Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TDSS infectiion


  • This topic is locked This topic is locked
11 replies to this topic

#1 tintong

tintong

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 24 November 2008 - 08:30 PM

I tried installing malwarebyte but have had no luck launching the .exe file, but I did get around installing hijackthis and managed to pull a log of the system's current state, please see below:

--------log starts------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:11 PM, on 11/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\vsnpstd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: PenPower PenKeyboard.lnk = ?
O4 - Global Startup: Status Display.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - E:\Personal Files\(BH) Belden Hon\Under 19 Restricted\New Folder 2\PartyCasino\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - E:\Personal Files\(BH) Belden Hon\Under 19 Restricted\New Folder 2\PartyCasino\RunApp.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Personal Files\(BH) Belden Hon\Under 19 Restricted\New Folder\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Personal Files\(BH) Belden Hon\Under 19 Restricted\New Folder\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn200...erInstaller.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.ca/s/v/40.11/uploader2.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://smms.sub.fulfillment.puretracks.com/onager_smms.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200184919531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218992863000
O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.2) - http://121.78.85.41/cab/cibrowser12.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...302/Coupons.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,38
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll sdnbhn.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 12165 bytes


If you are able to offer any assistance I will be very very grateful!

Thank you!
Tintong

BC AdBot (Login to Remove)

 


#2 tintong

tintong
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 25 November 2008 - 07:31 PM

It just hit me but I cannot remember if I ran the previous log before or after my incomplete installation of Malwarebyte...I've re-ran a hijack this log and is posting it below:

----------log starts-------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:26:20 PM, on 11/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: PenPower PenKeyboard.lnk = ?
O4 - Global Startup: Status Display.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - E:\Personal Files\(BH) Belden Hon\Under 19 Restricted\New Folder 2\PartyCasino\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - E:\Personal Files\(BH) Belden Hon\Under 19 Restricted\New Folder 2\PartyCasino\RunApp.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Personal Files\(BH) Belden Hon\Under 19 Restricted\New Folder\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Personal Files\(BH) Belden Hon\Under 19 Restricted\New Folder\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn200...erInstaller.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.ca/s/v/40.11/uploader2.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://smms.sub.fulfillment.puretracks.com/onager_smms.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200184919531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218992863000
O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.2) - http://121.78.85.41/cab/cibrowser12.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...302/Coupons.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,38
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll sdnbhn.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10826 bytes


Thank you in advance!
Tintong

#3 tintong

tintong
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 01 December 2008 - 12:16 PM

Man...i have a feeling my computer is hopeless isn't it...? :thumbsup:

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:15 PM

Posted 01 December 2008 - 06:33 PM

Hello, tintong
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
In your next reply, please include the following:
  • OTViewIt.txt
  • Extra.txt
  • GMER's Log


Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#5 tintong

tintong
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 01 December 2008 - 07:33 PM

Hi Billy!

Thank you for assisting me with this, I was on the verge of crying and banging my head on the wall. I've followed your instructions and am posting the logs below (I ran everything in safe mode):

----------Beginning of OTViewIt.txt log-----------

OTViewIt logfile created on: 12/01/2008 7:00:41 PM - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\Candy Hon\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: MM/dd/yyyy

2.00 Gb Total Physical Memory | 1.73 Gb Available Physical Memory | 86.37% Memory free
3.35 Gb Paging File | 3.25 Gb Available in Paging File | 97.05% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 25.00 Gb Total Space | 10.97 Gb Free Space | 43.89% Space Free | Partition Type: NTFS
Drive D: | 17.50 Gb Total Space | 4.46 Gb Free Space | 25.50% Space Free | Partition Type: NTFS
Drive E: | 14.75 Gb Total Space | 3.10 Gb Free Space | 21.04% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DSKTP-XPPRO
Current User Name: Candy Hon
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2008/12/01 18:59:10 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Candy Hon\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2007/04/21 20:16:15 | 00,069,632 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
[2005/09/23 06:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2000/05/24 14:20:36 | 00,015,360 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\system32\ATMsrvc.exe -- (ATMsrvc [Disabled | Stopped])
[2008/08/29 22:43:44 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Stopped])
[2008/08/29 22:43:43 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Stopped])
[2002/04/11 23:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service [Auto | Stopped])
[2005/09/23 06:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2006/10/20 20:21:24 | 00,036,864 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2008/10/08 23:28:21 | 00,168,432 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Stopped])
[2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2006/10/30 02:33:58 | 00,741,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
[2007/04/27 10:25:52 | 00,500,800 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
[2003/06/19 22:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Stopped])
[2006/10/30 02:34:02 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
File not found -- -- (NMIndexingService [Disabled | Stopped])
[2007/09/16 12:07:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Stopped])
[2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007/10/18 10:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
[2007/10/25 14:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
[2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
[2008/04/29 18:56:20 | 00,061,856 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum [Auto | Stopped])
[2008/04/29 18:56:32 | 05,065,120 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc [On_Demand | Stopped])
[2008/04/29 18:56:22 | 00,245,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc [On_Demand | Stopped])

========== Driver Services ==========

[2006/12/04 16:11:46 | 04,025,984 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM [On_Demand | Stopped])
[2006/06/05 13:48:30 | 00,019,200 | ---- | M] (SlySoft, Inc.) -- C:\WINDOWS\system32\drivers\AnyDVD.sys -- (AnyDVD [On_Demand | Running])
[2008/08/29 22:43:42 | 00,097,928 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86 [System | Stopped])
[2008/07/04 07:25:06 | 00,026,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86 [System | Stopped])
[2008/07/04 07:25:15 | 00,076,040 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX [Auto | Stopped])
[2004/10/15 11:50:20 | 00,015,295 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb [On_Demand | Stopped])
[2003/10/28 14:17:52 | 00,005,273 | ---- | M] (Arrowkey) -- C:\Program Files\321Studios\Shared\CDRPDACC.SYS -- (CDRPDACC [Auto | Stopped])
[2002/07/12 10:46:06 | 00,129,988 | ---- | M] (Unknown) -- C:\WINDOWS\system32\drivers\VQ110.sys -- (DCamVQ110 [On_Demand | Stopped])
[2006/04/21 20:44:39 | 00,008,064 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO [Auto | Stopped])
[2006/09/19 13:44:04 | 00,015,664 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
[2007/09/16 12:07:00 | 06,853,088 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Stopped])
[2008/11/24 00:13:01 | 00,030,946 | ---- | M] (Greatis Software) -- C:\WINDOWS\system32\drivers\Partizan.sys -- (Partizan [Boot | Running])
[2007/04/21 20:55:42 | 00,034,528 | ---- | M] (VSO Software) -- C:\WINDOWS\system32\drivers\Pcouffin.sys -- (Pcouffin [On_Demand | Stopped])
[2002/02/24 06:35:00 | 00,014,604 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc [On_Demand | Running])
[2001/07/18 14:07:38 | 00,020,704 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\system32\drivers\PPMOUCLS.SYS -- (ppmoucls [System | Stopped])
[2001/08/23 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2008/12/01 18:56:58 | 00,025,773 | ---- | M] (Greatis Software) -- C:\WINDOWS\system32\drivers\regguard.sys -- (RegGuard [On_Demand | Stopped])
[2004/08/03 21:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139 [On_Demand | Running])
[2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2004/03/22 21:31:52 | 00,302,720 | ---- | M] () -- C:\WINDOWS\system32\drivers\snpstd2.sys -- (snpstd2 [On_Demand | Stopped])
[2006/08/07 04:16:00 | 00,076,560 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm [Auto | Stopped])
[2008/04/13 13:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
[2008/03/27 15:27:46 | 00,503,008 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wdf01000.sys -- (Wdf01000 [On_Demand | Running])
[2004/04/14 10:08:00 | 00,010,144 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\WmBEnum.sys -- (WmBEnum [On_Demand | Running])
[2004/04/14 10:08:00 | 00,021,280 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\WmFilter.sys -- (WmFilter [On_Demand | Running])
[2004/04/14 10:08:00 | 00,005,600 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\WmVirHid.sys -- (WmVirHid [On_Demand | Stopped])
[2004/04/14 10:08:00 | 00,044,064 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\WmXlCore.sys -- (WmXlCore [On_Demand | Running])
[2001/08/23 07:00:00 | 00,012,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\ws2ifsl.sys -- (WS2IFSL [System | Running])
[2008/04/29 18:39:04 | 00,040,704 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\zumbus.sys -- (zumbus [Auto | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=about:blank

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-2052111302-573735546-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=about:blank

[HKEY_USERS\S-1-5-21-2052111302-573735546-725345543-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2052111302-573735546-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

Hosts file not found

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.)
{9030D464-4C02-4ABF-8ECC-5164760863C6} (HKLM) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
{AA58ED58-01DD-4d91-8333-CF10577473F7} (HKLM) -- c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (HKLM) -- C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll (Google Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (HKLM) -- c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" (HKLM) -- C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" (HKLM) -- C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

[HKEY_USERS\S-1-5-21-2052111302-573735546-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

[HKEY_USERS\S-1-5-21-2052111302-573735546-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" (HKLM) -- C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
""= File not found
"@RegRunOnSecure"=C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe (Greatis Software)
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" (Adobe Systems Inc.)
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
"BrMfcWnd"=C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN ()
"ControlCenter3"=C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun (Brother Industries, Ltd.)
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 (Microsoft Corporation)
"IndexSearch"=C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k File not found
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC ()
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe (Nero AG)
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
"nwiz"=nwiz.exe /install ()
"PaperPort PTD"=C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName (Microsoft Corporation)
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC (Microsoft Corporation)
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
"RegRun WinBait"=C:\WINDOWS\winbait.exe ()
"SetDefPrt"=C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe (Brother Industories, Ltd.)
"SNPSTD2"=C:\WINDOWS\vsnpstd2.exe ()
"SoundMan"=SOUNDMAN.EXE (Realtek Semiconductor Corp.)
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot (Scansoft, Inc.)
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Regrun2"=C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe (Greatis Software)

[HKEY_USERS\S-1-5-21-2052111302-573735546-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Regrun2"=C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe (Greatis Software)

========== (O4) RunOnce Keys ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"=C:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe -p (Adobe Systems, Inc.)

[HKEY_USERS\S-1-5-21-2052111302-573735546-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"=C:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe -p (Adobe Systems, Inc.)

========== (O4) Startup Folders ==========

[2007/04/21 20:16:07 | 00,025,214 | R--- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
[2001/08/09 16:41:56 | 00,036,864 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PenPower PenKeyboard.lnk = C:\WINPENJR\win32\penkeybd.exe
[2002/02/22 17:36:10 | 00,122,880 | ---- | M] (Kyushu Matsubleepa Electric Co.,Ltd) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Status Display.lnk = C:\Program Files\Panasonic\Panasonic KX-P7105 and KX-P7110\Status Display\stmndsp.exe
[2005/06/01 14:41:18 | 00,065,536 | ---- | M] (AKSoftware) -- C:\Documents and Settings\Candy Hon\Start Menu\Programs\Startup\TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
[2006/05/21 02:43:08 | 00,180,224 | ---- | M] () -- C:\Documents and Settings\Candy Hon\Start Menu\Programs\Startup\UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
[2006/05/21 02:43:14 | 00,155,648 | ---- | M] (Y'z@Home) -- C:\Documents and Settings\Candy Hon\Start Menu\Programs\Startup\Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
Convert link target to Adobe PDF: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004/12/14 01:13:40 | 00,225,280 | ---- | M] (Adobe Systems Incorporated)
Convert link target to existing PDF: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004/12/14 01:13:40 | 00,225,280 | ---- | M] (Adobe Systems Incorporated)
Convert selected links to Adobe PDF: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004/12/14 01:13:40 | 00,225,280 | ---- | M] (Adobe Systems Incorporated)
Convert selected links to existing PDF: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004/12/14 01:13:40 | 00,225,280 | ---- | M] (Adobe Systems Incorporated)
Convert selection to Adobe PDF: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004/12/14 01:13:40 | 00,225,280 | ---- | M] (Adobe Systems Incorporated)
Convert selection to existing PDF: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004/12/14 01:13:40 | 00,225,280 | ---- | M] (Adobe Systems Incorporated)
Convert to Adobe PDF: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004/12/14 01:13:40 | 00,225,280 | ---- | M] (Adobe Systems Incorporated)
Convert to existing PDF: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004/12/14 01:13:40 | 00,225,280 | ---- | M] (Adobe Systems Incorporated)
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2003/08/13 01:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2052111302-573735546-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\]
Convert link target to Adobe PDF: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004/12/14 01:13:40 | 00,225,280 | ---- | M] (Adobe Systems Incorporated)
Convert link target to existing PDF: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004/12/14 01:13:40 | 00,225,280 | ---- | M] (Adobe Systems Incorporated)
Convert selected links to Adobe PDF: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004/12/14 01:13:40 | 00,225,280 | ---- | M] (Adobe Systems Incorporated)
Convert selected links to existing PDF: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004/12/14 01:13:40 | 00,225,280 | ---- | M] (Adobe Systems Incorporated)
Convert selection to Adobe PDF: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004/12/14 01:13:40 | 00,225,280 | ---- | M] (Adobe Systems Incorporated)
Convert selection to existing PDF: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004/12/14 01:13:40 | 00,225,280 | ---- | M] (Adobe Systems Incorporated)
Convert to Adobe PDF: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004/12/14 01:13:40 | 00,225,280 | ---- | M] (Adobe Systems Incorporated)
Convert to existing PDF: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004/12/14 01:13:40 | 00,225,280 | ---- | M] (Adobe Systems Incorporated)
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2003/08/13 01:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_02\bin\npjpi160_02.dll [2007/07/12 03:00:35 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}: Button: PartyCasino -- E:\Personal Files\(BH) Belden Hon\Under 19 Restricted\New Folder 2\PartyCasino\RunApp.exe [2008/05/22 20:33:24 | 00,110,592 | ---- | M] ()
{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}: Menu: PartyCasino -- E:\Personal Files\(BH) Belden Hon\Under 19 Restricted\New Folder 2\PartyCasino\RunApp.exe [2008/05/22 20:33:24 | 00,110,592 | ---- | M] ()
{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}: Button: PartyPoker.com -- E:\Personal Files\(BH) Belden Hon\Under 19 Restricted\New Folder\PartyPoker\RunApp.exe [2006/11/07 10:58:44 | 00,110,592 | ---- | M] ()
{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}: Menu: PartyPoker.com -- E:\Personal Files\(BH) Belden Hon\Under 19 Restricted\New Folder\PartyPoker\RunApp.exe [2006/11/07 10:58:44 | 00,110,592 | ---- | M] ()
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2052111302-573735546-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
amaena.com: * in Trusted sites
antimalwareguard.com: * in Trusted sites
antispyexpert.com: * in Trusted sites
avsystemcare.com: * in Trusted sites
gomyhit.com: * in Trusted sites
imagesrvr.com: * in Trusted sites
onerateld.com: * in Trusted sites
safetydownload.com: * in Trusted sites
spyguardpro.com: * in Trusted sites
storageguardsoft.com: * in Trusted sites
trustedantivirus.com: * in Trusted sites
virusremover2008.com: * in Trusted sites
virusschlacht.com: * in Trusted sites
1 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-2052111302-573735546-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
amaena.com: * in Trusted sites
antimalwareguard.com: * in Trusted sites
antispyexpert.com: * in Trusted sites
avsystemcare.com: * in Trusted sites
gomyhit.com: * in Trusted sites
imagesrvr.com: * in Trusted sites
onerateld.com: * in Trusted sites
safetydownload.com: * in Trusted sites
spyguardpro.com: * in Trusted sites
storageguardsoft.com: * in Trusted sites
trustedantivirus.com: * in Trusted sites
virusremover2008.com: * in Trusted sites
virusschlacht.com: * in Trusted sites
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{0CCA191D-13A6-4E29-B746-314DEE697D83}: http://upload.facebook.com/controls/2008.1...toUploader5.cab -- Facebook Photo Uploader 5 Control
{15589FA1-C456-11CE-BF01-000000000000}: http://www.errornuker.com/products/errn200...erInstaller.exe -- Reg Error: Key does not exist or could not be opened.
{215B8138-A3CF-44C5-803F-8226143CFC0A}: http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab -- Trend Micro ActiveX Scan Agent 6.6
{233C1507-6A77-46A4-9443-F871F945D258}: http://download.macromedia.com/pub/shockwa...director/sw.cab -- Shockwave ActiveX Control
{474F00F5-3853-492C-AC3A-476512BBC336}: http://picasaweb.google.ca/s/v/40.11/uploader2.cab -- UploadListView Class
{5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD}: http://smms.sub.fulfillment.puretracks.com/onager_smms.cab -- OnagerCtrl Class
{5F8469B4-B055-49DD-83F7-62B522420ECC}: http://upload.facebook.com/controls/Facebo...otoUploader.cab -- Facebook Photo Uploader Control
{6414512B-B978-451D-A0D8-FCFDF33E833C}: http://www.update.microsoft.com/windowsupd...b?1200184919531 -- WUWebControl Class
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}: http://www.update.microsoft.com/microsoftu...b?1218992863000 -- MUWebControl Class
{70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942}: http://121.78.85.41/cab/cibrowser12.cab -- Innotive Cibrowser Control 1.2
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab -- Java Plug-in 1.6.0_02
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{9522B3FB-7A2B-4646-8AF6-36E7F593073C}: http://a19.g.akamai.net/7/19/7125/4058/ftp...302/Coupons.cab -- Reg Error: Key does not exist or could not be opened.
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_02
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_02
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab -- Shockwave Flash Object
{E9A7F56F-C40F-4928-8C6F-7A72F2A25222}: http://www.imagestation.com/common/classes....cab?v=1,0,0,38 -- AxRUploadControl Object

========== (O17) DNS Name Servers ==========

{4221D045-2ABA-4EC7-8788-346750974A9F} (Servers: | Description: Realtek RTL8139 Family PCI Fast Ethernet NIC)
{FE04142C-96E9-4D51-AF4A-CBC91F8AA9AB} (Servers: | Description: )

========== (O20) AppInit_DLLs ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=avgrsstx.dll sdnbhn.dll
>[2008/07/04 07:25:07 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\avgrsstx.dll
>File not found --

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
AtiExtEvent: "DllName" = Reg Error: Value DLLName does not exist or could not be read. -- File not found

========== LSA *Authentication Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=msv1_0,C:\WINDOWS\system32\mlJBQKAr,
>File not found --

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2007/04/01 16:16:51 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[5 C:\WINDOWS\*.tmp files]
[2008/12/01 19:00:06 | 00,422,400 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Candy Hon\Desktop\OTViewIt.exe
[2008/11/24 20:23:28 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008/11/24 20:23:28 | 00,000,706 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/11/24 20:23:25 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/11/24 20:23:24 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008/11/24 20:20:55 | 00,001,744 | ---- | C] () -- C:\Documents and Settings\Candy Hon\Desktop\HijackThis.lnk
[2008/11/24 20:20:55 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008/11/24 20:19:02 | 00,002,015 | RH-- | C] () -- C:\WINDOWS\System32\drivers\hosts
[2008/11/24 20:18:53 | 00,000,000 | ---D | C] -- C:\Program Files\RogueRemover PRO
[2008/11/24 19:49:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/11/24 19:30:30 | 00,001,693 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Error Nuker.lnk
[2008/11/24 19:30:29 | 00,000,000 | ---D | C] -- C:\Program Files\Error Nuker
[2008/11/24 18:23:03 | 02,372,472 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Candy Hon\Desktop\mbam-setup.exe
[2008/11/24 00:46:27 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Candy Hon\Desktop\HJTInstall.exe
[2008/11/24 00:15:16 | 00,000,000 | ---D | C] -- C:\WINDOWS\RestoreSafeDeleted
[2008/11/24 00:14:12 | 00,025,773 | ---- | C] (Greatis Software) -- C:\WINDOWS\System32\drivers\regguard.sys
[2008/11/24 00:13:59 | 00,000,002 | RHS- | C] () -- C:\WINDOWS\winstart.bat
[2008/11/24 00:13:01 | 00,030,946 | ---- | C] (Greatis Software) -- C:\WINDOWS\System32\drivers\Partizan.sys
[2008/11/24 00:13:01 | 00,028,672 | ---- | C] (Greatis Software) -- C:\WINDOWS\System32\Partizan.exe
[2008/11/24 00:12:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Candy Hon\My Documents\RegRun2
[2008/11/24 00:12:42 | 00,016,384 | ---- | C] () -- C:\WINDOWS\WinBait.org
[2008/11/24 00:12:42 | 00,016,384 | ---- | C] () -- C:\WINDOWS\WinBait.exe
[2008/11/24 00:12:42 | 00,000,759 | ---- | C] () -- C:\Documents and Settings\Candy Hon\Desktop\RegRun Control Center.lnk
[2008/11/24 00:12:41 | 00,000,000 | ---D | C] -- C:\Program Files\Greatis
[2008/11/24 00:12:09 | 06,871,358 | ---- | C] () -- C:\Documents and Settings\Candy Hon\Desktop\regruns.zip
[2008/11/23 23:43:24 | 00,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2008/11/23 22:13:44 | 01,638,615 | -HS- | C] () -- C:\WINDOWS\System32\ahuhudva.ini
[2008/11/23 22:13:38 | 00,072,704 | ---- | C] () -- C:\WINDOWS\System32\avduhuha.dll
[2008/11/23 22:13:35 | 00,129,024 | ---- | C] () -- C:\WINDOWS\System32\SDNBHN.del
[2008/11/23 22:13:34 | 00,129,024 | ---- | C] () -- C:\WINDOWS\System32\vajvfxex.dll
[2008/11/23 22:13:14 | 00,026,112 | ---- | C] () -- C:\WINDOWS\System32\nnnmlkHB.dll
[2008/11/23 22:13:14 | 00,026,112 | ---- | C] () -- C:\WINDOWS\System32\geBtTNFu.dll
[2008/11/23 22:12:24 | 00,597,290 | -HS- | C] () -- C:\WINDOWS\System32\rAKQBJlm.ini2
[2008/11/23 22:12:24 | 00,597,290 | -HS- | C] () -- C:\WINDOWS\System32\rAKQBJlm.ini
[2008/11/23 22:12:16 | 00,318,464 | ---- | C] () -- C:\WINDOWS\System32\MLJBQKAR.del
[2008/11/23 22:07:09 | 00,026,112 | ---- | C] () -- C:\WINDOWS\System32\NNNLJGGG.DLL.del
[2008/11/23 22:07:09 | 00,026,112 | ---- | C] () -- C:\WINDOWS\System32\cbXRJYOh.dll
[2008/11/23 21:44:21 | 00,000,000 | ---D | C] -- C:\Temp
[2008/11/23 21:44:16 | 00,002,407 | ---- | C] () -- C:\WINDOWS\System32\MSINET.DEP
[2008/11/23 21:44:14 | 00,035,840 | ---- | C] () -- C:\WINDOWS\System32\PRUNNET.del
[2008/11/16 20:12:17 | 00,000,872 | ---- | C] () -- C:\Documents and Settings\Candy Hon\Start Menu\Programs\Startup\UberIcon.lnk
[2008/11/16 20:12:17 | 00,000,832 | ---- | C] () -- C:\Documents and Settings\Candy Hon\Start Menu\Programs\Startup\Y'z Shadow.lnk
[2008/11/16 20:12:16 | 00,000,838 | ---- | C] () -- C:\Documents and Settings\Candy Hon\Start Menu\Programs\Startup\TransBar.lnk
[2008/11/16 20:10:13 | 00,005,376 | ---- | C] () -- C:\WINDOWS\BricoPackFoldersDelete.cmd

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2008/12/01 18:59:10 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Candy Hon\Desktop\OTViewIt.exe
[2008/12/01 18:56:58 | 00,025,773 | ---- | M] (Greatis Software) -- C:\WINDOWS\System32\drivers\regguard.sys
[2008/12/01 18:55:17 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/12/01 18:54:46 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/11/29 17:09:35 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/11/29 16:51:07 | 00,002,335 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2008/11/24 20:23:28 | 00,000,706 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/11/24 20:20:55 | 00,001,744 | ---- | M] () -- C:\Documents and Settings\Candy Hon\Desktop\HijackThis.lnk
[2008/11/24 20:19:02 | 00,002,015 | RH-- | M] () -- C:\WINDOWS\System32\drivers\hosts
[2008/11/24 19:52:01 | 00,372,872 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/11/24 19:30:30 | 00,001,693 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Error Nuker.lnk
[2008/11/24 18:20:38 | 02,372,472 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Candy Hon\Desktop\mbam-setup.exe
[2008/11/24 00:45:14 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Candy Hon\Desktop\HJTInstall.exe
[2008/11/24 00:19:54 | 00,597,290 | -HS- | M] () -- C:\WINDOWS\System32\rAKQBJlm.ini
[2008/11/24 00:18:56 | 00,597,290 | -HS- | M] () -- C:\WINDOWS\System32\rAKQBJlm.ini2
[2008/11/24 00:13:59 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2008/11/24 00:13:59 | 00,001,688 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2008/11/24 00:13:59 | 00,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2008/11/24 00:13:01 | 00,030,946 | ---- | M] (Greatis Software) -- C:\WINDOWS\System32\drivers\Partizan.sys
[2008/11/24 00:13:01 | 00,028,672 | ---- | M] (Greatis Software) -- C:\WINDOWS\System32\Partizan.exe
[2008/11/24 00:12:42 | 00,000,759 | ---- | M] () -- C:\Documents and Settings\Candy Hon\Desktop\RegRun Control Center.lnk
[2008/11/24 00:06:36 | 06,871,358 | ---- | M] () -- C:\Documents and Settings\Candy Hon\Desktop\regruns.zip
[2008/11/23 22:13:56 | 01,638,615 | -HS- | M] () -- C:\WINDOWS\System32\ahuhudva.ini
[2008/11/23 22:13:38 | 00,072,704 | ---- | M] () -- C:\WINDOWS\System32\avduhuha.dll
[2008/11/23 22:13:35 | 00,129,024 | ---- | M] () -- C:\WINDOWS\System32\vajvfxex.dll
[2008/11/23 22:13:35 | 00,129,024 | ---- | M] () -- C:\WINDOWS\System32\SDNBHN.del
[2008/11/23 22:13:14 | 00,026,112 | ---- | M] () -- C:\WINDOWS\System32\nnnmlkHB.dll
[2008/11/23 22:13:14 | 00,026,112 | ---- | M] () -- C:\WINDOWS\System32\geBtTNFu.dll
[2008/11/23 22:12:21 | 00,318,464 | ---- | M] () -- C:\WINDOWS\System32\MLJBQKAR.del
[2008/11/23 22:07:09 | 00,026,112 | ---- | M] () -- C:\WINDOWS\System32\NNNLJGGG.DLL.del
[2008/11/23 22:07:09 | 00,026,112 | ---- | M] () -- C:\WINDOWS\System32\cbXRJYOh.dll
[2008/11/23 21:44:16 | 00,115,016 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MSINET.OCX
[2008/11/23 21:44:16 | 00,029,184 | ---- | M] () -- C:\WINDOWS\System32\MSINET.oca
[2008/11/23 21:44:16 | 00,002,407 | ---- | M] () -- C:\WINDOWS\System32\MSINET.DEP
[2008/11/23 21:44:14 | 00,035,840 | ---- | M] () -- C:\WINDOWS\System32\PRUNNET.del
[2008/11/23 08:14:45 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2008/11/23 08:14:45 | 00,000,232 | -H-- | M] () -- C:\sqmdata11.sqm
[2008/11/20 08:02:23 | 30,231,282 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2008/11/19 16:11:23 | 00,040,609 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2008/11/19 15:01:57 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2008/11/19 15:01:57 | 00,000,232 | -H-- | M] () -- C:\sqmdata10.sqm
[2008/11/19 14:52:58 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2008/11/19 14:52:58 | 00,000,232 | -H-- | M] () -- C:\sqmdata09.sqm
[2008/11/19 14:52:28 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2008/11/19 14:52:28 | 00,000,232 | -H-- | M] () -- C:\sqmdata08.sqm
[2008/11/18 18:23:47 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2008/11/18 18:23:47 | 00,000,232 | -H-- | M] () -- C:\sqmdata07.sqm
[2008/11/18 18:18:25 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2008/11/18 18:18:25 | 00,000,232 | -H-- | M] () -- C:\sqmdata06.sqm
[2008/11/18 11:20:29 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2008/11/18 11:20:29 | 00,000,232 | -H-- | M] () -- C:\sqmdata05.sqm
[2008/11/16 20:12:19 | 00,072,066 | ---- | M] () -- C:\WINDOWS\BricoPackUninst.cmd
[2008/11/16 20:12:19 | 00,005,376 | ---- | M] () -- C:\WINDOWS\BricoPackFoldersDelete.cmd
[2008/11/16 20:12:18 | 00,218,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\uxtheme.dll
[2008/11/16 20:12:07 | 02,359,350 | ---- | M] () -- C:\WINDOWS\BricoPack Wallpaper.bmp
[2008/11/16 20:12:07 | 00,000,872 | ---- | M] () -- C:\Documents and Settings\Candy Hon\Start Menu\Programs\Startup\UberIcon.lnk
[2008/11/16 20:12:07 | 00,000,838 | ---- | M] () -- C:\Documents and Settings\Candy Hon\Start Menu\Programs\Startup\TransBar.lnk
[2008/11/16 20:11:41 | 00,000,832 | ---- | M] () -- C:\Documents and Settings\Candy Hon\Start Menu\Programs\Startup\Y'z Shadow.lnk
[2008/11/15 09:55:07 | 00,000,071 | ---- | M] () -- C:\WINDOWS\Pex.INI
[2008/11/13 15:18:56 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2008/11/13 15:18:56 | 00,000,232 | -H-- | M] () -- C:\sqmdata04.sqm
[2008/11/12 15:25:48 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2008/11/12 15:25:48 | 00,000,232 | -H-- | M] () -- C:\sqmdata03.sqm
[2008/11/12 15:25:11 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2008/11/12 15:25:11 | 00,000,232 | -H-- | M] () -- C:\sqmdata02.sqm
[2008/11/10 16:43:58 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2008/11/10 16:43:58 | 00,000,232 | -H-- | M] () -- C:\sqmdata01.sqm
[2008/11/05 17:34:57 | 00,000,202 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2008/11/05 15:25:20 | 00,334,743 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2008/11/04 22:40:44 | 00,043,008 | ---- | M] () -- C:\Documents and Settings\Candy Hon\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/03 22:22:01 | 00,520,190 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008/11/03 22:22:01 | 00,439,594 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2008/11/03 22:22:01 | 00,071,172 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2008/11/02 17:24:38 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2008/11/02 17:24:38 | 00,000,232 | -H-- | M] () -- C:\sqmdata00.sqm
[2008/11/02 12:29:18 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2008/11/02 12:29:18 | 00,000,232 | -H-- | M] () -- C:\sqmdata19.sqm
< End of report >


---------------Beginning of Extras.txt------------------

OTViewIt Extras logfile created on: 12/01/2008 7:00:41 PM - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\Candy Hon\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: MM/dd/yyyy

2.00 Gb Total Physical Memory | 1.73 Gb Available Physical Memory | 86.37% Memory free
3.35 Gb Paging File | 3.25 Gb Available in Paging File | 97.05% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 25.00 Gb Total Space | 10.97 Gb Free Space | 43.89% Space Free | Partition Type: NTFS
Drive D: | 17.50 Gb Total Space | 4.46 Gb Free Space | 25.50% Space Free | Partition Type: NTFS
Drive E: | 14.75 Gb Total Space | 3.10 Gb Free Space | 21.04% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DSKTP-XPPRO
Current User Name: Candy Hon
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=1
"FirewallDisableNotify"=1
"UpdatesDisableNotify"=1
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DoNotAllowExceptions"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 19:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/10/18 10:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/10/02 16:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/13 19:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe
File not found -- C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe
File not found -- C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe
[2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2007/04/27 10:25:54 | 14,672,448 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
[2008/08/29 22:42:43 | 00,641,304 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
[2008/08/29 22:43:44 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe
[2007/10/18 10:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/10/02 16:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2008/07/04 07:25:11 | 00,079,128 | ---- | M] (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG8\avgpp.dll (linkscanner:{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} (HKLM) [XPLPPFilter Class])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/10/18 10:31:54 | 00,066,072 | ---- | M] (Microsoft Corporation) C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (livecall:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2000/04/19 17:47:36 | 00,520,117 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (ms-itss:{0A9007C0-4076-11D3-8789-0000F8105754} (HKLM) [Microsoft Infotech Storage Protocol for IE 4.0])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/10/18 10:31:54 | 00,066,072 | ---- | M] (Microsoft Corporation) C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (msnim:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/04 12:19:34 | 07,330,360 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/01 14:09:04 | 08,086,072 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 21:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}"=Zune Language Pack (FR)
"{025C3792-E9C6-432A-92C1-661F99D021CA}"=Ulead Photo Explorer 8.5
"{07A540AB-D785-11D5-8E89-0090275862A0}"=Corel Graphics Suite 11
"{08094E03-AFE4-4853-9D31-6D0743DF5328}"=QuickTime
"{10106AA7-38E7-4348-8396-9F535DF763EF}"=MSTPCRT
"{15095BF3-A3D7-4DDF-B193-3A496881E003}"=Microsoft .NET Framework 3.0
"{18D10072035C4515918F7E37EAFAACFC}"=AutoUpdate
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"=Google Toolbar for Internet Explorer
"{31CF0A98-8618-4829-921A-036714CF01A6}"=Panasonic KX-P7105 and KX-P7110 Ver2.31
"{3248F0A8-6813-11D6-A77B-00B0D0160020}"=Java™ 6 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{3592F5CB-B524-43AA-92F2-2377268199CC}"=iTunes
"{491DD792-AD81-429C-9EB4-86DD3D22E333}"=Windows Communication Foundation
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}"=Windows Live Messenger
"{5545EEE1-FA36-4F76-B6BE-5696E7F4E2D6}"=VBA (2627.01)
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}"=neroxml
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}"=MSXML 4.0 SP2 Parser and SDK
"{71C97545-E547-4A8B-B0C8-61FF853270AC}"=PaperPort
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{7B63B2922B174135AFC0E1377DD81EC2}"=DivX
"{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}"=Windows Workflow Foundation
"{8A5F34E2-37CF-4AD4-808C-2D413786E31A}"=Microsoft Visual C Runtime
"{8ADFC4160D694100B5B8A22DE9DCABD9}"=DivX Player
"{8AF3E926-ED59-11D4-A44B-0000E86D2305}"=Ulead GIF Animator 5
"{8DC9BEFF-07FC-4631-BBF4-8F00F74953C2}"=InterVideo WinDVD Platinum
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{90170409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office FrontPage 2003
"{903B0409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Project Professional 2003
"{90510409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Visio Professional 2003
"{95120000-00B9-0409-0000-0000000FF1CE}"=Microsoft Application Error Reporting
"{9527A496-5DF9-412A-ADC7-168BA5379CA6}"=Microsoft Flight Simulator X
"{99BF44DF-1181-11D5-B627-0010B5557563}"=Ulead MediaStudio Pro 6.5 Trial (remove only)
"{9A912C12-A7DA-44D7-BD57-5CA85E2F33E1}"=Brother MFL-Pro Suite
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}"=Windows Live installer
"{AC1FBAF2-2B8D-4E9D-B881-37D1A52E77C5}"=Ulead COOL 360
"{AC76BA86-1033-0000-7760-000000000002}"=Adobe Acrobat 7.0 Professional
"{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}"=Windows Live Sign-in Assistant
"{B13A7C41581B411290FBC0395694E2A9}"=DivX Converter
"{B9242864-2841-4ADE-86E0-8F90F91B04DD}"=Logitech Gaming Software
"{BAF78226-3200-4DB4-BE33-4D922A799840}"=Windows Presentation Foundation
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}"=Google Toolbar for Internet Explorer
"{EADAA6F7-991F-4CE9-B5CE-FCF3D81F7C7D}"=USB PC Camera (SN9C103)
"{EE4ACABF-531E-419A-9225-B8E0FA4955AF}"=Zune Language Pack (ES)
"{F7D53B02-2C51-4CF5-9A51-F7A6D658EA5A}"=PenPowerJR-6.0
"{FB08F381-6533-4108-B7DD-039E11FBC27E}"=Realtek AC'97 Audio
"{FF70513F-E3A7-402F-84FB-B7810A064BE2}"=Zune
"Adobe Acrobat 7.0 Professional"=Adobe Acrobat 7.0 Professional
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Shockwave Player"=Adobe Shockwave Player
"Adobe Type Manager 4.1"=Adobe Type Manager 4.1
"AnimatorDV Simple_is1"=AnimatorDV Simple PC Format Special Edition
"AnyDVD"=AnyDVD
"AVG8Uninstall"=AVG Free 8.0
"dBpowerAMP AAC Codec"=dBpowerAMP AAC Codec
"dBpowerAMP Music Converter"=dBpowerAMP Music Converter
"dBpowerAMP Ogg Vorbis Codec"=dBpowerAMP Ogg Vorbis Codec
"dMC Power Pack"=dMC Power Pack
"DVD X Rescue"=DVD X Rescue
"DVDXCopy Platinum 4.0.3"=DVDXCopy Platinum 4.0.3
"DVDXCopyPlatinum"=DVD X Copy Platinum 4.0.3
"Error Nuker"=Error Nuker
"Google Updater"=Google Updater
"HijackThis"=HijackThis 2.0.2
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"InstallShield_{07A540AB-D785-11D5-8E89-0090275862A0}"=Corel Graphics Suite 11
"InstallShield_{9527A496-5DF9-412A-ADC7-168BA5379CA6}"=Microsoft Flight Simulator X
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"Microsoft .NET Framework 3.0"=Microsoft .NET Framework 3.0
"Mozilla Firefox (3.0.1)"=Mozilla Firefox (3.0.1)
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST"=MSN
"Nero - Burning Rom!UninstallKey"=Nero 6 Ultra Edition
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers"=NVIDIA Drivers
"Pack Vista Inspirat 2"=Pack Vista Inspirat 2 1.0
"PartyCasino"=PartyCasino
"RegRun Security Suite_is1"=RegRun Security Suite Standard
"SP1_9527A496-5DF9-412A-ADC7-168BA5379CA6"=Microsoft Flight Simulator X Service Pack 1
"Switch"=Switch Sound File Converter
"VQ110"=VQ110 Digital Video Camera
"Wdf01007"=Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WIC"=Windows Imaging Component
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 11
"Windows XP Service Pack"=Windows XP Service Pack 3
"WinRAR archiver"=WinRAR archiver
"WMFDist11"=Windows Media Format 11 runtime
"wmp11"=Windows Media Player 11
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC"=XML Paper Specification Shared Components Pack 1.0
"Zune"=Zune

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/04/2008 6:47:01 PM | Computer Name = DSKTP-XPPRO | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16574, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/02/2008 11:05:03 PM | Computer Name = DSKTP-XPPRO | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16574, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/02/2008 11:05:06 PM | Computer Name = DSKTP-XPPRO | Source = Application Hang | ID = 1001
Description = Fault bucket 551330672.

Error - 11/18/2008 11:13:18 PM | Computer Name = DSKTP-XPPRO | Source = Application Error | ID = 1000
Description = Faulting application partygaming.exe, version 1.0.0.126, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 11/18/2008 11:23:00 PM | Computer Name = DSKTP-XPPRO | Source = Application Error | ID = 1000
Description = Faulting application partygaming.exe, version 1.0.0.126, faulting
module unknown, version 0.0.0.0, fault address 0xa62a7a0c.

Error - 11/23/2008 10:50:27 AM | Computer Name = DSKTP-XPPRO | Source = Application Hang | ID = 1002
Description = Hanging application XPress.exe, version 4.0.3.8, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/24/2008 8:50:18 PM | Computer Name = DSKTP-XPPRO | Source = Application Hang | ID = 1002
Description = Hanging application mbam-setup[1].tmp, version 51.49.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/24/2008 9:25:50 PM | Computer Name = DSKTP-XPPRO | Source = Application Hang | ID = 1002
Description = Hanging application mbam-setup[3].tmp, version 51.49.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/24/2008 9:34:00 PM | Computer Name = DSKTP-XPPRO | Source = Application Hang | ID = 1002
Description = Hanging application _iu14D2N.tmp, version 51.49.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/24/2008 9:34:56 PM | Computer Name = DSKTP-XPPRO | Source = Application Hang | ID = 1002
Description = Hanging application _iu14D2N.tmp, version 51.49.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 11/25/2008 8:23:11 PM | Computer Name = DSKTP-XPPRO | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD AvgLdx86 AvgMfx86 Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss Tcpip WS2IFSL

Error - 11/25/2008 8:25:28 PM | Computer Name = DSKTP-XPPRO | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 11/25/2008 8:26:31 PM | Computer Name = DSKTP-XPPRO | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 11/25/2008 8:26:58 PM | Computer Name = DSKTP-XPPRO | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 11/25/2008 8:27:26 PM | Computer Name = DSKTP-XPPRO | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 11/25/2008 8:27:31 PM | Computer Name = DSKTP-XPPRO | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/01/2008 7:55:29 PM | Computer Name = DSKTP-XPPRO | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/01/2008 7:56:25 PM | Computer Name = DSKTP-XPPRO | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AvgLdx86 AvgMfx86 Fips Processor

Error - 12/01/2008 7:59:49 PM | Computer Name = DSKTP-XPPRO | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 12/01/2008 7:59:58 PM | Computer Name = DSKTP-XPPRO | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


< End of report >


The following is the report generated using GMER, I was unable to launch any of the .exe files from the websites you have provided. I worked around by downloading a copy off of cnet, but I'm not sure if it's the same version you had advised me to use (it had 1.0.14.14536 next to GMER in the menu bar):

------------Beginning of GMER scan report---------------

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-01 19:17:01
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code E1989550 ZwEnumerateKey
Code E1998468 ZwFlushInstructionCache
Code BAC08EAB pIofCallDriver

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP E1989554
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP E199846C

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[692] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F2C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[692] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A166F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[692] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A15F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[692] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1634 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[692] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A157C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[692] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A15B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[692] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A16AA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[692] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F31676 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[692] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D7000A
.text C:\Program Files\Internet Explorer\iexplore.exe[692] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00D6000A
.text C:\Program Files\Internet Explorer\iexplore.exe[692] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D8000A
.text C:\WINDOWS\Explorer.EXE[1556] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E0000A
.text C:\WINDOWS\Explorer.EXE[1556] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00DF000A
.text C:\WINDOWS\Explorer.EXE[1556] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E1000A

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\TDSSnraa.sys (*** hidden *** ) BAC07000-BAC19000 (73728 bytes)

---- Threads - GMER 1.0.14 ----

Thread 4:288 BAC09D66
---- Processes - GMER 1.0.14 ----

Library C:\Documents (*** hidden *** ) @ C:\Documents [1692] 0x00400000

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\TDSSnraa.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSnraa.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSnraa.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSmcyo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSalif.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSsrxi.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSkgnx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSuxrr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSdcte.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSrxhc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSkhcu.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSgwyx.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSnraa.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSnraa.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSmcyo.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSalif.dat
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSsrxi.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSkgnx.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSuxrr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSdcte.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSrxhc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSkhcu.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSgwyx.log
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@affid 11
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@subid v3020
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@control 0x09 0x19 0x1F 0x16 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@prov 10010
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@googleadserver pagead2.googlesyndication.com
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@flagged 1

---- EOF - GMER 1.0.14 ----


Thank you again for your help on this...I really really appreciate it! I don't know how much hope there is left for my computer... :thumbsup:

Thanks a million!
Tintong

P.S. I'm not sure if this is a virus thing or my computer is just messed up, but I've noticed I am unable to launch some .exe files and my AVG is unable to update...

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:15 PM

Posted 01 December 2008 - 11:53 PM

Hello, tintong
Your System is Infected with a Backdoor!!
Backdoors cause severe damage to windows' internals, and allow an attacker complete control over the infected system. Because this state allows the attacker to download new malware on demand, log keystrokes, execute programs, and/or view the system's screen, it is recommended to reformat and reinstall the operating system on this machine. Several experts in the security community believe that once a system is infected with one of these types of backdoors, the system itself can never be trusted again.

I ask that you disconnect this system from the internet NOW!. While it is attached to the internet, the attacker can modify the system, and prevent fixes from working as intended.

Another danger of this type of infection is that of Identity Theft. Because such malware can read all of your passwords, bank account numbers, etc. from your keystrokes, I would recomend contacting banking institutions accessed from this machine to ensure your accounts are secure. Most banks will not charge to send you new credit/debit cards, and getting these numbers replaced would be a good idea. It would also be a good idea to change passwords for anything you commonly use online. Online stores, Facebook/Myspace, Email, etc. If it has been on that machine it may have been read by someone else. Don't do it from this machine, as it is now compromised. Do it from another known clean machine. A good place to do this is at your local public library.

I would strongly recomend format and reinstallation of this machine. For more information, you may wish to read one of these excellent articles:Please let me know if you wish to continue to clean this machine or if you wish to format.

If you wish to continue, please follow the following instructions.

If ComboFix will not run, please rename it to GlobRemover.exe and see if that works.

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click Posted Image on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :thumbsup:
In your next reply, please include the following:
  • ComboFix.txt

Billy3

Edited by Billy O'Neal, 01 December 2008 - 11:56 PM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#7 tintong

tintong
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 02 December 2008 - 09:02 AM

Hi Billy,

Thank you for your recommendation, I think I will reformat and reinstall the machine.

I do have a question...if my laptop's internet is running off of the infected computer's wireless network, will this compromise my laptop as well?

I'm not very good with this virus thing...

Thanks again,
tintong

#8 tintong

tintong
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 02 December 2008 - 09:29 AM

Oh sorry, one more thing, is it likely that my other hard drive is infected also?

#9 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:15 PM

Posted 02 December 2008 - 07:37 PM

The data contained on the disks is likely okay. You didn't have a file infector on here. But you did have the TDSSSERV rootkit which can hide itself very well.

http://www.symantec.com/en/ph/enterprise/s...-99&tabid=2 <-- Here's a writeup on it but don't believe symantec's risk rating.. they give everything ones or twos anymore :thumbsup:.

Your laptop is likely fine so long as it was not infected via the same channel as this machine.

Good luck,

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#10 tintong

tintong
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 02 December 2008 - 10:10 PM

Thanks so much for your help Billy!

If after I reformat the system, would it be possible for me to post a log on this thread so you can do a quick peek and make sure everything looks ok?

P.S. I know what I'll be doing this weekend!

Cheers,
tintong

#11 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:15 PM

Posted 02 December 2008 - 10:17 PM

Sure... though I can assure you it will be clean :thumbsup:

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:15 PM

Posted 06 December 2008 - 04:59 PM

Hello, tintong
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users