Trend Micro PC-cillin Telling Me It's Checking Out And In Messages When I'm Not Sending Or Receiving


16 replies to this topic

#1 leesteffy

leesteffy

  • Members
  • 16 posts

Posted 21 May 2007 - 02:31 PM

I have a new laptop (3 months old). It uses Trend Micro PC-cillin. Lately it keeps telling me it is scanning incoming or outgoing messages when I'm not sending or receiving (I use Outlook Express). Around the same time, my computer started freezing on me occasionally. Not sure if it is connected, but if it is a sign of something, I'd like to fix it before it becomes a big problem. I'd like to make sure no one has hijacked my computer. Thanks a million for your help. Leesteffy


#2 random/random

random/random

  • Malware Response Team
  • 2,704 posts

Posted 22 May 2007 - 01:47 PM

  • Download HJTsetup.exe from here
  • Double click on HJTsetup.exe to start the install of HijackThis by merijn
  • Click Next>
  • Click Next>
  • Click Next>
  • Select the option to Create a desktop icon
  • Click Next>
  • Click Install
  • Click Finish
  • Click Do a system scan and save a logfile
  • It will produce a log for you, post the contents of that log as a reply to this topic
  • Note: To run HijackThis again in future, double click on the HijackThis shortcut on your desktop


#3 leesteffy

leesteffy
  • Topic Starter

  • Members
  • 16 posts

Posted 22 May 2007 - 04:45 PM

  • Download HJTsetup.exe from here
  • Double click on HJTsetup.exe to start the install of HijackThis by merijn
  • Click Next>
  • Click Next>
  • Click Next>
  • Select the option to Create a desktop icon
  • Click Next>
  • Click Install
  • Click Finish
  • Click Do a system scan and save a logfile
  • It will produce a log for you, post the contents of that log as a reply to this topic
  • Note: To run HijackThis again in future, double click on the HijackThis shortcut on your desktop



#4 leesteffy

leesteffy
  • Topic Starter

  • Members
  • 16 posts

Posted 22 May 2007 - 04:49 PM

Hi, thanks. For some reason I didn't get notified that you responded. Not sure what I did wrong. Today I started to get weird system administrator messages, like this:

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

ljenkins@harrellandharrell.com

This isn't my email address and I didn't send anything with this address.


Logfile of HijackThis v1.99.1
Scan saved at 5:40:21 PM, on 5/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OE.exe
c:\progra~1\common~1\instal~1\update~1\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070303
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070303
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\lee\Application Data\Mozilla\Firefox\Profiles\41nftdkr.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\lee\Application Data\Mozilla\Firefox\Profiles/41nftdkr.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
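An added example, not part of this thread or of HijackThis itself: a small Python parser for the HijackThis log format posted above, with a few defender-side triage checks an analyst applies when reading such a log (bare filenames that are resolved through the search path, 8.3 short paths that hide the real folder name, programs living under a user profile folder, AppInit_DLLs entries, and services with no publisher information). The sample input is constructed in the same shape as the log in this thread; the Firefox profile name `abc.default` is a placeholder, and the `Entry`, `parse_hjt`, `extract_path` and `triage` names are this example's own. A hit is a prompt to verify the entry, not a verdict.

```python
"""Added example: parse HijackThis-style log lines and flag entries that deserve a second look."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input in the HijackThis log style (entry shapes mirror the thread's log;
# the Firefox profile name "abc.default" is a placeholder).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\lee\Application Data\Mozilla\Firefox\Profiles\abc.default\extensions\ffti.exe /VERYSILENT
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
"""


@dataclass
class Entry:
    section: str  # HijackThis section code, e.g. "O4" or "O23"
    raw: str      # the original log line
    name: str     # friendly name where the section format carries one
    path: str     # program/DLL path as written in the log (may be a bare filename)


_SECTION_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<rest>.*)$")
_O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[^}]*\}) - (?P<path>.+)$")
_O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
_O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
_EXT = r"\.(?:exe|dll|scr|com|bat|cmd|sys)"
_QUOTED_RE = re.compile(r'^"([^"]+)"')                       # "C:\path with spaces\x.exe" args
_DRIVE_RE = re.compile(r"([A-Za-z]:\\.*?" + _EXT + r")", re.IGNORECASE)  # unquoted C:\... path
_BARE_RE = re.compile(r"(\S+?" + _EXT + r")", re.IGNORECASE)             # bare filename


def extract_path(cmd: str) -> str:
    """Return the program path from a command string: a leading quoted path, an
    unquoted path with spaces (anchored at the drive letter), or a bare filename."""
    cmd = cmd.strip()
    m = _QUOTED_RE.match(cmd) or _DRIVE_RE.search(cmd) or _BARE_RE.search(cmd)
    return m.group(1) if m else ""


def parse_hjt(text: str) -> list[Entry]:
    """Parse the R/F/N/O lines of a HijackThis log; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = _SECTION_RE.match(line)
        if not m:
            continue
        section, rest = m.group("section"), m.group("rest")
        name, path = "", ""
        if section == "O4" and (m4 := _O4_RE.match(line)):
            name, path = m4.group("name"), extract_path(m4.group("cmd"))
        elif section == "O23" and (m23 := _O23_RE.match(line)):
            name, path = m23.group("name"), extract_path(m23.group("path"))
        elif section == "O2" and (m2 := _O2_RE.match(line)):
            name, path = m2.group("name"), extract_path(m2.group("path"))
        else:
            # Other sections: the path, if any, follows the last " - " or ": " separator.
            path = extract_path(rest.rsplit(" - ", 1)[-1].split(": ", 1)[-1])
        entries.append(Entry(section, line, name, path))
    return entries


PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def triage(entries: list[Entry]) -> list[tuple[str, Entry]]:
    """Apply a few analyst checks; each hit is (reason, entry) and is a prompt to verify."""
    findings = []
    for e in entries:
        if not e.path:
            continue  # registry values and lines without a program path
        low = e.path.lower()
        if "\\" not in e.path:
            findings.append(("bare filename, resolved via the search path; confirm which file runs", e))
        if "~" in e.path:
            findings.append(("8.3 short path; expand it to see the real folder name", e))
        if any(d in low for d in PROFILE_DIRS):
            findings.append(("program under a user profile folder rather than Program Files or Windows", e))
        if e.section == "O20" and e.raw.startswith("O20 - AppInit_DLLs"):
            findings.append(("AppInit_DLLs entry, loaded into every process that loads user32.dll", e))
        if e.section == "O23" and "unknown owner" in e.raw.lower():
            findings.append(("service binary carries no publisher information", e))
    return findings


if __name__ == "__main__":
    for reason, e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{e.section:<4} {e.name or e.path}: {reason}")
```

On the sample input the checks flag the two bare filenames, the RunOnce entry under Application Data, the 8.3-style AppInit_DLLs value, and the service without a publisher; the fully qualified Program Files entries pass untouched, which is the point of reading such a log by location and provenance rather than by name alone.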

#5 random/random

random/random

  • Malware Response Team
  • 2,704 posts

Posted 23 May 2007 - 05:38 AM

  • Download GMER by GMER from here
  • Unzip it to a folder on your desktop
  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver load
  • If it warns you about rootkit activity and asks if you want to run scan, click OK
  • If you don't get a warning then
    • Click the rootkit tab
    • Click Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerrk.txt
  • Click on the >>> tab
  • This will open up the rest of the tabs for you
  • Click on the Autostart tab
  • Click on Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerautos.txt
  • Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic


#6 leesteffy

leesteffy
  • Topic Starter

  • Members
  • 16 posts

Posted 23 May 2007 - 09:15 AM

I'm glad one of us knows what they are doing! I followed your instructions but things didn't work out as they were supposed to (as you said they would). First, none of this happened:

  • If asked, allow the gmer.sys driver load
  • If it warns you about rootkit activity and asks if you want to run scan, click OK
  • If you don't get a warning then
    • Click the rootkit tab
    • Click Scan

The only choice I had when unzipped was to scan (I went back and looked and it already was in the rootkit tab). When I finished I copied, and it told me to press Ctrl+V to paste it to my fav application, but I must not have notepad or else something is wrong, because Ctrl+V did nothing. So I pasted it to Word. And then copied it as instructed to desktop. But from there none of the instructions worked (maybe because I was using Word?). Anyway, I ran the scan again and got a totally different result the second time. Pasted below are the two scans. Sorry if I seem like a computer dunce! I tried to follow the instructions exactly.

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-05-23 09:45:36
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\DRIVERS\update.sys

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3928] kernel32.dll!SetUnhandledExceptionFilter 7C84479D 5 Bytes JMP 32605375 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE B9F67C8A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE B9F647C8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ B9F6060A
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE B9F60AED
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION B9F6B958
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION B9F6E821
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA B9F7738A
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA B9F76D49
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS B9F70BBE
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION B9F71331
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION B9F7F4F4
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL B9F67B37
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL B9F63948
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL B9F6D46B
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN B9F7E79D
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL B9F7DC4A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP B9F642FD
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP B9F7E1DB
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible B9F791F9
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [EC1F5912] DLAIFS_M.SYS

---- EOF - GMER 1.0.12 ----



GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-05-23 09:56:38
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\DRIVERS\update.sys

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [EC1F5912] DLAIFS_M.SYS

---- EOF - GMER 1.0.12 ----

#7 random/random

random/random

  • Malware Response Team
  • 2,704 posts

Posted 23 May 2007 - 11:04 AM

You need to open notepad up first, and then use ctrl+v to paste the log in

You've posted gmerrk.txt, but I still need gmerautos.txt

#8 leesteffy

leesteffy
  • Topic Starter

  • Members
  • 16 posts

Posted 23 May 2007 - 09:20 PM

GMER 1.0.12.12244 - http://www.gmer.net
Autostart scan 2007-05-23 22:11:40
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
AtiExtEvent@DLLName = Ati2evxx.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
ehRecvr /*Media Center Receiver Service*/@ = C:\WINDOWS\eHome\ehRecvr.exe
ehSched /*Media Center Scheduler Service*/@ = C:\WINDOWS\eHome\ehSched.exe
Fax /*Fax*/@ = %systemroot%\system32\fxssvc.exe
McrdSvc /*Media Center Extender Service*/@ = C:\WINDOWS\ehome\mcrdsvc.exe
MDM /*Machine Debug Manager*/@ = "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
NICCONFIGSVC /*NICCONFIGSVC*/@ = C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
PcCtlCom /*Trend Micro Central Control Component*/@ = C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
Tmntsrv /*Trend Micro Real-time Service*/@ = C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
TmPfw /*Trend Micro Personal Firewall*/@ = C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
tmproxy /*Trend Micro Proxy Service*/@ = C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
wltrysvc /*Dell Wireless WLAN Tray Service*/@ = %SystemRoot%\System32\WLTRYSVC.EXE %SystemRoot%\System32\bcmwltry.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ehTrayC:\WINDOWS\ehome\ehtray.exe = C:\WINDOWS\ehome\ehtray.exe
@ATICCC"C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" = "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
@SynTPEnhC:\Program Files\Synaptics\SynTP\SynTPEnh.exe = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
@Dell QuickSetC:\Program Files\Dell\QuickSet\quickset.exe = C:\Program Files\Dell\QuickSet\quickset.exe
@Broadcom Wireless Manager UIC:\WINDOWS\system32\WLTRAY.exe = C:\WINDOWS\system32\WLTRAY.exe
@SigmatelSysTrayAppstsystra.exe = stsystra.exe
@DVDLauncher"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" = "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
@pccguide.exe"C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" = "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
@DLAC:\WINDOWS\System32\DLA\DLACTRLW.EXE = C:\WINDOWS\System32\DLA\DLACTRLW.EXE
@ISUSPM StartupC:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup = C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
@ISUSScheduler"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
@Google Desktop Search"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup = "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
@Samsung Common SM"C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun = "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
@QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime
@Kernel and Hardware Abstraction LayerKHALMNPR.EXE = KHALMNPR.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ModemOnHoldC:\Program Files\NetWaiting\netWaiting.exe = C:\Program Files\NetWaiting\netWaiting.exe
@OE_OEM"C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" = "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
@DellSupport"C:\Program Files\Dell Support\DSAgnt.exe" /startup = "C:\Program Files\Dell Support\DSAgnt.exe" /startup
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@swgC:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe = C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
@MSMSGS"C:\Program Files\Messenger\msmsgs.exe" /background = "C:\Program Files\Messenger\msmsgs.exe" /background
@Skype"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized = "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
RunOnce@FFTI = C:\Documents and Settings\lee\Application Data\Mozilla\Firefox\Profiles\41nftdkr.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\lee\Application Data\Mozilla\Firefox\Profiles/41nftdkr.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}" /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{2F603045-309F-11CF-9774-0020AFD0CFF6} /*Synaptics Control Panel*/C:\Program Files\Synaptics\SynTP\SynTPCpl.dll = C:\Program Files\Synaptics\SynTP\SynTPCpl.dll
@{48F45200-91E6-11CE-8A4F-0080C81A28D4} /*TMD Shell Extension*/C:\Program Files\Trend Micro\Internet Security 12\Tmdshell.dll = C:\Program Files\Trend Micro\Internet Security 12\Tmdshell.dll
@{771A9DA0-731A-11CE-993C-00AA004ADB6C} /*VBPropSheet*/C:\Program Files\Trend Micro\Internet Security 12\VBProp.dll = C:\Program Files\Trend Micro\Internet Security 12\VBProp.dll
@{5CA3D70E-1895-11CF-8E15-001234567890} /*DriveLetterAccess*/C:\WINDOWS\System32\DLA\DLASHX_W.DLL = C:\WINDOWS\System32\DLA\DLASHX_W.DLL
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL = C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MI1933~1\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MI1933~1\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MI1933~1\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MI1933~1\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office12\msohevi.dll = C:\Program Files\Microsoft Office\Office12\msohevi.dll
@{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} /*Microsoft Office OneNote Namespace Extension for Windows Desktop Search*/C:\PROGRA~1\MI1933~1\Office12\ONFILTER.DLL = C:\PROGRA~1\MI1933~1\Office12\ONFILTER.DLL
@{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} /*Microsoft Office Metadata Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} /*Microsoft Office Thumbnail Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C} /*Logitech Setpoint Extension*/C:\Program Files\Logitech\SetPoint\kbcplext.dll = C:\Program Files\Logitech\SetPoint\kbcplext.dll
@{B9B9F083-2B04-452A-8691-83694AC1037B} /*Logitech Setpoint Extension*/C:\Program Files\Logitech\SetPoint\mcplext.dll = C:\Program Files\Logitech\SetPoint\mcplext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{48F45200-91E6-11CE-8A4F-0080C81A28D4} = C:\Program Files\Trend Micro\Internet Security 12\Tmdshell.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{48F45200-91E6-11CE-8A4F-0080C81A28D4} = C:\Program Files\Trend Micro\Internet Security 12\Tmdshell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{5CA3D70E-1895-11CF-8E15-001234567890}C:\WINDOWS\System32\DLA\DLASHX_W.DLL = C:\WINDOWS\System32\DLA\DLASHX_W.DLL
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\program files\google\googletoolbar2.dll = c:\program files\google\googletoolbar2.dll
@{CA6319C0-31B7-401E-A518-A07C3DB8F777}C:\Program Files\BAE\BAE.dll = C:\Program Files\BAE\BAE.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.dell.com = http://www.dell.com
@Start Pagehttp://www.dell.com = http://www.dell.com
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLwww.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070303 = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070303
@Start Pagehttp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070303 = http://www.google.com/ig/dell?hl=en&cl...amp;ibd=2070303
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-help@CLSID = C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
skype4com@CLSID = C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\system32\wiascr.dll

C:\Documents and Settings\lee\Start Menu\Programs\Startup = OneNote 2007 Screen Clipper and Launcher.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Adobe Reader Speed Launch.lnk = Adobe Reader Speed Launch.lnk
Digital Line Detect.lnk = Digital Line Detect.lnk
Logitech SetPoint.lnk = Logitech SetPoint.lnk

---- EOF - GMER 1.0.12 ----

Sorry, I've never used notepad. Went online to get it and found out it is part of Windows. Had to do a search to find it. It is not anywhere obvious on my computer. Thanks for your help.

#9 random/random

random/random

  • Malware Response Team
  • 2,704 posts

Posted 24 May 2007 - 04:35 AM

Download this tool to your desktop:
http://www.uploads.ejvindh.net/rootchk.exe
Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread.

Notice: Some security programs prevent the creation of dummy drivers with certain names. This may cause false positives. If the log of rootchk contains a lot of hidden drivers, you may want to turn off your security programs while rootchk is scanning (you should then unhook your network connection as well).

#10 leesteffy

leesteffy
  • Topic Starter

  • Members
  • 16 posts

Posted 24 May 2007 - 10:25 AM

********************************* ROOTCHK-(21-05-07)-LOG, by ejvindh
Thu 05/24/2007 11:15:11.98

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end


catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-24 11:15:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

#11 random/random

random/random

  • Malware Response Team
  • 2,704 posts

Posted 24 May 2007 - 10:41 AM

  • Download WinPFind by OldTimer here
  • Double click on winpfind.exe to extract it
  • Click extract
  • Wait for the message "All files have been extracted" and then click OK
  • This will create the folder winPFind on your desktop
  • Inside that folder is a file called WinPFind.exe
  • Double click on that file to launch WinPFind
  • This will launch a configuration screen
    • Under Driver Services change the selection to Non-Microsoft
    • Under File Created Within change the selection to 60 days
    • Leave the other settings as they are
  • Click Run Scan
  • During the scan WinPFind may appear to be not responding, this is normal
  • Wait for the scan to finish, this may take several minutes
  • A notepad window will open with WinPFind's log.
  • Copy and paste the contents of that window here.
  • Note: You may need several posts to post the entire log, or it might get cut off
Go here to run an online scanner from Kaspersky.
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. After reading the contents, press "Accept".
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log as "KAV.txt" to the desktop.
Post back with the winpfind log, the kaspersky log and a new HijackThis log

#12 leesteffy

leesteffy
  • Topic Starter

  • Members
  • 16 posts

Posted 24 May 2007 - 12:43 PM

WinPFind logfile created on: 5/24/2007 1:34:17 PM
WinPFind by OldTimer - v2.0.3 Folder = C:\Documents and Settings\lee\Desktop\WinPFind\

Windows OS and Versions

Product Name: Microsoft Windows XP Service Pack 2 | Version: 5.1.2600
Internet Explorer Version: 6.0.2900.2180

Memory/Drive Info

893.98 Mb Total Physical Memory | 285.40 Mb Available Physical Memory | 31.92% Memory free
2.12 Gb Paging File | 1.63 Gb Available in Paging File | 77.03% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 51.19 Gb Total Space | 32.21 Gb Free Space | 62.92% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: LEESTEFFY
Current User Name: lee
Logged in as Administrator.
Current Boot Mode: Normal

Running Processes (Non-Microsoft)

C:\Documents and Settings\lee\Desktop\WinPFind\WinPFind.exe (OldTimer Tools)
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe (ATI Technologies Inc.)
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe (ATI Technologies Inc.)
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.exe (Logitech Inc.)
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)
C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe (Dell Inc.)
C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe ()
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe ()
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe ()
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (Google Inc.)
C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech Inc.)
C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
C:\Program Files\Skype\Plugin Manager\skypePM.exe (Skype Technologies)
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe (Trend Micro Incorporated.)
C:\Program Files\Trend Micro\Internet Security 12\PcCtlCom.exe (Trend Micro Incorporated.)
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
C:\Program Files\Trend Micro\Internet Security 12\Tmntsrv.exe (Trend Micro Incorporated.)
C:\Program Files\Trend Micro\Internet Security 12\TmPfw.exe (Trend Micro Inc.)
C:\Program Files\Trend Micro\Internet Security 12\tmproxy.exe (Trend Micro Inc.)
C:\WINDOWS\Samsung\ComSMMgr\SSMMgr.exe (Samsung Electronics.)
C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.)
C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.)
C:\WINDOWS\system32\BCMWLTRY.EXE (Dell Inc.)
C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
C:\WINDOWS\system32\WLTRAY.EXE (Dell Inc.)
C:\WINDOWS\system32\WLTRYSVC.EXE ()

Win32 Services (Non-Microsoft)

(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running]
= C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.)

(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped]
= C:\WINDOWS\system32\dmadmin.exe (Microsoft Corp., Veritas Software)

(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped]
= C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)

(Macromedia Licensing Service) Macromedia Licensing Service [Win32_Own | On_Demand | Stopped]
= C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe ()

(NICCONFIGSVC) NICCONFIGSVC [Win32_Own | Auto | Running]
= C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe (Dell Inc.)

(PcCtlCom) Trend Micro Central Control Component [Win32_Own | Auto | Running]
= C:\Program Files\Trend Micro\Internet Security 12\PcCtlCom.exe (Trend Micro Incorporated.)

(Tmntsrv) Trend Micro Real-time Service [Win32_Own | Auto | Running]
= C:\Program Files\Trend Micro\Internet Security 12\Tmntsrv.exe (Trend Micro Incorporated.)

(TmPfw) Trend Micro Personal Firewall [Win32_Own | Auto | Running]
= C:\Program Files\Trend Micro\Internet Security 12\TmPfw.exe (Trend Micro Inc.)

(tmproxy) Trend Micro Proxy Service [Win32_Own | Auto | Running]
= C:\Program Files\Trend Micro\Internet Security 12\tmproxy.exe (Trend Micro Inc.)

(wltrysvc) Dell Wireless WLAN Tray Service [Win32_Own | Auto | Running]
= C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe (File not found)

Driver Services (Non-Microsoft)

(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped]
= (File not found)

(AliIde) AliIde [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\aliide.sys (Acer Laboratories Inc.)

(amdagp) AMD AGP Bus Filter Driver [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\AMDAGP.SYS (Advanced Micro Devices, Inc.)

(AmdK8) AMD Processor Driver [Kernel | System | Running]
= C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)

(APPDRV) APPDRV [Kernel | System | Running]
= C:\WINDOWS\system32\drivers\APPDRV.SYS (Dell Inc)

(asc) asc [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\asc.sys (Advanced System Products, Inc.)

(asc3550) asc3550 [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\asc3550.sys (Advanced System Products, Inc.)

(Atdisk) Atdisk [Kernel | Disabled | Stopped]
= (File not found)

(ati2mtag) ati2mtag [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)

(BCM43XX) Dell Wireless WLAN Card Driver [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)

(bcm4sbxp) Broadcom 440x 10/100 Integrated Controller XP Driver [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)

(Changer) Changer [Kernel | System | Stopped]
= (File not found)

(CmdIde) CmdIde [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\cmdide.sys (CMD Technology, Inc.)

(dac2w2k) dac2w2k [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\dac2w2k.sys (Mylex Corporation)

(DgiVecp) Team MFP Comm Driver [Kernel | Auto | Stopped]
= C:\WINDOWS\system32\drivers\DGIVECP.SYS (DeviceGuys, Inc.)

(DLABOIOM) DLABOIOM [File_System | Auto | Running]
= C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Sonic Solutions)

(DLACDBHM) DLACDBHM [File_System | System | Running]
= C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Sonic Solutions)

(DLADResN) DLADResN [File_System | Auto | Running]
= C:\WINDOWS\system32\DLA\DLADResN.SYS (Sonic Solutions)

(DLAIFS_M) DLAIFS_M [File_System | Auto | Running]
= C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Sonic Solutions)

(DLAOPIOM) DLAOPIOM [File_System | Auto | Running]
= C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Sonic Solutions)

(DLAPoolM) DLAPoolM [File_System | Auto | Running]
= C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Sonic Solutions)

(DLARTL_N) DLARTL_N [File_System | System | Running]
= C:\WINDOWS\system32\drivers\DLARTL_N.SYS (Sonic Solutions)

(DLAUDFAM) DLAUDFAM [File_System | Auto | Running]
= C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Sonic Solutions)

(DLAUDF_M) DLAUDF_M [File_System | Auto | Running]
= C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Sonic Solutions)

(dmboot) dmboot [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\dmboot.sys (Microsoft Corp., Veritas Software)

(dmio) Logical Disk Manager Driver [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\dmio.sys (Microsoft Corp., Veritas Software)

(dmload) dmload [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\dmload.sys (Microsoft Corp., Veritas Software.)

(DRVMCDB) DRVMCDB [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\DRVMCDB.SYS (Sonic Solutions)

(DRVNDDM) DRVNDDM [File_System | Auto | Running]
= C:\WINDOWS\system32\drivers\DRVNDDM.SYS (Sonic Solutions)

(DSproct) DSproct [Kernel | On_Demand | Running]
= C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys (GTek Technologies Ltd.)

(E100B) Intel® PRO Adapter Driver [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\e100b325.sys (Intel Corporation)

(gmer) gmer [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\gmer.sys (GMER)

(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\Hdaudbus.sys (Windows ® Server 2003 DDK provider)

(HSF_DPV) HSF_DPV [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\HSX_DPV.sys (Conexant Systems, Inc.)

(HSXHWAZL) HSXHWAZL [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\HSXHWAZL.sys (Conexant Systems, Inc.)

(lbrtfdc) lbrtfdc [Kernel | System | Stopped]
= (File not found)

(LHidFilt) Logitech SetPoint KMDF HID Filter Driver [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\LHidFilt.Sys (Logitech, Inc.)

(LMouFilt) Logitech SetPoint KMDF Mouse Filter Driver [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\LMouFilt.Sys (Logitech, Inc.)

(mdmxsdk) mdmxsdk [Kernel | Auto | Running]
= C:\WINDOWS\system32\drivers\mdmxsdk.sys (Conexant)

(mraid35x) mraid35x [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\mraid35x.sys (American Megatrends Inc.)

(nv) nv [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)

(PCIDump) PCIDump [Kernel | System | Stopped]
= (File not found)

(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped]
= (File not found)

(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped]
= (File not found)

(PDRELI) PDRELI [Kernel | On_Demand | Stopped]
= (File not found)

(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped]
= (File not found)

(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)

(PxHelp20) PxHelp20 [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\pxhelp20.sys (Sonic Solutions)

(ql1080) ql1080 [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\ql1080.sys (QLogic Corporation)

(ql12160) ql12160 [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\ql12160.sys (QLogic Corporation)

(ql1280) ql1280 [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\ql1280.sys (QLogic Corporation)

(rimmptsk) rimmptsk [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\rimmptsk.sys (REDC)

(Secdrv) Secdrv [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\secdrv.sys ()

(Simbad) Simbad [Kernel | Disabled | Stopped]
= (File not found)

(sisagp) SIS AGP Bus Filter [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\SISAGP.SYS (Silicon Integrated Systems Corporation)

(Sparrow) Sparrow [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\sparrow.sys (Adaptec, Inc.)

(STHDA) SigmaTel High Definition Audio CODEC [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)

(symc810) symc810 [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\symc810.sys (Symbios Logic Inc.)

(symc8xx) symc8xx [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\symc8xx.sys (LSI Logic)

(sym_hi) sym_hi [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\sym_hi.sys (LSI Logic)

(sym_u3) sym_u3 [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\sym_u3.sys (LSI Logic)

(SynTP) Synaptics TouchPad Driver [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.)

(Tmfilter) Tmfilter [Kernel | Auto | Running]
= C:\WINDOWS\system32\drivers\tmxpflt.sys (Trend Micro Inc.)

(Tmpreflt) Tmpreflt [Kernel | Auto | Running]
= C:\WINDOWS\system32\drivers\tmpreflt.sys (Trend Micro Inc.)

(tmtdi) Trend Micro TDI Driver [Kernel | System | Running]
= C:\WINDOWS\system32\drivers\tmtdi.sys (Trend Micro Inc.)

(tm_cfw) Common Firewall Driver [Kernel | Auto | Running]
= C:\WINDOWS\system32\drivers\TM_CFW.sys (Trend Micro Inc.)

(ultra) ultra [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\ultra.sys (Promise Technology, Inc.)

(Vsapint) Vsapint [Kernel | Auto | Running]
= C:\WINDOWS\system32\drivers\VsapiNT.sys (Trend Micro Inc.)

(wanatw) WAN Miniport (ATW) [Kernel | On_Demand | Stopped]
= system32\DRIVERS\wanatw4.sys (File not found)

(WDICA) WDICA [Kernel | On_Demand | Stopped]
= (File not found)

(winachsf) winachsf [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\HSX_CNXT.sys (Conexant Systems, Inc.)

Registry Items (Non-Microsoft)

>>>>> Run Keys and Auto-Start Folders <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ATICCC = C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
Broadcom Wireless Manager UI = C:\WINDOWS\system32\WLTRAY.EXE (Dell Inc.)
Dell QuickSet = C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
DLA = C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
DVDLauncher = C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)
Google Desktop Search = C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe ()
ISUSPM Startup = C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
ISUSScheduler = C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
Kernel and Hardware Abstraction Layer = C:\WINDOWS\KHALMNPR.Exe (Logitech Inc.)
pccguide.exe = C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe (Trend Micro Incorporated.)
QuickTime Task = C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
Samsung Common SM = C:\WINDOWS\Samsung\ComSMMgr\SSMMgr.exe (Samsung Electronics.)
SigmatelSysTrayApp = C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
DellSupport = C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)
ModemOnHold = C:\Program Files\NetWaiting\netWaiting.exe ()
OE_OEM = C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
Skype = C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
swg = C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (Google Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
FFTI = B13721C7-F507-4982-B2E5-502A71474FED}" (File not found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
Installed = 1

< Common Startup Folder = C:\Documents and Settings\All Users\Start Menu\Programs\Startup >
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
= C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
= C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
= C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech Inc.)

< User Startup Folder = C:\Documents and Settings\lee\Start Menu\Programs\Startup >
C:\Documents and Settings\lee\Start Menu\Programs\Startup\desktop.ini ()

>>>>> MsConfig Disabled Items <<<<<

>>>>> Disabled Startup Folder Items <<<<<

>>>>> Items Started Through Miscellaneous Registry Keys <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]
C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll ()

>>>>> Winlogon Keys <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
DllName = C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.)

>>>>> HOSTS File <<<<<

HOSTS file found at: C:\WINDOWS\System32\drivers\etc\Hosts (Size: 734 bytes | Modified Date: 8/10/2004 7:00:00 AM)
127.0.0.1 localhost

>>>>> Desktop Components <<<<<

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
FriendlyName = My Current Home Page
Source = About:Home
SubscribedURL = About:Home

>>>>> Internet Explorer Settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Page_URL = http://www.dell.com
Default_Search_URL = http://www.google.com/ie
Local Page = %SystemRoot%\system32\blank.htm
Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
Start Page = http://www.dell.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
Default_Search_URL = http://www.google.com/ie
SearchAssistant = http://www.google.com/ie

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070303
Local Page = C:\WINDOWS\system32\blank.htm
Search Bar = http://www.google.com/ie
Search Page = http://www.google.com
Start Page = http://www.google.com/ig/dell?hl=en&cl...amp;ibd=2070303

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
SearchAssistant = http://www.google.com/ie


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0

>>>>> Browser Helper Objects <<<<<

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
- Adobe PDF Reader Link Helper ( HKLM = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
- DriveLetterAccess ( HKLM = C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
- SSVHelper Class ( HKLM = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
- Google Toolbar Helper ( HKLM = c:\program files\Google\googletoolbar2.dll (Google Inc.) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
- CBrowserHelperObject Object ( HKLM = C:\Program Files\BAE\BAE.dll (Dell Inc.) )

>>>>> HKLM Internet Explorer Bars <<<<<

>>>>> HKLM Internet Explorer ToolBars <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google ( HKLM = c:\program files\Google\googletoolbar2.dll (Google Inc.) )

>>>>> HKCU Internet Explorer ToolBars <<<<<

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ToolBar\WebBrowser]
{2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google ( HKLM = c:\program files\Google\googletoolbar2.dll (Google Inc.) )

>>>>> HKCU Internet Explorer CmdMapping <<<<<

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} = 8192 - Reg Data - Value does not exist ( HKLM = Reg Data - Key not found (File not found) )
{2670000A-7350-4f3c-8081-5663EE0C6C49} = 8196 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{92780B25-18CC-41C8-B9BE-3C9C571A8263} = 8193 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} = 8194 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{FB5F1910-F110-11d2-BB9E-00C04F795683} = 8195 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
NextId = 8197

>>>>> HKLM Internet Explorer Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}]
MenuText = Sun Java Console
ClsidExtension = {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - Java Plug-in 1.5.0_06 ( HKLM C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc.) )
ClsidExtension = {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - Java Plug-in 1.5.0_06 ( HKCU C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}]
ButtonText = Send to OneNote
MenuText = S&end to OneNote
ClsidExtension = {48E73304-E1D6-4330-914C-F5F514E3486C} - Send to OneNote from Internet Explorer button ( HKLM C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}]
ButtonText = Research

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}]
ButtonText = Real.com

>>>>> HKCU Internet Explorer Menu Extensions <<<<<

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel]
@ = 000 (File not found)

>>>>> HKLM Internet Explorer Plugins Extensions <<<<<

>>>>> HKLM Approved Shell Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} = Shell Autoplay for Slideshow ( HKLM = Reg Data - Key not found (File not found) )
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = Taskbar and Start Menu ( HKLM = Reg Data - Key not found (File not found) )
{2F603045-309F-11CF-9774-0020AFD0CFF6} = Synaptics Control Panel ( HKLM = C:\Program Files\Synaptics\SynTP\SynTPCpl.dll (Synaptics, Inc.) )
{42071714-76d4-11d1-8b24-00a0c9068ff3} = Display Panning CPL Extension ( HKLM = deskpan.dll (File not found) )
{48F45200-91E6-11CE-8A4F-0080C81A28D4} = TMD Shell Extension ( HKLM = C:\Program Files\Trend Micro\Internet Security 12\Tmdshell.dll (Trend Micro Incorporated.) )
{5CA3D70E-1895-11CF-8E15-001234567890} = DriveLetterAccess ( HKLM = C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions) )
{764BF0E1-F219-11ce-972D-00AA00A14F56} = Shell extensions for file compression ( CLSID not found! )
{771A9DA0-731A-11CE-993C-00AA004ADB6C} = VBPropSheet ( HKLM = C:\Program Files\Trend Micro\Internet Security 12\VBProp.dll (Trend Micro Incorporated.) )
{7A9D77BD-5403-11d2-8785-2E0420524153} = User Accounts ( HKLM = Reg Data - Key not found (File not found) )
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} = Encryption Context Menu ( CLSID not found! )
{88895560-9AA2-1069-930E-00AA0030EBC8} = HyperTerminal Icon Ext ( HKLM = C:\WINDOWS\system32\hticons.dll (Hilgraeve, Inc.) )
{B9B9F083-2B04-452A-8691-83694AC1037B} = LogiExt Class ( HKLM = C:\Program Files\Logitech\SetPoint\mcplext.dll (Logitech Inc.) )
{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C} = KbLogiExt Class ( HKLM = C:\Program Files\Logitech\SetPoint\kbcplext.dll (Logitech Inc.) )

>>>>> HKCU Approved Shell Extensions <<<<<

>>>>> Context Menu Handlers / Column Handlers <<<<<

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}]
- TMD Shell Extension ( HKLM = C:\Program Files\Trend Micro\Internet Security 12\Tmdshell.dll (Trend Micro Incorporated.) )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers\ACE]
@ = {5E2121EE-0300-11D4-8D3B-444553540000} ( HKLM = Reg Data - Key not found (File not found) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}]
- TMD Shell Extension ( HKLM = C:\Program Files\Trend Micro\Internet Security 12\Tmdshell.dll (Trend Micro Incorporated.) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}]
- PDF Shell Extension ( HKLM = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\pdfshell.dll (Adobe Systems, Inc.) )

>>>>> Policy Keys <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = 1
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 1073741857
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = 32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
dontdisplaylastusername = 0
legalnoticecaption =
legalnoticetext =
shutdownwithoutlogon = 1
undockwithoutlogon = 1
InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.mss (File not found)
InstallTheme = C:\WINDOWS\Resources\Themes\Royale.the (File not found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
NoCDBurning = 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
NoDriveTypeAutoRun = 145

>>>>> Security Providers <<<<<

>>>>> Session Manager Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
BootExecute = autocheck autochk *;
ExcludeFromKnownDlls =


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
ComSpec = %SystemRoot%\system32\cmd.exe ( C:\WINDOWS\system32\cmd.exe (Microsoft Corporation) )
TEMP = %SystemRoot%\TEMP
TMP = %SystemRoot%\TEMP
windir = %SystemRoot%

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\Path]
%SystemRoot%\system32
%SystemRoot%
%SystemRoot%\System32\Wbem
C:\Program Files\ATI Technologies\ATI.ACE\
C:\Program Files\Common Files\Roxio Shared\DLLShared\
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\PATHEXT]
.COM
.EXE
.BAT
.CMD
.VBS
.VBE
.JS
.JSE
.WSF
.WSH

>>>>> WOW Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]
cmdline = %SystemRoot%\system32\ntvdm.exe
wowcmdline = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386

>>>>> User Agent Post Platform <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

>>>>> File Associations <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\]
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.hta [@ = htafile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.html [@ = FirefoxHTML] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found
.pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found
.reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found
.txt [@ = txtfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found
.vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found
.wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found

>>>>> Registry Shell Spawning <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -> "%1" %* (File not found)
batfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

cmdfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -> "%1" %* (File not found)
cmdfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

comfile [open] -> "%1" %* (File not found)

cplfile [cplopen] -> rundll32.exe shell32.dll,Control_RunDLL "%1",%* (Microsoft Corporation)

exefile [open] -> "%1" %* (File not found)

htafile [open] -> C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)

htmlfile [edit] -> "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -> "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -> "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)

http [open] -> C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" -requestPending (Mozilla Corporation)

https [open] -> C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" -requestPending (Mozilla Corporation)

inffile [install] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

inifile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

InternetShortcut [open] -> rundll32.exe shdocvw.dll,OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -> rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

jsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

jsefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

piffile [open] -> "%1" %* (File not found)

regfile [edit] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -> regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -> Reg Data - Key not found
regfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

scrfile [config] -> "%1" (File not found)
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -> "%1" /S (File not found)

txtfile [edit] -> Reg Data - Key not found
txtfile [open] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -> %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)

vbefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

vbsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wsffile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wshfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)

Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 (Microsoft Corporation)

Directory [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -> C:\PROGRA~1\MI1933~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)

Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

>>>>> ActiveX StubPath settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{407408d4-94ed-4d86-ab69-a7f649d112ee}]
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection QuickLaunchShortcut 640 %systemroot%\inf\mcdftreg.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}]
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
StubPath = %SystemRoot%\system32\ie4uinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8b15971b-5355-4c82-8c07-7e181ea07608}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\KB910393]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\EasyCDBlock.inf,PerUserInstall

>>>>> TCP/IP Configuration <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1973C1C7-3C79-4A22-867D-9E79B47DFDED}] ( Dell Wireless 1390 WLAN Mini-Card )
DefaultGateway =
DhcpIPAddress = 169.254.69.193
DhcpServer = 255.255.255.255
DhcpSubnetMask = 255.255.0.0
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
IPAutoconfigurationAddress = 169.254.69.193
NameServer =
SubnetMask = 0.0.0.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{820AD345-20DC-4BA8-AD69-9C1E9ACECD11}] ( Broadcom 440x 10/100 Integrated Controller )
DefaultGateway =
DhcpDefaultGateway = 192.168.0.1;
DhcpIPAddress = 192.168.0.3
DhcpNameServer = 192.168.0.1 216.165.129.157
DhcpServer = 192.168.0.1
DhcpSubnetMask = 255.255.255.0
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
IPAutoconfigurationAddress = 0.0.0.0
NameServer =
SubnetMask = 0.0.0.0;

>>>>> WinSock2 Parameters <<<<<

>>>>> Default Protocols [HKLM] <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@ivt - 1 = Local intranet
file - 3 = Internet
ftp - 3 = Internet
http - 3 = Internet
https - 3 = Internet
shell - 0 = My Computer

>>>>> Protocol Handlers <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\skype4com]
CLSID = {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - ( HKLM = C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies) )

>>>>> Protocol Filters <<<<<

>>>>> Downloaded Program Files <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
INF =

Files / Folders Created Within 60 Days

C:\Documents and Settings\All Users\Application Data\Logitech [Folder | Created Date = 5/18/2007 7:04:15 PM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Skype [Folder | Created Date = 4/16/2007 4:31:04 AM | Attr = ]
C:\Documents and Settings\lee\Application Data\Help [Folder | Created Date = 3/28/2007 2:12:12 PM | Attr = ]
C:\Documents and Settings\lee\Application Data\Logitech [Folder | Created Date = 5/18/2007 7:06:57 PM | Attr = ]
C:\Documents and Settings\lee\Application Data\Skype [Folder | Created Date = 4/16/2007 4:31:30 AM | Attr = ]
C:\Documents and Settings\lee\Application Data\Sun [Folder | Created Date = 3/28/2007 6:07:04 AM | Attr = ]
C:\Documents and Settings\lee\Local Settings\Application Data\Help [Folder | Created Date = 3/28/2007 2:12:12 PM | Attr = ]
C:\Documents and Settings\lee\My Documents\OneNote Notebooks [Folder | Created Date = 5/23/2007 8:56:31 PM | Attr = ]
C:\Documents and Settings\All Users\Desktop\Logitech Mouse and Keyboard Settings.lnk [Ver = | Size = 1681 bytes | Created Date = 5/18/2007 7:06:48 PM | Attr = ]
C:\Documents and Settings\All Users\Desktop\Skype.lnk [Ver = | Size = 692 bytes | Created Date = 4/16/2007 4:31:06 AM | Attr = ]
C:\Documents and Settings\lee\Desktop\gmer(2).zip [Ver = | Size = 495083 bytes | Created Date = 5/23/2007 9:09:12 PM | Attr = ]
C:\Documents and Settings\lee\Desktop\gmer.zip [Ver = | Size = 495083 bytes | Created Date = 5/23/2007 8:40:49 AM | Attr = ]
C:\Documents and Settings\lee\Desktop\GMERrk.txt.docx [Ver = | Size = 11160 bytes | Created Date = 5/23/2007 8:48:38 AM | Attr = ]
C:\Documents and Settings\lee\Desktop\Hijackthis.lnk [Ver = | Size = 650 bytes | Created Date = 5/22/2007 4:39:53 PM | Attr = ]
C:\Documents and Settings\lee\Desktop\HJTsetup(2).exe Soeperman Enterprises Ltd [Ver = | Size = 488144 bytes | Created Date = 5/22/2007 4:38:29 PM | Attr = ]
C:\Documents and Settings\lee\Desktop\HJTsetup.exe Soeperman Enterprises Ltd [Ver = | Size = 488144 bytes | Created Date = 5/22/2007 4:33:56 PM | Attr = ]
C:\Documents and Settings\lee\Desktop\rootchk.exe [Ver = | Size = 154826 bytes | Created Date = 5/24/2007 7:35:29 AM | Attr = ]
C:\Documents and Settings\lee\Desktop\Shockwave_Installer_Slim(2).exe [Ver = | Size = 2608368 bytes | Created Date = 3/28/2007 6:08:53 AM | Attr = ]
C:\Documents and Settings\lee\Desktop\SkypeSetup(2).exe Skype Technologies S.A. [Ver = 3.1.0.1 | Size = 20942920 bytes | Created Date = 4/16/2007 4:30:08 AM | Attr = ]
C:\Documents and Settings\lee\Desktop\WinPFind [Folder | Created Date = 5/24/2007 12:31:52 PM | Attr = ]
C:\Documents and Settings\lee\Desktop\winpfind.exe [Ver = | Size = 267222 bytes | Created Date = 5/24/2007 12:31:36 PM | Attr = ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk [Ver = | Size = 1501 bytes | Created Date = 5/18/2007 7:04:40 PM | Attr = ]
C:\Documents and Settings\lee\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk [Ver = | Size = 947 bytes | Created Date = 5/23/2007 8:56:31 PM | Attr = ]
C:\Program Files\Common Files\Logitech [Folder | Created Date = 5/18/2007 7:04:08 PM | Attr = ]
C:\Program Files\Common Files\Skype [Folder | Created Date = 4/16/2007 4:31:25 AM | Attr = ]
C:\WINDOWS\$NtUninstallKB925902$ [Folder | Created Date = 4/11/2007 2:02:27 AM | Attr = H ]
C:\WINDOWS\$NtUninstallKB927891$ [Folder | Created Date = 5/23/2007 10:03:31 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB930178$ [Folder | Created Date = 4/14/2007 2:02:15 AM | Attr = H ]
C:\WINDOWS\$NtUninstallKB930916$ [Folder | Created Date = 5/10/2007 4:11:24 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB931261$ [Folder | Created Date = 4/14/2007 2:03:21 AM | Attr = H ]
C:\WINDOWS\$NtUninstallKB931768$ [Folder | Created Date = 5/10/2007 4:13:34 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB931784$ [Folder | Created Date = 4/14/2007 2:03:29 AM | Attr = H ]
C:\WINDOWS\$NtUninstallKB932168$ [Folder | Created Date = 4/14/2007 2:02:05 AM | Attr = H ]
C:\WINDOWS\$NtUninstallWdf01005$ [Folder | Created Date = 5/18/2007 7:05:49 PM | Attr = H ]
C:\WINDOWS\gmer.dll [Ver = 1, 0, 12, 12244 | Size = 573503 bytes | Created Date = 5/23/2007 8:35:44 AM | Attr = ]
C:\WINDOWS\gmer.exe [Ver = 1, 0, 12, 12244 | Size = 577536 bytes | Created Date = 5/23/2007 8:35:44 AM | Attr = R ]
C:\WINDOWS\gmer.ini [Ver = | Size = 250 bytes | Created Date = 5/23/2007 8:35:44 AM | Attr = ]
C:\WINDOWS\gmer_uninstall.cmd [Ver = | Size = 80 bytes | Created Date = 5/23/2007 8:35:44 AM | Attr = ]
C:\WINDOWS\KHALMNPR.Exe Logitech Inc. [Ver = 3.30.152 | Size = 101136 bytes | Created Date = 5/18/2007 7:05:05 PM | Attr = ]
C:\WINDOWS\mozver.dat [Ver = | Size = 1168 bytes | Created Date = 3/31/2007 7:43:38 AM | Attr = ]
C:\WINDOWS\QTFont.for [Ver = | Size = 1409 bytes | Created Date = 5/7/2007 1:32:21 PM | Attr = ]
C:\WINDOWS\QTFont.qfn [Ver = | Size = 54156 bytes | Created Date = 5/7/2007 1:32:21 PM | Attr = H ]
C:\WINDOWS\Samsung [Folder | Created Date = 4/2/2007 7:23:35 AM | Attr = ]
C:\WINDOWS\Sun [Folder | Created Date = 3/28/2007 6:07:05 AM | Attr = ]
C:\WINDOWS\Uninstall.ico [Ver = | Size = 766 bytes | Created Date = 4/2/2007 7:24:48 AM | Attr = ]
C:\WINDOWS\System32\appmgmt [Folder | Created Date = 5/3/2007 8:58:11 AM | Attr = ]
C:\WINDOWS\System32\ipgina.dll iPass [Ver = 3, 36, 0, 2 | Size = 73728 bytes | Created Date = 3/28/2007 11:51:53 AM | Attr = ]
C:\WINDOWS\System32\kemutb.dll Logitech Inc. [Ver = 3.30.165 | Size = 163840 bytes | Created Date = 5/18/2007 7:04:49 PM | Attr = ]
C:\WINDOWS\System32\KemUtil.dll Logitech Inc. [Ver = 3.30.165 | Size = 135168 bytes | Created Date = 5/18/2007 7:04:49 PM | Attr = ]
C:\WINDOWS\System32\KemWnd.dll Logitech Inc. [Ver = 3.30.165 | Size = 110592 bytes | Created Date = 5/18/2007 7:04:49 PM | Attr = ]
C:\WINDOWS\System32\KemXML.dll Logitech Inc. [Ver = 3.30.165 | Size = 69632 bytes | Created Date = 5/18/2007 7:04:49 PM | Attr = ]
C:\WINDOWS\System32\SP119.ICO [Ver = | Size = 8478 bytes | Created Date = 4/2/2007 7:23:34 AM | Attr = ]
C:\WINDOWS\System32\SSCoInst.dll SEC [Ver = 0, 9, 0, 0 | Size = 57344 bytes | Created Date = 4/2/2007 7:15:27 AM | Attr = ]
C:\WINDOWS\System32\SSCoInst.exe Samsung Electronics Co., Ltd. [Ver = 1, 0, 0, 3 | Size = 151552 bytes | Created Date = 4/2/2007 7:15:27 AM | Attr = ]
C:\WINDOWS\System32\SSRemove.exe Samsung Electronics Co., Ltd. [Ver = 1, 0, 0, 0 | Size = 208896 bytes | Created Date = 4/2/2007 7:23:35 AM | Attr = ]
C:\WINDOWS\System32\SUGS2LMK.DLL Samsung Electronics. [Ver = 1.1.2.0 | Size = 20622 bytes | Created Date = 4/2/2007 7:15:27 AM | Attr = ]
C:\WINDOWS\System32\SUGS2LMK.SMT [Ver = | Size = 604 bytes | Created Date = 4/2/2007 7:15:27 AM | Attr = ]
C:\WINDOWS\System32\drivers\DGIVECP.SYS DeviceGuys, Inc. [Ver = 1.1.1.30 | Size = 41984 bytes | Created Date = 4/2/2007 7:15:51 AM | Attr = ]
C:\WINDOWS\System32\drivers\gmer.sys GMER [Ver = 1, 0, 12, 3868 | Size = 69905 bytes | Created Date = 5/23/2007 8:35:44 AM | Attr = ]
C:\WINDOWS\System32\drivers\LHidFilt.Sys Logitech, Inc. [Ver = 3.30.152.00 | Size = 34576 bytes | Created Date = 5/18/2007 7:05:05 PM | Attr = ]
C:\WINDOWS\System32\drivers\LMouFilt.Sys Logitech, Inc. [Ver = 3.30.152.00 | Size = 33296 bytes | Created Date = 5/18/2007 7:05:05 PM | Attr = ]
C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf [Ver = | Size = 0 bytes | Created Date = 5/18/2007 7:06:09 PM | Attr = H ]
C:\WINDOWS\System32\drivers\Msft_Kernel_LMouFilt_01005.Wdf [Ver = | Size = 0 bytes | Created Date = 5/18/2007 7:06:12 PM | Attr = H ]

Files / Folders Modified Within 30 Days

C:\hiberfil.sys [Ver = | Size = 937472000 bytes | Modified Date = 5/24/2007 6:38:22 AM | Attr = HS]
C:\Program Files [Folder | Modified Date = 5/22/2007 5:37:22 PM | Attr = R ]
C:\WINDOWS [Folder | Modified Date = 5/24/2007 6:39:16 AM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Logitech [Folder | Modified Date = 5/18/2007 8:04:16 PM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Microsoft Help [Folder | Modified Date = 5/10/2007 5:14:20 PM | Attr = ]
C:\Documents and Settings\lee\Application Data\Logitech [Folder | Modified Date = 5/18/2007 8:06:58 PM | Attr = ]
C:\Documents and Settings\lee\Application Data\Microsoft [Folder | Modified Date = 5/23/2007 9:56:36 PM | Attr = S]
C:\Documents and Settings\lee\Application Data\Skype [Folder | Modified Date = 5/24/2007 1:29:10 PM | Attr = ]
C:\Documents and Settings\lee\Local Settings\Application Data\Microsoft [Folder | Modified Date = 5/23/2007 9:56:32 PM | Attr = ]
C:\Documents and Settings\lee\My Documents\OneNote Notebooks [Folder | Modified Date = 5/23/2007 9:56:34 PM | Attr = ]
C:\Documents and Settings\All Users\Desktop\Logitech Mouse and Keyboard Settings.lnk [Ver = | Size = 1681 bytes | Modified Date = 5/18/2007 8:06:50 PM | Attr = ]
C:\Documents and Settings\lee\Desktop\gmer(2).zip [Ver = | Size = 495083 bytes | Modified Date = 5/23/2007 10:09:04 PM | Attr = ]
C:\Documents and Settings\lee\Desktop\gmer.zip [Ver = | Size = 495083 bytes | Modified Date = 5/23/2007 9:40:34 AM | Attr = ]
C:\Documents and Settings\lee\Desktop\GMERrk.txt.docx [Ver = | Size = 11160 bytes | Modified Date = 5/23/2007 9:48:40 AM | Attr = ]
C:\Documents and Settings\lee\Desktop\Hijackthis.lnk [Ver = | Size = 650 bytes | Modified Date = 5/22/2007 5:39:54 PM | Attr = ]
C:\Documents and Settings\lee\Desktop\HJTsetup(2).exe Soeperman Enterprises Ltd [Ver = | Size = 488144 bytes | Modified Date = 5/22/2007 5:38:22 PM | Attr = ]
C:\Documents and Settings\lee\Desktop\HJTsetup.exe Soeperman Enterprises Ltd [Ver = | Size = 488144 bytes | Modified Date = 5/22/2007 5:33:58 PM | Attr = ]
C:\Documents and Settings\lee\Desktop\Microsoft Office Word 2007.lnk [Ver = | Size = 2515 bytes | Modified Date = 5/23/2007 10:58:16 PM | Attr = ]
C:\Documents and Settings\lee\Desktop\rootchk.exe [Ver = | Size = 154826 bytes | Modified Date = 5/24/2007 8:35:22 AM | Attr = ]
C:\Documents and Settings\lee\Desktop\WinPFind [Folder | Modified Date = 5/24/2007 1:31:54 PM | Attr = ]
C:\Documents and Settings\lee\Desktop\winpfind.exe [Ver = | Size = 267222 bytes | Modified Date = 5/24/2007 1:31:34 PM | Attr = ]
C:\Program Files\Common Files\Logitech [Folder | Modified Date = 5/18/2007 8:05:04 PM | Attr = ]
C:\Program Files\Common Files\Microsoft Shared [Folder | Modified Date = 5/18/2007 8:06:48 PM | Attr = ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk [Ver = | Size = 1501 bytes | Modified Date = 5/18/2007 8:04:42 PM | Attr = ]
C:\Documents and Settings\lee\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk [Ver = | Size = 947 bytes | Modified Date = 5/23/2007 9:56:32 PM | Attr = ]
C:\WINDOWS\$hf_mig$ [Folder | Modified Date = 5/23/2007 11:03:16 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB927891$ [Folder | Modified Date = 5/23/2007 11:03:32 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB930916$ [Folder | Modified Date = 5/10/2007 5:11:28 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB931768$ [Folder | Modified Date = 5/10/2007 5:13:40 PM | Attr = H ]
C:\WINDOWS\$NtUninstallWdf01005$ [Folder | Modified Date = 5/18/2007 8:05:50 PM | Attr = H ]
C:\WINDOWS\bootstat.dat [Ver = | Size = 2048 bytes | Modified Date = 5/24/2007 6:38:26 AM | Attr = S]
C:\WINDOWS\Debug [Folder | Modified Date = 5/10/2007 5:10:28 PM | Attr = ]
C:\WINDOWS\gmer.dll [Ver = 1, 0, 12, 12244 | Size = 573503 bytes | Modified Date = 5/23/2007 9:35:46 AM | Attr = ]
C:\WINDOWS\gmer.ini [Ver = | Size = 250 bytes | Modified Date = 5/23/2007 10:09:40 PM | Attr = ]
C:\WINDOWS\gmer_uninstall.cmd [Ver = | Size = 80 bytes | Modified Date = 5/23/2007 9:35:46 AM | Attr = ]
C:\WINDOWS\Help [Folder | Modified Date = 5/21/2007 9:31:38 AM | Attr = ]
C:\WINDOWS\imsins.BAK [Ver = | Size = 1374 bytes | Modified Date = 5/18/2007 8:06:08 PM | Attr = ]
C:\WINDOWS\inf [Folder | Modified Date = 5/23/2007 11:03:42 PM | Attr = H ]
C:\WINDOWS\Installer [Folder | Modified Date = 5/18/2007 8:06:48 PM | Attr = HS]
C:\WINDOWS\Prefetch [Folder | Modified Date = 5/24/2007 1:31:58 PM | Attr = ]
C:\WINDOWS\QTFont.for [Ver = | Size = 1409 bytes | Modified Date = 5/7/2007 2:32:22 PM | Attr = ]
C:\WINDOWS\QTFont.qfn [Ver = | Size = 54156 bytes | Modified Date = 5/7/2007 2:32:22 PM | Attr = H ]
C:\WINDOWS\Registration [Folder | Modified Date = 5/24/2007 6:38:56 AM | Attr = ]
C:\WINDOWS\system32 [Folder | Modified Date = 5/24/2007 6:38:22 AM | Attr = ]
C:\WINDOWS\Temp [Folder | Modified Date = 5/24/2007 6:44:12 AM | Attr = ]
C:\WINDOWS\win.ini [Ver = | Size = 677 bytes | Modified Date = 5/10/2007 5:12:26 PM | Attr = ]
C:\WINDOWS\WinSxS [Folder | Modified Date = 5/18/2007 8:06:48 PM | Attr = ]
C:\WINDOWS\System32\appmgmt [Folder | Modified Date = 5/3/2007 9:58:12 AM | Attr = ]
C:\WINDOWS\System32\CatRoot2 [Folder | Modified Date = 5/23/2007 9:53:54 PM | Attr = ]
C:\WINDOWS\System32\dllcache [Folder | Modified Date = 5/18/2007 8:05:36 PM | Attr = RHS]
C:\WINDOWS\System32\drivers [Folder | Modified Date = 5/23/2007 9:35:46 AM | Attr = ]
C:\WINDOWS\System32\DRVSTORE [Folder | Modified Date = 5/18/2007 8:05:06 PM | Attr = ]
C:\WINDOWS\System32\ReinstallBackups [Folder | Modified Date = 5/18/2007 8:05:20 PM | Attr = ]
C:\WINDOWS\System32\wpa.dbl [Ver = | Size = 2206 bytes | Modified Date = 5/24/2007 6:39:06 AM | Attr = ]
C:\WINDOWS\System32\drivers\gmer.sys GMER [Ver = 1, 0, 12, 3868 | Size = 69905 bytes | Modified Date = 5/23/2007 9:35:46 AM | Attr = ]
C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf [Ver = | Size = 0 bytes | Modified Date = 5/18/2007 8:06:10 PM | Attr = H ]
C:\WINDOWS\System32\drivers\Msft_Kernel_LMouFilt_01005.Wdf [Ver = | Size = 0 bytes | Modified Date = 5/18/2007 8:06:14 PM | Attr = H ]

File String Scan (Non-Microsoft Only)
[PEC2 , ]C:\Documents and Settings\lee\Desktop\SkypeSetup(2).exe (Skype Technologies S.A. )
[PEC2 , ]C:\WINDOWS\System32\dfrg.msc ()
[winsync , ]C:\WINDOWS\System32\wbdbase.deu ()
[aspack , UPX! , ]C:\WINDOWS\System32\drivers\VsapiNT.sys (Trend Micro Inc.)

< End of report >

#13 leesteffy

Posted 24 May 2007 - 01:33 PM

Kaspersky to follow (it is taking a while to scan!)


Logfile of HijackThis v1.99.1
Scan saved at 2:22:19 PM, on 5/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCMAIN.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070303
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070303
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\lee\Application Data\Mozilla\Firefox\Profiles\41nftdkr.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\lee\Application Data\Mozilla\Firefox\Profiles/41nftdkr.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 24, 2007 4:26:59 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 24/05/2007
Kaspersky Anti-Virus database records: 308322
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 120733
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:14:58

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\lee\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\AUPNP.log Object is locked skipped
C:\Documents and Settings\lee\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\lee\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\lee\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\lee\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\lee\Application Data\Mozilla\Firefox\Profiles\41nftdkr.default\cert8.db Object is locked skipped
C:\Documents and Settings\lee\Application Data\Mozilla\Firefox\Profiles\41nftdkr.default\history.dat Object is locked skipped
C:\Documents and Settings\lee\Application Data\Mozilla\Firefox\Profiles\41nftdkr.default\key3.db Object is locked skipped
C:\Documents and Settings\lee\Application Data\Mozilla\Firefox\Profiles\41nftdkr.default\parent.lock Object is locked skipped
C:\Documents and Settings\lee\Application Data\Mozilla\Firefox\Profiles\41nftdkr.default\search.sqlite Object is locked skipped
C:\Documents and Settings\lee\Application Data\Mozilla\Firefox\Profiles\41nftdkr.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\lee\Application Data\Skype\leesteffy\call256.dbb Object is locked skipped
C:\Documents and Settings\lee\Application Data\Skype\leesteffy\callmember256.dbb Object is locked skipped
C:\Documents and Settings\lee\Application Data\Skype\leesteffy\chat512.dbb Object is locked skipped
C:\Documents and Settings\lee\Application Data\Skype\leesteffy\chat8192.dbb Object is locked skipped
C:\Documents and Settings\lee\Application Data\Skype\leesteffy\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\lee\Application Data\Skype\leesteffy\chatmsg1024.dbb Object is locked skipped
C:\Documents and Settings\lee\Application Data\Skype\leesteffy\chatmsg2048.dbb Object is locked skipped
C:\Documents and Settings\lee\Application Data\Skype\leesteffy\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\lee\Application Data\Skype\leesteffy\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\lee\Application Data\Skype\leesteffy\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\lee\Application Data\Skype\leesteffy\index2.dat Object is locked skipped
C:\Documents and Settings\lee\Application Data\Skype\leesteffy\profile256.dbb Object is locked skipped
C:\Documents and Settings\lee\Application Data\Skype\leesteffy\user1024.dbb Object is locked skipped
C:\Documents and Settings\lee\Application Data\Skype\leesteffy\user256.dbb Object is locked skipped
C:\Documents and Settings\lee\Application Data\Skype\leesteffy\user4096.dbb Object is locked skipped
C:\Documents and Settings\lee\Application Data\Skype\leesteffy\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\lee\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\lee\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\lee\Local Settings\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\Microsoft\Outlook Express\Deleted Items.dbx Object is locked skipped
C:\Documents and Settings\lee\Local Settings\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\lee\Local Settings\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\lee\Local Settings\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\lee\Local Settings\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\Microsoft\Outlook Express\Outbox.dbx Object is locked skipped
C:\Documents and Settings\lee\Local Settings\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\lee\Local Settings\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\Microsoft\Outlook Express\Sent Items.dbx Object is locked skipped
C:\Documents and Settings\lee\Local Settings\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\Microsoft\Outlook Express\Spam Mail (1).dbx Object is locked skipped
C:\Documents and Settings\lee\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\lee\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\lee\Local Settings\Application Data\Mozilla\Firefox\Profiles\41nftdkr.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\lee\Local Settings\Application Data\Mozilla\Firefox\Profiles\41nftdkr.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\lee\Local Settings\Application Data\Mozilla\Firefox\Profiles\41nftdkr.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\lee\Local Settings\Application Data\Mozilla\Firefox\Profiles\41nftdkr.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\lee\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lee\Local Settings\History\History.IE5\MSHist012007052420070525\index.dat Object is locked skipped
C:\Documents and Settings\lee\Local Settings\Temp\Perflib_Perfdata_1f4.dat Object is locked skipped
C:\Documents and Settings\lee\Local Settings\Temp\Perflib_Perfdata_d8.dat Object is locked skipped
C:\Documents and Settings\lee\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lee\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\lee\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\users\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\log\TMASUpdate.20070524.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP68\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant HDA D110 MDC V.92 Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{0749F910-938F-4D58-9DFF-A259EDDD4F4C}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{8BC241AD-313E-4440-9FCE-1426C6D7DAED}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Edited by leesteffy, 24 May 2007 - 03:33 PM.


#14 random/random

random/random

  • Malware Response Team
  • 2,704 posts

Posted 25 May 2007 - 11:23 AM

Download ATF Cleaner by Attribune
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Main at the top and choose Select All from the list.
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Double click My Computer.
Right click the disk drive you wish to check.
Click Properties.
In the Properties dialog box, click the Tools tab.
Under Error-checking, click the Check Now button.
In the "Check Disk Local Disk (C:)" dialog box, check both Automatically fix file system errors and Scan for and attempt recovery of bad sectors, and then click Start.

This will look for and attempt to repair any errors that your hard drive has.


To speed up your PC, some unnecessary startups can be removed, to do this:

Run HijackThis
Click on Do a system scan only
Place a checkmark next to these lines (if still present)

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

Then close all windows except HijackThis and click Fix Checked

Let me know how the PC runs after this
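Added example, not part of the thread and not code from HijackThis: a small Python parser for the O4 lines quoted above. It expands the abbreviated `HKLM\..\Run` notation HijackThis uses into the full registry hive and key, separates the executable from its arguments, shows the registry change that "Fix Checked" performs for such an entry (the Run value is deleted, expressed here as the equivalent reg.exe command), and flags any unquoted executable path that contains spaces. The sample input is the seven O4 lines from the post; the `location_class` categories are my own triage heuristic, not anything HijackThis reports.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: the seven O4 lines quoted in post #14, copied from the thread.
O4_SAMPLE = r"""
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
"""

# HijackThis writes the autorun location as HKLM\..\Run: "HKLM"/"HKCU" is the
# hive and ".." stands for the standard CurrentVersion key.
_HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
_CURRENT_VERSION = r"Software\Microsoft\Windows\CurrentVersion"

_O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<sub>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


@dataclass
class Autorun:
    hive: str      # expanded hive, e.g. HKEY_LOCAL_MACHINE
    key: str       # key path below the hive
    name: str      # registry value name (the text in [brackets])
    command: str   # raw command line stored in the value
    exe: str       # executable part of the command
    args: str      # remaining arguments, if any
    quoted: bool   # whether the executable path was quoted in the value


def split_command(cmd: str) -> tuple[str, str, bool]:
    """Separate the executable from its arguments.

    A quoted path ends at the closing quote. For unquoted commands the cut is
    made after the first ".exe" (a heuristic). An unquoted path containing
    spaces is ambiguous to Windows, which tries each space-delimited prefix
    in turn, so callers can flag it via the `quoted` flag.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:                      # unterminated quote: whole value is the path
            return cmd.strip('"'), "", True
        return cmd[1:end], cmd[end + 1:].strip(), True
    m = re.match(r"(?i)(.*?\.exe)(?:\s+(.*))?$", cmd)
    if m:
        return m.group(1), (m.group(2) or "").strip(), False
    head, _, rest = cmd.partition(" ")    # no .exe suffix: fall back to first space
    return head, rest.strip(), False


def parse_o4(log_text: str) -> list[Autorun]:
    """Parse the registry-based O4 lines out of a HijackThis log."""
    entries: list[Autorun] = []
    for line in log_text.splitlines():
        m = _O4_RE.match(line.strip())
        if not m:
            continue                        # not a registry O4 line
        exe, args, quoted = split_command(m.group("cmd"))
        entries.append(Autorun(
            hive=_HIVES[m.group("hive")],
            key=_CURRENT_VERSION + "\\" + m.group("sub"),
            name=m.group("name"),
            command=m.group("cmd"),
            exe=exe,
            args=args,
            quoted=quoted,
        ))
    return entries


def reg_delete_command(entry: Autorun) -> str:
    """What "Fix Checked" does for such an entry: the Run value is deleted
    (the Run key itself stays). Shown as the equivalent reg.exe command."""
    return f'reg delete "{entry.hive}\\{entry.key}" /v "{entry.name}" /f'


def location_class(exe: str) -> str:
    """Coarse triage of where the executable lives (my heuristic, not HijackThis's)."""
    low = exe.lower()
    if "~" in low:
        return "8.3 short name (expand before judging)"
    if low.startswith(("c:\\program files\\", "c:\\windows\\")):
        return "program/system location"
    if "\\documents and settings\\" in low or "\\temp\\" in low:
        return "user profile or temp location (review closely)"
    return "other"


def unquoted_with_spaces(entries: list[Autorun]) -> list[str]:
    """Names of entries whose unquoted executable path contains a space."""
    return [e.name for e in entries if not e.quoted and " " in e.exe]


if __name__ == "__main__":
    found = parse_o4(O4_SAMPLE)
    for e in found:
        print(f"[{e.name}] {e.exe} {e.args}".rstrip())
        print(f"    {location_class(e.exe)}")
        print(f"    {reg_delete_command(e)}")
    print("unquoted paths with spaces:", unquoted_with_spaces(found))
```

The generated reg.exe commands use `/f`, which suppresses the confirmation prompt; take a `reg export` of the Run key before running any of them so the change can be reverted, which is the same precaution worth taking before clicking Fix Checked.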

#15 leesteffy

leesteffy
  • Topic Starter

  • Members
  • 16 posts

Posted 28 May 2007 - 08:41 AM

[Quotes the instructions from post #14 above.]





