Unsure what type of infection, multiple threats detected


  • This topic is locked
10 replies to this topic

#1 NoStatic

  • Members
  • 6 posts
  • Gender:Female
  • Location:bucharest
  • Local time:09:44 PM

Posted 06 February 2009 - 10:26 AM

Hello,

Somewhere in December, Kaspersky stopped updating its database, but I thought this was something temporary and probably due to a poor internet connection.
Having no time whatsoever to investigate further, I was not alarmed until perhaps 4 days ago, when I started getting this error message every minute or so, saying something like "xdshd.exe has encountered an error and needs to close". Kaspersky didn't pick up anything while scanning, but the situation became even weirder when I tried to visit Kaspersky's site to update the database manually and Firefox said it couldn't find the server, while all the other sites I tried to visit were fine.
I got Avast, ComboFix, RegCure, Malwarebytes' Anti-Malware and Ad-Aware, and they all picked up different kinds of threats. After this, Kaspersky reacted too and found 71 infections, + 80 or so found by Malwarebytes, + 8 (unable to fix) infections at boot scan.
During these last 4 days, the computer acted in all sorts of ways:
- Kaspersky kept on crashing before it ended its scan; even in safe mode, Kaspersky never once finished scanning.
- around 4 error messages at startup, 1 even before the Windows logon screen
- a few times the Windows logon was terminated by Windows, while saying it was protecting the computer
- both Avast and Kaspersky detected, among other infections, this certain file that could not be repaired, removed, quarantined or renamed: user32.dll
- Most important: NetActivator - a program I never understood the purpose of, installed as a requirement from my LAN network provider - stopped working (error 0x000007b), leaving me unable to connect to the internet.

In the hope that I have posted the right way,

Thank you very much for your time! :thumbup2:


------------
Later edit:
Also during these last 4 days, "Task Manager" stopped showing up when pressing CTRL+ALT+DEL or on right-click, until this morning.
+ I cannot get hidden files to show through "Folder Options"


------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:56, on 2009-02-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\system32\Wintab32.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
e:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Microsoft IntelliType Pro\itype.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
E:\WINDOWS\RTHDCPL.EXE
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\WinTools\RAM Saver Pro\ramsaverpro.exe
E:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
E:\Program Files\uTorrent\uTorrent.exe
E:\WINDOWS\explorer.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;localhost
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - E:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - E:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinSys2] E:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] E:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [itype] "E:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NetActivator] E:\Program Files\NetActivator\NetActivator.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Ad-Watch] E:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [RAMSaverPro] C:\Program Files\WinTools\RAM Saver Pro\ramsaverpro.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "E:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [uTorrent] "E:\Program Files\uTorrent\uTorrent.exe"
O4 - Startup: Dropbox.lnk = E:\Program Files\Dropbox\Dropbox.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = E:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - E:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - E:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\WINDOWS\system32\shdocvw.dll
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212807711062
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20D339E3-6A3F-441E-B599-9B2081D4BE94}: NameServer = 86.107.172.2,194.126.179.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{20D339E3-6A3F-441E-B599-9B2081D4BE94}: NameServer = 86.107.172.2,194.126.179.100
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - E:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - e:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: ServiceLayer - Nokia. - E:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Wintab32 - Unknown owner - E:\WINDOWS\system32\Wintab32.exe

--
End of file - 12117 bytes

Edited by NoStatic, 06 February 2009 - 12:02 PM.
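The symptoms described in the post above (AV updates failing, the AV vendor's site unreachable while others load, Task Manager and hidden-file display disabled) are the kind of thing a responder cross-checks against a HijackThis log line by line. The script below is an added example, not a BleepingComputer tool and not code from HijackThis or OTListIt2: it parses the O4, O15, O16, O17 and O23 line formats exactly as they appear in the log above and reports entries a responder would verify by hand (autoruns resolved via PATH, programs running from user-writable folders, rundll32 wrappers, services with no vendor string, trusted-zone sites, ActiveX downloads and the configured DNS resolvers). The sample log is constructed from lines copied from the log above; every flag is a prompt for review, not a verdict, and the heuristics are this example's own assumptions.

```python
"""Triage helper for Trend Micro HijackThis 2.x logs (added example, not a BC tool)."""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    section: str  # HijackThis section code, e.g. "O4"
    subject: str  # entry name, service name, URL or resolver list
    detail: str   # what to verify and why


# Line formats as they appear in HijackThis 2.0.2 output (see the log above).
_O4_RUN = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
_O4_LNK = re.compile(r"^O4 - (?P<hive>[^:]+): (?P<name>.+?) = (?P<cmd>.+)$")
_O15 = re.compile(r"^O15 - Trusted Zone: (?P<url>\S+)$")
_O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
_O17 = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Executable part of a command line: the quoted image, or the unquoted text up to
# the first .exe/.dll/.scr/.com/.cpl that is followed by whitespace or end of line.
_IMAGE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|dll|scr|com|cpl))(?=\s|$)',
                    re.IGNORECASE)

# Path fragments meaning "any local user can write here" (assumption for XP layouts).
USER_WRITABLE = ("documents and settings", "application data", "\\temp\\", "\\users\\")

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE E:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O4 - HKLM\\..\\Run: [WinSys2] E:\\WINDOWS\\system32\\winsys2.exe
O4 - HKLM\\..\\Run: [AVP] "E:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"
O4 - HKCU\\..\\Run: [ISUSPM] "E:\\Documents and Settings\\All Users\\Application Data\\Macrovision\\FLEXnet Connect\\6\\ISUSPM.exe" -scheduler
O4 - Startup: Dropbox.lnk = E:\\Program Files\\Dropbox\\Dropbox.exe
O15 - Trusted Zone: http://asia.msi.com.tw
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{20D339E3-6A3F-441E-B599-9B2081D4BE94}: NameServer = 86.107.172.2,194.126.179.100
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{20D339E3-6A3F-441E-B599-9B2081D4BE94}: NameServer = 86.107.172.2,194.126.179.100
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - E:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe
O23 - Service: Wintab32 - Unknown owner - E:\\WINDOWS\\system32\\Wintab32.exe
"""


def image_path(command: str) -> str:
    """Return the program an O4 command line actually launches (quoted or not)."""
    command = command.strip()
    m = _IMAGE.match(command)
    if m is None:
        return command.split()[0]
    return m.group("q") or m.group("u")


def _check_image(section: str, subject: str, path: str, out: List[Finding]) -> None:
    """Apply the path heuristics shared by O4 autoruns and O23 services."""
    low = path.lower()
    if low.endswith("rundll32.exe"):
        out.append(Finding(section, subject, "rundll32 wrapper; inspect the DLL and export it loads"))
    elif "\\" not in path:
        out.append(Finding(section, subject,
                           f"{path}: bare file name resolved via PATH; confirm which copy on disk runs"))
    if any(frag in low for frag in USER_WRITABLE):
        out.append(Finding(section, subject, f"{path}: runs from a user-writable location"))


def triage(log_text: str) -> List[Finding]:
    """Parse a HijackThis log and return the entries worth checking by hand."""
    findings: List[Finding] = []
    resolvers: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := _O4_RUN.match(line) or _O4_LNK.match(line)):
            _check_image("O4", m["name"], image_path(m["cmd"]), findings)
        elif (m := _O23.match(line)):
            if m["owner"].lower() == "unknown owner":
                findings.append(Finding("O23", m["name"],
                                        f"{m['path']}: no vendor string; check the file's signature or hash"))
            _check_image("O23", m["name"], m["path"], findings)
        elif (m := _O17.match(line)):
            resolvers.setdefault(m["servers"], []).append(m["key"])
        elif (m := _O15.match(line)):
            findings.append(Finding("O15", m["url"],
                                    "site in the IE Trusted Zone; remove it unless you added it deliberately"))
        elif (m := _O16.match(line)):
            findings.append(Finding("O16", m["desc"], f"ActiveX control installed from {m['url']}"))
    # Resolvers are reported once per distinct server list, however many interfaces use it.
    for servers, keys in resolvers.items():
        findings.append(Finding("O17", servers,
                                f"DNS resolvers on {len(keys)} interface key(s); confirm they belong to your ISP or LAN provider"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.subject}: {f.detail}")
```

Run against the sample, the script reports the bare `nwiz.exe` autorun, the rundll32 entry, ISUSPM running from All Users\Application Data, the Wintab32 service with no vendor string, the MSI trusted-zone site, the PCPitstop ActiveX control and the two resolver addresses, while the fully pathed Kaspersky and Dropbox entries produce nothing. Whether a flagged item is actually malicious still has to be settled by checking the file on disk, which is exactly what the OTListIt2 and GMER logs requested later in this thread are for.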


#2 Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:44 PM

Posted 14 February 2009 - 07:20 PM

Hello, NoStatic
Welcome to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Add Reply button in the lower left hand corner of your screen.
We need to create an OTListIt2 Report
  • Please download OTListIt2 from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTListIt2 icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click gmer.exe on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
In your next reply, please include the following:
  • OTListIt.txt
  • Extra.txt
  • GMER's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 NoStatic
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Female
  • Location:bucharest
  • Local time:09:44 PM

Posted 15 February 2009 - 11:57 AM

Hello Billy,

thank you so much for taking the time to assist me. :thumbup2:
As an update to my previous situation, I would say that (I'm not sure what is relevant, so I will enumerate the changes I noticed):

1. The network admin has let me go online without the NetActivator thingie (which is still busted with error 0x0000007b) - apparently the program needs .NET Framework and this is what causes it to crash. I tried uninstalling and reinstalling .NET Framework, but on reinstall there's this error that I can't get past - I can't remember exactly, but it had something to do with the installer itself.
2. After getting back online, Avast kept telling me at system startup that it was blocking a connection to irc.zief.pl; once or twice it asked me if I wanted to close the connection to teenpassage or something like that (a site I never opened and know nothing of).
3. Task Manager is back and working properly, and now I can also view hidden files.
4. Starting yesterday I am offline again - I could not say why exactly. Every time I restart the computer my network settings are gone, and repair would not work until I got WinsockFix - that would fix the problem with a restart and me manually setting the IP and all the other settings, but it would only last till the next restart, when I had to do the same actions all over again. Today Avast instructed me to quarantine a .sys file, and from that moment my Ethernet card appeared in the device list with an exclamation sign, together with all the other network adapters (code 39). I tried to uninstall, roll back and get newer versions of the drivers for the network card, but nothing worked.
5. While Kaspersky and Avast pick up something here and there, Malwarebytes says my system is clean. I uninstalled Avast after I restored the .sys file that it had in quarantine - thinking that would fix my Ethernet problem, but no.
6. Out of all the errors that kept coming up at system startup, only one remains to this day: spoolsv.exe (0x003900664)


Latest detections by Kaspersky (with obsolete database):
Net-worm.win32.kido.ih
Trojan.win32.Agent.aqvz
Worm.win32.AutoRun.tgf
Trojan-Downloader.win32.Small.agbh

About the logs you requested, I can only provide the 2 that come from OTListIt2, as GMER left me a little puzzled. Under the Rootkit tab, I pressed Scan. It scanned and then showed no log, and there was nowhere on that window a button where I could "save". I tried selecting the multiple lines listed on the screen and pressed the "Copy" button, but when trying to paste it into Notepad, nothing happened.


Again thank you very much, Billy!!!

Cristina


-----------------------------

OTListIt.txt


OTListIt logfile created on: 2/15/2009 1:06:49 PM - Run
OTListIt2 by OldTimer - Version 1.0.4.1 Folder = E:\Documents and Settings\Save or Cancel\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.36 Mb Total Physical Memory | 527.04 Mb Available Physical Memory | 51.55% Memory free
3.90 Gb Paging File | 3.04 Gb Available in Paging File | 77.95% Paging File free
Paging file location(s): C:\pagefile.sys 0 0;E:\pagefile.sys 1536 4000;

%SystemDrive% = E: | %SystemRoot% = E:\WINDOWS | %ProgramFiles% = E:\Program Files
Drive C: | 109.10 Gb Total Space | 57.26 Gb Free Space | 52.48% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 39.95 Gb Total Space | 11.49 Gb Free Space | 28.77% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SAVEORCANCEL
Current User Name: Save or Cancel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

[2009/02/05 23:01:25 | 00,018,752 | ---- | M] (ALWIL Software) -- E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
[2009/02/05 23:08:40 | 00,138,680 | ---- | M] (ALWIL Software) -- E:\Program Files\Alwil Software\Avast4\ashServ.exe
[2000/12/15 01:21:00 | 00,110,592 | ---- | M] () -- E:\WINDOWS\system32\wintab32.exe
[2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- E:\Program Files\Bonjour\mDNSResponder.exe
[2009/01/09 23:09:55 | 00,168,432 | ---- | M] (Google) -- E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
[2007/12/13 21:02:10 | 01,442,600 | ---- | M] (Nero AG) -- E:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
[2008/12/16 00:05:49 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- E:\Program Files\Java\jre6\bin\jqs.exe
[2006/10/26 12:40:34 | 00,356,352 | ---- | M] (Microsoft Corporation) -- E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
[2007/06/28 18:43:00 | 00,176,196 | ---- | M] (NVIDIA Corporation) -- E:\WINDOWS\system32\nvsvc32.exe
[2007/07/24 11:15:14 | 00,185,632 | ---- | M] (Protexis Inc.) -- e:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
[2004/08/03 23:56:56 | 00,050,688 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\system32\rundll32.exe
[2004/08/03 23:56:58 | 00,153,088 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\system32\taskmgr.exe
[2008/12/16 00:05:49 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- E:\Program Files\Java\jre6\bin\jusched.exe
[2008/10/14 21:38:56 | 00,623,992 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[2004/08/03 23:56:56 | 00,050,688 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\system32\rundll32.exe
[2006/11/22 03:08:57 | 00,813,912 | ---- | M] (Microsoft Corporation) -- E:\Program Files\Microsoft IntelliType Pro\itype.exe
[2007/02/06 01:52:10 | 00,849,280 | ---- | M] (Microsoft Corporation) -- E:\Program Files\Microsoft IntelliPoint\ipoint.exe
[2008/11/20 13:20:54 | 00,290,088 | ---- | M] (Apple Inc.) -- E:\Program Files\iTunes\iTunesHelper.exe
[2008/05/28 13:52:50 | 16,881,152 | ---- | M] (Realtek Semiconductor Corp.) -- E:\WINDOWS\RTHDCPL.EXE
[2009/02/05 23:08:45 | 00,081,000 | ---- | M] (ALWIL Software) -- E:\Program Files\Alwil Software\Avast4\ashDisp.exe
[2009/02/13 14:41:06 | 00,047,616 | ---- | M] () -- E:\WINDOWS\system32\reader_s.exe
[2008/06/07 17:22:35 | 00,105,472 | ---- | M] () -- C:\Program Files\WinTools\RAM Saver Pro\ramsaverpro.exe
[2007/03/29 14:41:26 | 00,222,128 | ---- | M] (Macrovision Corporation) -- E:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
[2009/02/13 14:41:06 | 00,047,616 | ---- | M] () -- E:\Documents and Settings\Save or Cancel\reader_s.exe
[2008/06/03 23:51:40 | 00,672,256 | ---- | M] (Macrovision Europe Ltd.) -- E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
[2008/11/20 13:20:44 | 00,536,872 | ---- | M] (Apple Inc.) -- E:\Program Files\iPod\bin\iPodService.exe
[2009/02/11 20:43:56 | 00,307,704 | ---- | M] (Mozilla Corporation) -- E:\Program Files\Mozilla\firefox.exe
[2009/02/15 12:57:44 | 00,437,760 | ---- | M] (OldTimer Tools) -- E:\Documents and Settings\Save or Cancel\Desktop\OTListIt2.exe

========== (O23) Win32 Services (SafeList) ==========

[2007/03/20 15:41:24 | 00,153,792 | ---- | M] (Adobe Systems Incorporated) -- E:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3 [On_Demand | Stopped])
[2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
[2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2009/02/05 23:01:25 | 00,018,752 | ---- | M] (ALWIL Software) -- E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv [Auto | Running])
[2009/01/07 00:20:23 | 00,077,944 | ---- | M] (Autodesk) -- E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service [On_Demand | Stopped])
[2009/02/05 23:08:40 | 00,138,680 | ---- | M] (ALWIL Software) -- E:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus [Auto | Running])
[2009/02/05 23:08:26 | 00,254,040 | ---- | M] (ALWIL Software) -- E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner [On_Demand | Stopped])
[2009/02/05 23:06:04 | 00,352,920 | ---- | M] (ALWIL Software) -- E:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner [On_Demand | Stopped])
[2008/02/08 18:36:14 | 00,227,856 | ---- | M] (Kaspersky Lab) -- E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe -- (AVP [Auto | Stopped])
[2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- E:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
[2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- e:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2008/06/03 23:51:40 | 00,672,256 | ---- | M] (Macrovision Europe Ltd.) -- E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Running])
[2009/01/09 23:09:55 | 00,168,432 | ---- | M] (Google) -- E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Running])
[2004/08/03 23:56:46 | 00,038,912 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc [Auto | Running])
[2007/06/04 22:14:50 | 00,217,088 | ---- | M] (Hewlett-Packard Co.) -- E:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08 [On_Demand | Running])
[2007/06/04 22:14:50 | 00,131,072 | ---- | M] (Hewlett-Packard Co.) -- E:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll -- (hpqddsvc [Auto | Running])
File not found -- -- (idsvc [Unknown | Stopped])
[2007/12/13 21:02:10 | 01,442,600 | ---- | M] (Nero AG) -- E:\Program Files\Nero\Nero8\InCD\InCDsrv.exe -- (InCDsrv [Auto | Running])
[2008/11/20 13:20:44 | 00,536,872 | ---- | M] (Apple Inc.) -- E:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
[2008/12/16 00:05:49 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- E:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
[2006/10/26 12:40:34 | 00,356,352 | ---- | M] (Microsoft Corporation) -- E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe -- (MDM [Auto | Running])
[2006/10/26 23:47:54 | 00,065,824 | ---- | M] (Microsoft Corporation) -- E:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service [On_Demand | Stopped])
[2007/12/03 13:21:24 | 00,869,672 | ---- | M] (Nero AG) -- E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe -- (Nero BackItUp Scheduler 3 [Disabled | Stopped])
[2007/12/13 21:02:20 | 00,050,984 | ---- | M] (Nero AG) -- E:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe -- (NeroRegInCDSrv [Disabled | Stopped])
[2006/11/08 15:35:36 | 00,043,520 | ---- | M] (Hewlett-Packard) -- E:\WINDOWS\system32\HPZinw12.dll -- (Net Driver HPZ12 [Auto | Running])
File not found -- -- (NetTcpPortSharing [Disabled | Stopped])
[2007/12/13 18:10:56 | 00,447,784 | ---- | M] (Nero AG) -- E:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe -- (NMIndexingService [On_Demand | Stopped])
[2001/08/23 12:00:00 | 00,020,992 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\system32\regedt32.exe -- (NOD32FiXTemDono [Disabled | Stopped])
[2007/06/28 18:43:00 | 00,176,196 | ---- | M] (NVIDIA Corporation) -- E:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
[2006/10/26 18:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) -- E:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
[2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- E:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2006/11/08 15:35:38 | 00,053,248 | ---- | M] (Hewlett-Packard) -- E:\WINDOWS\system32\HPZipm12.dll -- (Pml Driver HPZ12 [Auto | Running])
[2007/07/24 11:15:14 | 00,185,632 | ---- | M] (Protexis Inc.) -- e:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2 [Auto | Running])
[2008/08/07 10:17:30 | 00,592,896 | ---- | M] (Nokia.) -- E:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer [On_Demand | Stopped])
[2000/12/15 01:21:00 | 00,110,592 | ---- | M] () -- E:\WINDOWS\system32\wintab32.exe -- (Wintab32 [Auto | Running])
[2006/09/15 23:30:16 | 00,055,296 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\system32\WudfSvc.dll -- (WudfSvc [Auto | Running])

========== Driver Services (SafeList) ==========

[2009/02/05 23:05:11 | 00,026,944 | ---- | M] (ALWIL Software) -- E:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4 [System | Running])
[2009/02/05 23:07:12 | 00,020,560 | ---- | M] (ALWIL Software) -- E:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk [Auto | Running])
[2009/02/05 23:08:10 | 00,094,032 | ---- | M] (ALWIL Software) -- E:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2 [Auto | Running])
[2009/02/05 23:06:10 | 00,023,152 | ---- | M] (ALWIL Software) -- E:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr [On_Demand | Running])
[2009/02/05 23:07:23 | 00,114,768 | ---- | M] (ALWIL Software) -- E:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP [System | Running])
[2009/02/05 23:06:20 | 00,051,376 | ---- | M] (ALWIL Software) -- E:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi [System | Running])
[2009/02/13 14:41:04 | 00,137,824 | ---- | M] () -- E:\WINDOWS\system32\drivers\cdaudio.sys -- (AVPsys [On_Demand | Stopped])
[2009/02/13 14:41:04 | 00,137,824 | ---- | M] () -- E:\WINDOWS\system32\drivers\cdaudio.sys -- (Cdaudio [System | Stopped])
[2009/02/13 18:15:02 | 00,137,920 | ---- | M] () -- E:\WINDOWS\system32\drivers\ethqsxuz.sys -- (ethqsxuz [System | Stopped])
[2007/04/17 10:58:56 | 00,042,496 | R--- | M] (VIA Technologies, Inc. ) -- E:\WINDOWS\system32\drivers\fetnd5bv.sys -- (FET5X86V [On_Demand | Running])
[2001/08/17 14:13:08 | 00,027,165 | ---- | M] (VIA Technologies, Inc. ) -- E:\WINDOWS\system32\drivers\fetnd5.sys -- (FETNDIS [On_Demand | Stopped])
[2008/04/17 12:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- E:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
[2005/01/07 16:07:16 | 00,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) -- E:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService [On_Demand | Stopped])
[2005/01/07 16:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) -- E:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus [On_Demand | Running])
[2007/03/08 06:20:48 | 00,049,920 | R--- | M] (HP) -- E:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
[2007/03/08 06:20:49 | 00,016,496 | R--- | M] (HP) -- E:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
[2007/03/08 06:20:50 | 00,021,568 | R--- | M] (HP) -- E:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
[2007/08/17 12:31:26 | 00,101,120 | R--- | M] (Huawei Technologies Co., Ltd.) -- E:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard [On_Demand | Stopped])
[2007/12/13 21:02:00 | 00,128,424 | ---- | M] (Nero AG) -- E:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs [Disabled | Running])
[2007/12/13 21:02:10 | 00,038,952 | ---- | M] (Nero AG) -- E:\WINDOWS\system32\drivers\InCDPass.sys -- (InCDPass [System | Running])
[2007/12/13 21:02:10 | 00,040,360 | ---- | M] (Nero AG) -- E:\WINDOWS\system32\drivers\InCDRm.sys -- (incdrm [System | Running])
[2008/06/02 17:10:18 | 04,752,384 | ---- | M] (Realtek Semiconductor Corp.) -- E:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
[2004/08/03 21:58:36 | 00,014,848 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Running])
[2008/10/30 11:30:41 | 00,112,144 | ---- | M] (Kaspersky Lab) -- E:\WINDOWS\system32\drivers\kl1.sys -- (kl1 [Boot | Stopped])
[2007/12/28 19:51:04 | 00,195,344 | ---- | M] (Kaspersky Lab) -- E:\WINDOWS\system32\drivers\klif.sys -- (klif [System | Running])
[2007/12/13 13:28:40 | 00,024,592 | ---- | M] (Kaspersky Lab) -- E:\WINDOWS\system32\drivers\klim5.sys -- (klim5 [On_Demand | Running])
[2007/06/18 13:18:26 | 00,023,680 | ---- | M] (Motorola) -- E:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem [On_Demand | Stopped])
[2007/06/28 18:43:00 | 06,807,328 | ---- | M] (NVIDIA Corporation) -- E:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Running])
[2009/02/13 15:38:15 | 00,033,920 | ---- | M] () -- E:\WINDOWS\system32\drivers\pdkzpmgj.sys -- (pdkzpmgj [Boot | Running])
[2006/11/08 09:02:34 | 00,021,760 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\system32\drivers\point32.sys -- (Point32 [On_Demand | Running])
[2002/09/16 16:14:32 | 00,004,228 | ---- | M] (PowerQuest Corporation) -- E:\WINDOWS\system32\drivers\PQNTDRV.sys -- (PQNTDrv [System | Running])
[2001/08/23 12:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- E:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2009/02/13 11:52:28 00,000,000 | ---D | M] -- E:\WINDOWS\system32\Restore -- (restore [On_Demand | Stopped])
[2004/07/17 10:36:38 | 00,027,440 | ---- | M] () -- E:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2002/10/15 21:41:06 | 00,102,220 | ---- | M] (Sony Corporation) -- E:\WINDOWS\system32\drivers\sonypvs1.sys -- (sonypvs1 [On_Demand | Stopped])
[2001/08/17 12:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- E:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1 [On_Demand | Stopped])
[2004/08/04 01:07:44 | 00,044,672 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\system32\drivers\UAGP35.SYS -- (uagp35 [Boot | Running])
[2008/10/01 12:01:28 | 00,032,000 | ---- | M] (Apple, Inc.) -- E:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
[2004/08/03 22:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio [On_Demand | Stopped])
[2006/10/17 19:22:26 | 00,009,216 | ---- | M] (VIA Technologies, Inc.) -- E:\WINDOWS\system32\drivers\videX32.sys -- (videX32 [Boot | Running])
[2000/12/15 01:21:00 | 00,023,552 | ---- | M] (LCS/Telegraphics) -- E:\WINDOWS\system32\drivers\w2kbhid.sys -- (W2kbhid [On_Demand | Stopped])
[2006/11/02 06:22:54 | 00,492,000 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\system32\drivers\wdf01000.sys -- (Wdf01000 [On_Demand | Stopped])
[2007/06/15 10:00:00 | 00,072,704 | ---- | M] (WIBU-SYSTEMS AG) -- E:\WINDOWS\system32\drivers\WibuKey.sys -- (WIBUKEY [Auto | Running])
[2000/12/15 01:21:00 | 00,013,824 | ---- | M] (LCS/Telegraphics) -- E:\WINDOWS\system32\drivers\wtcls2k.sys -- (Wtcls2k [On_Demand | Stopped])
[2006/10/18 16:39:58 | 00,017,920 | ---- | M] (VIA Technologies,Inc) -- E:\WINDOWS\system32\drivers\xfilt.sys -- (xfilt [Boot | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;localhost

HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



HKU\S-1-5-21-1645522239-1563985344-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
HKU\S-1-5-21-1645522239-1563985344-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKU\S-1-5-21-1645522239-1563985344-682003330-1003\S-1-5-21-1645522239-1563985344-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
HKU\S-1-5-21-1645522239-1563985344-682003330-1003\S-1-5-21-1645522239-1563985344-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;localhost

O1 HOSTS File: (736 bytes) - E:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 www.tEenPassage.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll File not found
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe [2008/11/14 13:53:38 00,000,000 | ---D | M]
O3 - HKCU\..\Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll File not found
O3 - HKU\.DEFAULT\..\Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll File not found
O3 - HKU\S-1-5-18\..\Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll File not found
O3 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003\..\Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe_ID0EYTHM] E:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" (Kaspersky Lab)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\ipoint.exe" (Microsoft Corporation)
O4 - HKLM..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [itype] "E:\Program Files\Microsoft IntelliType Pro\itype.exe" (Microsoft Corporation)
O4 - HKLM..\Run: [NetActivator] E:\Program Files\NetActivator\NetActivator.exe ()
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install ()
O4 - HKLM..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [reader_s] E:\WINDOWS\System32\reader_s.exe ()
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [ISUSPM] "E:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler (Macrovision Corporation)
O4 - HKCU..\Run: [RAMSaverPro] C:\Program Files\WinTools\RAM Saver Pro\ramsaverpro.exe ()
O4 - HKCU..\Run: [reader_s] E:\Documents and Settings\Save or Cancel\reader_s.exe ()
O4 - HKCU..\Run: [uTorrent] "E:\Program Files\uTorrent\uTorrent.exe" (BitTorrent, Inc.)
O4 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003..\Run: [ISUSPM] "E:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler (Macrovision Corporation)
O4 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003..\Run: [RAMSaverPro] C:\Program Files\WinTools\RAM Saver Pro\ramsaverpro.exe ()
O4 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003..\Run: [reader_s] E:\Documents and Settings\Save or Cancel\reader_s.exe ()
O4 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003..\Run: [uTorrent] "E:\Program Files\uTorrent\uTorrent.exe" (BitTorrent, Inc.)
O4 - Startup: E:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk = E:\Program Files\Common Files\Autodesk Shared\acstart17.exe (Autodesk, Inc)
O4 - Startup: E:\Documents and Settings\Save or Cancel\Start Menu\Programs\Startup\Dropbox.lnk = E:\Program Files\Dropbox\Dropbox.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileMenu = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewContextMenu = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 0
O7 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileMenu = 0
O7 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0
O7 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0
O7 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 0
O7 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewContextMenu = 0
O7 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra Button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll (Kaspersky Lab)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - E:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - E:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O15 - HKLM\..Trusted Sites: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Sites: asia.msi.com.tw (http in Trusted sites)
O15 - HKCU\..Trusted Sites: global.msi.com.tw (http in Trusted sites)
O15 - HKCU\..Trusted Sites: www.msi.com.tw (http in Trusted sites)
O15 - HKCU\..Trusted Sites: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003\..Trusted Sites: asia.msi.com.tw (http in Trusted sites)
O15 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003\..Trusted Sites: global.msi.com.tw (http in Trusted sites)
O15 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003\..Trusted Sites: www.msi.com.tw (http in Trusted sites)
O15 - HKU\S-1-5-21-1645522239-1563985344-682003330-1003\..Trusted Sites: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://utilities.pcpitstop.com/da/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1212807711062 (WUWebControl Class)
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} http://liveupdate.msi.com.tw/autobios/LOnline/install.cab (WebSDev Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 194.126.179.100,86.107.172.2
O18 - Protocol\Handler: - grooveLocalGWS - E:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler: - ipp - No CLSID value found
O18 - Protocol\Handler: - ipp\0x00000001 - E:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - msdaipp - No CLSID value found
O18 - Protocol\Handler: - msdaipp\0x00000001 - E:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - msdaipp\oledb - E:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - ms-help - E:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - E:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - See sections below for AppInitDlls and Winlogon settings

========== Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
klogon: "DllName" = E:\WINDOWS\system32\klogon.dll -- E:\WINDOWS\system32\klogon.dll (Kaspersky Lab)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" (HKLM) -- E:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

========== Safeboot Options ==========

"AlternateShell" = cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2009/02/09 15:02:33 | 00,000,000 | ---- | M] () -- E:\AUTOEXEC.BAT -- [ NTFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2029f039-83d5-11dd-ba79-001d920554af}\Shell]
"" = AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2029f039-83d5-11dd-ba79-001d920554af}\Shell\AutoRun]
"" = Auto&Play

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2beae476-8430-11dd-ba7c-001d920554af}\Shell]
"" = AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2beae476-8430-11dd-ba7c-001d920554af}\Shell\AutoRun]
"" = Auto&Play

========== Files/Folders - Created Within 30 Days ==========

[13 E:\WINDOWS\System32\*.tmp files]
[8 E:\WINDOWS\*.tmp files]
[2088/02/01 16:15:26 | 00,000,000 | ---D | C] -- E:\WINDOWS\System32\3361
[2088/02/01 16:14:31 | 00,000,334 | ---- | C] () -- E:\WINDOWS\tasks\jojfdeat.job
[2009/02/15 12:59:26 | 00,490,698 | ---- | C] () -- E:\Documents and Settings\Save or Cancel\Desktop\gmer.zip
[2009/02/15 12:57:43 | 00,437,760 | ---- | C] (OldTimer Tools) -- E:\Documents and Settings\Save or Cancel\Desktop\OTListIt2.exe
[2009/02/15 02:18:14 | 00,000,000 | ---D | C] -- E:\Documents and Settings\Save or Cancel\Application Data\vlc
[2009/02/14 14:20:34 | 00,001,668 | ---- | C] () -- E:\Documents and Settings\All Users\Desktop\Mozilla Thunderbird.lnk
[2009/02/14 14:20:28 | 00,001,528 | ---- | C] () -- E:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/02/14 00:31:15 | 50,798,3313 | ---- | C] () -- E:\Documents and Settings\Save or Cancel\Desktop\03 The Wisdom of the Dream - A World of Dreams.mov
[2009/02/14 00:30:33 | 50,923,5796 | ---- | C] () -- E:\Documents and Settings\Save or Cancel\Desktop\02 The Wisdom of the Dream - Inheritance of Dreams.mov
[2009/02/14 00:29:45 | 50,749,8461 | ---- | C] () -- E:\Documents and Settings\Save or Cancel\Desktop\01 The Wisdom of the Dream - A Life of Dreams.mov
[2009/02/13 23:15:02 | 00,251,171 | ---- | C] () -- E:\Documents and Settings\Save or Cancel\Desktop\Untitled-1.ai
[2009/02/13 18:15:06 | 00,001,748 | ---- | C] () -- E:\WINDOWS\System32\netsf.inf
[2009/02/13 18:15:06 | 00,000,695 | ---- | C] () -- E:\WINDOWS\System32\netsf_m.inf
[2009/02/13 15:38:15 | 00,033,920 | ---- | C] () -- E:\WINDOWS\System32\drivers\pdkzpmgj.sys
[2009/02/13 15:34:24 | 00,137,920 | ---- | C] () -- E:\WINDOWS\System32\drivers\ethqsxuz.sys
[2009/02/13 14:43:10 | 00,182,912 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\dllcache\ndis.sys
[2009/02/13 14:41:06 | 00,047,616 | ---- | C] () -- E:\WINDOWS\System32\reader_s.exe
[2009/02/13 14:41:04 | 00,137,824 | ---- | C] () -- E:\WINDOWS\System32\drivers\cdaudio.sys
[2009/02/13 14:27:15 | 00,000,000 | ---D | C] -- E:\ERDNT
[2009/02/13 14:25:58 | 01,433,600 | ---- | C] (Option^Explicit Software Solutions) -- E:\Documents and Settings\Save or Cancel\Desktop\winsockfix.exe
[2009/02/13 13:55:07 | 00,006,200 | ---- | C] () -- E:\WINDOWS\System32\acdb.err
[2009/02/13 13:25:19 | 00,000,000 | ---D | C] -- E:\Documents and Settings\Save or Cancel\Desktop\IceSword122en
[2009/02/13 13:23:01 | 00,003,506 | ---- | C] () -- E:\WINDOWS\System32\tmp.reg
[2009/02/13 13:22:33 | 00,289,144 | ---- | C] (S!Ri) -- E:\WINDOWS\System32\VCCLSID.exe
[2009/02/13 13:22:33 | 00,288,417 | ---- | C] (S!Ri) -- E:\WINDOWS\System32\SrchSTS.exe
[2009/02/13 13:22:33 | 00,153,600 | ---- | C] (SteelWerX) -- E:\WINDOWS\System32\swreg.exe
[2009/02/13 13:22:33 | 00,107,520 | ---- | C] (S!Ri.URZ) -- E:\WINDOWS\System32\VACFix.exe
[2009/02/13 13:22:33 | 00,102,912 | ---- | C] (S!Ri.URZ) -- E:\WINDOWS\System32\IEDFix.exe
[2009/02/13 13:22:33 | 00,102,912 | ---- | C] (S!Ri.URZ) -- E:\WINDOWS\System32\IEDFix.C.exe
[2009/02/13 13:22:33 | 00,102,400 | ---- | C] (S!Ri.URZ) -- E:\WINDOWS\System32\404Fix.exe
[2009/02/13 13:22:33 | 00,100,864 | ---- | C] (S!Ri.URZ) -- E:\WINDOWS\System32\o4Patch.exe
[2009/02/13 13:22:33 | 00,098,304 | ---- | C] (SteelWerX) -- E:\WINDOWS\System32\swxcacls.exe
[2009/02/13 13:22:33 | 00,098,304 | ---- | C] (S!Ri.URZ) -- E:\WINDOWS\System32\Agent.OMZ.Fix.exe
[2009/02/13 13:22:33 | 00,073,728 | ---- | C] (http://www.beyondlogic.org) -- E:\WINDOWS\System32\Process.exe
[2009/02/13 13:22:33 | 00,068,608 | ---- | C] () -- E:\WINDOWS\System32\dumphive.exe
[2009/02/13 13:22:33 | 00,061,440 | ---- | C] () -- E:\WINDOWS\System32\swsc.exe
[2009/02/13 13:22:33 | 00,046,592 | ---- | C] () -- E:\WINDOWS\System32\WS2Fix.exe
[2009/02/13 13:22:29 | 00,000,000 | ---D | C] -- E:\Documents and Settings\Save or Cancel\Desktop\SmitfraudFix
[2009/02/13 12:47:46 | 00,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/02/13 12:47:42 | 00,001,756 | ---- | C] () -- E:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Professional.lnk
[2009/02/13 12:47:40 | 00,000,000 | ---D | C] -- E:\Program Files\SUPERAntiSpyware
[2009/02/13 12:47:40 | 00,000,000 | ---D | C] -- E:\Documents and Settings\Save or Cancel\Application Data\SUPERAntiSpyware.com
[2009/02/13 12:45:10 | 05,956,640 | ---- | C] () -- E:\Documents and Settings\Save or Cancel\Desktop\SUPERAntiSpywarePro.exe
[2009/02/13 12:45:10 | 02,205,157 | ---- | C] () -- E:\Documents and Settings\Save or Cancel\Desktop\IceSword122en.zip
[2009/02/13 12:45:10 | 01,661,962 | ---- | C] () -- E:\Documents and Settings\Save or Cancel\Desktop\SmitfraudFix.exe
[2009/02/13 01:00:44 | 00,000,000 | -HSD | C] -- E:\RECYCLER
[2009/02/13 00:41:14 | 00,000,000 | ---D | C] -- E:\ComboFix
[2009/02/12 00:07:59 | 00,067,072 | -H-- | C] () -- E:\WINDOWS\System32\secupdat.dat
[2009/02/11 23:48:27 | 00,000,000 | ---D | C] -- E:\Program Files\Passcape
[2009/02/11 23:41:51 | 02,921,379 | R--- | C] () -- E:\Documents and Settings\Save or Cancel\Desktop\ComboFix.exe
[2009/02/11 23:41:43 | 00,049,664 | ---- | C] () -- E:\Documents and Settings\Save or Cancel\Desktop\gamerme.exe
[2009/02/11 13:06:10 | 00,000,000 | ---D | C] -- E:\Documents and Settings\Save or Cancel\Desktop\av-i386-daily
[2009/02/11 13:06:05 | 00,000,000 | ---D | C] -- E:\Documents and Settings\Save or Cancel\Desktop\av-i386-cumul
[2009/02/11 13:06:00 | 00,000,000 | ---D | C] -- E:\Documents and Settings\Save or Cancel\Desktop\av-i386&ids-daily
[2009/02/11 13:00:58 | 01,288,137 | ---- | C] () -- E:\Documents and Settings\Save or Cancel\Desktop\av-i386-daily.zip
[2009/02/11 12:48:55 | 00,000,000 | ---D | C] -- E:\Documents and Settings\Save or Cancel\Desktop\av-i386&ids-cumul
[2009/02/11 12:43:49 | 47,141,668 | ---- | C] () -- E:\Documents and Settings\Save or Cancel\Desktop\av-i386-cumul.zip
[2009/02/11 12:43:48 | 02,117,470 | ---- | C] () -- E:\Documents and Settings\Save or Cancel\Desktop\av-i386&ids-daily.zip
[2009/02/11 12:43:42 | 47,970,375 | ---- | C] () -- E:\Documents and Settings\Save or Cancel\Desktop\av-i386&ids-cumul.zip
[2009/02/10 18:35:23 | 00,000,000 | ---D | C] -- E:\Documents and Settings\Save or Cancel\My Documents\iTunes
[2009/02/10 18:25:21 | 00,001,528 | ---- | C] () -- E:\Documents and Settings\All Users\Desktop\RegCure Application.lnk
[2009/02/09 15:02:33 | 00,000,000 | RHS- | C] () -- E:\MSDOS.SYS
[2009/02/09 15:02:33 | 00,000,000 | RHS- | C] () -- E:\IO.SYS
[2009/02/09 15:02:33 | 00,000,000 | ---- | C] () -- E:\CONFIG.SYS
[2009/02/09 15:02:33 | 00,000,000 | ---- | C] () -- E:\AUTOEXEC.BAT
[2009/02/08 23:21:22 | 00,000,000 | ---D | C] -- E:\WINDOWS\SxsCaPendDel
[2009/02/08 21:16:26 | 00,000,000 | ---- | C] () -- E:\WINDOWS\System32\AAWService_2009_02_08_21_16_26.dmp
[2009/02/06 23:41:24 | 00,000,000 | ---D | C] -- E:\Program Files\CCleaner
[2009/02/06 00:49:41 | 00,023,152 | ---- | C] (ALWIL Software) -- E:\WINDOWS\System32\drivers\aswRdr.sys
[2009/02/06 00:49:40 | 00,051,376 | ---- | C] (ALWIL Software) -- E:\WINDOWS\System32\drivers\aswTdi.sys
[2009/02/06 00:49:40 | 00,026,944 | ---- | C] (ALWIL Software) -- E:\WINDOWS\System32\drivers\aavmker4.sys
[2009/02/06 00:49:38 | 00,114,768 | ---- | C] (ALWIL Software) -- E:\WINDOWS\System32\drivers\aswSP.sys
[2009/02/06 00:49:38 | 00,097,480 | ---- | C] (ALWIL Software) -- E:\WINDOWS\System32\AvastSS.scr
[2009/02/06 00:49:38 | 00,020,560 | ---- | C] (ALWIL Software) -- E:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/02/06 00:49:37 | 00,094,032 | ---- | C] (ALWIL Software) -- E:\WINDOWS\System32\drivers\aswmon2.sys
[2009/02/06 00:49:37 | 00,093,296 | ---- | C] (ALWIL Software) -- E:\WINDOWS\System32\drivers\aswmon.sys
[2009/02/06 00:49:23 | 01,256,296 | ---- | C] (ALWIL Software) -- E:\WINDOWS\System32\aswBoot.exe
[2009/02/06 00:49:23 | 00,380,928 | ---- | C] () -- E:\WINDOWS\System32\actskin4.ocx
[2009/02/06 00:49:20 | 00,000,000 | ---D | C] -- E:\Program Files\Alwil Software
[2009/02/05 22:38:02 | 00,000,000 | ---D | C] -- E:\Program Files\NetActivator
[2009/02/05 21:45:35 | 00,000,456 | ---- | C] () -- E:\WINDOWS\tasks\RegCure Program Check.job
[2009/02/05 21:45:34 | 00,000,390 | ---- | C] () -- E:\WINDOWS\tasks\RegCure.job
[2009/02/05 21:44:34 | 00,000,000 | ---D | C] -- E:\WINDOWS\RegCure
[2009/02/05 21:44:34 | 00,000,000 | ---D | C] -- E:\Program Files\RegCure
[2009/02/05 14:22:27 | 00,049,152 | ---- | C] (NirSoft) -- E:\WINDOWS\NIRCMD.exe
[2009/02/05 14:22:26 | 00,179,712 | ---- | C] (SteelWerX) -- E:\WINDOWS\SWREG.exe
[2009/02/05 14:22:25 | 00,085,504 | ---- | C] () -- E:\WINDOWS\zip.exe
[2009/02/05 14:22:19 | 00,155,136 | ---- | C] (SteelWerX) -- E:\WINDOWS\SWSC.exe
[2009/02/05 14:22:18 | 00,229,888 | ---- | C] (SteelWerX) -- E:\WINDOWS\SWXCACLS.exe
[2009/02/05 11:48:09 | 00,000,000 | ---D | C] -- E:\WINDOWS\ERDNT
[2009/02/05 11:48:07 | 00,000,000 | ---D | C] -- E:\Qoobox
[2009/02/05 11:35:10 | 00,002,184 | ---- | C] () -- E:\WINDOWS\System32\wpa.dbl
[2009/02/04 20:44:59 | 00,000,000 | ---D | C] -- E:\Documents and Settings\Save or Cancel\Application Data\Malwarebytes
[2009/02/04 20:44:26 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- E:\WINDOWS\System32\drivers\mbam.sys
[2009/02/04 20:44:16 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- E:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/02/04 20:44:02 | 00,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/02/04 20:43:58 | 00,000,000 | ---D | C] -- E:\Program Files\Malwarebytes' Anti-Malware
[2009/02/04 20:40:34 | 00,000,472 | ---- | C] () -- E:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/02/04 20:33:26 | 00,000,000 | ---D | C] -- E:\Program Files\Lavasoft
[2009/02/04 20:33:26 | 00,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/02/04 19:23:12 | 00,000,000 | ---D | C] -- E:\WINDOWS\System32\inf
[2009/02/04 16:07:57 | 00,000,000 | ---- | C] () -- E:\WINDOWS\mqcd.dbt
[2009/02/04 16:07:03 | 00,028,672 | ---- | C] () -- E:\WINDOWS\System32\do8d.sr
[2009/02/04 16:07:02 | 00,032,768 | ---- | C] () -- E:\WINDOWS\System32\rer.wa
[2009/02/04 16:07:02 | 00,032,768 | ---- | C] () -- E:\WINDOWS\System32\qzhr1.ant
[2009/02/04 16:07:00 | 00,028,672 | ---- | C] () -- E:\WINDOWS\System32\dedwf.lp
[2009/02/04 16:06:59 | 00,077,312 | ---- | C] () -- E:\WINDOWS\System32\re3d.pf
[2009/02/04 16:06:51 | 00,108,336 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\mswinsck.ocx
[2009/02/04 12:25:47 | 00,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\Simply Super Software
[2009/02/04 12:24:17 | 00,000,000 | ---D | C] -- E:\Documents and Settings\Save or Cancel\My Documents\Simply Super Software
[2009/02/04 12:23:39 | 00,000,000 | ---D | C] -- E:\Documents and Settings\Save or Cancel\Local Settings\Application Data\Thinstall
[2009/02/04 12:23:39 | 00,000,000 | ---D | C] -- E:\Documents and Settings\Save or Cancel\Application Data\Thinstall
[2009/02/03 21:41:00 | 00,000,000 | ---D | C] -- E:\Program Files\SpywareBlaster
[2009/02/03 21:24:44 | 00,000,000 | ---D | C] -- E:\Program Files\Trend Micro
[2009/02/03 14:32:49 | 00,000,000 | ---D | C] -- E:\Program Files\Webroot
[2009/02/03 14:32:49 | 00,000,000 | ---D | C] -- E:\Documents and Settings\Save or Cancel\Application Data\Webroot
[2009/02/03 14:32:49 | 00,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\Webroot
[2009/02/02 14:22:24 | 00,097,820 | ---- | C] () -- E:\WINDOWS\grep.exe
[2009/02/02 14:22:21 | 00,116,224 | ---- | C] () -- E:\WINDOWS\sed.exe
[2009/02/02 14:22:20 | 00,109,984 | ---- | C] (Smallfrogs Studio) -- E:\WINDOWS\fdsv.exe
[2009/02/02 14:22:20 | 00,072,548 | ---- | C] () -- E:\WINDOWS\VFIND.exe
[2009/02/01 23:25:05 | 00,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\Last.fm
[2009/02/01 23:23:41 | 00,000,000 | ---D | C] -- E:\Documents and Settings\Save or Cancel\Local Settings\Application Data\Last.fm
[2009/02/01 23:23:31 | 00,000,000 | ---D | C] -- E:\Program Files\Last.fm
[2009/01/31 15:15:18 | 00,000,000 | R--D | C] -- E:\Documents and Settings\Save or Cancel\My Documents\My Dropbox
[2009/01/31 15:14:22 | 00,000,678 | ---- | C] () -- E:\Documents and Settings\Save or Cancel\Start Menu\Programs\Startup\Dropbox.lnk
[2009/01/31 15:14:12 | 00,000,000 | ---D | C] -- E:\Documents and Settings\Save or Cancel\Application Data\Dropbox
[2009/01/31 15:14:09 | 00,000,000 | ---D | C] -- E:\Program Files\Dropbox
[2009/01/17 10:44:00 | 00,086,528 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\AhnRpta.exe

========== Files - Modified Within 30 Days ==========

[13 E:\WINDOWS\System32\*.tmp files]
[8 E:\WINDOWS\*.tmp files]
[2009/02/15 13:06:22 | 87,999,776 | -HS- | M] () -- E:\WINDOWS\System32\drivers\fidbox.dat
[2009/02/15 12:59:28 | 00,490,698 | ---- | M] () -- E:\Documents and Settings\Save or Cancel\Desktop\gmer.zip
[2009/02/15 12:57:44 | 00,437,760 | ---- | M] (OldTimer Tools) -- E:\Documents and Settings\Save or Cancel\Desktop\OTListIt2.exe
[2009/02/14 21:16:32 | 00,000,627 | ---- | M] () -- E:\WINDOWS\win.ini
[2009/02/14 21:16:04 | 00,000,456 | ---- | M] () -- E:\WINDOWS\tasks\RegCure Program Check.job
[2009/02/14 21:00:00 | 00,000,334 | ---- | M] () -- E:\WINDOWS\tasks\jojfdeat.job
[2009/02/14 20:52:53 | 00,000,736 | ---- | M] () -- E:\WINDOWS\System32\drivers\etc\hosts
[2009/02/14 20:51:42 | 01,006,112 | -HS- | M] () -- E:\WINDOWS\System32\drivers\fidbox2.dat
[2009/02/14 20:51:42 | 00,000,006 | -H-- | M] () -- E:\WINDOWS\tasks\SA.DAT
[2009/02/14 20:51:37 | 00,002,048 | --S- | M] () -- E:\WINDOWS\bootstat.dat
[2009/02/14 20:51:02 | 01,170,032 | -HS- | M] () -- E:\WINDOWS\System32\drivers\fidbox.idx
[2009/02/14 20:51:02 | 00,097,460 | -HS- | M] () -- E:\WINDOWS\System32\drivers\fidbox2.idx
[2009/02/14 14:20:38 | 00,001,668 | ---- | M] () -- E:\Documents and Settings\All Users\Desktop\Mozilla Thunderbird.lnk
[2009/02/14 14:20:31 | 00,001,528 | ---- | M] () -- E:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/02/14 00:24:13 | 00,251,171 | ---- | M] () -- E:\Documents and Settings\Save or Cancel\Desktop\Untitled-1.ai
[2009/02/13 18:15:06 | 00,001,748 | ---- | M] () -- E:\WINDOWS\System32\netsf.inf
[2009/02/13 18:15:06 | 00,000,695 | ---- | M] () -- E:\WINDOWS\System32\netsf_m.inf
[2009/02/13 18:15:02 | 00,137,920 | ---- | M] () -- E:\WINDOWS\System32\drivers\ethqsxuz.sys
[2009/02/13 15:38:15 | 00,033,920 | ---- | M] () -- E:\WINDOWS\System32\drivers\pdkzpmgj.sys
[2009/02/13 15:34:27 | 00,067,072 | -H-- | M] () -- E:\WINDOWS\System32\secupdat.dat
[2009/02/13 14:43:10 | 00,182,912 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\System32\drivers\ndis.sys
[2009/02/13 14:43:10 | 00,182,912 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\System32\dllcache\ndis.sys
[2009/02/13 14:41:06 | 00,047,616 | ---- | M] () -- E:\WINDOWS\System32\reader_s.exe
[2009/02/13 14:41:04 | 00,137,824 | ---- | M] () -- E:\WINDOWS\System32\drivers\cdaudio.sys
[2009/02/13 14:22:12 | 01,433,600 | ---- | M] (Option^Explicit Software Solutions) -- E:\Documents and Settings\Save or Cancel\Desktop\winsockfix.exe
[2009/02/13 14:09:04 | 00,000,032 | ---- | M] () -- E:\WINDOWS\System32\drivers\etc\hosts.bak
[2009/02/13 13:57:38 | 00,006,200 | ---- | M] () -- E:\WINDOWS\System32\acdb.err
[2009/02/13 13:23:01 | 00,003,506 | ---- | M] () -- E:\WINDOWS\System32\tmp.reg
[2009/02/13 12:47:42 | 00,001,756 | ---- | M] () -- E:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Professional.lnk
[2009/02/13 12:14:26 | 02,205,157 | ---- | M] () -- E:\Documents and Settings\Save or Cancel\Desktop\IceSword122en.zip
[2009/02/13 12:10:06 | 05,956,640 | ---- | M] () -- E:\Documents and Settings\Save or Cancel\Desktop\SUPERAntiSpywarePro.exe
[2009/02/13 12:04:14 | 01,661,962 | ---- | M] () -- E:\Documents and Settings\Save or Cancel\Desktop\SmitfraudFix.exe
[2009/02/13 01:24:21 | 00,000,069 | ---- | M] () -- E:\WINDOWS\NeroDigital.ini
[2009/02/13 00:55:44 | 00,000,227 | ---- | M] () -- E:\WINDOWS\system.ini
[2009/02/13 00:40:51 | 02,921,379 | R--- | M] () -- E:\Documents and Settings\Save or Cancel\Desktop\ComboFix.exe
[2009/02/12 11:51:47 | 00,000,284 | ---- | M] () -- E:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/02/11 23:41:44 | 00,049,664 | ---- | M] () -- E:\Documents and Settings\Save or Cancel\Desktop\gamerme.exe
[2009/02/11 20:41:02 | 00,000,472 | ---- | M] () -- E:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/02/11 13:01:02 | 01,288,137 | ---- | M] () -- E:\Documents and Settings\Save or Cancel\Desktop\av-i386-daily.zip
[2009/02/11 13:00:57 | 47,141,668 | ---- | M] () -- E:\Documents and Settings\Save or Cancel\Desktop\av-i386-cumul.zip
[2009/02/11 12:43:48 | 47,970,375 | ---- | M] () -- E:\Documents and Settings\Save or Cancel\Desktop\av-i386&ids-cumul.zip
[2009/02/11 12:43:48 | 02,117,470 | ---- | M] () -- E:\Documents and Settings\Save or Cancel\Desktop\av-i386&ids-daily.zip
[2009/02/10 18:25:21 | 00,001,528 | ---- | M] () -- E:\Documents and Settings\All Users\Desktop\RegCure Application.lnk
[2009/02/10 14:58:37 | 00,002,626 | ---- | M] () -- E:\WINDOWS\System32\CONFIG.NT
[2009/02/09 18:11:26 | 00,203,288 | ---- | M] () -- E:\Documents and Settings\Save or Cancel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/02/09 15:02:33 | 00,000,000 | RHS- | M] () -- E:\MSDOS.SYS
[2009/02/09 15:02:33 | 00,000,000 | RHS- | M] () -- E:\IO.SYS
[2009/02/09 15:02:33 | 00,000,000 | ---- | M] () -- E:\CONFIG.SYS
[2009/02/09 15:02:33 | 00,000,000 | ---- | M] () -- E:\AUTOEXEC.BAT
[2009/02/09 14:54:05 | 00,000,321 | -HS- | M] () -- E:\boot.ini
[2009/02/09 13:25:12 | 00,234,496 | ---- | M] () -- E:\Documents and Settings\Save or Cancel\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/08 23:35:03 | 00,418,342 | ---- | M] () -- E:\WINDOWS\System32\PerfStringBackup.INI
[2009/02/08 23:35:03 | 00,402,272 | ---- | M] () -- E:\WINDOWS\System32\perfh009.dat
[2009/02/08 23:35:03 | 00,061,724 | ---- | M] () -- E:\WINDOWS\System32\perfc009.dat
[2009/02/08 23:29:17 | 02,912,432 | ---- | M] () -- E:\WINDOWS\System32\FNTCACHE.DAT
[2009/02/08 21:16:26 | 00,000,000 | ---- | M] () -- E:\WINDOWS\System32\AAWService_2009_02_08_21_16_26.dmp
[2009/02/07 15:52:15 | 00,002,184 | ---- | M] () -- E:\WINDOWS\System32\wpa.dbl
[2009/02/07 12:44:21 | 00,577,024 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\System32\user32.DLL
[2009/02/05 23:11:35 | 01,256,296 | ---- | M] (ALWIL Software) -- E:\WINDOWS\System32\aswBoot.exe
[2009/02/05 23:08:19 | 00,093,296 | ---- | M] (ALWIL Software) -- E:\WINDOWS\System32\drivers\aswmon.sys
[2009/02/05 23:08:10 | 00,094,032 | ---- | M] (ALWIL Software) -- E:\WINDOWS\System32\drivers\aswmon2.sys
[2009/02/05 23:07:23 | 00,114,768 | ---- | M] (ALWIL Software) -- E:\WINDOWS\System32\drivers\aswSP.sys
[2009/02/05 23:07:12 | 00,020,560 | ---- | M] (ALWIL Software) -- E:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/02/05 23:06:20 | 00,051,376 | ---- | M] (ALWIL Software) -- E:\WINDOWS\System32\drivers\aswTdi.sys
[2009/02/05 23:06:10 | 00,023,152 | ---- | M] (ALWIL Software) -- E:\WINDOWS\System32\drivers\aswRdr.sys
[2009/02/05 23:05:11 | 00,026,944 | ---- | M] (ALWIL Software) -- E:\WINDOWS\System32\drivers\aavmker4.sys
[2009/02/05 23:04:45 | 00,097,480 | ---- | M] (ALWIL Software) -- E:\WINDOWS\System32\AvastSS.scr
[2009/02/05 21:45:35 | 00,000,390 | ---- | M] () -- E:\WINDOWS\tasks\RegCure.job
[2009/02/04 16:24:19 | 00,014,336 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\System32\svchost.exe
[2009/02/04 16:07:57 | 00,000,000 | ---- | M] () -- E:\WINDOWS\mqcd.dbt
[2009/02/04 16:07:03 | 00,028,672 | ---- | M] () -- E:\WINDOWS\System32\do8d.sr
[2009/02/04 16:07:02 | 00,032,768 | ---- | M] () -- E:\WINDOWS\System32\rer.wa
[2009/02/04 16:07:02 | 00,032,768 | ---- | M] () -- E:\WINDOWS\System32\qzhr1.ant
[2009/02/04 16:07:00 | 00,028,672 | ---- | M] () -- E:\WINDOWS\System32\dedwf.lp
[2009/02/04 16:06:59 | 00,077,312 | ---- | M] () -- E:\WINDOWS\System32\re3d.pf
[2009/02/04 16:06:51 | 00,108,336 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\mswinsck.ocx
[2009/02/03 20:10:06 | 00,658,432 | -HS- | M] () -- E:\Documents and Settings\Save or Cancel\Desktop\Thumbs.db
[2009/02/01 13:58:54 | 00,359,040 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\System32\drivers\tcpip.sys
[2009/01/31 15:14:22 | 00,000,678 | ---- | M] () -- E:\Documents and Settings\Save or Cancel\Start Menu\Programs\Startup\Dropbox.lnk
[2009/01/17 10:44:51 | 00,145,442 | RHS- | M] () -- E:\x2csvg.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 263779 bytes -> %SystemRoot%\Temp:temp
@Alternate Data Stream - 207 bytes -> %AllUsersProfile%\Application Data\TEMP:CB0AACC9
@Alternate Data Stream - 151 bytes -> %AllUsersProfile%\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 120 bytes -> %AllUsersProfile%\Application Data\TEMP:5C321E34
@Alternate Data Stream - 110 bytes -> %AllUsersProfile%\Application Data\TEMP:888AFB86
@Alternate Data Stream - 0 bytes -> %UserProfile%\Desktop\Thumbs.db:encryptable
< End of report >

---------------------------

Extras.txt

OTListIt Extras logfile created on: 2/15/2009 1:06:50 PM - Run
OTListIt2 by OldTimer - Version 1.0.4.1 Folder = E:\Documents and Settings\Save or Cancel\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.36 Mb Total Physical Memory | 527.04 Mb Available Physical Memory | 51.55% Memory free
3.90 Gb Paging File | 3.04 Gb Available in Paging File | 77.95% Paging File free
Paging file location(s): C:\pagefile.sys 0 0;E:\pagefile.sys 1536 4000;

%SystemDrive% = E: | %SystemRoot% = E:\WINDOWS | %ProgramFiles% = E:\Program Files
Drive C: | 109.10 Gb Total Space | 57.26 Gb Free Space | 52.48% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 39.95 Gb Total Space | 11.49 Gb Free Space | 28.77% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SAVEORCANCEL
Current User Name: Save or Cancel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- E:\Program Files\Mozilla\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
File not found -- E:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Enabled:hpqpse.exe
File not found -- E:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe
File not found -- E:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Enabled:hpqsudi.exe
File not found -- E:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Enabled:hpqpsapp.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2009/02/11 12:23:24 | 00,270,128 | ---- | M] (BitTorrent, Inc.) -- E:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent
[2007/12/20 21:23:00 | 00,072,264 | ---- | M] (Kaspersky Lab) -- E:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 7.0.1.321\English\setup.exe:*:Enabled:Kaspersky Anti-Virus 7.0 Setup
[2007/08/30 16:43:18 | 04,670,704 | ---- | M] (Yahoo! Inc.) -- E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
[2007/08/30 16:43:18 | 00,091,376 | ---- | M] (Yahoo! Inc.) -- E:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
[2008/03/04 11:00:00 | 23,073,792 | ---- | M] (Graphisoft R&D) -- E:\Program Files\Graphisoft\ArchiCAD 11\ArchiCAD.exe:*:Enabled:ArchiCAD 11.0.0 Component
[2007/03/20 15:41:24 | 00,153,792 | ---- | M] (Adobe Systems Incorporated) -- E:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server
[2006/10/27 14:16:48 | 12,813,096 | ---- | M] (Microsoft Corporation) -- E:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook
[2006/10/27 14:37:44 | 00,338,216 | ---- | M] (Microsoft Corporation) -- E:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove
[2006/10/27 14:03:04 | 01,018,664 | ---- | M] (Microsoft Corporation) -- E:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote
[2008/11/20 13:20:48 | 14,294,824 | ---- | M] (Apple Inc.) -- E:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
[2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- E:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{7F05E704-30A6-421A-97A7-8EEB1C7FF010}" = CorelDRAW® Graphics Suite X4
"_{CE2DA11A-917F-4CF5-AB55-755EC115DD10}" = CorelDRAW® Graphics Suite X4 - Windows Shell Extension
"{00060000-0000-1004-8002-0000C06B5161}" = WIBU-KEY Setup (WIBU-KEY Remove)
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{0224CACC-994D-45F8-B973-D65056EA9C2F}" = Adobe XMP DVA Panels CS3
"{0327FA9D-975C-448C-A086-577D57BB25B8}" = Adobe Soundbooth CS3 Codecs
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{0E4BC542-9CFD-4E97-B586-9F1E5516E7B9}" = Microsoft IntelliPoint 6.1
"{10E1E87C-656C-4D08-86D6-5443D28583BE}" = TrayApp
"{13F00518-807A-4B3A-83B0-A7CD90F3A398}" = MarketResearch
"{1753255A-0AEB-4220-8C75-607B73F0C133}" = Copy
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}" = Adobe After Effects CS3 Presets
"{1A524CFE-DF85-4555-8BC2-0C89DBD8BC2C}" = PC Connectivity Solution
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{1D58229F-C505-45CA-8223-F35F3A34B963}" = Adobe Version Cue CS3 Server {ko_KR}
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
"{22466889-7642-488d-AA0E-F619704CF7AB}" = DeviceDiscovery
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
"{2604C0F9-BFD3-4BA0-9EB5-22537C648F03}" = MobileMe Control Panel
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg
"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder
"{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{3248F0A8-6813-11D6-A77B-00B0D0160060}" = Java™ 6 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3546736D-0EF5-466D-B22F-92F1472657E2}" = Digitope Pixelshop
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{415CDA53-9100-476F-A7B2-476691E117C7}" = HP Smart Web Printing
"{4458C442-7376-4CF9-AF58-E8CEA6722363}" = Adobe Setup
"{44A27085-0616-4181-A0C3-81C7ECA17F73}" = CorelDRAW Graphics Suite X4
"{485ACF57-F364-440A-8496-E1E81C8FA1AA}" = Adobe Premiere Pro CS3 Third Party Content
"{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}" = HPSSupply
"{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}" = Kaspersky Anti-Virus 7.0
"{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}" = Adobe Premiere Pro CS3 Functional Content
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{54B2EAD9-A110-43F7-B010-2859A1BD2AFE}" = Adobe Encore CS3
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5783F2D7-5001-0409-0002-0060B0CE6BBA}" = AutoCAD 2007 - English
"{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}" = Adobe Premiere Pro CS3
"{5C08784B-D955-4BB4-8C70-43C89A738F58}" = Motorola Phone Tools
"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver
"{5FCCD531-1B38-4A94-924C-127F722F1033}" = Nero 8
"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3
"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files
"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash
"{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PartitionMagic
"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7059BDA7-E1DB-442C-B7A1-6144596720A4}" = HP Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{7ACFB90E-8FD0-4397-AD3A-5195412623A3}" = Adobe Help Viewer CS3
"{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}" = Adobe Dreamweaver CS3
"{7DFC1012-D346-46CE-B03E-FF79125AE029}" = Adobe Fireworks CS3
"{7E20EFE6-E604-48C6-8B39-BA4742F2CDB4}" = Zune Desktop Theme
"{7F05E704-30A6-421A-97A7-8EEB1C7FF010}" = CorelDRAW Graphics SUite X4 - ICA
"{7F05E704-30A6-421A-97A7-8EEB1C7FF012}" = CorelDRAW Graphics Suite X4 - Capture
"{7F05E704-30A6-421A-97A7-8EEB1C7FF013}" = CorelDRAW Graphics Suite X4 - Draw
"{7F05E704-30A6-421A-97A7-8EEB1C7FF014}" = CorelDRAW Graphics Suite X4 - PP
"{7F05E704-30A6-421A-97A7-8EEB1C7FF016}" = CorelDRAW Graphics Suite X4 - Content
"{7F05E704-30A6-421A-97A7-8EEB1C7FF017}" = CorelDRAW Graphics Suite X4 - Filters
"{7F05E704-30A6-421A-97A7-8EEB1C7FF019}" = CorelDRAW Graphics Suite X4 - FontNav
"{7F05E704-30A6-421A-97A7-8EEB1C7FF100}" = CorelDRAW Graphics Suite X4 - Lang EN
"{81B3BEF9-5D97-4096-86E9-5B48A5BC32D0}" = Motorola Driver Installation 3.4.0
"{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}" = Adobe Video Profiles
"{8718DC03-D066-4957-94E5-50C3C5042E8E}" = Adobe Creative Suite 3 Master Collection
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{97E038E1-41AD-4C93-BCDC-6A2394AEE352}" = Vegas Movie Studio Platinum 9.0
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{9D0798D0-AF6C-4E62-94B1-AEBF1A43E00A}" = CorelDRAW Graphics Suite X4 - IPM
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A6B23EFA-6590-482C-A11F-5ACE1B91F5B9}" = Adobe Soundbooth CS3
"{A92A4DB0-CD37-42D1-BE1D-603D53C24328}" = Intel® Processor ID Utility
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{AEA07F97-9088-497c-8821-0F36BD5DC251}" = HPProductAssistant
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
"{B4F35A00-24FD-4fb3-BF5E-413D5423434D}" = DJ_AIO_Software_min
"{B61D21B6-469D-4423-B161-62DB20B8A70E}" = Visual Basic for Applications ® Core - English
"{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3
"{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}" = Adobe BridgeTalk Plugin CS3
"{B8B7A4D8-80E1-4DAE-BD33-7FD535BA3931}" = Adobe Encore CS3 Codecs
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}" = Motorola Phone Tools
"{BCD6CD1A-0DBE-412E-9F25-3B500D1E6BA1}" = SolutionCenter
"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3
"{BF439B41-0252-48DE-8B8B-0430CB26A181}" = CorelDRAW Graphics Suite X4 - VBA
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1920D73-7374-49d9-8C37-58A6E49078A5}" = F2100_Help
"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3
"{C5C66EEE-7A05-4B11-A0B9-524F917BCE25}" = Sony Sound Forge Audio Studio 9.0
"{C5EF81AC-FE4C-4157-97E3-2E08B000742A}" = F2100_doccd
"{C73A3AB4-99A4-45E5-B77F-09A3065E0D6A}" = Microsoft IntelliType Pro 6.1
"{CA50045C-5119-48e7-9BA7-6B317379857A}" = DJ_AIO_Software
"{CB3F8375-B600-4B9F-83C9-238ED1E583FD}" = Adobe InDesign CS3
"{CE2DA11A-917F-4CF5-AB55-755EC115DD10}" = CorelDRAW® Graphics Suite X4 - Windows Shell Extension
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D5A31AB1-345D-47C7-A87B-036A669F6DF1}" = Adobe XMP Panels CS3
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{DB81779E-7CC5-4630-BCFC-754004956444}" = Visual Basic for Applications ® Core
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
"{E548726E-F4E8-459f-BAB8-45551BC071E9}" = DJ_AIO_ProductContext
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{E7A9DCC5-8D19-4B95-BED8-2DB41F920F11}" = Microsoft WorldWide Telescope
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler
"{EB0202F7-016A-410C-ADE4-40F848CCC661}" = Adobe After Effects CS3
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{F08E8D2E-F132-4742-9C87-D5FF223A016A}" = Adobe Illustrator CS3
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1C409F0-8322-4c87-BD08-2F62777D490D}" = F2100
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F49FEF83-45CA-4CE8-8304-A7372BA07AA9}" = Motorola Phone Tools
"{F958CA02-BB40-4007-894B-258729456EE4}" = QuickTime
"{FA8A44D7-3E8A-4034-9C4F-088FA6B72BC4}" = HP Deskjet All-In-One Software 9.0
"{FC9E08AA-CD59-4C59-BEF9-87E05B9E37D7}" = Adobe Contribute CS3
"{FD8D8B04-BEAD-4A55-AA1D-62D2373E7DEA}" = Status
"{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}" = Adobe Setup
"{FFC1ADE3-944B-4231-894E-3903C37271D2}" = Adobe Setup
"001FFFFFFF11FF00FF0701F05F02F000-R1" = ArchiCAD 11 INT
"Adobe Acrobat 8 Professional" = Adobe Acrobat 8.1.3 Professional
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Adobe_4dcfd9b7e901b57f81f667144603236" = Add or Remove Adobe Creative Suite 3 Master Collection
"Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings
"Adobe_719d6f144d0c086a0dfa7ff76bb9ac1" = Adobe Photoshop CS3
"Adobe_c3c7fe8b09d497ab2b3fd91c9353390" = Adobe Flash CS3 Professional
"Artlantis Studio" = Artlantis Studio 1.2
"Autodesk DWF Viewer" = Autodesk DWF Viewer
"avast!" = avast! Antivirus
"CCleaner" = CCleaner (remove only)
"Dropbox" = Dropbox
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Eset NOD32 v3.0.642 FiX1.2 by TemDono_is1" = NOD32 v3.0.642 FiX1.2 by TemDono (31 days remaining forever up
"FileZilla Client" = FileZilla Client 3.1.5.1
"Flickr Uploadr" = Flickr Uploadr 3.0.5
"Google Updater" = Google Updater
"Heroes of Might and Magic® III" = Heroes of Might and Magic® III Complete
"HijackThis" = HijackThis 2.0.2
"HP Imaging Device Functions" = HP Imaging Device Functions 9.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 9.0
"HPExtendedCapabilities" = HP Customer Participation Program 9.0
"IconPackager" = IconPackager
"InstallShield_{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PowerQuest PartitionMagic 8.0
"InstallWIX_{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}" = Kaspersky Anti-Virus 7.0
"LastFM_is1" = Last.fm 1.5.2.38918
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"mIRC" = mIRC
"Mozilla Firefox (3.0.6)" = Mozilla Firefox (3.0.6)
"Mozilla Thunderbird (2.0.0.19)" = Mozilla Thunderbird (2.0.0.19)
"MSI Live Update 3" = MSI Live Update 3
"Native Instruments Traktor DJ Studio 3" = Native Instruments Traktor DJ Studio 3
"NetActivator_is1" = NetActivator v1.4
"NVIDIA Drivers" = NVIDIA Drivers
"RAM Saver Pro" = RAM Saver Pro
"RegCure" = RegCure
"ShockwaveFlash" = Macromedia Flash Player 8
"SpywareBlaster_is1" = SpywareBlaster 4.1
"TweakNow RegCleaner Professional_is1" = TweakNow RegCleaner Professional
"VLC media player" = VideoLAN VLC media player 0.8.6h
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast-Ethernet Adapter
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"WinRAR" = WinRAR
"WMFDist11" = Windows Media Format 11 runtime
"Wudf01005" = Microsoft User-Mode Driver Framework Feature Pack 1.5
"xlarge_08S" = xlarge_08Sスクリーンセーバー
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"MPR" = Mozilla Password Recovery
"uTorrent" = µTorrent

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1645522239-1563985344-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"MPR" = Mozilla Password Recovery
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 2/13/2009 9:15:09 AM | Computer Name = SAVEORCANCEL | Source = avast! | ID = 33554522
Description = AAVM - initialization error: Unhandled exception in AavmProviderStop
[Inner], MAIL.

Error - 2/13/2009 9:21:18 AM | Computer Name = SAVEORCANCEL | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
E:\windows\system32\wgsbbjhv.dll failed, 00000005.

Error - 2/13/2009 9:27:24 AM | Computer Name = SAVEORCANCEL | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
E:\windows\system32\wgsbbjhv.dll failed, 00000005.

Error - 2/13/2009 3:55:34 PM | Computer Name = SAVEORCANCEL | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
E:\windows\system32\wgsbbjhv.dll failed, 00000005.

Error - 2/13/2009 4:09:01 PM | Computer Name = SAVEORCANCEL | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
E:\windows\system32\wgsbbjhv.dll failed, 00000005.

Error - 2/13/2009 4:23:27 PM | Computer Name = SAVEORCANCEL | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
E:\windows\system32\wgsbbjhv.dll failed, 00000005.

Error - 2/14/2009 8:03:13 AM | Computer Name = SAVEORCANCEL | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
E:\windows\system32\wgsbbjhv.dll failed, 00000005.

Error - 2/14/2009 8:27:09 AM | Computer Name = SAVEORCANCEL | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
E:\windows\system32\wgsbbjhv.dll failed, 00000005.

Error - 2/14/2009 2:03:47 PM | Computer Name = SAVEORCANCEL | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
E:\windows\system32\wgsbbjhv.dll failed, 00000005.

Error - 2/14/2009 2:52:57 PM | Computer Name = SAVEORCANCEL | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
E:\windows\system32\wgsbbjhv.dll failed, 00000005.

[ Application Events ]
Error - 2/5/2009 5:38:29 AM | Computer Name = SAVEORCANCEL | Source = Application Error | ID = 1000
Description = Faulting application userinit.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x008a0664.

Error - 2/5/2009 5:40:26 AM | Computer Name = SAVEORCANCEL | Source = Application Error | ID = 1000
Description = Faulting application userinit.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x008a0664.

Error - 2/5/2009 8:36:42 AM | Computer Name = SAVEORCANCEL | Source = Application Error | ID = 1000
Description = Faulting application userinit.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x008a0664.

Error - 2/5/2009 6:30:01 PM | Computer Name = SAVEORCANCEL | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: E:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe .
Error code = 0x8007000b

Error - 2/5/2009 6:30:02 PM | Computer Name = SAVEORCANCEL | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: E:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication
Foundation\ComSvcConfig.exe . Error code = 0x8007000b

Error - 2/5/2009 6:30:05 PM | Computer Name = SAVEORCANCEL | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: E:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication
Foundation\ServiceModelReg.exe . Error code = 0x8007000b

Error - 2/5/2009 6:30:06 PM | Computer Name = SAVEORCANCEL | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: E:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication
Foundation\SMSvcHost.exe . Error code = 0x8007000b

Error - 2/5/2009 6:30:07 PM | Computer Name = SAVEORCANCEL | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: E:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication
Foundation\WsatConfig.exe . Error code = 0x8007000b

Error - 2/5/2009 6:30:07 PM | Computer Name = SAVEORCANCEL | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: E:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
. Error code = 0x8007000b

Error - 2/5/2009 7:00:55 PM | Computer Name = SAVEORCANCEL | Source = Application Error | ID = 1000
Description = Faulting application userinit.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x008a0664.

[ OSession Events ]
Error - 12/16/2008 5:39:35 PM | Computer Name = SAVEORCANCEL | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session
lasted 5259 seconds with 4500 seconds of active time. This session ended with a
crash.

Error - 12/16/2008 5:41:35 PM | Computer Name = SAVEORCANCEL | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session
lasted 110 seconds with 60 seconds of active time. This session ended with a crash.

Error - 12/16/2008 5:51:37 PM | Computer Name = SAVEORCANCEL | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session
lasted 597 seconds with 300 seconds of active time. This session ended with a crash.

Error - 12/16/2008 8:10:50 PM | Computer Name = SAVEORCANCEL | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 17130
seconds with 2400 seconds of active time. This session ended with a crash.

Error - 12/17/2008 9:21:02 AM | Computer Name = SAVEORCANCEL | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session
lasted 10790 seconds with 2640 seconds of active time. This session ended with
a crash.

Error - 12/17/2008 9:22:30 AM | Computer Name = SAVEORCANCEL | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session
lasted 48 seconds with 0 seconds of active time. This session ended with a crash.

Error - 12/17/2008 9:26:12 AM | Computer Name = SAVEORCANCEL | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session
lasted 162 seconds with 120 seconds of active time. This session ended with a crash.

Error - 12/19/2008 7:47:21 PM | Computer Name = SAVEORCANCEL | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session
lasted 43751 seconds with 420 seconds of active time. This session ended with a
crash.

Error - 12/19/2008 7:47:57 PM | Computer Name = SAVEORCANCEL | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session
lasted 16 seconds with 0 seconds of active time. This session ended with a crash.

Error - 1/8/2009 10:36:41 AM | Computer Name = SAVEORCANCEL | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session
lasted 1929 seconds with 60 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 2/11/2009 7:27:03 PM | Computer Name = SAVEORCANCEL | Source = NetBT | ID = 4321
Description = The name "HOME :0" could not be registered on the Interface
with IP address 194.0.125.172. The machine with the IP address 194.0.125.190 did
not allow the name to be claimed by this machine.

Error - 2/11/2009 7:27:18 PM | Computer Name = SAVEORCANCEL | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Print Spooler service
to connect.

Error - 2/11/2009 7:27:18 PM | Computer Name = SAVEORCANCEL | Source = Service Control Manager | ID = 7000
Description = The Print Spooler service failed to start due to the following error:
%%1053

Error - 2/11/2009 7:27:18 PM | Computer Name = SAVEORCANCEL | Source = Service Control Manager | ID = 7023
Description = The sxpdkc service terminated with the following error: %%1114

Error - 2/11/2009 7:27:18 PM | Computer Name = SAVEORCANCEL | Source = Service Control Manager | ID = 7023
Description = The Microsoft Center service terminated with the following error:
%%1114

Error - 2/12/2009 5:09:00 AM | Computer Name = SAVEORCANCEL | Source = NetBT | ID = 4321
Description = The name "HOME :0" could not be registered on the Interface
with IP address 194.0.125.172. The machine with the IP address 194.0.125.190 did
not allow the name to be claimed by this machine.

Error - 2/12/2009 5:09:21 AM | Computer Name = SAVEORCANCEL | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Print Spooler service
to connect.

Error - 2/12/2009 5:09:22 AM | Computer Name = SAVEORCANCEL | Source = Service Control Manager | ID = 7000
Description = The Print Spooler service failed to start due to the following error:
%%1053

Error - 2/12/2009 5:09:22 AM | Computer Name = SAVEORCANCEL | Source = Service Control Manager | ID = 7023
Description = The sxpdkc service terminated with the following error: %%1114

Error - 2/12/2009 5:09:22 AM | Computer Name = SAVEORCANCEL | Source = Service Control Manager | ID = 7023
Description = The Microsoft Center service terminated with the following error:
%%1114


< End of report >

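The "Last 10 Event Log Errors" block above is the part of an OTL report a responder reads first: an antivirus engine that cannot open a DLL in system32 (error 00000005 is ERROR_ACCESS_DENIED), userinit.exe faulting on logon, and two services with odd names dying with %%1114 (DLL initialization failed). The Python below is an added example, not part of this thread, of OTL or of any tool named here; it parses records in that format and applies those three heuristics. The sample input is copied from the records above; the KNOWN_SERVICES baseline, the rule names and the vowel-ratio threshold in looks_random are illustrative assumptions, not a published signature set.

```python
import re
from dataclasses import dataclass

# Constructed sample input: five records copied from the OTL report in this thread.
SAMPLE_LOG = r"""
[ Antivirus Events ]
Error - 2/13/2009 9:21:18 AM | Computer Name = SAVEORCANCEL | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
E:\windows\system32\wgsbbjhv.dll failed, 00000005.

[ Application Events ]
Error - 2/5/2009 5:38:29 AM | Computer Name = SAVEORCANCEL | Source = Application Error | ID = 1000
Description = Faulting application userinit.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x008a0664.

[ System Events ]
Error - 2/11/2009 7:27:18 PM | Computer Name = SAVEORCANCEL | Source = Service Control Manager | ID = 7000
Description = The Print Spooler service failed to start due to the following error:
%%1053

Error - 2/11/2009 7:27:18 PM | Computer Name = SAVEORCANCEL | Source = Service Control Manager | ID = 7023
Description = The sxpdkc service terminated with the following error: %%1114

Error - 2/11/2009 7:27:18 PM | Computer Name = SAVEORCANCEL | Source = Service Control Manager | ID = 7023
Description = The Microsoft Center service terminated with the following error:
%%1114
"""

# Assumption: an illustrative baseline of service display names, not an exhaustive list.
KNOWN_SERVICES = {"Print Spooler", "Server", "Workstation", "DHCP Client", "DNS Client"}
# Processes whose crash at logon is worth a second look in a malware case.
LOGON_COMPONENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}
VOWELS = set("aeiouy")


@dataclass
class EventRecord:
    section: str      # e.g. "System Events"
    timestamp: str    # as written in the log, e.g. "2/11/2009 7:27:18 PM"
    source: str
    event_id: str
    description: str  # continuation lines joined with single spaces


def parse_records(text):
    """Split OTL 'Last 10 Event Log Errors' text into EventRecord objects."""
    records, section, current = [], "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[ (.+?) \]", line)
        if header:
            section, current = header.group(1), None
            continue
        if line.startswith("Error - "):
            fields = [f.strip() for f in line[len("Error - "):].split("|")]
            kv = dict(f.split(" = ", 1) for f in fields[1:])
            current = EventRecord(section, fields[0], kv.get("Source", ""), kv.get("ID", ""), "")
            records.append(current)
            continue
        if current is not None:  # description line or its continuation
            if line.startswith("Description = "):
                line = line[len("Description = "):]
            current.description = (current.description + " " + line).strip()
    return records


def looks_random(name):
    """Heuristic: six or more letters with under 20% vowels is unpronounceable,
    which is typical of generated malware file and service names."""
    letters = name.lower()
    if not letters.isalpha() or len(letters) < 6:
        return False
    return sum(ch in VOWELS for ch in letters) / len(letters) < 0.2


def triage(records):
    """Return (rule, timestamp, detail) tuples for records matching an indicator."""
    findings = []
    for rec in records:
        d = rec.description
        if rec.section == "Antivirus Events":
            # 00000005 is ERROR_ACCESS_DENIED: the scanner could not even open the file.
            m = re.search(r"([A-Za-z]:\\[^ ]+?\\([^\\ ]+)) failed, 00000005", d)
            if m:
                stem = m.group(2).rsplit(".", 1)[0]
                rule = "AV_ACCESS_DENIED_RANDOM_NAME" if looks_random(stem) else "AV_ACCESS_DENIED"
                findings.append((rule, rec.timestamp, m.group(1)))
        elif rec.source == "Service Control Manager":
            m = re.search(r"The (.+?) service (?:terminated|failed to start)", d)
            if m and m.group(1) not in KNOWN_SERVICES:
                svc = m.group(1)
                if looks_random(svc):
                    rule = "UNKNOWN_SERVICE_RANDOM_NAME"
                elif svc.lower().startswith("microsoft"):
                    rule = "SERVICE_NAME_MIMICS_MICROSOFT"
                else:
                    rule = "UNKNOWN_SERVICE"
                findings.append((rule, rec.timestamp, svc))
        elif rec.source == "Application Error" and rec.event_id == "1000":
            m = re.search(r"Faulting application (\S+),", d)
            if m and m.group(1).lower() in LOGON_COMPONENTS:
                findings.append(("LOGON_COMPONENT_CRASH", rec.timestamp, m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, when, detail in triage(parse_records(SAMPLE_LOG)):
        print(f"{rule:32} {when:22} {detail}")
```

Run against the sample it reports four findings: the access-denied scan of wgsbbjhv.dll (an eight-consonant name), the userinit.exe crash, the random-looking sxpdkc service and the "Microsoft Center" service that is not in the baseline. The Print Spooler timeout is deliberately not flagged; on its own it is a common benign failure, and a heuristic that fires on it would bury the real indicators. Treat the output as a reading aid for the log, not as a verdict on the files.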
#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:44 PM

Posted 16 February 2009 - 05:20 PM

Hello, NoStatic
We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author.

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click the ComboFix icon on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here.
NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

We need to repair some of Windows' internal registration settings
  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program.
  • Press the green double checkmark box.
  • UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section.
  • Press the GO button at the bottom of the window.
  • Exit/Close Dial-A-Fix
In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 NoStatic

NoStatic
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Female
  • Location:bucharest
  • Local time:09:44 PM

Posted 17 February 2009 - 08:00 AM

Hello Billy,
this is the ComboFix log:


ComboFix 09-02-15.01 - Save or Cancel 2009-02-17 13:58:03.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.364 [GMT 2:00]
Running from: e:\documents and settings\Save or Cancel\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\documents and settings\Save or Cancel\reader_s.exe
e:\windows\system32\404Fix.exe
e:\windows\system32\Agent.OMZ.Fix.exe
e:\windows\system32\dumphive.exe
e:\windows\system32\IEDFix.C.exe
e:\windows\system32\IEDFix.exe
e:\windows\system32\o4Patch.exe
e:\windows\system32\Process.exe
e:\windows\system32\reader_s.exe
e:\windows\system32\SrchSTS.exe
e:\windows\system32\tmp.reg
e:\windows\system32\VACFix.exe
e:\windows\system32\VCCLSID.exe
e:\windows\system32\WS2Fix.exe
G:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Passthru
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))
.

2088-02-01 16:15 . 2009-02-05 23:13 <DIR> d-------- e:\windows\system32\3361
2009-02-15 15:23 . 2009-02-15 15:23 213,376 --a------ e:\windows\system32\drivers\NDIS.sys
2009-02-15 13:30 . 2009-02-15 13:30 132 --a------ e:\windows\system32\43.tmp
2009-02-15 13:13 . 2009-02-15 14:22 250 --a------ e:\windows\gmer.ini
2009-02-15 02:18 . 2009-02-15 02:18 <DIR> d-------- e:\documents and settings\Save or Cancel\Application Data\vlc
2009-02-13 18:15 . 2009-02-15 13:33 1,748 --a------ e:\windows\system32\netsf.inf
2009-02-13 18:15 . 2009-02-15 13:33 695 --a------ e:\windows\system32\netsf_m.inf
2009-02-13 18:12 . 2009-02-13 18:12 132 --a------ e:\windows\system32\21.tmp
2009-02-13 15:34 . 2009-02-13 15:34 32,256 --ah----- e:\documents and settings\Save or Cancel\dgwcje.exe
2009-02-13 14:43 . 2009-02-13 14:43 213,376 --a--c--- e:\windows\system32\dllcache\ndis.sys
2009-02-13 14:41 . 2009-02-13 14:41 137,824 --a------ e:\windows\system32\drivers\cdaudio.sys
2009-02-13 14:41 . 2009-02-13 14:41 32,256 --ah----- e:\documents and settings\Save or Cancel\tykmyti.exe
2009-02-13 14:38 . 2009-02-13 14:38 132 --a------ e:\windows\system32\3.tmp
2009-02-13 14:27 . 2009-02-13 14:27 <DIR> d-------- E:\ERDNT
2009-02-13 13:55 . 2009-02-13 13:57 6,200 --a------ e:\windows\system32\acdb.err
2009-02-13 12:47 . 2009-02-13 12:47 <DIR> d-------- e:\program files\SUPERAntiSpyware
2009-02-13 12:47 . 2009-02-15 23:28 <DIR> d-------- e:\documents and settings\Save or Cancel\Application Data\SUPERAntiSpyware.com
2009-02-13 12:47 . 2009-02-13 12:47 <DIR> d-------- e:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-12 11:22 . 2009-02-12 11:22 128 --a------ e:\windows\system32\C.tmp
2009-02-12 11:22 . 2009-02-12 11:22 0 --a------ e:\windows\system32\D.tmp
2009-02-12 00:08 . 2009-02-12 00:08 32,256 --ah----- e:\documents and settings\Save or Cancel\jon.exe
2009-02-12 00:08 . 2009-02-12 00:08 128 --a------ e:\windows\system32\57.tmp
2009-02-12 00:07 . 2009-02-13 15:34 67,072 ---h----- e:\windows\system32\secupdat.dat
2009-02-12 00:07 . 2009-02-12 00:07 32,256 --ah----- e:\documents and settings\Save or Cancel\deo.exe
2009-02-12 00:07 . 2009-02-12 00:07 616 --a------ e:\windows\system32\55.tmp
2009-02-12 00:05 . 2009-02-12 00:05 128 --a------ e:\windows\system32\51.tmp
2009-02-11 23:48 . 2009-02-11 23:48 <DIR> d-------- e:\program files\Passcape
2009-02-10 00:04 . 2009-02-12 01:26 98,304 --a------ e:\windows\DUMP6793.tmp
2009-02-10 00:04 . 2009-02-12 12:36 98,304 --a------ e:\windows\DUMP5e4c.tmp
2009-02-10 00:04 . 2009-02-15 15:04 90,112 --a------ e:\windows\DUMP54b7.tmp
2009-02-10 00:04 . 2009-02-13 15:21 90,112 --a------ e:\windows\DUMP4bdd.tmp
2009-02-10 00:04 . 2009-02-15 14:16 90,112 --a------ e:\windows\DUMP4630.tmp
2009-02-08 23:21 . 2009-02-08 23:28 <DIR> d-------- e:\windows\SxsCaPendDel
2009-02-08 21:16 . 2009-02-08 21:16 0 --a------ e:\windows\system32\AAWService_2009_02_08_21_16_26.dmp
2009-02-06 23:41 . 2009-02-06 23:41 <DIR> d-------- e:\program files\CCleaner
2009-02-06 00:49 . 2009-02-06 00:49 <DIR> d-------- e:\program files\Alwil Software
2009-02-05 22:38 . 2009-02-05 22:38 <DIR> d-------- e:\program files\NetActivator
2009-02-05 21:44 . 2009-02-10 18:25 <DIR> d-------- e:\windows\RegCure
2009-02-05 21:44 . 2009-02-05 22:16 <DIR> d-------- e:\program files\RegCure
2009-02-05 11:35 . 2009-02-07 15:52 2,184 --a------ e:\windows\system32\wpa.dbl
2009-02-04 20:44 . 2009-02-04 20:44 <DIR> d-------- e:\documents and settings\Save or Cancel\Application Data\Malwarebytes
2009-02-04 20:44 . 2009-02-04 20:44 <DIR> d-------- e:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-04 20:44 . 2009-01-14 16:11 38,496 --a------ e:\windows\system32\drivers\mbamswissarmy.sys
2009-02-04 20:44 . 2009-01-14 16:11 15,504 --a------ e:\windows\system32\drivers\mbam.sys
2009-02-04 20:43 . 2009-02-04 20:44 <DIR> d-------- e:\program files\Malwarebytes' Anti-Malware
2009-02-04 20:33 . 2009-02-13 22:19 <DIR> d-------- e:\program files\Lavasoft
2009-02-04 20:33 . 2009-02-13 22:19 <DIR> d-------- e:\documents and settings\All Users\Application Data\Lavasoft
2009-02-04 19:23 . 2009-02-05 14:27 <DIR> d-------- e:\windows\system32\inf
2009-02-04 16:44 . 2009-02-04 19:19 <DIR> d-------- e:\documents and settings\Administrator
2009-02-04 16:07 . 2009-02-04 16:07 32,768 --a------ e:\windows\system32\rer.wa
2009-02-04 16:07 . 2009-02-04 16:07 32,768 --a------ e:\windows\system32\qzhr1.ant
2009-02-04 16:07 . 2009-02-04 16:07 28,672 --a------ e:\windows\system32\do8d.sr
2009-02-04 16:07 . 2009-02-04 16:07 28,672 --a------ e:\windows\system32\dedwf.lp
2009-02-04 16:07 . 2009-02-04 16:07 0 --a------ e:\windows\mqcd.dbt
2009-02-04 16:06 . 2009-02-04 16:06 108,336 --a------ e:\windows\mswinsck.ocx
2009-02-04 16:06 . 2009-02-04 16:06 77,312 --a------ e:\windows\system32\re3d.pf
2009-02-04 12:25 . 2009-02-04 12:25 <DIR> d-------- e:\documents and settings\All Users\Application Data\Simply Super Software
2009-02-04 12:23 . 2009-02-04 12:23 <DIR> d-------- e:\documents and settings\Save or Cancel\Application Data\Thinstall
2009-02-03 21:41 . 2009-02-06 23:39 <DIR> d-------- e:\program files\SpywareBlaster
2009-02-03 21:24 . 2009-02-03 21:24 <DIR> d-------- e:\program files\Trend Micro
2009-02-03 14:32 . 2009-02-03 14:32 <DIR> d-------- e:\program files\Webroot
2009-02-03 14:32 . 2009-02-03 14:32 <DIR> d-------- e:\documents and settings\Save or Cancel\Application Data\Webroot
2009-02-03 14:32 . 2009-02-03 22:54 <DIR> d-------- e:\documents and settings\All Users\Application Data\Webroot
2009-02-01 23:25 . 2009-02-01 23:25 <DIR> d-------- e:\documents and settings\All Users\Application Data\Last.fm
2009-02-01 23:23 . 2009-02-04 00:16 <DIR> d-------- e:\program files\Last.fm
2009-01-31 15:14 . 2009-02-07 21:39 <DIR> d-------- e:\program files\Dropbox
2009-01-31 15:14 . 2009-02-17 14:04 <DIR> d-------- e:\documents and settings\Save or Cancel\Application Data\Dropbox
2009-01-17 10:44 . 2004-08-03 23:56 86,528 --a------ e:\windows\AhnRpta.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-17 12:19 88,833,056 --sha-w e:\windows\system32\drivers\fidbox.dat
2009-02-17 12:04 --------- d-----w e:\documents and settings\Save or Cancel\Application Data\uTorrent
2009-02-17 12:02 1,007,904 --sha-w e:\windows\system32\drivers\fidbox2.dat
2009-02-17 12:01 97,604 --sha-w e:\windows\system32\drivers\fidbox2.idx
2009-02-17 12:01 1,193,624 --sha-w e:\windows\system32\drivers\fidbox.idx
2009-02-17 11:38 --------- d-----w e:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-02-17 02:36 --------- d-----w e:\documents and settings\All Users\Application Data\Google Updater
2009-02-16 12:32 --------- d-----w e:\program files\Mozilla
2009-02-09 18:58 --------- d-----w e:\program files\Sony
2009-02-08 21:26 --------- d-----w e:\program files\MSBuild
2009-02-08 20:50 --------- d---a-w e:\documents and settings\All Users\Application Data\TEMP
2009-02-07 10:44 577,024 ----a-w e:\windows\system32\user32.DLL
2009-02-04 14:24 14,336 ----a-w e:\windows\system32\svchost.exe
2009-02-03 21:01 --------- d-----w e:\program files\FileZilla FTP Client
2009-02-02 08:12 --------- d-----w e:\documents and settings\Save or Cancel\Application Data\FileZilla
2009-02-01 21:25 --------- d-----w e:\program files\iTunes
2009-02-01 11:58 359,040 ----a-w e:\windows\system32\drivers\tcpip.sys
2009-01-27 19:45 --------- d-----w e:\documents and settings\Save or Cancel\Application Data\Publish Providers
2009-01-26 22:26 --------- d-----w e:\program files\Mozilla Thunderbird
2009-01-26 15:16 --------- d-----w e:\documents and settings\Save or Cancel\Application Data\mIRC
2009-01-25 15:07 --------- d-----w e:\program files\mIRC
2009-01-17 08:44 145,442 --sh--r E:\x2csvg.exe
2009-01-15 16:36 144,339 --sh--r E:\ve.exe
2009-01-13 12:22 2,516 --sha-w e:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-01-09 21:10 --------- d-----w e:\program files\Google
2009-01-08 09:56 --------- d-----w e:\program files\Bonjour
2009-01-07 13:43 --------- d-----w e:\program files\Microsoft Research
2009-01-07 00:03 --------- d-----w e:\documents and settings\Save or Cancel\Application Data\Autodesk
2009-01-06 22:20 --------- d-----w e:\program files\Common Files\Autodesk Shared
2009-01-06 22:20 --------- d-----w e:\program files\AutoCAD 2007
2009-01-06 22:19 --------- d-----w e:\program files\AnswerWorks 4.0
2009-01-06 22:17 --------- d-----w e:\documents and settings\All Users\Application Data\Autodesk
2009-01-06 22:15 --------- d-----w e:\program files\Autodesk
2009-01-03 13:53 1,366 ----a-w e:\windows\Fonts\FTC_____.PFM
2009-01-03 13:53 1,152 ----a-w e:\windows\Fonts\FTUBL___.PFM
2009-01-03 13:53 1,148 ----a-w e:\windows\Fonts\FTI_____.PFM
2009-01-03 13:53 1,147 ----a-w e:\windows\Fonts\FTR_____.PFM
2009-01-03 13:53 1,093 ----a-w e:\windows\Fonts\FTL_____.PFM
2009-01-03 13:52 1,375 ----a-w e:\windows\Fonts\FTBLC___.PFM
2009-01-03 13:52 1,147 ----a-w e:\windows\Fonts\FTBL____.PFM
2009-01-03 13:52 1,062 ----a-w e:\windows\Fonts\FTBI____.PFM
2009-01-03 10:23 1,333 ----a-w e:\windows\Fonts\hebl____.pfm
2009-01-03 10:23 1,062 ----a-w e:\windows\Fonts\hvk_____.pfm
2009-01-03 10:23 1,060 ----a-w e:\windows\Fonts\hlbi____.pfm
2009-01-03 10:23 1,054 ----a-w e:\windows\Fonts\hlhvo___.pfm
2009-01-03 10:21 1,405 ----a-w e:\windows\Fonts\hlmco___.pfm
2009-01-03 10:21 1,336 ----a-w e:\windows\Fonts\heblo___.pfm
2009-01-03 10:21 1,247 ----a-w e:\windows\Fonts\hlzco___.pfm
2009-01-03 10:21 1,244 ----a-w e:\windows\Fonts\hlzc____.pfm
2009-01-03 10:21 1,195 ----a-w e:\windows\Fonts\hllco___.pfm
2009-01-03 10:21 1,192 ----a-w e:\windows\Fonts\hllc____.pfm
2009-01-03 10:21 1,103 ----a-w e:\windows\Fonts\hvlo____.pfm
2009-01-03 10:21 1,101 ----a-w e:\windows\Fonts\hlbli___.pfm
2009-01-03 10:21 1,086 ----a-w e:\windows\Fonts\hlhi____.pfm
2009-01-03 10:21 1,065 ----a-w e:\windows\Fonts\hlli____.pfm
2009-01-03 10:21 1,051 ----a-w e:\windows\Fonts\hlavo___.pfm
2009-01-03 10:21 1,045 ----a-w e:\windows\Fonts\hllvo___.pfm
2009-01-03 10:20 1,096 ----a-w e:\windows\Fonts\hvl_____.pfm
2009-01-03 10:20 1,047 ----a-w e:\windows\Fonts\hlmvo___.pfm
2009-01-03 10:19 1,099 ----a-w e:\windows\Fonts\hlbl____.pfm
2009-01-03 10:19 1,060 ----a-w e:\windows\Fonts\hvek____.pfm
2009-01-03 10:19 1,051 ----a-w e:\windows\Fonts\hlhv____.pfm
2009-01-03 10:19 1,042 ----a-w e:\windows\Fonts\hlv_____.pfm
2009-01-03 10:18 1,780 ----a-w e:\windows\Fonts\hvc_____.pfm
2009-01-03 10:18 1,326 ----a-w e:\windows\Fonts\hltc____.pfm
2009-01-03 10:18 1,326 ----a-w e:\windows\Fonts\hla_____.pfm
2009-01-03 10:18 1,085 ----a-w e:\windows\Fonts\hluli___.pfm
2009-01-03 10:18 1,044 ----a-w e:\windows\Fonts\hlmv____.pfm
2009-01-03 10:17 1,862 ----a-w e:\windows\Fonts\hvfrb___.pfm
2009-01-03 10:17 1,858 ----a-w e:\windows\Fonts\hvfr____.pfm
2009-01-03 10:17 1,402 ----a-w e:\windows\Fonts\hlmc____.pfm
2009-01-03 10:17 1,341 ----a-w e:\windows\Fonts\hlhc____.pfm
2009-01-03 10:17 1,329 ----a-w e:\windows\Fonts\hltco___.pfm
2009-01-03 10:17 1,208 ----a-w e:\windows\Fonts\hlc_____.pfm
2009-01-03 10:17 1,093 ----a-w e:\windows\Fonts\hlm_____.pfm
2009-01-03 10:17 1,045 ----a-w e:\windows\Fonts\hlvo____.pfm
2009-01-03 10:16 1,329 ----a-w e:\windows\Fonts\hlao____.pfm
2009-01-03 10:16 1,218 ----a-w e:\windows\Fonts\hlbco___.pfm
2009-01-03 10:16 1,083 ----a-w e:\windows\Fonts\hlti____.pfm
2009-01-03 10:16 1,048 ----a-w e:\windows\Fonts\hltv____.pfm
2009-01-03 10:16 1,048 ----a-w e:\windows\Fonts\hlav____.pfm
2009-01-03 10:16 1,042 ----a-w e:\windows\Fonts\hllv____.pfm
2009-01-03 10:15 1,344 ----a-w e:\windows\Fonts\hlhco___.pfm
2009-01-03 10:15 1,052 ----a-w e:\windows\Fonts\hlbvo___.pfm
2008-12-21 11:13 8 --sh--r e:\documents and settings\All Users\Application Data\D7FC6FEF22.sys
2008-12-21 11:13 --------- d-----w e:\documents and settings\Save or Cancel\Application Data\Corel
2008-12-21 11:13 --------- d-----w e:\documents and settings\All Users\Application Data\Corel
2008-12-21 00:45 --------- d-----w e:\program files\Common Files\Protexis
2008-12-21 00:42 --------- d-----w e:\program files\Common Files\Corel
2008-12-21 00:40 --------- d-----w e:\program files\Corel
2008-12-15 22:05 410,984 ----a-w e:\windows\system32\deploytk.dll
2008-12-12 09:18 87,336 ----a-w e:\windows\system32\dns-sd.exe
2008-12-12 09:11 61,440 ----a-w e:\windows\system32\dnssd.dll
2008-12-04 23:45 952,913 ----a-w e:\windows\xlarge_08S.scr
2008-12-04 23:45 534,098 ----a-w e:\windows\xlarge_08SUninst.exe
2004-08-03 21:56 162,194 --sha-r e:\windows\system32\wgsbbjhv.dll
.

------- Sigcheck -------

2009-02-01 13:58 359040 3bb4b08619c111c7be8bda07aa0de6a2 e:\windows\system32\drivers\tcpip.sys

2009-02-13 14:43 213376 96da25b3aea08612323215ce1497b604 e:\windows\system32\dllcache\ndis.sys
2009-02-15 15:23 213376 96da25b3aea08612323215ce1497b604 e:\windows\system32\drivers\NDIS.sys

2004-08-03 23:56 1049600 c57d7935c6de5ff2bd29bd720838b71d e:\windows\explorer.exe

2004-08-03 23:56 32768 2016ac78ce691baed93bf46d4ebc524c e:\windows\system32\ctfmon.exe

2004-08-03 23:56 75264 80cfeb438763c44c0e04efc52b013dd4 e:\windows\system32\spoolsv.exe

2004-08-03 23:56 41984 2db3975548a650aa0e3a6f94ab21f14c e:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 09:20 143360 --a------ e:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 09:20 143360 --a------ e:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 09:20 143360 --a------ e:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2007-12-13 21:02 96552 --a------ e:\program files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RAMSaverPro"="c:\program files\WinTools\RAM Saver Pro\ramsaverpro.exe" [2008-06-07 105472]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2004-08-03 32768]
"ISUSPM"="e:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"uTorrent"="e:\program files\uTorrent\uTorrent.exe" [2009-02-11 270128]
"SUPERAntiSpyware"="e:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1850608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2008-12-16 136600]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"Adobe_ID0EYTHM"="e:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1904640]
"NvMediaCenter"="e:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"itype"="e:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="e:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-06 849280]
"NetActivator"="e:\program files\NetActivator\NetActivator.exe" [2008-08-13 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2008-11-04 434176]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AVP"="e:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 227856]
"nwiz"="nwiz.exe" [2007-06-28 e:\windows\system32\nwiz.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 e:\windows\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-28 e:\windows\RTHDCPL.EXE]

e:\documents and settings\Save or Cancel\Start Menu\Programs\Startup\
Dropbox.lnk - e:\program files\Dropbox\Dropbox.exe [2008-09-26 24096981]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - e:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 11000]

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=e:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 11:57 111936 e:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 11:39 507336 e:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-26 23:47 31016 e:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 20:34 69632 e:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-12-13 21:02 1082152 e:\program files\Nero\Nero8\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 18:10 1688872 e:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 e:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 13:21 2213160 e:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 13:57 153136 e:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2007-12-13 21:02 2048808 e:\program files\Nero\Nero8\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
--a------ 2009-02-11 12:23 270128 e:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NOD32FiXTemDono"=2 (0x2)
"NeroRegInCDSrv"=2 (0x2)
"Nero BackItUp Scheduler 3"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\uTorrent\\uTorrent.exe"=
"e:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe"=
"e:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"e:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"e:\\Program Files\\Graphisoft\\ArchiCAD 11\\ArchiCAD.exe"=
"e:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"e:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"2956:TCP"= 2956:TCP:uhbqi

R0 prxzzxep;prxzzxep; [x]
R1 ethuyddm;ethuyddm; [x]
R2 pygbcgtbd;sxpdkc;e:\windows\system32\svchost.exe [2009-02-04 14336]
R2 tjuyxdz;Microsoft Center;e:\windows\system32\svchost.exe [2009-02-04 14336]
R3 AVPsys;AVPsys;e:\windows\system32\drivers\cdaudio.sys [2009-02-13 137824]
R3 DualCoreCenter;DualCoreCenter; [x]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;e:\windows\system32\DRIVERS\klim5.sys [2007-12-13 24592]
R3 RushTopDevice2;RushTopDevice2; [x]
R3 W2kbhid;KBGear Tablet (USB);e:\windows\system32\DRIVERS\W2kbhid.sys [2000-12-15 23552]
R3 Wtcls2k;Wtcls2k;e:\windows\system32\DRIVERS\Wtcls2k.sys [2000-12-15 13824]
R4 NeroRegInCDSrv;Nero Registry InCD Service;e:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [2007-12-13 50984]
R4 NOD32FiXTemDono;Eset Nod32 Boot;e:\windows\system32\regedt32.exe [2001-08-23 20992]
S0 xfilt;VIA SATA IDE Hot-plug Driver;e:\windows\system32\DRIVERS\xfilt.sys [2006-10-18 17920]
S1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-01-15 8944]
S1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-01-15 55024]
S3 SASENUM;SASENUM;e:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]


--- Other Services/Drivers In Memory ---

*Deregistered* - AudioSrv
*Deregistered* - AVP
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FLEXnet Licensing Service
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - gusvc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - hpqcxs08
*Deregistered* - hpqddsvc
*Deregistered* - InCDfs
*Deregistered* - InCDsrv
*Deregistered* - iPod Service
*Deregistered* - JavaQuickStarterService
*Deregistered* - Kbdclass
*Deregistered* - klif
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - MDM
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NdisTapi
*Deregistered* - Net Driver HPZ12
*Deregistered* - Netman
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PCIIde
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PQNTDrv
*Deregistered* - ProtectedStorage
*Deregistered* - PSI_SVC_2
*Deregistered* - pygbcgtbd
*Deregistered* - RasAcd
*Deregistered* - RasMan
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RDPWD
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SASDIFSV
*Deregistered* - SASENUM
*Deregistered* - SASKUTIL
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - TDTCP
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - tjuyxdz
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - ViaIde
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - WIBUKEY
*Deregistered* - winmgmt
*Deregistered* - Wintab32
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfPf
*Deregistered* - WudfSvc

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
pygbcgtbd
tjuyxdz

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F387232}]
c:\recycler\k-1-3542-4232123213-7676767-8888886\root.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-16 e:\windows\Tasks\Ad-Aware Update (Weekly).job
- e:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-02-12 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-17 e:\windows\Tasks\jojfdeat.job
- e:\windows\system32\fcccabXP.dll []

2009-02-17 e:\windows\Tasks\RegCure Program Check.job
- e:\program files\RegCure\RegCure.exe [2007-08-02 11:20]

2009-02-05 e:\windows\Tasks\RegCure.job
- e:\program files\RegCure\RegCure.exe [2007-08-02 11:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-reader_s - e:\documents and settings\Save or Cancel\reader_s.exe
HKLM-Run-reader_s - e:\windows\System32\reader_s.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
SafeBoot-mfehuqvk.sys
SafeBoot-pdkzpmgj.sys
SafeBoot-prxzzxep.sys


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local;localhost
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
FF - ProfilePath - e:\documents and settings\Save or Cancel\Application Data\Mozilla\Firefox\Profiles\y89unupt.default\
FF - component: e:\documents and settings\Save or Cancel\Application Data\Mozilla\Firefox\Profiles\y89unupt.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - component: e:\documents and settings\Save or Cancel\Application Data\Mozilla\Firefox\Profiles\y89unupt.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: e:\program files\Google\Google Updater\2.4.1439.6872\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-17 14:03:19
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\pygbcgtbd]
"ServiceDll"="e:\windows\system32\wgsbbjhv.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tjuyxdz]
"ServiceDll"="e:\windows\system32\wgsbbjhv.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1645522239-1563985344-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{63594757-9726-1169-FD16-BAE4AD973AEC}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oakdmpmjpijffphppkpikebkajpmam"=hex:6b,61,6a,6d,65,6b,6e,6a,64,6f,67,6f,6e,61,
6c,67,67,6f,6e,67,65,63,00,7c
"naeecombeephampgmdhnmpifnfnj"=hex:6b,61,6a,6d,65,6b,6e,6a,64,6f,67,6f,6e,61,
6c,67,67,6f,6e,67,65,63,00,7c

[HKEY_LOCAL_MACHINE\System\ControlSet003\Enum\Root\LEGACY_MFEHUQVK\0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(344)
e:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
e:\windows\system32\klogon.dll
e:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\dnsq.dll
e:\windows\system32\WLDAP32.dll

- - - - - - - > 'lsass.exe'(400)
e:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\dnsq.dll
e:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
e:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\fssync.dll
.
------------------------ Other Running Processes ------------------------
.
e:\windows\system32\wintab32.exe
e:\program files\Java\jre6\bin\jqs.exe
e:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
e:\windows\system32\nvsvc32.exe
e:\program files\Common Files\Protexis\License Service\PsiService_2.exe
e:\windows\system32\rundll32.exe
e:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
e:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2009-02-17 14:30:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-17 12:29:59
ComboFix2.txt 2009-02-12 22:59:03
ComboFix3.txt 2009-02-08 20:37:57
ComboFix4.txt 2009-02-06 21:52:05
ComboFix5.txt 2009-02-17 11:57:00

Pre-Run: 12,479,987,712 bytes free
Post-Run: 12,468,273,152 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
532

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 17 February 2009 - 05:23 PM

Hello, NoStatic
Can you please explain why CF was run so many times?

We need to uninstall one or more programs
Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs (if present):
RAM Saver Pro

You appear to have a Registry Cleaner installed!
The following is referring to RegCure
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done assuming that the main audience here at this board may be inexperienced users, and is thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix", and it is up to the user, so just take this as a recommendation from my side.

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/201079/unsure-what-type-of-infection-multiple-threats-detected/
    collect::
    C:\Windows\System32\pygbcgtbd.dll
    C:\Windows\System32\tjuyxdz.dll
    folder::
    e:\windows\system32\3361
    e:\program files\Passcape
    e:\windows\SxsCaPendDel
    c:\recycler
    file::
    e:\windows\system32\43.tmp
    e:\windows\system32\21.tmp
    e:\documents and settings\Save or Cancel\dgwcje.exe
    e:\documents and settings\Save or Cancel\tykmyti.exe
    e:\windows\system32\3.tmp
    e:\windows\system32\acdb.err
    e:\windows\system32\C.tmp
    e:\windows\system32\D.tmp
    e:\documents and settings\Save or Cancel\jon.exe
    e:\windows\system32\57.tmp
    e:\windows\system32\secupdat.dat
    e:\documents and settings\Save or Cancel\deo.exe
    e:\windows\system32\55.tmp
    e:\windows\system32\51.tmp
    e:\windows\DUMP6793.tmp
    e:\windows\DUMP5e4c.tmp
    e:\windows\DUMP54b7.tmp
    e:\windows\DUMP4bdd.tmp
    e:\windows\DUMP4630.tmp
    e:\windows\system32\re3d.pf
    e:\windows\AhnRpta.exe
    E:\x2csvg.exe
    E:\ve.exe
    e:\windows\Fonts\FTC_____.PFM
    e:\windows\Fonts\FTUBL___.PFM
    e:\windows\Fonts\FTI_____.PFM
    e:\windows\Fonts\FTR_____.PFM
    e:\windows\Fonts\FTL_____.PFM
    e:\windows\Fonts\FTBLC___.PFM
    e:\windows\Fonts\FTBL____.PFM
    e:\windows\Fonts\FTBI____.PFM
    e:\windows\Fonts\hebl____.pfm
    e:\windows\Fonts\hvk_____.pfm
    e:\windows\Fonts\hlbi____.pfm
    e:\windows\system32\fcccabXP.dll
    e:\windows\Tasks\jojfdeat.job
    e:\windows\Fonts\hlhvo___.pfm
    e:\windows\Fonts\hlmco___.pfm
    e:\windows\Fonts\heblo___.pfm
    e:\windows\Fonts\hlzco___.pfm
    e:\windows\Fonts\hlzc____.pfm
    e:\windows\Fonts\hllco___.pfm
    e:\windows\Fonts\hllc____.pfm
    e:\windows\Fonts\hvlo____.pfm
    e:\windows\Fonts\hlbli___.pfm
    e:\windows\Fonts\hlhi____.pfm
    e:\windows\Fonts\hlli____.pfm
    e:\windows\Fonts\hlavo___.pfm
    e:\windows\Fonts\hllvo___.pfm
    e:\windows\Fonts\hvl_____.pfm
    e:\windows\Fonts\hlmvo___.pfm
    e:\windows\Fonts\hlbl____.pfm
    e:\windows\Fonts\hvek____.pfm
    e:\windows\Fonts\hlhv____.pfm
    e:\windows\Fonts\hlv_____.pfm
    e:\windows\Fonts\hvc_____.pfm
    e:\windows\Fonts\hltc____.pfm
    e:\windows\Fonts\hla_____.pfm
    e:\windows\Fonts\hluli___.pfm
    e:\windows\Fonts\hlmv____.pfm
    e:\windows\Fonts\hvfrb___.pfm
    e:\windows\Fonts\hvfr____.pfm
    e:\windows\Fonts\hlmc____.pfm
    e:\windows\Fonts\hlhc____.pfm
    e:\windows\Fonts\hltco___.pfm
    e:\windows\Fonts\hlc_____.pfm
    e:\windows\Fonts\hlm_____.pfm
    e:\windows\Fonts\hlvo____.pfm
    e:\windows\Fonts\hlao____.pfm
    e:\windows\Fonts\hlbco___.pfm
    e:\windows\Fonts\hlti____.pfm
    e:\windows\Fonts\hltv____.pfm
    e:\windows\Fonts\hlav____.pfm
    e:\windows\Fonts\hllv____.pfm
    e:\windows\Fonts\hlhco___.pfm
    e:\windows\Fonts\hlbvo___.pfm
    e:\documents and settings\All Users\Application Data\D7FC6FEF22.sys
    e:\windows\system32\dns-sd.exe
    e:\windows\system32\dnssd.dll
    e:\windows\xlarge_08S.scr
    e:\windows\xlarge_08SUninst.exe
    e:\windows\system32\wgsbbjhv.dll
    e:\windows\system32\drivers\cdaudio.sys
    driver::
    NOD32FiXTemDono
    prxzzxep
    ethuyddm
    DualCoreCenter
    RushTopDevice2
    pygbcgtbd
    tjuyxdz
    AVPsys
    netsvc::
    pygbcgtbd
    tjuyxdz
    registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "NOD32FiXTemDono"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "2956:TCP"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F387232}]
    [-HKEY_CLASSES_ROOT\CLSID\{23KLN5J0-4OPM-11WE-AAX5-24EF1F387232}]
    DDS::
    Trusted Zone: com.tw\asia.msi
    Trusted Zone: com.tw\global.msi
    Trusted Zone: com.tw\www.msi
    REGNULL::
    [HKEY_USERS\S-1-5-21-1645522239-1563985344-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{63594757-9726-1169-FD16-BAE4AD973AEC}*]
    REGLOCK::
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Enum\Root\LEGACY_MFEHUQVK\0000\LogConf]
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • [Image: dragging CFScript.txt onto ComboFix.exe]
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
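As an added example that is not part of this thread, of ComboFix or of the helper's instructions: a Python triage pass over the registry and service sections of a log in the format posted above, reporting the indicators that the CFScript in this post targets (the Security Center override values, EnableFirewall=0, the 2956:TCP rule with no product name, the two non-default netsvcs services and the ServiceDll they load, the Active Setup component whose CLSID is not a valid GUID, and the scheduled task that runs a DLL). The sample log excerpt is constructed from lines of the log posted in this thread; treating a firewall rule whose description is a bare lowercase token as "unexplained" is a heuristic assumed by this example, not a ComboFix rule.

```python
import re

# Constructed excerpt of the log posted above (only the lines the checks need).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"2956:TCP"= 2956:TCP:uhbqi

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
pygbcgtbd
tjuyxdz

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F387232}]
c:\recycler\k-1-3542-4232123213-7676767-8888886\root.exe

2009-02-17 e:\windows\Tasks\jojfdeat.job
- e:\windows\system32\fcccabXP.dll []

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\pygbcgtbd]
"ServiceDll"="e:\windows\system32\wgsbbjhv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tjuyxdz]
"ServiceDll"="e:\windows\system32\wgsbbjhv.dll"
"""

# A real CLSID is hex only; a value with letters outside 0-9A-F cannot be a GUID.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Security Center values that silence the "no antivirus / no firewall" warnings.
SECURITY_CENTER_FLAGS = ("AntiVirusDisableNotify", "UpdatesDisableNotify",
                         "AntiVirusOverride", "FirewallOverride")


def blocks(log):
    """Yield (header, body_lines) for every blank-line-separated block."""
    for chunk in re.split(r"\n\s*\n", log.strip()):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            yield lines[0], lines[1:]


def reg_values(body):
    """Parse "Name"=value lines of a registry block into a dict."""
    out = {}
    for line in body:
        m = re.match(r'^"([^"]+)"=\s*(.*)$', line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out


def triage(log):
    """Return a list of human-readable findings for one log excerpt."""
    findings, service_dlls, netsvcs = [], {}, []
    for header, body in blocks(log):
        h = header.lower()
        vals = reg_values(body)
        if h.endswith("\\security center]"):
            for name in SECURITY_CENTER_FLAGS:
                if vals.get(name, "").endswith("00000001"):
                    findings.append(f"security center: {name} set, warnings suppressed")
        elif h.endswith("\\firewallpolicy\\standardprofile]"):
            if vals.get("EnableFirewall", "").startswith("0"):
                findings.append("firewall: EnableFirewall=0 in standard profile")
        elif h.endswith("\\globallyopenports\\list]"):
            for rule, spec in vals.items():
                desc = spec.split(":", 2)[-1]  # "2956:TCP:uhbqi" -> "uhbqi"
                # Product rules carry a readable name; a bare lowercase token does not.
                if re.fullmatch(r"[a-z]+", desc):
                    findings.append(f"firewall: unexplained open port {rule} ({desc})")
        elif h.endswith("svchost - netsvcs"):
            netsvcs = body  # ComboFix lists only the non-default netsvcs entries here
        elif "\\active setup\\installed components\\" in h:
            clsid = header.rsplit("\\", 1)[1].rstrip("]")
            if not GUID_RE.match(clsid):
                findings.append(f"active setup: {clsid} is not a valid GUID, runs {body[0]}")
        elif h.endswith(".job"):
            target = body[0].lstrip("- ") if body else ""
            if target.lower().split(" [")[0].endswith(".dll"):
                findings.append(f"scheduled task: {header.split()[-1]} runs a DLL: {target}")
        else:
            m = re.search(r"\\services\\([^\]\\]+)\]$", h)
            if m and "ServiceDll" in vals:
                service_dlls[m.group(1)] = vals["ServiceDll"].strip('"')
    # Resolve each non-default netsvcs entry to the DLL svchost would load for it.
    for svc in netsvcs:
        dll = service_dlls.get(svc.lower(), "(ServiceDll not in log)")
        findings.append(f"netsvcs: non-default svchost service {svc} -> {dll}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```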

#7 NoStatic

NoStatic
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Female
  • Location:bucharest

Posted 18 February 2009 - 06:27 AM

Hello Billy,

As I said in the first post of this thread: "I got Avast, ComboFix, RegCure, Malwarebyte's Anti-Malware and Ad-Aware and they all picked up different kind of threats" after searching on Google for ways to clean the computer - if you are referring to the previous ComboFix logs listed at the bottom of this last log. After your first reply I did as you said and did nothing of the sort.
I will uninstall RamSaver and Ramcleaner right now and run the CFScript.
Thank you and I'll be back with the log ASAP.

Cristina.

#8 NoStatic

NoStatic
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Female
  • Location:bucharest

Posted 18 February 2009 - 08:21 AM

This is the ComboFix log. How does it look?




ComboFix 09-02-15.01 - Save or Cancel 2009-02-18 13:37:10.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.272 [GMT 2:00]
Running from: e:\documents and settings\Save or Cancel\Desktop\ComboFix.exe
Command switches used :: e:\documents and settings\Save or Cancel\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
e:\documents and settings\All Users\Application Data\D7FC6FEF22.sys
e:\documents and settings\Save or Cancel\deo.exe
e:\documents and settings\Save or Cancel\dgwcje.exe
e:\documents and settings\Save or Cancel\jon.exe
e:\documents and settings\Save or Cancel\tykmyti.exe
E:\ve.exe
e:\windows\AhnRpta.exe
e:\windows\DUMP4630.tmp
e:\windows\DUMP4bdd.tmp
e:\windows\DUMP54b7.tmp
e:\windows\DUMP5e4c.tmp
e:\windows\DUMP6793.tmp
e:\windows\Fonts\FTBI____.PFM
e:\windows\Fonts\FTBL____.PFM
e:\windows\Fonts\FTBLC___.PFM
e:\windows\Fonts\FTC_____.PFM
e:\windows\Fonts\FTI_____.PFM
e:\windows\Fonts\FTL_____.PFM
e:\windows\Fonts\FTR_____.PFM
e:\windows\Fonts\FTUBL___.PFM
e:\windows\Fonts\hebl____.pfm
e:\windows\Fonts\heblo___.pfm
e:\windows\Fonts\hla_____.pfm
e:\windows\Fonts\hlao____.pfm
e:\windows\Fonts\hlav____.pfm
e:\windows\Fonts\hlavo___.pfm
e:\windows\Fonts\hlbco___.pfm
e:\windows\Fonts\hlbi____.pfm
e:\windows\Fonts\hlbl____.pfm
e:\windows\Fonts\hlbli___.pfm
e:\windows\Fonts\hlbvo___.pfm
e:\windows\Fonts\hlc_____.pfm
e:\windows\Fonts\hlhc____.pfm
e:\windows\Fonts\hlhco___.pfm
e:\windows\Fonts\hlhi____.pfm
e:\windows\Fonts\hlhv____.pfm
e:\windows\Fonts\hlhvo___.pfm
e:\windows\Fonts\hllc____.pfm
e:\windows\Fonts\hllco___.pfm
e:\windows\Fonts\hlli____.pfm
e:\windows\Fonts\hllv____.pfm
e:\windows\Fonts\hllvo___.pfm
e:\windows\Fonts\hlm_____.pfm
e:\windows\Fonts\hlmc____.pfm
e:\windows\Fonts\hlmco___.pfm
e:\windows\Fonts\hlmv____.pfm
e:\windows\Fonts\hlmvo___.pfm
e:\windows\Fonts\hltc____.pfm
e:\windows\Fonts\hltco___.pfm
e:\windows\Fonts\hlti____.pfm
e:\windows\Fonts\hltv____.pfm
e:\windows\Fonts\hluli___.pfm
e:\windows\Fonts\hlv_____.pfm
e:\windows\Fonts\hlvo____.pfm
e:\windows\Fonts\hlzc____.pfm
e:\windows\Fonts\hlzco___.pfm
e:\windows\Fonts\hvc_____.pfm
e:\windows\Fonts\hvek____.pfm
e:\windows\Fonts\hvfr____.pfm
e:\windows\Fonts\hvfrb___.pfm
e:\windows\Fonts\hvk_____.pfm
e:\windows\Fonts\hvl_____.pfm
e:\windows\Fonts\hvlo____.pfm
e:\windows\system32\21.tmp
e:\windows\system32\3.tmp
e:\windows\system32\43.tmp
e:\windows\system32\51.tmp
e:\windows\system32\55.tmp
e:\windows\system32\57.tmp
e:\windows\system32\acdb.err
e:\windows\system32\C.tmp
e:\windows\system32\D.tmp
e:\windows\system32\dns-sd.exe
e:\windows\system32\dnssd.dll
e:\windows\system32\drivers\cdaudio.sys
e:\windows\system32\fcccabXP.dll
e:\windows\system32\re3d.pf
e:\windows\system32\secupdat.dat
e:\windows\system32\wgsbbjhv.dll
e:\windows\Tasks\jojfdeat.job
e:\windows\xlarge_08S.scr
e:\windows\xlarge_08SUninst.exe
E:\x2csvg.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler
c:\recycler\k-1-3542-4232123213-7676767-8888886\Desktop.ini
c:\recycler\k-1-3542-4232123213-7676767-8888886\root.exe
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\recycler\S-1-5-21-1645522239-1563985344-682003330-1003\desktop.ini
c:\recycler\S-1-5-21-1645522239-1563985344-682003330-1003\INFO2
e:\documents and settings\All Users\Application Data\D7FC6FEF22.sys
e:\documents and settings\Save or Cancel\deo.exe
e:\documents and settings\Save or Cancel\dgwcje.exe
e:\documents and settings\Save or Cancel\jon.exe
e:\documents and settings\Save or Cancel\tykmyti.exe
e:\program files\Passcape
e:\program files\Passcape\MPR\combdic.pcd
e:\program files\Passcape\MPR\desktop.ini
e:\program files\Passcape\MPR\file_id.diz
e:\program files\Passcape\MPR\home.url
e:\program files\Passcape\MPR\license.txt
e:\program files\Passcape\MPR\loader.dll
e:\program files\Passcape\MPR\loader.exe
e:\program files\Passcape\MPR\mpr.chm
e:\program files\Passcape\MPR\mpr.pcd
e:\program files\Passcape\MPR\mpr_history.txt
e:\program files\Passcape\MPR\MPRppp.log
e:\program files\Passcape\MPR\msk\0-9.msk
e:\program files\Passcape\MPR\msk\000000-zzzzzz.msk
e:\program files\Passcape\MPR\msk\1980-2007.msk
e:\program files\Passcape\MPR\msk\a-z,0-9.msk
e:\program files\Passcape\MPR\msk\date.msk
e:\program files\Passcape\MPR\msk\links.msk
e:\program files\Passcape\MPR\msk\readme.txt
e:\program files\Passcape\MPR\msk\russian.msk
e:\program files\Passcape\MPR\msk\symbol14.msk
e:\program files\Passcape\MPR\msk\symbols.msk
e:\program files\Passcape\MPR\order.txt
e:\program files\Passcape\MPR\pcf\0-9, space.pcf
e:\program files\Passcape\MPR\pcf\0-9.pcf
e:\program files\Passcape\MPR\pcf\1-13.pcf
e:\program files\Passcape\MPR\pcf\a-z, 0-9, space.pcf
e:\program files\Passcape\MPR\pcf\a-z, 0-9, symbol14, space.pcf
e:\program files\Passcape\MPR\pcf\a-z, 0-9, symbol14.pcf
e:\program files\Passcape\MPR\pcf\a-z, 0-9.pcf
e:\program files\Passcape\MPR\pcf\a-z, A-Z, 0-9, space.pcf
e:\program files\Passcape\MPR\pcf\a-z, A-Z, 0-9, symbol14, space.pcf
e:\program files\Passcape\MPR\pcf\a-z, A-Z, 0-9, symbol14.pcf
e:\program files\Passcape\MPR\pcf\a-z, A-Z, 0-9.pcf
e:\program files\Passcape\MPR\pcf\a-z, A-Z.pcf
e:\program files\Passcape\MPR\pcf\a-z, space.pcf
e:\program files\Passcape\MPR\pcf\a-z.pcf
e:\program files\Passcape\MPR\pcf\all.pcf
e:\program files\Passcape\MPR\pcf\readme.txt
e:\program files\Passcape\MPR\pcf\upper, 0-9, space.pcf
e:\program files\Passcape\MPR\pcf\upper, 0-9, symbol14, space.pcf
e:\program files\Passcape\MPR\pcf\upper, 0-9, symbol14.pcf
e:\program files\Passcape\MPR\pcf\upper, 0-9.pcf
e:\program files\Passcape\MPR\pcf\upper, space.pcf
e:\program files\Passcape\MPR\pcf\upper.pcf
e:\program files\Passcape\MPR\phrases.pcd
e:\program files\Passcape\MPR\Readme.txt
e:\program files\Passcape\MPR\Uninstall.exe
E:\ve.exe
e:\windows\AhnRpta.exe
e:\windows\DUMP4630.tmp
e:\windows\DUMP4bdd.tmp
e:\windows\DUMP54b7.tmp
e:\windows\DUMP5e4c.tmp
e:\windows\DUMP6793.tmp
e:\windows\Fonts\FTBI____.PFM
e:\windows\Fonts\FTBL____.PFM
e:\windows\Fonts\FTBLC___.PFM
e:\windows\Fonts\FTC_____.PFM
e:\windows\Fonts\FTI_____.PFM
e:\windows\Fonts\FTL_____.PFM
e:\windows\Fonts\FTR_____.PFM
e:\windows\Fonts\FTUBL___.PFM
e:\windows\Fonts\hebl____.pfm
e:\windows\Fonts\heblo___.pfm
e:\windows\Fonts\hla_____.pfm
e:\windows\Fonts\hlao____.pfm
e:\windows\Fonts\hlav____.pfm
e:\windows\Fonts\hlavo___.pfm
e:\windows\Fonts\hlbco___.pfm
e:\windows\Fonts\hlbi____.pfm
e:\windows\Fonts\hlbl____.pfm
e:\windows\Fonts\hlbli___.pfm
e:\windows\Fonts\hlbvo___.pfm
e:\windows\Fonts\hlc_____.pfm
e:\windows\Fonts\hlhc____.pfm
e:\windows\Fonts\hlhco___.pfm
e:\windows\Fonts\hlhi____.pfm
e:\windows\Fonts\hlhv____.pfm
e:\windows\Fonts\hlhvo___.pfm
e:\windows\Fonts\hllc____.pfm
e:\windows\Fonts\hllco___.pfm
e:\windows\Fonts\hlli____.pfm
e:\windows\Fonts\hllv____.pfm
e:\windows\Fonts\hllvo___.pfm
e:\windows\Fonts\hlm_____.pfm
e:\windows\Fonts\hlmc____.pfm
e:\windows\Fonts\hlmco___.pfm
e:\windows\Fonts\hlmv____.pfm
e:\windows\Fonts\hlmvo___.pfm
e:\windows\Fonts\hltc____.pfm
e:\windows\Fonts\hltco___.pfm
e:\windows\Fonts\hlti____.pfm
e:\windows\Fonts\hltv____.pfm
e:\windows\Fonts\hluli___.pfm
e:\windows\Fonts\hlv_____.pfm
e:\windows\Fonts\hlvo____.pfm
e:\windows\Fonts\hlzc____.pfm
e:\windows\Fonts\hlzco___.pfm
e:\windows\Fonts\hvc_____.pfm
e:\windows\Fonts\hvek____.pfm
e:\windows\Fonts\hvfr____.pfm
e:\windows\Fonts\hvfrb___.pfm
e:\windows\Fonts\hvk_____.pfm
e:\windows\Fonts\hvl_____.pfm
e:\windows\Fonts\hvlo____.pfm
e:\windows\SxsCaPendDel
e:\windows\system32\21.tmp
e:\windows\system32\3.tmp
e:\windows\system32\3361
e:\windows\system32\3361\a
e:\windows\system32\3361\mlog
e:\windows\system32\43.tmp
e:\windows\system32\51.tmp
e:\windows\system32\55.tmp
e:\windows\system32\57.tmp
e:\windows\system32\acdb.err
e:\windows\system32\AutoRun.inf
e:\windows\system32\C.tmp
e:\windows\system32\D.tmp
e:\windows\system32\dns-sd.exe
e:\windows\system32\dnssd.dll
e:\windows\system32\drivers\cdaudio.sys
e:\windows\system32\re3d.pf
e:\windows\system32\secupdat.dat
e:\windows\system32\wgsbbjhv.dll
e:\windows\Tasks\jojfdeat.job
e:\windows\xlarge_08S.scr
e:\windows\xlarge_08SUninst.exe
E:\x2csvg.exe
G:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DUALCORECENTER
-------\Legacy_PRXZZXEP
-------\Legacy_PYGBCGTBD
-------\Legacy_RUSHTOPDEVICE2
-------\Legacy_TJUYXDZ
-------\Service_AVPsys
-------\Service_DualCoreCenter
-------\Service_ethuyddm
-------\Service_NOD32FiXTemDono
-------\Service_prxzzxep
-------\Service_pygbcgtbd
-------\Service_RushTopDevice2
-------\Service_tjuyxdz


((((((((((((((((((((((((( Files Created from 2009-01-18 to 2009-02-18 )))))))))))))))))))))))))))))))
.

2009-02-18 00:38 . 2009-02-18 00:38 <DIR> d-------- e:\documents and settings\All Users\Application Data\HP Product Assistant
2009-02-17 23:16 . 2009-02-17 23:15 141,048 --------- e:\windows\hpoins14.dat.temp
2009-02-17 23:16 . 2007-09-20 17:56 2,000 --------- e:\windows\hpomdl14.dat.temp
2009-02-17 23:14 . 2009-02-17 23:16 107,437 --a------ e:\windows\hpqins11.dat
2009-02-17 14:37 . 2009-02-18 13:36 <DIR> d-------- e:\windows\system32\CatRoot2
2009-02-15 15:23 . 2009-02-15 15:23 213,376 --a------ e:\windows\system32\drivers\NDIS.sys
2009-02-15 13:13 . 2009-02-15 14:22 250 --a------ e:\windows\gmer.ini
2009-02-15 02:18 . 2009-02-15 02:18 <DIR> d-------- e:\documents and settings\Save or Cancel\Application Data\vlc
2009-02-13 18:15 . 2009-02-15 13:33 1,748 --a------ e:\windows\system32\netsf.inf
2009-02-13 18:15 . 2009-02-15 13:33 695 --a------ e:\windows\system32\netsf_m.inf
2009-02-13 14:43 . 2009-02-13 14:43 213,376 --a--c--- e:\windows\system32\dllcache\ndis.sys
2009-02-13 14:27 . 2009-02-13 14:27 <DIR> d-------- E:\ERDNT
2009-02-13 12:47 . 2009-02-13 12:47 <DIR> d-------- e:\program files\SUPERAntiSpyware
2009-02-13 12:47 . 2009-02-15 23:28 <DIR> d-------- e:\documents and settings\Save or Cancel\Application Data\SUPERAntiSpyware.com
2009-02-13 12:47 . 2009-02-13 12:47 <DIR> d-------- e:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-08 21:16 . 2009-02-08 21:16 0 --a------ e:\windows\system32\AAWService_2009_02_08_21_16_26.dmp
2009-02-06 23:41 . 2009-02-06 23:41 <DIR> d-------- e:\program files\CCleaner
2009-02-06 00:49 . 2009-02-06 00:49 <DIR> d-------- e:\program files\Alwil Software
2009-02-05 22:38 . 2009-02-05 22:38 <DIR> d-------- e:\program files\NetActivator
2009-02-05 21:44 . 2009-02-10 18:25 <DIR> d-------- e:\windows\RegCure
2009-02-05 21:44 . 2009-02-18 13:28 <DIR> d-------- e:\program files\RegCure
2009-02-05 11:35 . 2009-02-07 15:52 2,184 --a------ e:\windows\system32\wpa.dbl
2009-02-04 20:44 . 2009-02-04 20:44 <DIR> d-------- e:\documents and settings\Save or Cancel\Application Data\Malwarebytes
2009-02-04 20:44 . 2009-02-04 20:44 <DIR> d-------- e:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-04 20:44 . 2009-01-14 16:11 38,496 --a------ e:\windows\system32\drivers\mbamswissarmy.sys
2009-02-04 20:44 . 2009-01-14 16:11 15,504 --a------ e:\windows\system32\drivers\mbam.sys
2009-02-04 20:43 . 2009-02-04 20:44 <DIR> d-------- e:\program files\Malwarebytes' Anti-Malware
2009-02-04 20:33 . 2009-02-13 22:19 <DIR> d-------- e:\program files\Lavasoft
2009-02-04 20:33 . 2009-02-13 22:19 <DIR> d-------- e:\documents and settings\All Users\Application Data\Lavasoft
2009-02-04 19:23 . 2009-02-05 14:27 <DIR> d-------- e:\windows\system32\inf
2009-02-04 16:44 . 2009-02-04 19:19 <DIR> d-------- e:\documents and settings\Administrator
2009-02-04 16:07 . 2009-02-04 16:07 32,768 --a------ e:\windows\system32\rer.wa
2009-02-04 16:07 . 2009-02-04 16:07 32,768 --a------ e:\windows\system32\qzhr1.ant
2009-02-04 16:07 . 2009-02-04 16:07 28,672 --a------ e:\windows\system32\do8d.sr
2009-02-04 16:07 . 2009-02-04 16:07 28,672 --a------ e:\windows\system32\dedwf.lp
2009-02-04 16:07 . 2009-02-04 16:07 0 --a------ e:\windows\mqcd.dbt
2009-02-04 16:06 . 2009-02-04 16:06 108,336 --a------ e:\windows\mswinsck.ocx
2009-02-04 12:25 . 2009-02-04 12:25 <DIR> d-------- e:\documents and settings\All Users\Application Data\Simply Super Software
2009-02-04 12:23 . 2009-02-04 12:23 <DIR> d-------- e:\documents and settings\Save or Cancel\Application Data\Thinstall
2009-02-03 21:41 . 2009-02-06 23:39 <DIR> d-------- e:\program files\SpywareBlaster
2009-02-03 21:24 . 2009-02-03 21:24 <DIR> d-------- e:\program files\Trend Micro
2009-02-03 14:32 . 2009-02-03 14:32 <DIR> d-------- e:\program files\Webroot
2009-02-03 14:32 . 2009-02-03 14:32 <DIR> d-------- e:\documents and settings\Save or Cancel\Application Data\Webroot
2009-02-03 14:32 . 2009-02-03 22:54 <DIR> d-------- e:\documents and settings\All Users\Application Data\Webroot
2009-02-01 23:25 . 2009-02-01 23:25 <DIR> d-------- e:\documents and settings\All Users\Application Data\Last.fm
2009-02-01 23:23 . 2009-02-04 00:16 <DIR> d-------- e:\program files\Last.fm
2009-01-31 15:14 . 2009-02-07 21:39 <DIR> d-------- e:\program files\Dropbox
2009-01-31 15:14 . 2009-02-18 13:42 <DIR> d-------- e:\documents and settings\Save or Cancel\Application Data\Dropbox

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-18 11:54 89,594,656 --sha-w e:\windows\system32\drivers\fidbox.dat
2009-02-18 11:42 --------- d-----w e:\documents and settings\Save or Cancel\Application Data\uTorrent
2009-02-18 11:41 1,008,672 --sha-w e:\windows\system32\drivers\fidbox2.dat
2009-02-18 11:40 97,676 --sha-w e:\windows\system32\drivers\fidbox2.idx
2009-02-18 11:40 1,203,800 --sha-w e:\windows\system32\drivers\fidbox.idx
2009-02-18 11:08 --------- d-----w e:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-02-18 11:07 --------- d-----w e:\documents and settings\All Users\Application Data\Google Updater
2009-02-17 22:38 --------- d-----w e:\documents and settings\All Users\Application Data\HP
2009-02-17 20:24 --------- d-----w e:\program files\Mozilla
2009-02-09 18:58 --------- d-----w e:\program files\Sony
2009-02-08 21:26 --------- d-----w e:\program files\MSBuild
2009-02-08 20:50 --------- d---a-w e:\documents and settings\All Users\Application Data\TEMP
2009-02-07 10:44 577,024 ----a-w e:\windows\system32\user32.DLL
2009-02-04 14:24 14,336 ----a-w e:\windows\system32\svchost.exe
2009-02-03 21:01 --------- d-----w e:\program files\FileZilla FTP Client
2009-02-02 08:12 --------- d-----w e:\documents and settings\Save or Cancel\Application Data\FileZilla
2009-02-01 21:25 --------- d-----w e:\program files\iTunes
2009-02-01 11:58 359,040 ----a-w e:\windows\system32\drivers\tcpip.sys
2009-01-27 19:45 --------- d-----w e:\documents and settings\Save or Cancel\Application Data\Publish Providers
2009-01-26 22:26 --------- d-----w e:\program files\Mozilla Thunderbird
2009-01-26 15:16 --------- d-----w e:\documents and settings\Save or Cancel\Application Data\mIRC
2009-01-25 15:07 --------- d-----w e:\program files\mIRC
2009-01-13 12:22 2,516 --sha-w e:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-01-09 21:10 --------- d-----w e:\program files\Google
2009-01-08 09:56 --------- d-----w e:\program files\Bonjour
2009-01-07 13:43 --------- d-----w e:\program files\Microsoft Research
2009-01-07 00:03 --------- d-----w e:\documents and settings\Save or Cancel\Application Data\Autodesk
2009-01-06 22:20 --------- d-----w e:\program files\Common Files\Autodesk Shared
2009-01-06 22:20 --------- d-----w e:\program files\AutoCAD 2007
2009-01-06 22:19 --------- d-----w e:\program files\AnswerWorks 4.0
2009-01-06 22:17 --------- d-----w e:\documents and settings\All Users\Application Data\Autodesk
2009-01-06 22:15 --------- d-----w e:\program files\Autodesk
2008-12-21 11:13 --------- d-----w e:\documents and settings\Save or Cancel\Application Data\Corel
2008-12-21 11:13 --------- d-----w e:\documents and settings\All Users\Application Data\Corel
2008-12-21 00:45 --------- d-----w e:\program files\Common Files\Protexis
2008-12-21 00:42 --------- d-----w e:\program files\Common Files\Corel
2008-12-21 00:40 --------- d-----w e:\program files\Corel
2008-12-15 22:05 410,984 ----a-w e:\windows\system32\deploytk.dll
.

------- Sigcheck -------

2009-02-01 13:58 359040 3bb4b08619c111c7be8bda07aa0de6a2 e:\windows\system32\drivers\tcpip.sys

2009-02-13 14:43 213376 96da25b3aea08612323215ce1497b604 e:\windows\system32\dllcache\ndis.sys
2009-02-15 15:23 213376 96da25b3aea08612323215ce1497b604 e:\windows\system32\drivers\NDIS.sys

2004-08-03 23:56 1049600 c57d7935c6de5ff2bd29bd720838b71d e:\windows\explorer.exe

2004-08-03 23:56 32768 2016ac78ce691baed93bf46d4ebc524c e:\windows\system32\ctfmon.exe

2004-08-03 23:56 75264 80cfeb438763c44c0e04efc52b013dd4 e:\windows\system32\spoolsv.exe

2004-08-03 23:56 41984 2db3975548a650aa0e3a6f94ab21f14c e:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-02-17_14.21.01.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-20 18:02:28 184,320 ----a-w e:\windows\ERDNT\subs\ERDNT.EXE
+ 2005-10-20 18:02:28 163,328 ----a-w e:\windows\ERDNT\subs\ERDNT.EXE
- 2008-10-30 12:33:08 141,048 ----a-w e:\windows\hpoins14.dat
+ 2009-02-17 22:55:45 140,947 ----a-w e:\windows\hpoins14.dat
- 2008-10-30 12:31:14 86,016 ----a-r e:\windows\Installer\{10E1E87C-656C-4D08-86D6-5443D28583BE}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe
+ 2009-02-17 22:47:28 86,016 ----a-r e:\windows\Installer\{10E1E87C-656C-4D08-86D6-5443D28583BE}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe
- 2009-02-17 12:02:44 32,768 ----a-w e:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-18 11:41:23 32,768 ----a-w e:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-17 12:02:44 344,064 ----a-w e:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-18 11:41:23 344,064 ----a-w e:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-17 12:02:44 720,896 ----a-w e:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-18 11:41:23 720,896 ----a-w e:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-02 05:21:54 319,456 ----a-w e:\windows\system32\difxapi.dll
+ 2007-03-08 19:20:45 309,760 ----a-w e:\windows\system32\difxapi.dll
- 2009-02-17 12:02:44 16,384 ----atw e:\windows\Temp\Perflib_Perfdata_414.dat
+ 2009-02-18 11:41:23 16,384 ----atw e:\windows\Temp\Perflib_Perfdata_414.dat
- 2008-10-30 12:30:31 1,230,336 ----a-w e:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.1.0.0_x-ww_b319d8da\msxml4.dll
+ 2009-02-17 22:33:54 1,230,336 ----a-w e:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.1.0.0_x-ww_b319d8da\msxml4.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 09:20 143360 --a------ e:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 09:20 143360 --a------ e:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 09:20 143360 --a------ e:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2007-12-13 21:02 96552 --a------ e:\program files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2004-08-03 32768]
"ISUSPM"="e:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"uTorrent"="e:\program files\uTorrent\uTorrent.exe" [2009-02-11 270128]
"SUPERAntiSpyware"="e:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1850608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2008-12-16 136600]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"Adobe_ID0EYTHM"="e:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1904640]
"NvMediaCenter"="e:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"itype"="e:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="e:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-06 849280]
"NetActivator"="e:\program files\NetActivator\NetActivator.exe" [2008-08-13 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2008-11-04 434176]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"HP Software Update"="e:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 69632]
"nwiz"="nwiz.exe" [2007-06-28 e:\windows\system32\nwiz.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 e:\windows\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-28 e:\windows\RTHDCPL.EXE]

e:\documents and settings\Save or Cancel\Start Menu\Programs\Startup\
Dropbox.lnk - e:\program files\Dropbox\Dropbox.exe [2008-09-26 24096981]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - e:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 11000]
HP Digital Imaging Monitor.lnk - e:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=e:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 11:57 111936 e:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 11:39 507336 e:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-26 23:47 31016 e:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 20:34 69632 e:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-12-13 21:02 1082152 e:\program files\Nero\Nero8\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 18:10 1688872 e:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 e:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 13:21 2213160 e:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 13:57 153136 e:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2007-12-13 21:02 2048808 e:\program files\Nero\Nero8\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
--a------ 2009-02-11 12:23 270128 e:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NeroRegInCDSrv"=2 (0x2)
"Nero BackItUp Scheduler 3"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\uTorrent\\uTorrent.exe"=
"e:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe"=
"e:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"e:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"e:\\Program Files\\Graphisoft\\ArchiCAD 11\\ArchiCAD.exe"=
"e:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"e:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 xfilt;VIA SATA IDE Hot-plug Driver;e:\windows\system32\drivers\xfilt.sys [2006-10-18 17920]
R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R3 SASENUM;SASENUM;e:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;e:\windows\system32\drivers\klim5.sys [2007-12-13 24592]
S3 W2kbhid;KBGear Tablet (USB);e:\windows\system32\drivers\w2kbhid.sys [2008-11-13 23552]
S3 Wtcls2k;Wtcls2k;e:\windows\system32\drivers\wtcls2k.sys [2008-11-13 13824]
S4 NeroRegInCDSrv;Nero Registry InCD Service;e:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [2007-12-13 50984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-02-16 e:\windows\Tasks\Ad-Aware Update (Weekly).job
- e:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-02-12 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-18 e:\windows\Tasks\RegCure Program Check.job
- e:\program files\RegCure\RegCure.exe []

2009-02-05 e:\windows\Tasks\RegCure.job
- e:\program files\RegCure\RegCure.exe []
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local;localhost
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
FF - ProfilePath - e:\documents and settings\Save or Cancel\Application Data\Mozilla\Firefox\Profiles\y89unupt.default\
FF - component: e:\documents and settings\Save or Cancel\Application Data\Mozilla\Firefox\Profiles\y89unupt.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - component: e:\documents and settings\Save or Cancel\Application Data\Mozilla\Firefox\Profiles\y89unupt.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: e:\program files\Google\Google Updater\2.4.1439.6872\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 13:41:58
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(344)
e:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
e:\windows\system32\klogon.dll
e:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\dnsq.dll
e:\windows\system32\WLDAP32.dll

- - - - - - - > 'lsass.exe'(400)
e:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\dnsq.dll
e:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
e:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\fssync.dll

- - - - - - - > 'explorer.exe'(460)
e:\program files\Dropbox\DropboxExt.dll
e:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
e:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\fssync.dll
e:\program files\Nero\Nero8\InCD\NBHShx.dll
e:\program files\Nero\Nero8\InCD\NBHStr.dll
e:\program files\Common Files\Nero\Shared\NL3\AdvrCntr3.dll
e:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\scrchpg.dll
.
------------------------ Other Running Processes ------------------------
.
e:\windows\system32\wintab32.exe
e:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
e:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
e:\program files\Nero\Nero8\InCD\InCDsrv.exe
e:\program files\Java\jre6\bin\jqs.exe
e:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
e:\windows\system32\nvsvc32.exe
e:\program files\Common Files\Protexis\License Service\PsiService_2.exe
e:\windows\system32\rundll32.exe
e:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
e:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
e:\program files\iPod\bin\iPodService.exe
e:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-02-18 14:39:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-18 12:39:33
ComboFix2.txt 2009-02-17 12:30:09
ComboFix3.txt 2009-02-12 22:59:03
ComboFix4.txt 2009-02-08 20:37:57
ComboFix5.txt 2009-02-18 11:36:13

Pre-Run: 10,828,398,592 bytes free
Post-Run: 12,008,128,512 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
579

#9 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:44 PM

Posted 18 February 2009 - 07:46 PM

Hello, NoStatic
Still quite a bit left to do unfortunately :thumbup2:

2009-02-01 13:58 359040 3bb4b08619c111c7be8bda07aa0de6a2 e:\windows\system32\drivers\tcpip.sys

2009-02-13 14:43 213376 96da25b3aea08612323215ce1497b604 e:\windows\system32\dllcache\ndis.sys
2009-02-15 15:23 213376 96da25b3aea08612323215ce1497b604 e:\windows\system32\drivers\NDIS.sys

2004-08-03 23:56 1049600 c57d7935c6de5ff2bd29bd720838b71d e:\windows\explorer.exe

2004-08-03 23:56 32768 2016ac78ce691baed93bf46d4ebc524c e:\windows\system32\ctfmon.exe

2004-08-03 23:56 75264 80cfeb438763c44c0e04efc52b013dd4 e:\windows\system32\spoolsv.exe

2004-08-03 23:56 41984 2db3975548a650aa0e3a6f94ab21f14c e:\windows\system32\userinit.exe


These have been replaced with hacked copies. We need to restore legitimate copies. Do you have your Windows XP disk available?

Just an FYI: RegCure is not a malware diagnostic / disinfection tool. In fact:

Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:

  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done on the assumption that the main audience here on this board may be inexperienced users, and is thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix"; it is up to the user, so just take this as a recommendation from my side.


BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
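To make the step Billy describes checkable, here is an added example in Python; it is not code from this thread, from ComboFix or from BleepingComputer. It parses the Sigcheck lines quoted above (copied verbatim from the log), compares each file's MD5 against a known-good manifest, and flags any name whose dllcache copy carries the same hash as the live copy. Windows File Protection repairs a protected file from system32\dllcache, so when both copies match, as ndis.sys does here, the cache cannot be trusted as a restore source and the installation media is the fallback. The manifest values in KNOWN_GOOD_PLACEHOLDER are assumptions: the genuine XP SP2 hashes are not on this page and must be computed from a trusted copy (md5_of_file is there for that) before the script is used on a real machine.

```python
"""Triage the Sigcheck block of a ComboFix log (added example, not ComboFix code)."""
import hashlib
import re
from collections import defaultdict

# Sigcheck lines copied from the ComboFix log posted in this thread.
SIGCHECK_TEXT = r"""
2009-02-01 13:58 359040 3bb4b08619c111c7be8bda07aa0de6a2 e:\windows\system32\drivers\tcpip.sys
2009-02-13 14:43 213376 96da25b3aea08612323215ce1497b604 e:\windows\system32\dllcache\ndis.sys
2009-02-15 15:23 213376 96da25b3aea08612323215ce1497b604 e:\windows\system32\drivers\NDIS.sys
2004-08-03 23:56 1049600 c57d7935c6de5ff2bd29bd720838b71d e:\windows\explorer.exe
2004-08-03 23:56 32768 2016ac78ce691baed93bf46d4ebc524c e:\windows\system32\ctfmon.exe
2004-08-03 23:56 75264 80cfeb438763c44c0e04efc52b013dd4 e:\windows\system32\spoolsv.exe
2004-08-03 23:56 41984 2db3975548a650aa0e3a6f94ab21f14c e:\windows\system32\userinit.exe
"""

# PLACEHOLDER manifest (assumption): the real MD5s of the genuine XP SP2 files
# are not in the thread. Fill these from a trusted copy (installation media)
# before using this against a real machine; an all-zero placeholder never matches.
KNOWN_GOOD_PLACEHOLDER = {
    "tcpip.sys": "0" * 32,
    "ndis.sys": "0" * 32,
    "explorer.exe": "0" * 32,
}

# One Sigcheck line: date time size md5 path
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) ([0-9a-fA-F]{32}) (.+)$")


def parse_sigcheck(text):
    """Turn Sigcheck lines into dicts; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamp, size, md5, path = m.groups()
            entries.append({"stamp": stamp, "size": int(size),
                            "md5": md5.lower(), "path": path})
    return entries


def basename(path):
    """Case-folded file name, so the dllcache and drivers copies of ndis.sys line up."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_against_manifest(entries, known_good):
    """Paths whose MD5 differs from the trusted manifest (names not in it are ignored)."""
    return [e["path"] for e in entries
            if basename(e["path"]) in known_good
            and e["md5"] != known_good[basename(e["path"])].lower()]


def dllcache_matches_live(entries):
    """Names whose dllcache copy has the same MD5 as the live copy.

    Windows File Protection repairs a protected file from dllcache. If the
    cached copy is identical to a copy already judged bad, the cache cannot
    supply a clean file, and the installation media is the fallback.
    """
    seen = defaultdict(dict)
    for e in entries:
        kind = "cache" if "\\dllcache\\" in e["path"].lower() else "live"
        seen[basename(e["path"])][kind] = e["md5"]
    return sorted(name for name, v in seen.items()
                  if "cache" in v and "live" in v and v["cache"] == v["live"])


def md5_of_file(path, chunk=1 << 20):
    """MD5 of a file on disk, read in chunks; use it to build the manifest from a trusted copy."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    entries = parse_sigcheck(SIGCHECK_TEXT)
    print("parsed", len(entries), "Sigcheck entries")
    for p in check_against_manifest(entries, KNOWN_GOOD_PLACEHOLDER):
        print("MD5 differs from manifest:", p)
    for name in dllcache_matches_live(entries):
        print("dllcache copy identical to live copy, not a clean restore source:", name)
```

Run as-is it only reports ndis.sys as having a dllcache copy identical to the live one; the manifest comparison becomes meaningful once KNOWN_GOOD_PLACEHOLDER is replaced with hashes taken from a copy you trust.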

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:44 PM

Posted 22 February 2009 - 09:09 PM

Hello, NoStatic
Are you still here?

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#11 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:44 PM

Posted 23 February 2009 - 05:21 PM

Hello, NoStatic
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)



