Not-A-Virus Infection & Hotmail hacked

Mokie
2008-03-13, 22:27
I left my computer connected (cable) & signed in to Hotmail & left my desk for awhile. Came back & someone had "replied" to an email that I had received. I knew because my recipient emailed me back wondering what the heck I meant! I called them and let them know it wasn't me. I noticed some strange entries in my security logs, so I ran Spybot - it was clean. Ran Kaspersky, & there were 3 viruses and a bunch of junk (I'm assuming the hacker had remote access, as a few key areas of remote connection permissions had been enabled when I had disabled them some time ago). I've already called my bank and put a hold on my accounts.

I have the Kaspersky scan, but it is too long for one post. I will not do anything else on my computer until I get help from you guys... let me know and I will post it and anything else you need. Thank you so much!

Shaba
2008-03-16, 11:10
Hi Mokie

Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download HJTInstall.exe
Save HJTInstall.exe to your desktop.
Double-click on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Mokie
2008-03-16, 20:33
Thank you, Shaba. Here is the file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:55 PM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MNL\Desktop\HiJackThis(2).exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=c74008ee-9555-453f-81d3-057a3fa75449
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135544634484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135548163312
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by110fd.bay110.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9605 bytes

Shaba
2008-03-17, 10:43
Hi

Please post the Kaspersky report next; you can include only the entries marked infected :)

Mokie
2008-03-17, 22:25
Here it is, Shaba. I'm not sure what all is considered infected, so I will post it in parts:

Monday, March 17, 2008 2:13:41 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/03/2008
Kaspersky Anti-Virus database records: 636025
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 68551
Number of viruses found 3
Number of infected objects 16
Number of suspicious objects 0
Duration of the scan process 01:54:13

Infected Object Name Virus Name Last Action
C:\17759a1fd0cec16ad0fe5388f0dad0c6\$shtdwn$.req Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\admparse.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\admparse.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\advpack.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\advpack.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\browseui.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\corpol.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\custsat.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\dxtmsft.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\dxtrans.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\extmgr.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\extmgr.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\feeddisc.wav Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\hmmapi.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\hmmapi.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\html.iec Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\html.iec.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\icardie.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\icardie.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\icrav03.rat Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ie4uinit.exe Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ie4uinit.exe.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ieakeng.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ieakeng.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ieakmmc.chm Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ieaksie.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ieaksie.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ieakui.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ieakui.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ieapfltr.dat Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ieapfltr.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\iedkcs32.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\iedkcs32.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\iedw.exe Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\iedw.exe.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ieencode.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ieeula.chm Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ieframe.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ieframe.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\iepeers.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\iepeers.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ieproxy.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\iernonce.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\iernonce.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\iertutil.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\iesetup.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\iesetup.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\iesupp.chm Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ieudinit.exe Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ieui.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ieui.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ieuinit.inf Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ieunatt.exe.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\iexplore.chm Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\iexplore.exe Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\iexplore.exe.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\imgutil.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\inetcorp.iem Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\inetcpl.cpl Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\inetcpl.cpl.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\inetres.adm Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\inetset.iem Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\infobar.wav Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\inseng.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\inseng.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\install.ins Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\jscript.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\jsproxy.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\licmgr10.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\licmgr10.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\msfeeds.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\msfeeds.mof Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\msfeedsbs.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\msfeedsbs.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\msfeedsbs.mof Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\msfeedssync.exe Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\mshta.exe Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\mshta.exe.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\mshtml.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\mshtml.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\mshtml.tlb Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\mshtmled.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\mshtmled.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\mshtmler.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\mshtmler.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\msls31.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\msrating.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\msrating.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\mstime.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\navstart.wav Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\occache.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\occache.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\occache.ini Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\pngfilt.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\popupblk.wav Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\shdocvw.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\shlwapi.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\spmsg.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\spuninst.exe Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\spupdsvc.exe Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\tdc.ocx Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\ticrf.rat Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\update\eula.rtf Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\update\idndl.exe Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\update\ie7.cat Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\update\iecustom.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\update\iereseticons.exe Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\update\iesetup.exe Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\update\legitlibm.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\update\nlsdl.exe Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\update\update.exe Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\update\update.exe.manifest Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\update\update.inf Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\update\update.ver Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\update\updspapi.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\update\xmllitesetup.exe Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\url.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\urlmon.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\urlmon.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\vbscript.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\vgx.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\webcheck.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\webcheck.dll.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\webcheck.ini Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\winfxdocobj.exe Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\winfxdocobj.exe.mui Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\wininet.dll Object is locked skipped
C:\17759a1fd0cec16ad0fe5388f0dad0c6\wininet.dll.mui Object is locked skipped
C:\Deckard\System Scanner\20080315165751\backup\DOCUME~1\MNL\LOCALS~1\Temp\NERO14399\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

Mokie
2008-03-17, 22:26
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0be27fb6af4531b26b2714acd25cae54_286d3c58-485f-4de2-9900-95145d93583d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5bbf2187d75bda3fdb0bb72ba71910ba_286d3c58-485f-4de2-9900-95145d93583d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c02f08d91640e813e3c80ab79947b6b7_286d3c58-485f-4de2-9900-95145d93583d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cb9e4616035c57425a3bc0f8a3088b98_286d3c58-485f-4de2-9900-95145d93583d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d9a2f8cac7bc9e35f1ad85e3eb0fa90d_286d3c58-485f-4de2-9900-95145d93583d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e8cb3c237dde34e3d7221332c24524ae_286d3c58-485f-4de2-9900-95145d93583d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e9aea790f35d65abc33fe58ec30d0b39_286d3c58-485f-4de2-9900-95145d93583d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-04022007-210409.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar.zip/wfpjphgl.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar1.zip/vfqpwdfy.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar10.zip/dtfpctnv.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar10.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar11.zip/cwhqpypj.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar11.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar12.zip/cpswimbx.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar12.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\MNL\Application Data\Mozilla\Firefox\Profiles\zlco6hkf.default\cert8.db Object is locked skipped
C:\Documents and Settings\MNL\Application Data\Mozilla\Firefox\Profiles\zlco6hkf.default\history.dat Object is locked skipped
C:\Documents and Settings\MNL\Application Data\Mozilla\Firefox\Profiles\zlco6hkf.default\key3.db Object is locked skipped
C:\Documents and Settings\MNL\Application Data\Mozilla\Firefox\Profiles\zlco6hkf.default\parent.lock Object is locked skipped
C:\Documents and Settings\MNL\Application Data\Mozilla\Firefox\Profiles\zlco6hkf.default\search.sqlite Object is locked skipped
C:\Documents and Settings\MNL\Application Data\Mozilla\Firefox\Profiles\zlco6hkf.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\MNL\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\MNL\Desktop\MEDIA\Nero-8.2.8.0_eng_update.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\MNL\Desktop\MEDIA\Nero-8.2.8.0_eng_update.exe 7-Zip: infected - 1 skipped
C:\Documents and Settings\MNL\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\MNL\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\MNL\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\MNL\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\MNL\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{16E1E332-5620-405D-A740-4632CDD686A1} Object is locked skipped
C:\Documents and Settings\MNL\Local Settings\Application Data\Mozilla\Firefox\Profiles\zlco6hkf.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\MNL\Local Settings\Application Data\Mozilla\Firefox\Profiles\zlco6hkf.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\MNL\Local Settings\Application Data\Mozilla\Firefox\Profiles\zlco6hkf.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\MNL\Local Settings\Application Data\Mozilla\Firefox\Profiles\zlco6hkf.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\MNL\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\MNL\Local Settings\Temp\SQL.LOG Object is locked skipped
C:\Documents and Settings\MNL\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\MNL\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\MNL\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\MNL\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\InstallShield Installation Information\{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}\setup.ilg Object is locked skipped
C:\Program Files\Nero\Nero8\Nero BackItUp\BIU1.txt Object is locked skipped
C:\Program Files\support.com\temp\ComcastToolbar.exe/stream/data0141 Infected: not-a-virus:AdWare.Win32.BHO.aap skipped
C:\Program Files\support.com\temp\ComcastToolbar.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.aap skipped
C:\Program Files\support.com\temp\ComcastToolbar.exe NSIS: infected - 2 skipped
C:\RECYCLER\S-1-5-21-1177238915-73586283-725345543-1004\Dc62.exe Object is locked skipped
C:\RECYCLER\S-1-5-21-1177238915-73586283-725345543-1004\Dc63.exe Object is locked skipped
C:\RECYCLER\S-1-5-21-1177238915-73586283-725345543-1004\Dc64.exe Object is locked skipped
C:\RECYCLER\S-1-5-21-1177238915-73586283-725345543-1004\Dc65.avi Object is locked skipped
C:\RECYCLER\S-1-5-21-1177238915-73586283-725345543-1004\Dc66.avi Object is locked skipped
C:\RECYCLER\S-1-5-21-1177238915-73586283-725345543-1004\Dc67.avi Object is locked skipped
C:\RECYCLER\S-1-5-21-1177238915-73586283-725345543-1004\Dc68.mpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1177238915-73586283-725345543-1004\Dc69.mp3 Object is locked skipped
C:\RECYCLER\S-1-5-21-1177238915-73586283-725345543-1004\Dc70.m4a Object is locked skipped
C:\RECYCLER\S-1-5-21-1177238915-73586283-725345543-1004\Dc71.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-1177238915-73586283-725345543-1004\Dc72.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-1177238915-73586283-725345543-1004\Dc74.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-1177238915-73586283-725345543-1004\Dc75.lnk Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D0EF8276-C546-4DA1-92AD-C6F6B8228708}\RP6\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\TIMEWASTER.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{44796C5C-6E92-421F-8DDF-FE69B64D0599}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT07d1d.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT07d20.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

Mokie
2008-03-17, 22:29
I'm thinking that maybe S&D DID isolate those files? Besides any infections that may still be present, I need to figure out how someone got into my Hotmail account; would that be another thread?

Shaba
2008-03-18, 14:51
Hi

Empty this folder:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\

Delete this:

C:\Program Files\support.com\temp\ComcastToolbar.exe

Empty Recycle Bin.

"I'm thinking that maybe S&D DID isolate those files?"

Yes, it's possible.

"Besides any infections that may still be present, I need to figure out how someone got into my Hotmail account; would that be another thread?"

Well, chances are that it can't be tracked, but I can try if you like.

Mokie
2008-03-19, 01:34
Thank you. I emptied the folder and deleted the Comcast path with ComcastToolbar.exe.

If everything else looks good, please tell me what you need to do to see if my Hotmail was hacked. It was rather disturbing to have someone impersonating me, and I sure would like to find out as much as I can without it being too extensive of a project...

Shaba
2008-03-19, 11:39
Hi

Download OTScanIt.exe (http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe) to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.

In the Files Created Within group click 30 days
In the Files Modified Within group select 30 days
In the File String Search group select Non-Microsoft

Now click the Run Scan button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

Mokie
2008-03-20, 19:05
Hi Shaba, thank you for your continuing assistance. Here is the file, Part 1:

OTScanIt logfile created on: 3/20/2008 10:26:26 AM
OTScanIt by OldTimer - Version 1.0.6.0 Folder = C:\Documents and Settings\MNL\Desktop\OTScanIt
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.73 Mb Total Physical Memory | 107.48 Mb Available Physical Memory | 21.04% Memory free
1.22 Gb Paging File | 0.86 Gb Available in Paging File | 70.32% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 186.30 Gb Total Space | 141.13 Gb Free Space | 75.75% Space Free | Partition Type: NTFS
Drive D: | 4.16 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TIMEWASTER
Current User Name: MNL
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
aawservice.exe -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft [Ver = 7,0,2,6 | Size = 587096 bytes | Modified Date = 1/15/2008 1:51:22 PM | Attr = ]
applemobiledeviceservice.exe -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> Apple, Inc. [Ver = 1, 14, 0, 0 | Size = 110592 bytes | Modified Date = 9/6/2007 1:28:18 PM | Attr = ]
avgamsvr.exe -> %ProgramFiles%\Grisoft\AVG Free\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.496 | Size = 418816 bytes | Modified Date = 10/23/2007 2:07:47 PM | Attr = ]
avgupsvc.exe -> %ProgramFiles%\Grisoft\AVG Free\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 1/6/2007 12:42:30 PM | Attr = ]
avgemc.exe -> %ProgramFiles%\Grisoft\AVG Free\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.510 | Size = 406528 bytes | Modified Date = 12/20/2007 6:04:22 PM | Attr = ]
nbservice.exe -> %ProgramFiles%\Nero\Nero8\Nero BackItUp\NBService.exe -> Nero AG [Ver = 3, 2, 3, 0 | Size = 869672 bytes | Modified Date = 12/3/2007 3:21:24 PM | Attr = ]
nvsvc32.exe -> %SystemRoot%\system32\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.7777 | Size = 127043 bytes | Modified Date = 7/20/2005 6:07:00 PM | Attr = ]
pnkbstra.exe -> %SystemRoot%\system32\PnkBstrA.exe -> [Ver = | Size = 66872 bytes | Modified Date = 3/1/2008 3:33:09 PM | Attr = ]
smagent.exe -> %ProgramFiles%\Analog Devices\SoundMAX\SMAgent.exe -> Analog Devices, Inc. [Ver = 3, 2, 6, 0 | Size = 45056 bytes | Modified Date = 9/20/2002 4:50:10 PM | Attr = ]
zlclient.exe -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 919016 bytes | Modified Date = 11/14/2007 5:05:06 PM | Attr = ]
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_05\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.50.13 | Size = 144784 bytes | Modified Date = 2/22/2008 4:25:21 AM | Attr = ]
smax4pnp.exe -> %ProgramFiles%\Analog Devices\SoundMAX\SMax4PNP.exe -> Analog Devices, Inc. [Ver = 4, 0, 4, 11 | Size = 790528 bytes | Modified Date = 5/29/2003 5:28:32 PM | Attr = ]
smax4.exe -> %ProgramFiles%\Analog Devices\SoundMAX\SMax4.exe -> Analog Devices, Inc. [Ver = 4, 0, 4, 25 | Size = 585728 bytes | Modified Date = 5/30/2003 10:42:22 AM | Attr = ]
avgcc.exe -> %ProgramFiles%\Grisoft\AVG Free\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.504 | Size = 579072 bytes | Modified Date = 12/20/2007 6:04:20 PM | Attr = ]
apdproxy.exe -> %ProgramFiles%\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe -> Adobe Systems Incorporated [Ver = 3.2.0.77764 | Size = 63712 bytes | Modified Date = 3/9/2007 12:09:58 PM | Attr = ]
hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\hpwuSchd2.exe -> Hewlett-Packard Co. [Ver = 90.0.43.000 | Size = 49152 bytes | Modified Date = 3/11/2007 10:34:40 PM | Attr = ]
asusprob.exe -> %ProgramFiles%\ASUS\Probe\AsusProb.exe -> [Ver = | Size = 617984 bytes | Modified Date = 12/6/2002 5:07:48 PM | Attr = ]
teatimer.exe -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe -> Safer Networking Limited [Ver = 1, 4, 0, 2 | Size = 1415824 bytes | Modified Date = 5/31/2005 1:04:00 AM | Attr = ]
psfree.exe -> %ProgramFiles%\Panicware\Pop-Up Stopper Free Edition\PSFree.exe -> Panicware, Inc. [Ver = 3, 1, 0, 1014 | Size = 536576 bytes | Modified Date = 3/17/2005 12:10:32 PM | Attr = ]
nmindexstoresvr.exe -> %CommonProgramFiles%\Nero\Lib\NMIndexStoreSvr.exe -> Nero AG [Ver = 3.2.5.0 | Size = 1688872 bytes | Modified Date = 12/13/2007 8:10:56 PM | Attr = ]
nmindexingservice.exe -> %CommonProgramFiles%\Nero\Lib\NMIndexingService.exe -> Nero AG [Ver = 3.2.5.0 | Size = 447784 bytes | Modified Date = 12/13/2007 8:10:56 PM | Attr = ]
vsmon.exe -> %SystemRoot%\system32\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 75304 bytes | Modified Date = 11/14/2007 5:05:06 PM | Attr = ]
tgcmd.exe -> %ProgramFiles%\support.com\bin\tgcmd.exe -> SupportSoft, Inc. [Ver = 5,6,1125,0 | Size = 1773568 bytes | Modified Date = 3/7/2007 10:58:20 AM | Attr = ]
firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe -> Mozilla Corporation [Ver = 1.8.1.12: 2008020121 | Size = 7655024 bytes | Modified Date = 2/29/2008 1:31:36 PM | Attr = ]
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.6.0 | Size = 311808 bytes | Modified Date = 3/19/2008 6:01:26 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(aawservice) Ad-Aware 2007 Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft [Ver = 7,0,2,6 | Size = 587096 bytes | Modified Date = 1/15/2008 1:51:22 PM | Attr = ]
(Apple Mobile Device) Apple Mobile Device [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> Apple, Inc. [Ver = 1, 14, 0, 0 | Size = 110592 bytes | Modified Date = 9/6/2007 1:28:18 PM | Attr = ]
(Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.496 | Size = 418816 bytes | Modified Date = 10/23/2007 2:07:47 PM | Attr = ]
(Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 1/6/2007 12:42:30 PM | Attr = ]
(AVGEMS) AVG E-mail Scanner [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.510 | Size = 406528 bytes | Modified Date = 12/20/2007 6:04:22 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 12:56:48 AM | Attr = ]
(MSCSPTISRV) MSCSPTISRV [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Sony Shared\AVLib\MSCSPTISRV.exe -> Sony Corporation [Ver = 4.4.00.11241 | Size = 53337 bytes | Modified Date = 11/24/2005 6:03:22 PM | Attr = ]
(Nero BackItUp Scheduler 3) Nero BackItUp Scheduler 3 [Win32_Own | Auto | Running] -> %ProgramFiles%\Nero\Nero8\Nero BackItUp\NBService.exe -> Nero AG [Ver = 3, 2, 3, 0 | Size = 869672 bytes | Modified Date = 12/3/2007 3:21:24 PM | Attr = ]
(NetSvc) Intel NCS NetService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Intel\NCS\Sync\NetSvc.exe -> Intel(R) Corporation [Ver = 1.2.26.0 | Size = 143360 bytes | Modified Date = 3/3/2003 2:33:40 PM | Attr = ]
(NMIndexingService) NMIndexingService [Win32_Own | On_Demand | Running] -> %CommonProgramFiles%\Nero\Lib\NMIndexingService.exe -> Nero AG [Ver = 3.2.5.0 | Size = 447784 bytes | Modified Date = 12/13/2007 8:10:56 PM | Attr = ]
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.7777 | Size = 127043 bytes | Modified Date = 7/20/2005 6:07:00 PM | Attr = ]
(PACSPTISVR) PACSPTISVR [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Sony Shared\AVLib\PACSPTISVR.exe -> Sony Corporation [Ver = 4.4.00.11241 | Size = 53337 bytes | Modified Date = 11/24/2005 5:57:44 PM | Attr = ]
(PnkBstrA) PnkBstrA [Win32_Own | Auto | Running] -> %SystemRoot%\system32\PnkBstrA.exe -> [Ver = | Size = 66872 bytes | Modified Date = 3/1/2008 3:33:09 PM | Attr = ]
(SoundMAX Agent Service (default)) SoundMAX Agent Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Analog Devices\SoundMAX\SMAgent.exe -> Analog Devices, Inc. [Ver = 3, 2, 6, 0 | Size = 45056 bytes | Modified Date = 9/20/2002 4:50:10 PM | Attr = ]
(SPTISRV) Sony SPTI Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Sony Shared\AVLib\SPTISRV.exe -> Sony Corporation [Ver = 4.4.00.11241 | Size = 69718 bytes | Modified Date = 11/24/2005 5:47:30 PM | Attr = ]
(vsmon) TrueVector Internet Monitor [Win32_Own | Auto | Running] -> %SystemRoot%\system32\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 75304 bytes | Modified Date = 11/14/2007 5:05:06 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Adobe Photo Downloader -> %ProgramFiles%\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe -> Adobe Systems Incorporated [Ver = 3.2.0.77764 | Size = 63712 bytes | Modified Date = 3/9/2007 12:09:58 PM | Attr = ]
ASUS Probe -> %ProgramFiles%\ASUS\Probe\AsusProb.exe -> [Ver = | Size = 617984 bytes | Modified Date = 12/6/2002 5:07:48 PM | Attr = ]
AVG7_CC -> %ProgramFiles%\Grisoft\AVG Free\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.504 | Size = 579072 bytes | Modified Date = 12/20/2007 6:04:20 PM | Attr = ]
HP Software Update -> %ProgramFiles%\HP\HP Software Update\hpwuSchd2.exe -> Hewlett-Packard Co. [Ver = 90.0.43.000 | Size = 49152 bytes | Modified Date = 3/11/2007 10:34:40 PM | Attr = ]
NBKeyScan -> %ProgramFiles%\Nero\Nero8\Nero BackItUp\NBKeyScan.exe -> Nero AG [Ver = 3, 2, 3, 0 | Size = 2213160 bytes | Modified Date = 12/3/2007 3:21:24 PM | Attr = ]
NeroFilterCheck -> %CommonProgramFiles%\Nero\Lib\NeroCheck.exe -> Nero AG [Ver = 1, 0, 0, 6 | Size = 153136 bytes | Modified Date = 3/1/2007 3:57:24 PM | Attr = ]
NvCplDaemon -> %SystemRoot%\system32\nvcpl.dll -> NVIDIA Corporation [Ver = 6.14.10.7777 | Size = 7110656 bytes | Modified Date = 7/20/2005 6:07:00 PM | Attr = ]
NvMediaCenter -> %SystemRoot%\system32\nvmctray.dll -> NVIDIA Corporation [Ver = 6.14.10.7777 | Size = 86016 bytes | Modified Date = 7/20/2005 6:07:00 PM | Attr = ]
NWEReboot -> -> File not found
nwiz -> %SystemRoot%\system32\nwiz.exe -> NVIDIA Corporation [Ver = 6.14.10.10531 | Size = 1519616 bytes | Modified Date = 7/20/2005 6:07:00 PM | Attr = ]
PRONoMgr.exe -> %ProgramFiles%\Intel\NCS\PROSet\PRONoMgr.exe -> Intel(R) Corporation [Ver = 6.2.35.0 | Size = 86016 bytes | Modified Date = 3/11/2003 5:24:40 PM | Attr = ]
SoundMAX -> %ProgramFiles%\Analog Devices\SoundMAX\SMax4.exe -> Analog Devices, Inc. [Ver = 4, 0, 4, 25 | Size = 585728 bytes | Modified Date = 5/30/2003 10:42:22 AM | Attr = ]
SoundMAXPnP -> %ProgramFiles%\Analog Devices\SoundMAX\SMax4PNP.exe -> Analog Devices, Inc. [Ver = 4, 0, 4, 11 | Size = 790528 bytes | Modified Date = 5/29/2003 5:28:32 PM | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_05\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.50.13 | Size = 144784 bytes | Modified Date = 2/22/2008 4:25:21 AM | Attr = ]
tgcmd -> %ProgramFiles%\support.com\bin\tgcmd.exe -> SupportSoft, Inc. [Ver = 5,6,1125,0 | Size = 1773568 bytes | Modified Date = 3/7/2007 10:58:20 AM | Attr = ]
ZoneAlarm Client -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 7.0.462.000 | Size = 919016 bytes | Modified Date = 11/14/2007 5:05:06 PM | Attr = ]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL-> Installed = 1 ->
MAPI-> Installed = 1 ->
MSFS-> Installed = 1 ->
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} -> %CommonProgramFiles%\Nero\Lib\NMIndexStoreSvr.exe -> Nero AG [Ver = 3.2.5.0 | Size = 1688872 bytes | Modified Date = 12/13/2007 8:10:56 PM | Attr = ]
PopUpStopperFreeEdition -> %ProgramFiles%\Panicware\Pop-Up Stopper Free Edition\PSFree.exe -> Panicware, Inc. [Ver = 3, 1, 0, 1014 | Size = 536576 bytes | Modified Date = 3/17/2005 12:10:32 PM | Attr = ]
SpybotSD TeaTimer -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe -> Safer Networking Limited [Ver = 1, 4, 0, 2 | Size = 1415824 bytes | Modified Date = 5/31/2005 1:04:00 AM | Attr = ]
< RunOnce [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ->
CheckNetworkConnection -> %ProgramFiles%\support.com\providerComcast\desktopdoctor.exe -> SupportSoft, Inc. [Ver = 6,2,399,0 | Size = 1286144 bytes | Modified Date = 5/19/2006 11:29:14 AM | Attr = ]
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
-> %AllUsersProfile%\Start Menu\Programs\Startup\AutorunsDisabled -> [Folder | Modified Date = 3/11/2008 11:47:30 AM | Attr = H ]
< MNL Startup Folder > -> C:\Documents and Settings\MNL\Start Menu\Programs\Startup ->
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 1:55:48 PM | Attr = ]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 4/19/2007 1:41:36 PM | Attr = ]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\\ScanWithAntiVirus -> 2 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\\{17492023-C23A-453E-A040-C7C580BBF700} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
< HOSTS File > (676160 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_LOCAL_MACHINE\: Main\\Local Page -> C:\windows\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\Local Page -> C:\windows\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\Start Page -> http://www.google.com/ ->
HKEY_CURRENT_USER\: SearchURL\\ -> http://home.microsoft.com/access/autosearch.asp?p=%s[Reg Error: Value provider does not exist or could not be read.] ->
HKEY_CURRENT_USER\: ProxyEnable -> 0 ->
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->

Mokie
2008-03-20, 19:08
OTScanIt, Part II:

< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 6296 domain(s) found. ->
www_adobe.com [https] -> Trusted sites ->
www_myspace.com [https] -> Trusted sites ->
45 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 7 range(s) found. ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{0347C33E-8762-4905-BF09-768834316C61} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\HP\Smart Web Printing\hpswp_printenhancer.dll [HP Print Enhancer] -> Hewlett-Packard Co. [Ver = 2.15.7.0 | Size = 1298024 bytes | Modified Date = 3/2/2007 5:52:24 PM | Attr = R ]
{053F9267-DC04-4294-A72C-58F732D338C0} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\HP\Smart Web Printing\hpswp_framework.dll [HP Print Clips] -> Hewlett-Packard Co. [Ver = 2.15.7.0 | Size = 177768 bytes | Modified Date = 3/2/2007 5:52:08 PM | Attr = R ]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> File not found
{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 5/31/2005 1:04:00 AM | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_05\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.50.13 | Size = 509328 bytes | Modified Date = 2/22/2008 4:25:19 AM | Attr = ]
AutorunsDisabled [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.50.13 | Size = 132496 bytes | Modified Date = 2/22/2008 4:25:19 AM | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_05\bin\ssv.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.50.13 | Size = 509328 bytes | Modified Date = 2/22/2008 4:25:19 AM | Attr = ]
{58ECB495-38F0-49cb-A538-10282ABF65E7}:{E763472E-A716-4CD9-89BD-DBDA6122F741} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\HP\Smart Web Printing\hpswp_extensions.dll [HP Clipbook] -> Hewlett-Packard Co. [Ver = 2.15.7.0 | Size = 153192 bytes | Modified Date = 3/2/2007 5:53:20 PM | Attr = R ]
{700259D7-1666-479a-93B1-3250410481E8}:{A93C41D8-01F8-4F8B-B14C-DE20B117E636} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\HP\Smart Web Printing\hpswp_extensions.dll [HP Smart Select] -> Hewlett-Packard Co. [Ver = 2.15.7.0 | Size = 153192 bytes | Modified Date = 3/2/2007 5:53:20 PM | Attr = R ]
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search && Destroy Configuration] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 5/31/2005 1:04:00 AM | Attr = ]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.50.13 | Size = 132496 bytes | Modified Date = 2/22/2008 4:25:19 AM | Attr = ]
CmdMapping\\{3369AF0D-62E9-4bda-8103-B4C75499B578} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< User Agent Post Platform [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform ->
SV1 -> ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{2D82BF34-B926-41DA-96A1-6D82C8525C6F} -> (Intel(R) PRO/1000 CT Network Connection) ->
{54B85F49-84E3-45B6-845B-93A5232A47A3} -> (Motorola SURFboard SB5100 USB Cable Modem) ->
{D813479A-6272-4B0B-A726-09AF0AD5A984} -> (1394 Net Adapter) ->
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value does not exist or could not be read.] -> File not found
msdaipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value does not exist or could not be read.] -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}[HKEY_LOCAL_MACHINE] -> http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab[CKAVWebScan Object] ->
{17492023-C23A-453E-A040-C7C580BBF700}[HKEY_LOCAL_MACHINE] -> http://go.microsoft.com/fwlink/?linkid=39204[Windows Genuine Advantage Validation Tool] ->
{4F1E5B1A-2A80-42CA-8532-2D05CB959537}[HKEY_LOCAL_MACHINE] -> http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab[MSN Photo Upload Tool] ->
{6414512B-B978-451D-A0D8-FCFDF33E833C}[HKEY_LOCAL_MACHINE] -> http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135544634484[WUWebControl Class] ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}[HKEY_LOCAL_MACHINE] -> http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135548163312[MUWebControl Class] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab[Java Plug-in 1.6.0_05] ->
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}[HKEY_LOCAL_MACHINE] -> http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab[Reg Error: Key does not exist or could not be opened.] ->
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] ->
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab[Java Plug-in 1.6.0_05] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab[Java Plug-in 1.6.0_05] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[Reg Error: Key does not exist or could not be opened.] ->
{F04A8AE2-A59D-11D2-8792-00C04F8EF29D}[HKEY_LOCAL_MACHINE] -> http://by110fd.bay110.hotmail.msn.com/activex/HMAtchmt.ocx[Hotmail Attachments Control] ->

[Files/Folders - Created Within 30 days]
049a4e83d2f1253c9188f5d367 -> %SystemDrive%\049a4e83d2f1253c9188f5d367 -> [Folder | Created Date = 2/28/2008 8:36:14 PM | Attr = ]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Created Date = 2/28/2008 7:24:08 PM | Attr = H ]
Deckard -> %SystemDrive%\Deckard -> [Folder | Created Date = 3/15/2008 4:08:14 PM | Attr = ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Created Date = 3/15/2008 1:18:07 PM | Attr = ]
PnkBstrK.sys -> %SystemRoot%\System32\drivers\PnkBstrK.sys -> [Ver = | Size = 22328 bytes | Created Date = 3/1/2008 3:37:01 PM | Attr = ]
java.exe -> %SystemRoot%\System32\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.50.13 | Size = 135168 bytes | Created Date = 3/11/2008 10:40:52 AM | Attr = ]
javaw.exe -> %SystemRoot%\System32\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.50.13 | Size = 135168 bytes | Created Date = 3/11/2008 10:40:52 AM | Attr = ]
javaws.exe -> %SystemRoot%\System32\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.50.13 | Size = 139264 bytes | Created Date = 3/11/2008 10:40:52 AM | Attr = ]
Kaspersky Lab -> %SystemRoot%\System32\Kaspersky Lab -> [Folder | Created Date = 3/17/2008 11:45:41 AM | Attr = ]
6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
PnkBstrB.exe -> %SystemRoot%\System32\PnkBstrB.exe -> [Ver = | Size = 107832 bytes | Created Date = 3/1/2008 3:33:26 PM | Attr = ]
xfcodec.dll -> %SystemRoot%\System32\xfcodec.dll -> [Ver = 30130 | Size = 54608 bytes | Created Date = 2/20/2008 6:57:30 PM | Attr = ]
ERDNT -> %SystemRoot%\ERDNT -> [Folder | Created Date = 3/15/2008 4:33:12 PM | Attr = ]
6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
EReg077.dat -> %SystemRoot%\EReg077.dat -> [Ver = | Size = 302 bytes | Created Date = 3/1/2008 8:02:41 PM | Attr = ]
hpoins17.dat -> %SystemRoot%\hpoins17.dat -> [Ver = | Size = 147275 bytes | Created Date = 2/29/2008 12:25:25 PM | Attr = ]
hpomdl17.dat -> %SystemRoot%\hpomdl17.dat -> [Ver = | Size = 8138 bytes | Created Date = 2/29/2008 12:25:25 PM | Attr = ]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [Ver = | Size = 69 bytes | Created Date = 3/3/2008 12:00:42 AM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Created Date = 2/25/2008 2:14:43 PM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Created Date = 2/25/2008 2:14:43 PM | Attr = H ]

[Files/Folders - Modified Within 30 days]
049a4e83d2f1253c9188f5d367 -> %SystemDrive%\049a4e83d2f1253c9188f5d367 -> [Folder | Modified Date = 2/28/2008 8:36:15 PM | Attr = ]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 211 bytes | Modified Date = 3/14/2008 9:44:56 PM | Attr = RHS]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 3/11/2008 10:40:59 AM | Attr = H ]
Deckard -> %SystemDrive%\Deckard -> [Folder | Modified Date = 3/15/2008 4:08:14 PM | Attr = ]
Documents and Settings -> %SystemDrive%\Documents and Settings -> [Folder | Modified Date = 3/11/2008 10:32:48 AM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 535613440 bytes | Modified Date = 3/20/2008 9:42:29 AM | Attr = HS]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 3/12/2008 7:12:55 PM | Attr = ]
RECYCLER -> %SystemDrive%\RECYCLER -> [Folder | Modified Date = 3/11/2008 10:35:14 AM | Attr = HS]
System Volume Information -> %SystemDrive%\System Volume Information -> [Folder | Modified Date = 3/11/2008 4:56:51 PM | Attr = HS]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Modified Date = 3/15/2008 1:18:07 PM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 3/17/2008 9:43:39 PM | Attr = ]
etc -> %SystemRoot%\System32\drivers\etc -> [Folder | Modified Date = 3/12/2008 7:21:17 PM | Attr = ]
HOSTS -> %SystemRoot%\System32\drivers\etc\HOSTS -> [Ver = | Size = 676160 bytes | Modified Date = 3/9/2008 1:49:00 AM | Attr = ]
HOSTS.MVP -> %SystemRoot%\System32\drivers\etc\HOSTS.MVP -> [Ver = | Size = 676160 bytes | Modified Date = 3/9/2008 1:49:00 AM | Attr = ]
fidbox.dat -> %SystemRoot%\System32\drivers\fidbox.dat -> [Ver = | Size = 15085088 bytes | Modified Date = 3/20/2008 10:21:02 AM | Attr = HS]
fidbox.idx -> %SystemRoot%\System32\drivers\fidbox.idx -> [Ver = | Size = 203012 bytes | Modified Date = 3/20/2008 1:10:30 AM | Attr = HS]
PnkBstrK.sys -> %SystemRoot%\System32\drivers\PnkBstrK.sys -> [Ver = | Size = 22328 bytes | Modified Date = 3/6/2008 7:49:32 PM | Attr = ]
CatRoot -> %SystemRoot%\System32\CatRoot -> [Folder | Modified Date = 3/2/2008 10:17:04 AM | Attr = ]
6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
CatRoot2 -> %SystemRoot%\System32\CatRoot2 -> [Folder | Modified Date = 3/20/2008 9:45:57 AM | Attr = ]
config -> %SystemRoot%\System32\config -> [Folder | Modified Date = 3/9/2008 8:18:52 PM | Attr = ]
DirectX -> %SystemRoot%\System32\DirectX -> [Folder | Modified Date = 2/28/2008 11:49:51 PM | Attr = ]
dllcache -> %SystemRoot%\System32\dllcache -> [Folder | Modified Date = 3/2/2008 12:13:21 AM | Attr = RHS]
drivers -> %SystemRoot%\System32\drivers -> [Folder | Modified Date = 3/1/2008 3:37:01 PM | Attr = ]
DRVSTORE -> %SystemRoot%\System32\DRVSTORE -> [Folder | Modified Date = 2/29/2008 12:35:56 PM | Attr = ]
java.exe -> %SystemRoot%\System32\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.50.13 | Size = 135168 bytes | Modified Date = 2/22/2008 1:23:35 AM | Attr = ]
javacpl.cpl -> %SystemRoot%\System32\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.50.13 | Size = 69632 bytes | Modified Date = 2/22/2008 2:33:31 AM | Attr = ]
javaw.exe -> %SystemRoot%\System32\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.50.13 | Size = 135168 bytes | Modified Date = 2/22/2008 1:23:39 AM | Attr = ]
javaws.exe -> %SystemRoot%\System32\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.50.13 | Size = 139264 bytes | Modified Date = 2/22/2008 2:33:32 AM | Attr = ]
Kaspersky Lab -> %SystemRoot%\System32\Kaspersky Lab -> [Folder | Modified Date = 3/17/2008 11:45:41 AM | Attr = ]
Macromed -> %SystemRoot%\System32\Macromed -> [Folder | Modified Date = 2/28/2008 8:30:42 PM | Attr = ]
nvapps.xml -> %SystemRoot%\System32\nvapps.xml -> [Ver = | Size = 29204 bytes | Modified Date = 3/20/2008 9:43:49 AM | Attr = ]
perfc009.dat -> %SystemRoot%\System32\perfc009.dat -> [Ver = | Size = 53608 bytes | Modified Date = 3/9/2008 8:24:33 PM | Attr = ]
perfh009.dat -> %SystemRoot%\System32\perfh009.dat -> [Ver = | Size = 383254 bytes | Modified Date = 3/9/2008 8:24:33 PM | Attr = ]
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI -> [Ver = | Size = 443556 bytes | Modified Date = 3/9/2008 8:24:33 PM | Attr = ]
PnkBstrA.exe -> %SystemRoot%\System32\PnkBstrA.exe -> [Ver = | Size = 66872 bytes | Modified Date = 3/1/2008 3:33:09 PM | Attr = ]
PnkBstrB.exe -> %SystemRoot%\System32\PnkBstrB.exe -> [Ver = | Size = 107832 bytes | Modified Date = 3/6/2008 7:41:18 PM | Attr = ]
Restore -> %SystemRoot%\System32\Restore -> [Folder | Modified Date = 3/11/2008 4:56:51 PM | Attr = ]
vsconfig.xml -> %SystemRoot%\System32\vsconfig.xml -> [Ver = | Size = 353368 bytes | Modified Date = 3/20/2008 9:45:29 AM | Attr = H ]
wbem -> %SystemRoot%\System32\wbem -> [Folder | Modified Date = 3/9/2008 8:22:27 PM | Attr = ]
wpa.bak -> %SystemRoot%\System32\wpa.bak -> [Ver = | Size = 12540 bytes | Modified Date = 3/11/2008 11:27:19 AM | Attr = ]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [Ver = | Size = 12598 bytes | Modified Date = 3/20/2008 9:44:40 AM | Attr = ]
xfcodec.dll -> %SystemRoot%\System32\xfcodec.dll -> [Ver = 30130 | Size = 54608 bytes | Modified Date = 2/20/2008 6:57:30 PM | Attr = ]
BlendSettings.ini -> %SystemRoot%\BlendSettings.ini -> [Ver = | Size = 23 bytes | Modified Date = 3/10/2008 9:14:49 PM | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 3/20/2008 9:42:34 AM | Attr = S]
Cursors -> %SystemRoot%\Cursors -> [Folder | Modified Date = 2/28/2008 11:51:25 PM | Attr = ]
6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 3/12/2008 2:14:49 PM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 3/17/2008 11:45:44 AM | Attr = S]
ERDNT -> %SystemRoot%\ERDNT -> [Folder | Modified Date = 3/15/2008 4:33:12 PM | Attr = ]
EReg077.dat -> %SystemRoot%\EReg077.dat -> [Ver = | Size = 302 bytes | Modified Date = 3/1/2008 8:02:41 PM | Attr = ]

Mokie
2008-03-20, 19:09
And Part III:

Help -> %SystemRoot%\Help -> [Folder | Modified Date = 3/12/2008 4:07:15 PM | Attr = ]
hpoins17.dat -> %SystemRoot%\hpoins17.dat -> [Ver = | Size = 147275 bytes | Modified Date = 2/29/2008 12:45:27 PM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 3/17/2008 11:45:41 AM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 3/11/2008 10:41:00 AM | Attr = HS]
Internet Logs -> %SystemRoot%\Internet Logs -> [Folder | Modified Date = 3/20/2008 10:23:51 AM | Attr = ]
Minidump -> %SystemRoot%\Minidump -> [Folder | Modified Date = 3/9/2008 3:54:45 PM | Attr = ]
mozver.dat -> %SystemRoot%\mozver.dat -> [Ver = | Size = 1840 bytes | Modified Date = 3/7/2008 9:30:56 AM | Attr = ]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [Ver = | Size = 69 bytes | Modified Date = 3/3/2008 1:13:18 AM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 3/20/2008 10:24:59 AM | Attr = ]
pss -> %SystemRoot%\pss -> [Folder | Modified Date = 3/11/2008 11:11:26 AM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Modified Date = 2/25/2008 2:14:43 PM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 2/25/2008 2:21:42 PM | Attr = H ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 3/9/2008 8:18:22 PM | Attr = ]
security -> %SystemRoot%\security -> [Folder | Modified Date = 3/15/2008 1:40:19 AM | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 227 bytes | Modified Date = 3/14/2008 9:44:56 PM | Attr = ]
system32 -> %SystemRoot%\system32 -> [Folder | Modified Date = 3/17/2008 11:45:41 AM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 3/20/2008 9:45:55 AM | Attr = S]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 3/20/2008 10:24:50 AM | Attr = ]
twain_32 -> %SystemRoot%\twain_32 -> [Folder | Modified Date = 2/29/2008 12:38:56 PM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 659 bytes | Modified Date = 3/14/2008 9:44:56 PM | Attr = ]
WinSxS -> %SystemRoot%\WinSxS -> [Folder | Modified Date = 2/29/2008 12:01:14 AM | Attr = ]
Ad-Aware 2007.job -> %SystemRoot%\tasks\Ad-Aware 2007.job -> [Ver = | Size = 296 bytes | Modified Date = 3/20/2008 9:42:56 AM | Attr = ]
AVG Free Control Center.job -> %SystemRoot%\tasks\AVG Free Control Center.job -> [Ver = | Size = 286 bytes | Modified Date = 3/7/2008 6:00:00 PM | Attr = ]
MP Scheduled Scan.job -> %SystemRoot%\tasks\MP Scheduled Scan.job -> [Ver = | Size = 330 bytes | Modified Date = 3/20/2008 9:45:55 AM | Attr = H ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 3/20/2008 9:42:56 AM | Attr = H ]
hhcolreg.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help\hhcolreg.dat -> [Ver = | Size = 12784 bytes | Modified Date = 3/12/2008 4:19:09 PM | Attr = ]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [Ver = | Size = 4232 bytes | Modified Date = 3/18/2008 12:41:27 PM | Attr = ]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [Ver = | Size = 5454 bytes | Modified Date = 3/18/2008 12:41:27 PM | Attr = ]
opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat -> [Ver = | Size = 11088 bytes | Modified Date = 12/27/2005 9:35:24 PM | Attr = ]

[File String Scan - Non-Microsoft Only]
Thawte Consulting , -> %SystemRoot%\System32\AbaleZip.dll -> Abale.com (info@abale.com) [Ver = 5.0.3.0 | Size = 287256 bytes | Modified Date = 3/18/2007 9:12:02 PM | Attr = R ]
UPX! , UPX0 , -> %SystemRoot%\System32\avisynth.dll -> The Public [Ver = 2, 5, 5, 0 | Size = 284672 bytes | Modified Date = 9/1/2004 7:49:56 AM | Attr = ]
PEC2 , -> %SystemRoot%\System32\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 3/31/2003 5:00:00 AM | Attr = ]
WSUD , -> %SystemRoot%\System32\nvoglnt.dll -> NVIDIA Corporation [Ver = 6.14.10.7777 | Size = 5140480 bytes | Modified Date = 7/20/2005 6:07:00 PM | Attr = ]
UPX! , UPX0 , -> %SystemRoot%\System32\SrchSTS.exe -> S!Ri [Ver = | Size = 288417 bytes | Modified Date = 4/27/2006 5:49:30 PM | Attr = ]
winsync , -> %SystemRoot%\System32\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 3/31/2003 5:00:00 AM | Attr = ]
WSUD , UPX0 , -> %SystemRoot%\System32\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 3/31/2003 5:00:00 AM | Attr = ]
PTech , -> %SystemRoot%\System32\dllcache\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/3/2004 10:41:37 PM | Attr = ]
UPX! , FSG! , PEC2 , aspack , -> %SystemRoot%\System32\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.498 | Size = 821856 bytes | Modified Date = 10/23/2007 2:07:38 PM | Attr = ]
PTech , -> %SystemRoot%\System32\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/3/2004 10:41:37 PM | Attr = ]
qoologic , PTech , SAHAgent , web-nex , ad-w-a-r-e.com , -> %SystemRoot%\System32\drivers\etc\HOSTS -> [Ver = | Size = 676160 bytes | Modified Date = 3/9/2008 1:49:00 AM | Attr = ]
qoologic , PTech , SAHAgent , web-nex , ad-w-a-r-e.com , -> %SystemRoot%\System32\drivers\etc\HOSTS.MVP -> [Ver = | Size = 676160 bytes | Modified Date = 3/9/2008 1:49:00 AM | Attr = ]

< End of report >
[/code]

Shaba
2008-03-20, 19:15
Hi

I don't see anything bad there.

Did you save spybot scan report?

Mokie
2008-03-20, 21:41
Unfortunately, I didn't, although I did run one again (yesterday, I think) and it was clean.

I sure wish I could figure out how someone got into my hotmail, but maybe I'll do a little research on that myself to see what made me vulnerable.

Just curious, on my OTScanit, what is this entry?

[File String Scan - Non-Microsoft Only]Thawte Consulting , -> %SystemRoot%\System32\AbaleZip.dll -> Abale.com (info@abale.com)

It installed in 2007, but I sure would like to know what it's for. Thank you for all your help!

Shaba
2008-03-21, 13:44
Hi

It's related to this (http://www.abale.com/)

Any other concerns?

Mokie
2008-03-21, 19:51
Thank you for that link. No, I think you have been extremely helpful in making sure that my system is clean. As I said, I will dig in and do my own research about Hotmail and vulnerabilities. I really appreciate your assistance. Until next time ;)

Mokie

Shaba
2008-03-21, 19:53
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with the instructions from the tutorial above.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites, etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free Google Toolbar to help stop pop-up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean! :bigthumb:
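A defender-side check for the HOSTS file discussed in the post above, written here as an added example (not Shaba's, MVPS's or any tool's own code): it parses a HOSTS file, counts the 127.0.0.1 "sink" entries an MVPS-style blocklist adds, and flags any name that is instead mapped to a real address, which is how a tampered HOSTS file silently sends a login to the wrong host. The sample lines and the 198.51.100.7 address are constructed for the example.

```python
import ipaddress

# Addresses an ad-blocking HOSTS file legitimately points names at:
# traffic for those names goes nowhere instead of to the ad server.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (address, hostname) pairs from HOSTS-file text.

    Handles '#' comments, blank lines, tabs/spaces, and lines that map
    several names to one address. Lines whose first field is not an IP
    address are skipped.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield fields[0], name.lower()


def audit_hosts(text):
    """Separate HOSTS entries into blocklist sinks and real redirects.

    Returns a dict with:
      'sinks'     - number of names pointed at a sink address
      'redirects' - list of (address, name) for names pointed anywhere
                    else; each one sends that name's traffic to a real host
      'localhost' - the address 'localhost' itself resolves to, or None
    """
    sinks = 0
    redirects = []
    localhost = None
    for addr, name in parse_hosts(text):
        if name == "localhost":
            localhost = addr          # must stay on loopback
            continue
        if addr in SINK_ADDRESSES:
            sinks += 1
        else:
            redirects.append((addr, name))
    return {"sinks": sinks, "redirects": redirects, "localhost": localhost}


# Constructed sample: the stock localhost line, three MVPS-style block
# entries, and one entry of the kind a tampered file would contain
# (198.51.100.7 is a documentation address, not a real host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ads.example.net   # MVPS-style block entry
127.0.0.1  banner.example.org
0.0.0.0    tracker.example.com
198.51.100.7   login.example-mail.test
"""

if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{report['sinks']} names sunk; localhost -> {report['localhost']}")
    for addr, name in report["redirects"]:
        print(f"REVIEW: {name} is mapped to {addr}")
```

Point the script at %SystemRoot%\System32\drivers\etc\HOSTS (the file listed in the OTScanIt log) and any line reported as REVIEW deserves a look, since a blocklist never needs a non-loopback address.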

Mokie
2008-03-21, 20:00
Thank you! I will follow your instructions as directed.

Shaba
2008-03-23, 11:36
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.