | ---- | C] (Microsoft Corporation)
filterpipelineprintproc.dll -> %SystemRoot%\System32\dllcache\filterpipelineprintproc.dll -> [2008/10/05 16:53:42 | 00,089,088 | ---- | C] (Microsoft Corporation)
xpssvcs.dll -> %SystemRoot%\System32\xpssvcs.dll -> [2008/10/05 16:53:41 | 01,676,288 | ---- | C] (Microsoft Corporation)
xpssvcs.dll -> %SystemRoot%\System32\dllcache\xpssvcs.dll -> [2008/10/05 16:53:41 | 01,676,288 | ---- | C] (Microsoft Corporation)
SxsCaPendDel -> %SystemRoot%\SxsCaPendDel -> [2008/10/05 16:52:41 | 00,000,000 | ---D | C]
AHCache -> %SystemDrive%\AHCache -> [2008/10/05 16:36:19 | 00,000,000 | RH-D | C]
tmp.reg -> %SystemRoot%\System32\tmp.reg -> [2008/10/04 16:55:42 | 00,001,314 | ---- | C] ()
WinPatrol -> %AppData%\WinPatrol -> [2008/10/03 21:39:45 | 00,000,000 | ---D | C]
BillP Studios -> %ProgramFiles%\BillP Studios -> [2008/10/03 21:39:38 | 00,000,000 | ---D | C]
WBEM -> %SystemRoot%\WBEM -> [2008/10/03 18:37:40 | 00,000,000 | ---D | C]
en-US -> %SystemRoot%\System32\en-US -> [2008/10/03 18:37:39 | 00,000,000 | ---D | C]
ie7 -> %SystemRoot%\ie7 -> [2008/10/03 18:36:41 | 00,000,000 | -H-D | C]
$NtServicePackUninstallIDNMitigationAPIs$ -> %SystemRoot%\$NtServicePackUninstallIDNMitigationAPIs$ -> [2008/10/03 18:36:25 | 00,000,000 | -H-D | C]
$NtServicePackUninstallNLSDownlevelMapping$ -> %SystemRoot%\$NtServicePackUninstallNLSDownlevelMapping$ -> [2008/10/03 18:35:52 | 00,000,000 | -H-D | C]
xmllite.dll -> %SystemRoot%\System32\xmllite.dll -> [2008/10/03 18:34:52 | 00,121,856 | ---- | C] (Microsoft Corporation)
du.exe -> %SystemDrive%\du.exe -> [2008/10/03 11:42:15 | 00,154,424 | ---- | C] (Sysinternals - www.sysinternals.com)
HouseCall 6.6 -> %AppData%\HouseCall 6.6 -> [2008/10/02 14:54:06 | 00,000,000 | ---D | C]
Windows Live Safety Center -> %ProgramFiles%\Windows Live Safety Center -> [2008/10/02 12:07:26 | 00,000,000 | ---D | C]
avgrsstx.dll -> %SystemRoot%\System32\avgrsstx.dll -> [2008/10/02 01:08:56 | 00,010,520 | ---- | C] (AVG Technologies CZ, s.r.o.)
AVG Free 8.0.lnk -> %AllUsersProfile%\Desktop\AVG Free 8.0.lnk -> [2008/10/02 01:08:56 | 00,001,515 | ---- | C] ()
avgldx86.sys -> %SystemRoot%\System32\drivers\avgldx86.sys -> [2008/10/02 01:08:53 | 00,097,928 | ---- | C] (AVG Technologies CZ, s.r.o.)
avgmfx86.sys -> %SystemRoot%\System32\drivers\avgmfx86.sys -> [2008/10/02 01:08:52 | 00,026,824 | ---- | C] (AVG Technologies CZ, s.r.o.)
incavi.avm -> %SystemRoot%\System32\drivers\Avg\incavi.avm -> [2008/10/02 01:08:47 | 28,815,931 | ---- | C] ()
avi7.avg -> %SystemRoot%\System32\drivers\Avg\avi7.avg -> [2008/10/02 01:08:47 | 06,061,540 | ---- | C] ()
miniavi.avg -> %SystemRoot%\System32\drivers\Avg\miniavi.avg -> [2008/10/02 01:08:47 | 00,307,238 | ---- | C] ()
microavi.avg -> %SystemRoot%\System32\drivers\Avg\microavi.avg -> [2008/10/02 01:08:47 | 00,068,419 | ---- | C] ()
AVGTOOLBAR -> %AppData%\AVGTOOLBAR -> [2008/10/02 01:08:47 | 00,000,000 | ---D | C]
Avg -> %SystemRoot%\System32\drivers\Avg -> [2008/10/02 01:08:47 | 00,000,000 | ---D | C]
avg8 -> %AllUsersProfile%\Application Data\avg8 -> [2008/10/02 01:08:40 | 00,000,000 | ---D | C]
AVG -> %ProgramFiles%\AVG -> [2008/10/02 01:08:40 | 00,000,000 | ---D | C]
Spyware Doctor.lnk -> %AllUsersProfile%\Desktop\Spyware Doctor.lnk -> [2008/09/28 19:51:27 | 00,001,645 | ---- | C] ()
iksyssec.sys -> %SystemRoot%\System32\drivers\iksyssec.sys -> [2008/09/28 19:51:25 | 00,081,288 | ---- | C] (PCTools Research Pty Ltd.)
iksysflt.sys -> %SystemRoot%\System32\drivers\iksysflt.sys -> [2008/09/28 19:51:25 | 00,066,952 | ---- | C] (PCTools Research Pty Ltd.)
ikfilesec.sys -> %SystemRoot%\System32\drivers\ikfilesec.sys -> [2008/09/28 19:51:25 | 00,040,840 | ---- | C] (PCTools Research Pty Ltd.)
kcom.sys -> %SystemRoot%\System32\drivers\kcom.sys -> [2008/09/28 19:51:25 | 00,029,576 | ---- | C] (PCTools Research Pty Ltd.)
Spyware Doctor -> %ProgramFiles%\Spyware Doctor -> [2008/09/28 19:51:15 | 00,000,000 | ---D | C]
SoftLogica -> %AppData%\SoftLogica -> [2008/09/27 23:58:40 | 00,000,000 | ---D | C]
SoftLogica -> %AllUsersProfile%\Application Data\SoftLogica -> [2008/09/27 23:58:40 | 00,000,000 | ---D | C]
Enigma Software Group -> %ProgramFiles%\Enigma Software Group -> [2008/09/26 02:20:42 | 00,000,000 | ---D | C]
SUPERAntiSpyware.com -> %AllUsersProfile%\Application Data\SUPERAntiSpyware.com -> [2008/09/25 23:27:08 | 00,000,000 | ---D | C]
SUPERAntiSpyware Professional.lnk -> %AllUsersProfile%\Desktop\SUPERAntiSpyware Professional.lnk -> [2008/09/25 23:26:57 | 00,001,764 | ---- | C] ()
SUPERAntiSpyware.com -> %AppData%\SUPERAntiSpyware.com -> [2008/09/25 23:26:54 | 00,000,000 | ---D | C]
SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware -> [2008/09/25 23:26:54 | 00,000,000 | ---D | C]
Fiddler2 -> %ProgramFiles%\Fiddler2 -> [2008/09/25 20:15:01 | 00,000,000 | ---D | C]
pxark.sys -> %SystemRoot%\System32\drivers\pxark.sys -> [2008/09/25 19:50:56 | 00,017,408 | ---- | C] (Prevx)
PrevxCSI -> %ProgramFiles%\PrevxCSI -> [2008/09/25 19:50:56 | 00,000,000 | ---D | C]
PrevxCSI -> %AllUsersProfile%\Application Data\PrevxCSI -> [2008/09/25 19:50:23 | 00,000,000 | ---D | C]
mozy.blk -> %SystemRoot%\mozy.blk -> [2008/09/25 00:23:49 | 00,010,454 | ---- | C] ()
mozy.flt -> %SystemRoot%\mozy.flt -> [2008/09/25 00:23:49 | 00,001,124 | ---- | C] ()
mozy.sys -> %SystemRoot%\System32\drivers\mozy.sys -> [2008/09/25 00:23:44 | 00,053,752 | ---- | C] (Mozy, Inc.)
MozyHome -> %ProgramFiles%\MozyHome -> [2008/09/25 00:23:42 | 00,000,000 | ---D | C]
FreeUndelete -> %ProgramFiles%\FreeUndelete -> [2008/09/23 00:05:29 | 00,000,000 | ---D | C]
Opera -> %UserProfile%\Local Settings\Application Data\Opera -> [2008/09/20 20:02:21 | 00,000,000 | ---D | C]
Opera.lnk -> %AllUsersProfile%\Desktop\Opera.lnk -> [2008/09/20 20:02:14 | 00,000,600 | ---- | C] ()
 
[Files/Folders - Modified Within 30 Days]
7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help -> [2006/03/15 03:01:25 | 00,000,000 | ---D | M]
hhcolreg.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help\hhcolreg.dat -> [2008/05/23 16:42:54 | 00,045,627 | ---- | M] ()
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader -> [2006/01/29 21:32:30 | 00,000,000 | ---D | M]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [2008/10/13 23:00:58 | 00,004,232 | ---- | M] ()
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [2008/10/13 23:00:58 | 00,004,617 | ---- | M] ()
C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA -> [2006/01/30 12:33:09 | 00,000,000 | ---D | M]
opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat -> [2006/05/19 21:20:43 | 00,012,394 | ---- | M] ()
C:\Documents and Settings\All Users\Application Data\Microsoft\VisualStudio\8.0\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\VisualStudio\8.0 -> [2006/03/12 15:33:31 | 00,000,000 | ---D | M]
vs000223.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\VisualStudio\8.0\vs000223.dat -> [2006/07/11 00:34:57 | 00,677,178 | -H-- | M] ()
C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\ -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus -> [2008/10/14 23:12:48 | 00,000,000 | ---D | M]
fsgk32.exe -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\fsgk32.exe -> [2008/10/14 22:46:05 | 00,413,696 | ---- | M] (F-Secure Corp.)
fssm32.exe -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\fssm32.exe -> [2008/10/14 22:46:05 | 00,494,592 | ---- | M] (F-Secure Corp.)
C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\updates\fsav_beta\ -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\updates\fsav_beta -> [2008/10/14 22:46:05 | 00,000,000 | ---D | M]
fsgk32.exe -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\updates\fsav_beta\fsgk32.exe -> [2008/10/14 22:46:05 | 00,413,696 | ---- | M] (F-Secure Corp.)
fssm32.exe -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\updates\fsav_beta\fssm32.exe -> [2008/10/14 22:46:05 | 00,494,592 | ---- | M] (F-Secure Corp.)
C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\ -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus -> [2008/10/14 23:12:48 | 00,000,000 | ---D | M]
AVPFPI0.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\AVPFPI0.dll -> [2008/10/14 22:46:05 | 00,147,538 | ---- | M] (Kaspersky Lab)
avpproxy.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\avpproxy.dll -> [2008/10/14 22:46:05 | 00,077,910 | ---- | M] (F-Secure Corporation)
daas_s.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\daas_s.dll -> [2008/02/27 15:59:28 | 00,495,616 | ---- | M] (F-Secure Corporation)
fm4av.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\fm4av.dll -> [2008/10/14 22:46:05 | 00,514,048 | ---- | M] ()
fpinor.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\fpinor.dll -> [2008/10/14 22:46:05 | 00,113,664 | ---- | M] (F-Secure Corporation)
fsbl.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\fsbl.dll -> [2008/10/14 22:46:05 | 00,049,152 | ---- | M] (F-Secure Corporation)
fsbld.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\fsbld.dll -> [2008/10/14 22:45:52 | 00,551,544 | ---- | M] (F-Secure Corporation)
fsecr32.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\fsecr32.dll -> [2008/10/14 22:45:58 | 00,262,144 | ---- | M] (F-Secure Corporation)
fsgkiapi.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\fsgkiapi.dll -> [2008/10/14 22:46:05 | 00,082,432 | ---- | M] (F-Secure Corp.)
fsmart.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\fsmart.dll -> [2008/10/14 22:46:01 | 00,147,456 | ---- | M] (F-Secure Corporation)
fspe32.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\fspe32.dll -> [2008/10/14 22:45:58 | 00,385,024 | ---- | M] (F-Secure Corporation)
fssubmit.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\fssubmit.dll -> [2008/10/14 22:45:54 | 00,651,264 | ---- | M] (F-Secure Corporation)
fsup32.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\fsup32.dll -> [2008/10/14 22:45:58 | 00,577,536 | ---- | M] (F-Secure Corporation)
fsupcx32.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\fsupcx32.dll -> [2008/10/14 22:45:58 | 00,073,728 | ---- | M] (F-Secure Corporation)
fsupfg32.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\fsupfg32.dll -> [2008/10/14 22:45:58 | 00,098,304 | ---- | M] (F-Secure Corporation)
fsupmw32.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\fsupmw32.dll -> [2008/10/14 22:45:58 | 00,086,016 | ---- | M] (F-Secure Corporation)
fsupnp32.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\fsupnp32.dll -> [2008/10/14 22:45:58 | 00,098,304 | ---- | M] (F-Secure Corporation)
fsupux32.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\fsupux32.dll -> [2008/10/14 22:45:58 | 00,090,112 | ---- | M] (F-Secure Corporation)
fsupwu32.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\fsupwu32.dll -> [2008/10/14 22:45:58 | 00,090,112 | ---- | M] (F-Secure Corporation)
fsusscr.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\fsusscr.dll -> [2008/10/14 22:46:01 | 00,888,832 | ---- | M] (F-Secure Corporation)
Nse_w32.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\Anti-Virus\Nse_w32.dll -> [2008/10/14 22:45:49 | 00,588,856 | ---- | M] (Norman ASA)
C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\updates\fsav_beta\ -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\updates\fsav_beta -> [2008/10/14 22:46:05 | 00,000,000 | ---D | M]
AVPFPI0.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\updates\fsav_beta\AVPFPI0.dll -> [2008/10/14 22:46:05 | 00,147,538 | ---- | M] (Kaspersky Lab)
avpproxy.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\updates\fsav_beta\avpproxy.dll -> [2008/10/14 22:46:05 | 00,077,910 | ---- | M] (F-Secure Corporation)
fm4av.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\updates\fsav_beta\fm4av.dll -> [2008/10/14 22:46:05 | 00,514,048 | ---- | M] ()
fpinor.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\updates\fsav_beta\fpinor.dll -> [2008/10/14 22:46:05 | 00,113,664 | ---- | M] (F-Secure Corporation)
fsbl.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\updates\fsav_beta\fsbl.dll -> [2008/10/14 22:46:05 | 00,049,152 | ---- | M] (F-Secure Corporation)
fsgkiapi.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\updates\fsav_beta\fsgkiapi.dll -> [2008/10/14 22:46:05 | 00,082,432 | ---- | M] (F-Secure Corp.)
C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\updates\hydrawin\ -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\updates\hydrawin -> [2008/10/14 22:45:59 | 00,000,000 | ---D | M]
fsecr32.dll -> C:\Documents and Settings\CACDEV\Local Settings\Temp\OnlineScanner\updates\hydrawin\fsecr32.dll -> [2008/10/14 22:45:58 | 00,262,144 | ---- | M] (F-Secure Corporation)
--------------------------------

Can you, will you, help me to understand just a little about being "infected"?
I'm assuming I picked this up through some mechanism on my pc.
Then somehow I infect my website.
Then my website becomes a virus center and re-infects me every time I go back?
I can browse for days if I don't go to my site with no error. Once there, BOOM, it's back in one form or another.

I was wondering if netstat and a sniffer might help me find out the root cause, what file, what directory the little bugger is hiding in that is "calling home".

I'm going to have the entire site nuked and I'll just start over.

In any case, I do appreciate the help you have provided, the style and the expertise.
Thank you.
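The re-infection hypothesis in the post above (a site that serves an injected payload to every visitor) can be checked from the hosting side rather than with netstat on the client. The following is an added example, not code from the original thread: it walks a site tree and flags the injection patterns most often behind that behaviour (hidden iframes and decode-then-eval wrappers). The patterns, paths and file contents are constructed for illustration.

```python
# Added example (not from the thread): flag common injection patterns that make a compromised site re-infect visitors.
import re
import tempfile
from pathlib import Path

# Constructed indicators of injected content as seen in compromised CMS files.
PATTERNS = {
    # iframe sized to zero or hidden: pulls in another host without being visible
    "hidden_iframe": re.compile(
        r"<iframe[^>]*?(?:\b(?:width|height)\s*=\s*[\"']?0\b|visibility\s*:\s*hidden)", re.I),
    # server-side decode-then-eval: classic wrapper around an injected PHP loader
    "eval_decoder": re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}
SCAN_EXTS = {".php", ".html", ".htm", ".js"}

def scan_file(path):
    """Return [(pattern_name, line_no, snippet)] for one file."""
    hits = []
    with Path(path).open("r", encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            for name, rx in PATTERNS.items():
                if rx.search(line):
                    hits.append((name, line_no, line.strip()[:80]))
    return hits

def scan_tree(root):
    """Map relative file path -> findings for every file with a scanned extension."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_EXTS:
            hits = scan_file(path)
            if hits:
                results[path.relative_to(root).as_posix()] = hits
    return results

# Constructed miniature Joomla-like tree: one clean file, two injected ones.
SAMPLE_FILES = {
    "includes/framework.php": "<?php\n// clean bootstrap (constructed)\nrequire_once 'defines.php';\n",
    "templates/beez/index.php": (
        "<?php defined('_JEXEC') or die; ?>\n<html><body>\n<h1>Site</h1>\n"
        '<iframe src="http://bad-host.invalid/x.php" width="0" height="0"></iframe>\n</body></html>\n'),
    "modules/mod_footer/mod_footer.php": "<?php\neval(base64_decode('aGVsbG8='));\n",
}

def demo():
    """Write the constructed tree to a temp directory and scan it."""
    root = Path(tempfile.mkdtemp())
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return scan_tree(root)
```

On a real web root, call `scan_tree("/path/to/public_html")` and compare the flagged files against a clean copy of the CMS release before deciding what to restore.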
