View Full Version : Virtumonde and Smitfraud-C.
The Warden
2008-08-18, 06:41
Hi. I am a victom of Virtumonde and Smitfraud-C. and cannot remove them with a Spybot sweep. Spybot identifies them and cleans them, but they immediately return. I have run Spybot (advanced mode) in normal Windows operating mode and in Safe Mode. Same results for both. I am running Windows XP.
These programs have made my web access almost impossible to get on line.
Anyone's help on how to remove these will be greatly appreciated.
Thank you very much!
I JUST MOVED THIS THREAD TO THIS LOCATION AND PROVIDED A HIJACKTHIS STRING BELOW AS INSTRUCTED BY ONE OF YOUR SENIOR MEMBERS. THANK YOU FOR YOUR ASSISTANCE!!!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:31 PM, on 8/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\letgpgbo\bolynyzy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
C:\WINDOWS\system32\fsvepgni.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\HOMECO~1\X10COM32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark Fanjoy\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R800 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P32 "EPSON Stylus Photo R800 (Copy 1)" /O5 "LPT1:" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB001" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI8JA.EXE /FU "C:\DOCUME~1\MARKFA~1\LOCALS~1\Temp\E_S123.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [uiapiset] C:\WINDOWS\system32\fsvepgni.exe
O4 - HKLM\..\Policies\Explorer\Run: [6E5Gg3vDdM] C:\Documents and Settings\All Users\Application Data\letgpgbo\bolynyzy.exe
O4 - Startup: X10 Communications Link.lnk = C:\Program Files\Home Control\X10BURST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/26.34/uploader2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192746063328
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213762217531
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://longsdrugs.digitalcameradeveloping.com/upload/FujifilmUploadClient.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O21 - SSODL: setdbutil - {282DFFB1-C51A-000A-53E2-06B769136807} - C:\Program Files\vvkyowb\setdbutil.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\MARKFA~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
--
End of file - 10257 bytes
Baabiouz
2008-08-18, 07:15
Hello :)
I will be handling your log to help you get cleaned up. :greeting:
Step #1
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Step #2
Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.exe)
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm (http://www.beyondlogic.org/consulting/processutil/processutil.htm)
Step #3
Please post a fresh hijackThis log, Combofix log and Smitfraudfix log back here :)
The Warden
2008-08-18, 10:10
Okay, thank you for your help. I followed your instructions. However, I cannot find the .txt report for Combofix. It just runs then re starts the computer. By the way, after running Combofix, things are worse. A new desktop background screen has replaced my original background saying "WARNING You have a Virus. Install Anti Virus Software..." Also, a program called AntiVirus XP 2008 is trying to install.
Here is the updated HiJackThis report after running Combofix.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:01, on 2008-08-18
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\letgpgbo\bolynyzy.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
C:\WINDOWS\system32\fsvepgni.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\HOMECO~1\X10COM32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\lodedgni.exe
C:\Documents and Settings\Mark Fanjoy\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R800 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P32 "EPSON Stylus Photo R800 (Copy 1)" /O5 "LPT1:" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB001" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [uiapiset] C:\WINDOWS\system32\fsvepgni.exe
O4 - HKLM\..\Policies\Explorer\Run: [6E5Gg3vDdM] C:\Documents and Settings\All Users\Application Data\letgpgbo\bolynyzy.exe
O4 - Startup: X10 Communications Link.lnk = C:\Program Files\Home Control\X10BURST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/26.34/uploader2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192746063328
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213762217531
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://longsdrugs.digitalcameradeveloping.com/upload/FujifilmUploadClient.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O21 - SSODL: setdbutil - {282DFFB1-C51A-000A-53E2-06B769136807} - C:\Program Files\vvkyowb\setdbutil.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\MARKFA~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
--
End of file - 10075 bytes
Baabiouz
2008-08-18, 17:06
Hello
Please run Smitfraudfix and OtScanIt:
Please download OTScanIt.exe (http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe) from Bleeping Computer by OldTimer and save it to your desktop.
Double click on OTScanIt.exe to run it.
Click on Extract. Once done, you will be prompted. Click OK and click Close.
Double click on the OTScanIt folder. Double click on OTScanIt.exe to run it.
Under Drivers section, select Non-Microsoft.
Click on the Run Scan button at the top left hand corner.
OTScanIt will start running. Once done, Notepad will open. Please post the contents of this Notepad file in your next reply.
The Warden
2008-08-19, 00:10
Hi. Sorry for the delay. I posted the reports you requested this morning, but I did not realize the string was too long and it did not post. Here is Smitfraud Report first. OTSScanIt report coming in next string...
Thank you!!
SmitFraudFix v2.338
Scan done at 14:03:53.12, 2008-08-18
Run from C:\Documents and Settings\Mark Fanjoy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\letgpgbo\bolynyzy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\fsvepgni.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\lodedgni.exe
C:\Documents and Settings\Mark Fanjoy\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mark Fanjoy
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mark Fanjoy\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MARKFA~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» RK
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D9E2E5DA-3A33-4029-AB04-5604BAF1F558}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D9E2E5DA-3A33-4029-AB04-5604BAF1F558}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D9E2E5DA-3A33-4029-AB04-5604BAF1F558}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
The Warden
2008-08-19, 00:12
Okay, OTSScanIt Report is too long. I have to cut it in half. Here is first half...
OTSScanIt Report
[code]
OTScanIt logfile created on: 2008-08-18 14:05:04
OTScanIt by OldTimer - Version 1.0.16.2 Folder = C:\Documents and Settings\Mark Fanjoy\Desktop\OTScanIt
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd
2.00 Gb Total Physical Memory | 1.52 Gb Available Physical Memory | 76.20% Memory free
2.60 Gb Paging File | 2.36 Gb Available in Paging File | 90.62% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 41.15 Gb Free Space | 55.22% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 465.76 Gb Total Space | 344.15 Gb Free Space | 73.89% Space Free | Partition Type: NTFS
Drive G: | 279.47 Gb Total Space | 181.72 Gb Free Space | 65.02% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: MARKOFFICE
Current User Name: Mark Fanjoy
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
[Processes - Non-Microsoft Only]
ccsetmgr.exe -> %CommonProgramFiles%\Symantec Shared\ccSetMgr.exe -> Symantec Corporation [Ver = 2.2.0.577 | Size = 242808 bytes | Modified Date = 2004-02-29 16:44:54 | Attr = ]
ccevtmgr.exe -> %CommonProgramFiles%\Symantec Shared\ccEvtMgr.exe -> Symantec Corporation [Ver = 2.2.0.577 | Size = 255096 bytes | Modified Date = 2004-02-29 16:44:48 | Attr = ]
defwatch.exe -> %ProgramFiles%\Symantec AntiVirus\DefWatch.exe -> Symantec Corporation [Ver = 9.0.0.338 | Size = 29928 bytes | Modified Date = 2004-03-12 15:17:10 | Attr = ]
e_s40rp7.exe -> %AllUsersProfile%\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE -> SEIKO EPSON CORPORATION [Ver = 4.02 | Size = 113664 bytes | Modified Date = 2007-01-11 05:02:00 | Attr = ]
nvsvc32.exe -> %SystemRoot%\system32\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.11.6375 | Size = 155716 bytes | Modified Date = 2007-10-04 18:14:00 | Attr = ]
psiservice.exe -> %SystemRoot%\system32\PSIService.exe -> [Ver = 2.0.0.1 | Size = 174656 bytes | Modified Date = 2006-11-02 21:40:12 | Attr = ]
wacom_tablet.exe -> %SystemRoot%\system32\Wacom_Tablet.exe -> Wacom Technology, Corp. [Ver = 6.0.5-7 | Size = 1373480 bytes | Modified Date = 2007-09-07 11:40:04 | Attr = ]
x10nets.exe -> %CommonProgramFiles%\X10\Common\X10nets.exe -> X10 [Ver = 1, 0, 0, 1 | Size = 20480 bytes | Modified Date = 2001-11-12 14:31:48 | Attr = ]
wacom_tabletuser.exe -> %SystemRoot%\system32\WTablet\Wacom_TabletUser.exe -> Wacom Technology, Corp. [Ver = 6.0.5-7 | Size = 132392 bytes | Modified Date = 2007-09-07 11:40:34 | Attr = ]
wacom_tablet.exe -> %SystemRoot%\system32\Wacom_Tablet.exe -> Wacom Technology, Corp. [Ver = 6.0.5-7 | Size = 1373480 bytes | Modified Date = 2007-09-07 11:40:04 | Attr = ]
bolynyzy.exe -> %AllUsersProfile%\Application Data\letgpgbo\bolynyzy.exe -> [Ver = | Size = 61440 bytes | Modified Date = 2008-08-16 20:33:50 | Attr = ]
em_exec.exe -> %ProgramFiles%\Logitech\MouseWare\system\EM_EXEC.EXE -> Logitech Inc. [Ver = 9.79.019 | Size = 37888 bytes | Modified Date = 2003-11-14 09:50:00 | Attr = ]
fsvepgni.exe -> %SystemRoot%\system32\fsvepgni.exe -> [Ver = | Size = 86016 bytes | Modified Date = 2008-08-16 20:33:48 | Attr = ]
acrotray.exe -> %ProgramFiles%\Adobe\Acrobat 6.0\Distillr\acrotray.exe -> Adobe Systems Inc. [Ver = 6.0.1.2003102300 | Size = 217194 bytes | Modified Date = 2003-10-23 21:37:56 | Attr = ]
lodedgni.exe -> %SystemRoot%\system32\lodedgni.exe -> File not found
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.16.2 | Size = 397312 bytes | Modified Date = 2008-07-12 09:29:54 | Attr = ]
[Win32 Services - Non-Microsoft Only]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> Adobe Systems [Ver = 2.67.010 | Size = 72704 bytes | Modified Date = 2007-10-19 16:55:18 | Attr = ]
(ccEvtMgr) Symantec Event Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccEvtMgr.exe -> Symantec Corporation [Ver = 2.2.0.577 | Size = 255096 bytes | Modified Date = 2004-02-29 16:44:48 | Attr = ]
(ccPwdSvc) Symantec Password Validation [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\ccPwdSvc.exe -> Symantec Corporation [Ver = 2.2.0.577 | Size = 87160 bytes | Modified Date = 2004-02-29 16:44:52 | Attr = ]
(ccSetMgr) Symantec Settings Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccSetMgr.exe -> Symantec Corporation [Ver = 2.2.0.577 | Size = 242808 bytes | Modified Date = 2004-02-29 16:44:54 | Attr = ]
(DefWatch) Symantec AntiVirus Definition Watcher [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec AntiVirus\DefWatch.exe -> Symantec Corporation [Ver = 9.0.0.338 | Size = 29928 bytes | Modified Date = 2004-03-12 15:17:10 | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.5512.503.0 | Size = 224768 bytes | Modified Date = 2008-04-13 17:12:17 | Attr = ]
(EPSON_PM_RPCV4_01) EPSON V3 Service4(01) [Win32_Own | Auto | Running] -> %AllUsersProfile%\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE -> SEIKO EPSON CORPORATION [Ver = 4.02 | Size = 113664 bytes | Modified Date = 2007-01-11 05:02:00 | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.711.37800.beta | Size = 136120 bytes | Modified Date = 2007-01-03 18:40:21 | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 2005-04-04 01:41:10 | Attr = ]
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.11.6375 | Size = 155716 bytes | Modified Date = 2007-10-04 18:14:00 | Attr = ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\system32\hpzipm12.exe -> HP [Ver = 7, 0, 5, 0 | Size = 65536 bytes | Modified Date = 2003-10-22 10:19:22 | Attr = ]
(ProtexisLicensing) ProtexisLicensing [Win32_Own | Auto | Running] -> %SystemRoot%\system32\PSIService.exe -> [Ver = 2.0.0.1 | Size = 174656 bytes | Modified Date = 2006-11-02 21:40:12 | Attr = ]
(RoxLiveShare10) LiveShare P2P Server 10 [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe -> File not found
(SavRoam) SavRoam [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Symantec AntiVirus\SavRoam.exe -> symantec [Ver = 1.5.0.0 | Size = 169192 bytes | Modified Date = 2004-03-12 15:18:06 | Attr = ]
(SessionLauncher) SessionLauncher [Win32_Own | Auto | Stopped] -> %SystemDrive%\DOCUME~1\MARKFA~1\LOCALS~1\Temp\DX9\SessionLauncher.exe -> File not found
(SNDSrvc) Symantec Network Drivers Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\SNDSrvc.exe -> Symantec Corporation [Ver = 5.3.0.46 | Size = 193760 bytes | Modified Date = 2004-03-11 14:58:32 | Attr = ]
(Symantec AntiVirus) Symantec AntiVirus [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Symantec AntiVirus\Rtvscan.exe -> Symantec Corporation [Ver = 9.0.0.338 | Size = 1221864 bytes | Modified Date = 2004-03-12 15:17:46 | Attr = ]
(TabletServiceWacom) TabletServiceWacom [Win32_Own | Auto | Running] -> %SystemRoot%\system32\Wacom_Tablet.exe -> Wacom Technology, Corp. [Ver = 6.0.5-7 | Size = 1373480 bytes | Modified Date = 2007-09-07 11:40:04 | Attr = ]
(x10nets) X10 Device Network Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\X10\Common\X10nets.exe -> X10 [Ver = 1, 0, 0, 1 | Size = 20480 bytes | Modified Date = 2001-11-12 14:31:48 | Attr = ]
[Driver Services - Non-Microsoft Only]
(ALCXWDM) Service for Realtek AC97 Audio (WDM) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\alcxwdm.sys -> Realtek Semiconductor Corp. [Ver = 5.10.00.5930 built by: WinDDK | Size = 3727680 bytes | Modified Date = 2005-09-22 16:34:18 | Attr = ]
(AnyDVD) AnyDVD [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\AnyDVD.sys -> SlySoft, Inc. [Ver = 6.4.5.9 | Size = 99648 bytes | Modified Date = 2008-08-01 06:27:35 | Attr = ]
(Aspi32) Aspi32 [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\ASPI32.SYS -> Adaptec [Ver = 4.71 (0002) built by: WinDDK | Size = 16512 bytes | Modified Date = 2008-05-05 23:01:28 | Attr = ]
(catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\ComboFix\catchme.sys -> File not found
(cvspydr2) ColorVision Spyder 2 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\cvspydr2.sys -> Colorvision Inc [Ver = 1.0 built by: WinDDK | Size = 33024 bytes | Modified Date = 2002-04-02 17:30:16 | Attr = ]
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.5512.503.0 | Size = 799744 bytes | Modified Date = 2008-04-13 11:44:48 | Attr = ]
(dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.5512.503.0 | Size = 153344 bytes | Modified Date = 2008-04-13 11:44:46 | Attr = ]
(dmload) dmload [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 2003-11-08 05:00:00 | Attr = ]
(eeCtrl) Symantec Eraser Control driver [Kernel | System | Running] -> %CommonProgramFiles%\Symantec Shared\EENGINE\eeCtrl.sys -> Symantec Corporation [Ver = 107.4.1.2 | Size = 385072 bytes | Modified Date = 2008-04-14 01:00:00 | Attr = ]
(ElbyCDIO) ElbyCDIO Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\ElbyCDIO.sys -> Elaborate Bytes AG [Ver = 6, 0, 1, 2 | Size = 24392 bytes | Modified Date = 2008-07-21 05:11:58 | Attr = ]
(giveio) giveio [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\giveio.sys -> [Ver = | Size = 5248 bytes | Modified Date = 2007-11-27 12:40:32 | Attr = ]
(L8042pr2) Logitech PS/2 Mouse Filter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\L8042pr2.Sys -> Logitech, Inc. [Ver = 9.79.16.0 | Size = 51486 bytes | Modified Date = 2003-11-07 02:50:00 | Attr = ]
(LF30FS) LF30FS [Kernel | Auto | Running] -> %ProgramFiles%\Everstrike Software\Lock Folder XP 3.6\LF30XP.sys -> [Ver = | Size = 101488 bytes | Modified Date = 2004-11-19 18:07:00 | Attr = ]
(LMouFlt2) Logitech Mouse Class Filter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\LMouFlt2.Sys -> Logitech, Inc. [Ver = 9.79.16.0 | Size = 70798 bytes | Modified Date = 2003-11-07 02:50:00 | Attr = ]
(MaxtorFrontPanel1) Maxtor 1394 Storage Front Panel Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\mxofwfp.sys -> Maxtor Corp. [Ver = 1,1,0,0 | Size = 19712 bytes | Modified Date = 2003-03-13 13:23:28 | Attr = ]
(mr7910) Photo Viewer [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\mr7910.sys -> Mars Semiconductor Corp. [Ver = v2.0 | Size = 113664 bytes | Modified Date = 2005-06-28 12:32:14 | Attr = ]
(MXOPSWD) Maxtor OneTouch Security Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\mxopswd.sys -> Maxtor Corp. [Ver = 1,0,6,0 | Size = 15360 bytes | Modified Date = 2004-10-07 10:21:22 | Attr = ]
(NAVENG) NAVENG [Kernel | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\VirusDefs\20080816.003\NAVENG.SYS -> Symantec Corporation [Ver = 20081.1.1.13 | Size = 89936 bytes | Modified Date = 2008-08-16 01:00:00 | Attr = ]
(NAVEX15) NAVEX15 [Kernel | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\VirusDefs\20080816.003\NAVEX15.SYS -> Symantec Corporation [Ver = 20081.1.1.13 | Size = 856336 bytes | Modified Date = 2008-08-16 01:00:00 | Attr = ]
(nv) nv [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\nv4_mini.sys -> NVIDIA Corporation [Ver = 6.14.11.6375 | Size = 6854464 bytes | Modified Date = 2007-10-04 18:14:00 | Attr = ]
(pcouffin) VSO Software pcouffin [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\pcouffin.sys -> VSO Software [Ver = 1.37 | Size = 47360 bytes | Modified Date = 2008-06-15 13:11:47 | Attr = ]
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 2003-11-08 05:00:00 | Attr = ]
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\pxhelp20.sys -> Sonic Solutions [Ver = 3.00.67a | Size = 43872 bytes | Modified Date = 2007-07-26 03:00:00 | Attr = ]
(rtl8139) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\rtl8139.sys -> Realtek Semiconductor Corporation [Ver = 5.398.613.2003 built by: WinDDK | Size = 20992 bytes | Modified Date = 2004-08-03 22:31:32 | Attr = ]
(SAVRT) SAVRT [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Symantec AntiVirus\savrt.sys -> Symantec Corporation [Ver = 9.3.0.28 | Size = 301200 bytes | Modified Date = 2004-02-09 15:43:56 | Attr = R ]
(SAVRTPEL) SAVRTPEL [Kernel | Auto | Running] -> %ProgramFiles%\Symantec AntiVirus\Savrtpel.sys -> Symantec Corporation [Ver = 9.3.0.28 | Size = 37008 bytes | Modified Date = 2004-02-09 15:43:56 | Attr = R ]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\secdrv.sys -> Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. [Ver = 4.03.086 | Size = 20480 bytes | Modified Date = 2007-11-13 03:25:53 | Attr = ]
(SONYPVU1) Sony USB Filter Driver (SONYPVU1) [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\SONYPVU1.SYS -> Sony Corporation [Ver = 1.3.0526.0 (XPClient.010817-1148) | Size = 7552 bytes | Modified Date = 2001-08-17 14:56:16 | Attr = ]
(SymEvent) SymEvent [Kernel | On_Demand | Running] -> %ProgramFiles%\Symantec\SYMEVENT.SYS -> Symantec Corporation [Ver = 11.4.0.6 | Size = 82832 bytes | Modified Date = 2004-03-04 23:46:46 | Attr = ]
(SYMREDRV) SYMREDRV [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\symredrv.sys -> Symantec Corporation [Ver = 5.3.0.46 | Size = 16288 bytes | Modified Date = 2004-03-11 14:58:08 | Attr = ]
(SYMTDI) SYMTDI [Kernel | System | Running] -> %SystemRoot%\system32\drivers\symtdi.sys -> Symantec Corporation [Ver = 5.3.0.46 | Size = 263616 bytes | Modified Date = 2004-03-11 14:58:10 | Attr = ]
(TPkd) TPkd [Kernel | Boot | Running] -> %SystemRoot%\System32\drivers\TPkd.sys -> PACE Anti-Piracy, Inc. [Ver = 5.3.0.2339 | Size = 69920 bytes | Modified Date = 2005-09-27 00:00:02 | Attr = ]
(wacommousefilter) Wacom Mouse Filter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\wacommousefilter.sys -> Wacom Technology [Ver = 1.2.0002.0 | Size = 11312 bytes | Modified Date = 2007-02-16 11:12:36 | Attr = ]
(wacomvhid) Wacom Virtual Hid Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\wacomvhid.sys -> Wacom Technology [Ver = 2.8.0000.0 | Size = 12848 bytes | Modified Date = 2007-02-16 10:30:12 | Attr = ]
(WacomVKHid) Virtual Keyboard Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\WacomVKHid.sys -> Wacom Technology [Ver = 1.1.0000.0 | Size = 11440 bytes | Modified Date = 2007-02-15 16:11:28 | Attr = ]
(XUIF) X10 USB Wireless Transceiver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\x10ufx2.sys -> X10 Wireless Technology, Inc. [Ver = 3.0.0.187 | Size = 17792 bytes | Modified Date = 2005-05-19 16:52:58 | Attr = ]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
{0228e555-4f9c-4e35-a3ec-b109a192b4c2} -> %ProgramFiles%\Google\Gmail Notifier\gnotify.exe [C:\Program Files\Google\Gmail Notifier\gnotify.exe] -> Google Inc. [Ver = 1.0.25.0 | Size = 479232 bytes | Modified Date = 2005-07-15 14:48:33 | Attr = ]
Adobe Photo Downloader -> %ProgramFiles%\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe ["C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"] -> Adobe Systems Incorporated [Ver = 3.0.0.66984 | Size = 61440 bytes | Modified Date = 2008-04-01 13:21:56 | Attr = R ]
EPSON Stylus Photo R800 -> %SystemRoot%\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE [C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB001" /M "Stylus Photo R800"] -> File not found
EPSON Stylus Photo R800 (Copy 1) -> %SystemRoot%\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE [C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P32 "EPSON Stylus Photo R800 (Copy 1)" /O5 "LPT1:" /M "Stylus Photo R800"] -> File not found
Logitech Utility -> %SystemRoot%\LOGI_MWX.EXE [Logi_MwX.Exe] -> Logitech Inc. [Ver = 9.79.016 | Size = 19968 bytes | Modified Date = 2003-11-07 02:50:00 | Attr = ]
NeroFilterCheck -> %SystemRoot%\system32\NeroCheck.exe [C:\WINDOWS\system32\NeroCheck.exe] -> Nero AG [Ver = 1, 0, 0, 5 | Size = 155648 bytes | Modified Date = 2006-01-12 17:40:44 | Attr = ]
NvCplDaemon -> %SystemRoot%\system32\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 6.14.11.6375 | Size = 8491008 bytes | Modified Date = 2007-10-04 18:14:00 | Attr = ]
NvMediaCenter -> %SystemRoot%\system32\nvmctray.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit] -> NVIDIA Corporation [Ver = 6.14.11.6375 | Size = 81920 bytes | Modified Date = 2007-10-04 18:14:00 | Attr = ]
nwiz -> %SystemRoot%\system32\nwiz.exe [nwiz.exe /install] -> [Ver = | Size = 1626112 bytes | Modified Date = 2007-10-04 18:14:00 | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\QTTask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> Apple Inc. [Ver = 7.5 (861) | Size = 413696 bytes | Modified Date = 2008-05-27 10:50:30 | Attr = ]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL-> Installed = 1 ->
MAPI-> Installed = 1 ->
MSFS-> Installed = 1 ->
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
AnyDVD -> %ProgramFiles%\SlySoft\AnyDVD\AnyDVDtray.exe [C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe] -> SlySoft, Inc. [Ver = 6.4.5.9 | Size = 2161600 bytes | Modified Date = 2008-08-01 06:32:10 | Attr = ]
ISUSScheduler -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe ["C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start] -> Macrovision Corporation [Ver = 6, 0, 100, 54472 | Size = 86960 bytes | Modified Date = 2006-09-11 04:40:34 | Attr = ]
NBJ -> %ProgramFiles%\Ahead\Nero BackItUp\NBJ.exe ["C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"] -> Ahead Software AG [Ver = 1, 2, 0, 65 | Size = 2048000 bytes | Modified Date = 2006-09-15 15:27:00 | Attr = ]
SpybotSD TeaTimer -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe [C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe] -> Safer Networking Limited [Ver = 1, 6, 1, 22 | Size = 1829712 bytes | Modified Date = 2008-07-30 14:45:44 | Attr = RHS]
uiapiset -> %SystemRoot%\system32\fsvepgni.exe [C:\WINDOWS\system32\fsvepgni.exe] -> [Ver = | Size = 86016 bytes | Modified Date = 2008-08-16 20:33:48 | Attr = ]
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersProfile%\Start Menu\Programs\Startup\Acrobat Assistant.lnk -> %ProgramFiles%\Adobe\Acrobat 6.0\Distillr\acrotray.exe -> Adobe Systems Inc. [Ver = 6.0.1.2003102300 | Size = 217194 bytes | Modified Date = 2003-10-23 21:37:56 | Attr = ]
< Mark Fanjoy Startup Folder > -> C:\Documents and Settings\Mark Fanjoy\Start Menu\Programs\Startup ->
%UserProfile%\Start Menu\Programs\Startup\X10 Communications Link.lnk -> %ProgramFiles%\Home Control\X10BURST.EXE -> X-10 (USA) Inc. [Ver = 2.1.0B2.0.70 | Size = 79617 bytes | Modified Date = 2001-01-12 11:49:12 | Attr = ]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad ->
{282DFFB1-C51A-000A-53E2-06B769136807} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\vvkyowb\setdbutil.dll [setdbutil] -> [Ver = | Size = 106496 bytes | Modified Date = 2008-08-16 20:33:53 | Attr = ]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> %SystemRoot%\explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 1033728 bytes | Modified Date = 2008-04-13 17:12:19 | Attr = ]
*MultiFile Done* -> ->
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit ->
C:\WINDOWS\system32\userinit.exe -> %SystemRoot%\system32\userinit.exe -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 26112 bytes | Modified Date = 2008-04-13 17:12:38 | Attr = ]
*MultiFile Done* -> ->
*UIHost* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost ->
logonui.exe -> %SystemRoot%\system32\logonui.exe -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 514560 bytes | Modified Date = 2008-04-13 17:12:24 | Attr = ]
*MultiFile Done* -> ->
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet ->
rundll32 shell32 -> %SystemRoot%\system32\shell32.dll -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 8461312 bytes | Modified Date = 2008-04-13 17:12:05 | Attr = ]
Control_RunDLL "sysdm.cpl" -> %SystemRoot%\system32\sysdm.cpl -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2105) | Size = 300544 bytes | Modified Date = 2008-04-13 17:12:41 | Attr = ]
*MultiFile Done* -> ->
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
NavLogon -> %SystemRoot%\system32\NavLogon.dll -> Symantec Corporation [Ver = 9.0.0.338 | Size = 83176 bytes | Modified Date = 2004-03-12 15:17:24 | Attr = ]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\6E5Gg3vDdM -> %AllUsersProfile%\Application Data\letgpgbo\bolynyzy.exe [C:\Documents and Settings\All Users\Application Data\letgpgbo\bolynyzy.exe] -> [Ver = | Size = 61440 bytes | Modified Date = 2008-08-16 20:33:50 | Attr = ]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DisableRegistryTools -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideLegacyLogonScripts -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideLogoffScripts -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\RunLogonScriptSync -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\RunStartupScriptSync -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideStartupScripts -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> ->
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLegacyLogonScripts -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLogoffScripts -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunLogonScriptSync -> 1 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunStartupScriptSync -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideStartupScripts -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\NoDispBackgroundPage -> 1 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\NoDispScrSavPage -> 1 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> ->
< CDROM Autorun Settings > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->
*DependOnGroup* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DependOnGroup ->
SCSI miniport -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> %SystemRoot%\system32\drivers\cdrom.sys [System32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2108) | Size = 62976 bytes | Modified Date = 2008-04-13 11:40:46 | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun -> 1 ->
*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable ->
NEC MBR-7 -> -> File not found
NEC MBR-7.4 -> -> File not found
PIONEER CHANGR DRM-1804X -> -> File not found
PIONEER CD-ROM DRM-6324X -> -> File not found
PIONEER CD-ROM DRM-624X -> -> File not found
TORiSAN CD-ROM CDR_C36 -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\0 -> IDE\CdRomHL-DT-ST_DVD-RAM_GSA-H22L_______________1.02____\5&63387ad&0&0.0.0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\NextInstance -> 1 ->
< Drives - Autoruns > -> ->
AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] -> [Ver = | Size = 0 bytes | Modified Date = 2007-10-18 15:13:23 | Attr = ]
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\Start Page -> http://www.google.com/ig?source=gama ->
HKEY_CURRENT_USER\: ProxyEnable -> 0 ->
HKEY_CURRENT_USER\: ProxyOverride -> *.local ->
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4744 domain(s) found. ->
44 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4755 domain(s) found. ->
44 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> Adobe Systems Incorporated [Ver = 6.0.1.2003110300 | Size = 54248 bytes | Modified Date = 2003-11-03 15:17:44 | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> Safer Networking Limited [Ver = 1, 6, 0, 12 | Size = 1562448 bytes | Modified Date = 2008-07-30 14:45:34 | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 2007-09-25 01:11:33 | Attr = ]
{AE7CD045-E861-484f-8273-0445EE161910} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [AcroIEToolbarHelper Class] -> [Ver = | Size = 147456 bytes | Modified Date = 2003-05-15 01:03:46 | Attr = ]
< Internet Explorer Bars [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{182EC0BE-5110-49C8-A062-BEB1D02A220B} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [Ver = | Size = 147456 bytes | Modified Date = 2003-05-15 01:03:46 | Attr = ]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [Ver = | Size = 147456 bytes | Modified Date = 2003-05-15 01:03:46 | Attr = ]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > ->
The Warden
2008-08-19, 00:13
Here is second half of OTSScanIt Report....
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\{A6E4A4EB-D169-4E99-8988-250FCBAFE767} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [Ver = | Size = 147456 bytes | Modified Date = 2003-05-15 01:03:46 | Attr = ]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 2007-09-25 01:11:34 | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 2007-09-25 01:11:33 | Attr = ]
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 6, 0, 12 | Size = 1562448 bytes | Modified Date = 2008-07-30 14:45:34 | Attr = ]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{49515B9A-569E-47D8-9B37-CFFF8F5FE576} -> (1394 Net Adapter) ->
{BEE67631-AF88-4E19-9B26-EE5AE93EF00F} -> () ->
{D9E2E5DA-3A33-4029-AB04-5604BAF1F558} -> (Realtek RTL8139 Family PCI Fast Ethernet NIC) ->
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}[HKEY_LOCAL_MACHINE] -> http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab[QuickTime Object] ->
{406B5949-7190-4245-91A9-30A17DE16AD0}[HKEY_LOCAL_MACHINE] -> http://www.costcophotocenter.com/CostcoActivia.cab[Snapfish Activia] ->
{474F00F5-3853-492C-AC3A-476512BBC336}[HKEY_LOCAL_MACHINE] -> http://picasaweb.google.com/s/v/26.34/uploader2.cab[UploadListView Class] ->
{6414512B-B978-451D-A0D8-FCFDF33E833C}[HKEY_LOCAL_MACHINE] -> http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192746063328[WUWebControl Class] ->
{67A5F8DC-1A4B-4D66-9F24-A704AD929EEE}[HKEY_LOCAL_MACHINE] -> http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab[System Requirements Lab Class] ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}[HKEY_LOCAL_MACHINE] -> http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213762217531[MUWebControl Class] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] ->
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}[HKEY_LOCAL_MACHINE] -> http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab[Reg Error: Key does not exist or could not be opened.] ->
{9600F64D-755F-11D4-A47F-0001023E6D5A}[HKEY_LOCAL_MACHINE] -> http://web1.shutterfly.com/downloads/Uploader.cab[Shutterfly Picture Upload Plugin] ->
{A8683C98-5341-421B-B23C-8514C05354F1}[HKEY_LOCAL_MACHINE] -> http://longsdrugs.digitalcameradeveloping.com/upload/FujifilmUploadClient.cab[FujifilmUploader Class] ->
{A93D84FD-641F-43AE-B963-E6FA84BE7FE7}[HKEY_LOCAL_MACHINE] -> http://www.linksysfix.com/netcheck/67/install/gtdownls.cab[LinkSys Content Update] ->
{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab[Java Plug-in 1.5.0_01] ->
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] ->
{CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF}[HKEY_LOCAL_MACHINE] -> http://www.live365.com/players/play365.cab[Live365Player Class] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] ->
{DBA230D1-8467-4e69-987E-5FAE815A3B45}[HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] ->
DirectAnimation Java Classes[HKEY_LOCAL_MACHINE] -> file://C:\WINDOWS\Java\classes\dajava.cab[Reg Error: Key does not exist or could not be opened.] ->
Microsoft XML Parser for Java[HKEY_LOCAL_MACHINE] -> file://C:\WINDOWS\Java\classes\xmldso.cab[Reg Error: Key does not exist or could not be opened.] ->
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/FreeImage.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/FreeImage.dll\\.Owner -> {A8683C98-5341-421B-B23C-8514C05354F1} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/FreeImage.dll\\{A8683C98-5341-421B-B23C-8514C05354F1} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/FujifilmUploadClient.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/FujifilmUploadClient.dll\\.Owner -> {A8683C98-5341-421B-B23C-8514C05354F1} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/FujifilmUploadClient.dll\\{A8683C98-5341-421B-B23C-8514C05354F1} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/libcurl.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/libcurl.dll\\.Owner -> {A8683C98-5341-421B-B23C-8514C05354F1} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/libcurl.dll\\{A8683C98-5341-421B-B23C-8514C05354F1} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/Play365.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/Play365.dll\\.Owner -> {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/Play365.dll\\{CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/sfuploadplugin.ocx\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/sfuploadplugin.ocx\\.Owner -> {9600F64D-755F-11D4-A47F-0001023E6D5A} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/sfuploadplugin.ocx\\{9600F64D-755F-11D4-A47F-0001023E6D5A} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SnapfishActivia1000.ocx\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SnapfishActivia1000.ocx\\.Owner -> {406B5949-7190-4245-91A9-30A17DE16AD0} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SnapfishActivia1000.ocx\\{406B5949-7190-4245-91A9-30A17DE16AD0} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/sysreqlab2.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/sysreqlab2.dll\\.Owner -> {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/sysreqlab2.dll\\{67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/UploaderX.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/UploaderX.dll\\.Owner -> {474F00F5-3853-492C-AC3A-476512BBC336} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/UploaderX.dll\\{474F00F5-3853-492C-AC3A-476512BBC336} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcp71.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcp71.dll\\.Owner -> Unknown Owner ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcp71.dll\\{A8683C98-5341-421B-B23C-8514C05354F1} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcr71.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcr71.dll\\.Owner -> Unknown Owner ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcr71.dll\\{A8683C98-5341-421B-B23C-8514C05354F1} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/muweb.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/muweb.dll\\.Owner -> {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/muweb.dll\\{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/shfolder.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/shfolder.dll\\.Owner -> Unknown Owner ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/shfolder.dll\\{A8683C98-5341-421B-B23C-8514C05354F1} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/wuweb.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/wuweb.dll\\.Owner -> {6414512B-B978-451D-A0D8-FCFDF33E833C} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/wuweb.dll\\{6414512B-B978-451D-A0D8-FCFDF33E833C} -> ->
[Files/Folders - Created Within 30 days]
08.jpg -> %SystemDrive%\08.jpg -> [Ver = | Size = 172645 bytes | Created Date = 2008-08-15 13:28:08 | Attr = ]
11.jpg -> %SystemDrive%\11.jpg -> [Ver = | Size = 134167 bytes | Created Date = 2008-08-16 20:12:41 | Attr = ]
1217594129-Zr928H.jpg -> %SystemDrive%\1217594129-Zr928H.jpg -> [Ver = | Size = 100872 bytes | Created Date = 2008-08-03 23:32:44 | Attr = ]
1622624610_0ff31af956_o.jpg -> %SystemDrive%\1622624610_0ff31af956_o.jpg -> [Ver = | Size = 1055642 bytes | Created Date = 2008-08-05 22:04:50 | Attr = ]
22576300.jpg -> %SystemDrive%\22576300.jpg -> [Ver = | Size = 4114 bytes | Created Date = 2008-08-05 22:05:53 | Attr = ]
Acrobat Install Instructions.doc -> %SystemDrive%\Acrobat Install Instructions.doc -> [Ver = | Size = 25088 bytes | Created Date = 2008-08-17 13:12:16 | Attr = ]
Amanda-02.jpg -> %SystemDrive%\Amanda-02.jpg -> [Ver = | Size = 60631 bytes | Created Date = 2008-08-15 13:19:05 | Attr = ]
Apple Motion Tutorial.dmg -> %SystemDrive%\Apple Motion Tutorial.dmg -> [Ver = | Size = 272239960 bytes | Created Date = 2008-07-25 14:51:40 | Attr = ]
black.jpg -> %SystemDrive%\black.jpg -> [Ver = | Size = 68334 bytes | Created Date = 2008-08-11 13:56:27 | Attr = ]
bodyinmind_maya_6.jpg -> %SystemDrive%\bodyinmind_maya_6.jpg -> [Ver = | Size = 210157 bytes | Created Date = 2008-08-03 23:33:38 | Attr = ]
brown 2.jpg -> %SystemDrive%\brown 2.jpg -> [Ver = | Size = 60962 bytes | Created Date = 2008-08-03 23:39:26 | Attr = ]
brown.jpg -> %SystemDrive%\brown.jpg -> [Ver = | Size = 48189 bytes | Created Date = 2008-08-03 23:38:57 | Attr = ]
carin_ashley_getimage07_JWtCVLk_sized.jpg -> %SystemDrive%\carin_ashley_getimage07_JWtCVLk_sized.jpg -> [Ver = | Size = 102427 bytes | Created Date = 2008-08-05 12:50:08 | Attr = ]
chari 2.jpg -> %SystemDrive%\chari 2.jpg -> [Ver = | Size = 205888 bytes | Created Date = 2008-08-16 20:11:34 | Attr = ]
chari.jpg -> %SystemDrive%\chari.jpg -> [Ver = | Size = 219953 bytes | Created Date = 2008-08-16 20:10:24 | Attr = ]
ComboFix -> %SystemDrive%\ComboFix -> [Folder | Created Date = 2008-08-17 23:50:40 | Attr = ]
cpVPiK-1217854437.jpg -> %SystemDrive%\cpVPiK-1217854437.jpg -> [Ver = | Size = 46095 bytes | Created Date = 2008-08-04 22:19:11 | Attr = ]
fantasy.jpg -> %SystemDrive%\fantasy.jpg -> [Ver = | Size = 19838 bytes | Created Date = 2008-08-05 22:09:06 | Attr = ]
float.jpg -> %SystemDrive%\float.jpg -> [Ver = | Size = 136989 bytes | Created Date = 2008-08-06 11:22:50 | Attr = ]
Fonts -> %SystemDrive%\Fonts -> [Folder | Created Date = 2008-08-16 23:28:15 | Attr = R S]
hoot132006_028.jpg -> %SystemDrive%\hoot132006_028.jpg -> [Ver = | Size = 26695 bytes | Created Date = 2008-08-04 18:52:44 | Attr = ]
hRnyV5-1217854245.jpg -> %SystemDrive%\hRnyV5-1217854245.jpg -> [Ver = | Size = 34622 bytes | Created Date = 2008-08-04 22:18:00 | Attr = ]
k5FwKf-1218722829.jpg -> %SystemDrive%\k5FwKf-1218722829.jpg -> [Ver = | Size = 20624 bytes | Created Date = 2008-08-15 13:21:43 | Attr = ]
KuT8z2-1218553055.jpg -> %SystemDrive%\KuT8z2-1218553055.jpg -> [Ver = | Size = 59478 bytes | Created Date = 2008-08-15 13:30:20 | Attr = ]
lrg-8987-ic0855_115.jpg -> %SystemDrive%\lrg-8987-ic0855_115.jpg -> [Ver = | Size = 27991 bytes | Created Date = 2008-08-11 13:44:08 | Attr = ]
lrg-9174-wmk-_dsc0093.jpg -> %SystemDrive%\lrg-9174-wmk-_dsc0093.jpg -> [Ver = | Size = 45824 bytes | Created Date = 2008-08-15 13:17:03 | Attr = ]
moto.jpg -> %SystemDrive%\moto.jpg -> [Ver = | Size = 33563 bytes | Created Date = 2008-08-16 20:13:28 | Attr = ]
Movavi files -> %SystemDrive%\Movavi files -> [Folder | Created Date = 2008-08-14 17:21:40 | Attr = ]
Myrtle Beach 2008 Music -> %SystemDrive%\Myrtle Beach 2008 Music -> [Folder | Created Date = 2008-07-23 23:16:27 | Attr = ]
o76ovt-1218553058.jpg -> %SystemDrive%\o76ovt-1218553058.jpg -> [Ver = | Size = 38392 bytes | Created Date = 2008-08-15 13:29:56 | Attr = ]
Picture1.jpg -> %SystemDrive%\Picture1.jpg -> [Ver = | Size = 56280 bytes | Created Date = 2008-08-16 12:43:41 | Attr = ]
Picture1a.jpg -> %SystemDrive%\Picture1a.jpg -> [Ver = | Size = 60359 bytes | Created Date = 2008-08-16 12:52:04 | Attr = ]
Picture1aa.jpg -> %SystemDrive%\Picture1aa.jpg -> [Ver = | Size = 90693 bytes | Created Date = 2008-08-16 12:54:03 | Attr = ]
Picture1b.jpg -> %SystemDrive%\Picture1b.jpg -> [Ver = | Size = 51263 bytes | Created Date = 2008-08-16 12:52:17 | Attr = ]
Picture1c.jpg -> %SystemDrive%\Picture1c.jpg -> [Ver = | Size = 38370 bytes | Created Date = 2008-08-16 12:52:40 | Attr = ]
Picture1s.jpg -> %SystemDrive%\Picture1s.jpg -> [Ver = | Size = 80009 bytes | Created Date = 2008-08-16 12:55:10 | Attr = ]
Picture1ss.jpg -> %SystemDrive%\Picture1ss.jpg -> [Ver = | Size = 94583 bytes | Created Date = 2008-08-16 12:55:46 | Attr = ]
Picture1sss.jpg -> %SystemDrive%\Picture1sss.jpg -> [Ver = | Size = 72551 bytes | Created Date = 2008-08-16 12:56:01 | Attr = ]
Picture1ssss.jpg -> %SystemDrive%\Picture1ssss.jpg -> [Ver = | Size = 105311 bytes | Created Date = 2008-08-16 12:56:09 | Attr = ]
Picture1sssss.jpg -> %SystemDrive%\Picture1sssss.jpg -> [Ver = | Size = 95896 bytes | Created Date = 2008-08-16 12:56:28 | Attr = ]
Picture1ssssss.jpg -> %SystemDrive%\Picture1ssssss.jpg -> [Ver = | Size = 78725 bytes | Created Date = 2008-08-16 12:57:05 | Attr = ]
Picture1v.jpg -> %SystemDrive%\Picture1v.jpg -> [Ver = | Size = 50117 bytes | Created Date = 2008-08-16 12:59:31 | Attr = ]
Picture2.jpg -> %SystemDrive%\Picture2.jpg -> [Ver = | Size = 49821 bytes | Created Date = 2008-08-16 12:45:22 | Attr = ]
Picture3.jpg -> %SystemDrive%\Picture3.jpg -> [Ver = | Size = 65143 bytes | Created Date = 2008-08-16 12:45:28 | Attr = ]
Picture4.jpg -> %SystemDrive%\Picture4.jpg -> [Ver = | Size = 47869 bytes | Created Date = 2008-08-16 12:45:41 | Attr = ]
Picture5.jpg -> %SystemDrive%\Picture5.jpg -> [Ver = | Size = 50222 bytes | Created Date = 2008-08-16 12:46:10 | Attr = ]
Pierce -> %SystemDrive%\Pierce -> [Folder | Created Date = 2008-08-08 21:53:37 | Attr = ]
PqXMNV-1217861893.jpg -> %SystemDrive%\PqXMNV-1217861893.jpg -> [Ver = | Size = 28190 bytes | Created Date = 2008-08-04 22:17:45 | Attr = ]
QooBox -> %SystemDrive%\QooBox -> [Folder | Created Date = 2008-08-17 22:27:25 | Attr = ]
RwSMBB-1217861894.jpg -> %SystemDrive%\RwSMBB-1217861894.jpg -> [Ver = | Size = 25931 bytes | Created Date = 2008-08-04 22:19:58 | Attr = ]
S9aEaG-1217854558.jpg -> %SystemDrive%\S9aEaG-1217854558.jpg -> [Ver = | Size = 46507 bytes | Created Date = 2008-08-04 22:19:44 | Attr = ]
SCJh6s-1217942286.jpg -> %SystemDrive%\SCJh6s-1217942286.jpg -> [Ver = | Size = 51014 bytes | Created Date = 2008-08-06 11:29:38 | Attr = ]
SF -> %SystemDrive%\SF -> [Folder | Created Date = 2008-08-03 20:36:33 | Attr = ]
SF 2 -> %SystemDrive%\SF 2 -> [Folder | Created Date = 2008-08-03 21:39:45 | Attr = ]
TO Knights Tryouts Flyer DRAFT 1.pdf -> %SystemDrive%\TO Knights Tryouts Flyer DRAFT 1.pdf -> [Ver = | Size = 412396 bytes | Created Date = 2008-08-17 14:33:01 | Attr = ]
TO Knights Tryouts Flyer DRAFT 1.tif -> %SystemDrive%\TO Knights Tryouts Flyer DRAFT 1.tif -> [Ver = | Size = 15230516 bytes | Created Date = 2008-08-17 14:31:22 | Attr = ]
VIDEO_TS -> %SystemDrive%\VIDEO_TS -> [Folder | Created Date = 2008-08-05 16:04:00 | Attr = ]
VIDEO_TS_01 -> %SystemDrive%\VIDEO_TS_01 -> [Folder | Created Date = 2008-08-05 16:55:19 | Attr = ]
w31c1I-1217861896.jpg -> %SystemDrive%\w31c1I-1217861896.jpg -> [Ver = | Size = 27535 bytes | Created Date = 2008-08-04 22:20:17 | Attr = ]
xPEhUS-1217529253.jpg -> %SystemDrive%\xPEhUS-1217529253.jpg -> [Ver = | Size = 37217 bytes | Created Date = 2008-08-03 23:37:19 | Attr = ]
AnyDVD.sys -> %SystemRoot%\System32\drivers\AnyDVD.sys -> SlySoft, Inc. [Ver = 6.4.5.9 | Size = 99648 bytes | Created Date = 2008-08-01 06:27:35 | Attr = ]
ElbyCDIO.sys -> %SystemRoot%\System32\drivers\ElbyCDIO.sys -> Elaborate Bytes AG [Ver = 6, 0, 1, 2 | Size = 24392 bytes | Created Date = 2008-07-21 05:11:58 | Attr = ]
404Fix.exe -> %SystemRoot%\System32\404Fix.exe -> S!Ri.URZ [Ver = | Size = 82432 bytes | Created Date = 2008-08-18 12:17:50 | Attr = ]
blphc9t7j0epdv.scr -> %SystemRoot%\System32\blphc9t7j0epdv.scr -> Sysinternals [Ver = 3.2 | Size = 118784 bytes | Created Date = 2008-08-17 23:58:56 | Attr = ]
dumphive.exe -> %SystemRoot%\System32\dumphive.exe -> [Ver = | Size = 51200 bytes | Created Date = 2008-08-18 12:17:50 | Attr = ]
fsvepgni.exe -> %SystemRoot%\System32\fsvepgni.exe -> [Ver = | Size = 86016 bytes | Created Date = 2008-08-16 20:33:48 | Attr = ]
IEDFix.C.exe -> %SystemRoot%\System32\IEDFix.C.exe -> S!Ri.URZ [Ver = | Size = 82432 bytes | Created Date = 2008-08-18 12:17:50 | Attr = ]
IEDFix.exe -> %SystemRoot%\System32\IEDFix.exe -> S!Ri.URZ [Ver = | Size = 82944 bytes | Created Date = 2008-08-18 12:17:50 | Attr = ]
kxmjqleh.exe -> %SystemRoot%\System32\kxmjqleh.exe -> [Ver = | Size = 86016 bytes | Created Date = 2008-08-16 22:46:45 | Attr = ]
lklktclk.exe -> %SystemRoot%\System32\lklktclk.exe -> [Ver = | Size = 90112 bytes | Created Date = 2008-08-17 23:21:00 | Attr = ]
lphc9t7j0epdv.exe -> %SystemRoot%\System32\lphc9t7j0epdv.exe -> [Ver = | Size = 194560 bytes | Created Date = 2008-08-17 23:58:49 | Attr = ]
ojclujsr.exe -> %SystemRoot%\System32\ojclujsr.exe -> [Ver = | Size = 90112 bytes | Created Date = 2008-08-17 23:43:37 | Attr = ]
ojupcfwb.exe -> %SystemRoot%\System32\ojupcfwb.exe -> [Ver = | Size = 81920 bytes | Created Date = 2008-08-17 10:46:48 | Attr = ]
phc9t7j0epdv.bmp -> %SystemRoot%\System32\phc9t7j0epdv.bmp -> [Ver = | Size = 625208 bytes | Created Date = 2008-08-17 23:58:55 | Attr = ]
Process.exe -> %SystemRoot%\System32\Process.exe -> http://www.beyondlogic.org [Ver = 2, 0, 0, 0 | Size = 53248 bytes | Created Date = 2008-08-18 12:17:50 | Attr = ]
qrepqvsx.exe -> %SystemRoot%\System32\qrepqvsx.exe -> [Ver = | Size = 81920 bytes | Created Date = 2008-08-17 18:13:51 | Attr = ]
SrchSTS.exe -> %SystemRoot%\System32\SrchSTS.exe -> S!Ri [Ver = | Size = 288417 bytes | Created Date = 2008-08-18 12:17:50 | Attr = ]
swreg.exe -> %SystemRoot%\System32\swreg.exe -> SteelWerX [Ver = 2.0.1.0 | Size = 135168 bytes | Created Date = 2008-08-18 12:17:50 | Attr = ]
swsc.exe -> %SystemRoot%\System32\swsc.exe -> [Ver = | Size = 40960 bytes | Created Date = 2008-08-18 12:17:50 | Attr = ]
swxcacls.exe -> %SystemRoot%\System32\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 79360 bytes | Created Date = 2008-08-18 12:17:50 | Attr = ]
tmp.reg -> %SystemRoot%\System32\tmp.reg -> [Ver = | Size = 2894 bytes | Created Date = 2008-08-18 12:19:20 | Attr = ]
VACFix.exe -> %SystemRoot%\System32\VACFix.exe -> S!Ri.URZ [Ver = | Size = 86528 bytes | Created Date = 2008-08-18 12:17:50 | Attr = ]
VCCLSID.exe -> %SystemRoot%\System32\VCCLSID.exe -> S!Ri [Ver = | Size = 289144 bytes | Created Date = 2008-08-18 12:17:50 | Attr = ]
vufqhifs.exe -> %SystemRoot%\System32\vufqhifs.exe -> [Ver = | Size = 90112 bytes | Created Date = 2008-08-17 23:58:50 | Attr = ]
WS2Fix.exe -> %SystemRoot%\System32\WS2Fix.exe -> [Ver = | Size = 25600 bytes | Created Date = 2008-08-18 12:17:50 | Attr = ]
zafgfaxi.exe -> %SystemRoot%\System32\zafgfaxi.exe -> [Ver = | Size = 86016 bytes | Created Date = 2008-08-16 21:44:55 | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Created Date = 2008-08-17 22:28:06 | Attr = ]
4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
eSellerateEngine.dll -> %SystemRoot%\eSellerateEngine.dll -> eSellerate Inc. [Ver = 3.6.2.8 | Size = 356352 bytes | Created Date = 2008-08-14 17:34:49 | Attr = ]
fdsv.exe -> %SystemRoot%\fdsv.exe -> Smallfrogs Studio [Ver = 1, 2, 0, 22 | Size = 89504 bytes | Created Date = 2008-08-17 22:27:22 | Attr = ]
grep.exe -> %SystemRoot%\grep.exe -> [Ver = | Size = 80412 bytes | Created Date = 2008-08-17 22:27:22 | Attr = ]
Lisa Yellow.bmp -> %SystemRoot%\Lisa Yellow.bmp -> [Ver = | Size = 1934918 bytes | Created Date = 2008-08-09 18:48:39 | Attr = ]
Nircmd.exe -> %SystemRoot%\Nircmd.exe -> NirSoft [Ver = 2.10 | Size = 28672 bytes | Created Date = 2008-08-17 22:27:23 | Attr = ]
PSEXESVC.EXE -> %SystemRoot%\PSEXESVC.EXE -> Sysinternals [Ver = 1.70 | Size = 53248 bytes | Created Date = 2008-08-17 23:37:11 | Attr = ]
sed.exe -> %SystemRoot%\sed.exe -> [Ver = | Size = 98816 bytes | Created Date = 2008-08-17 22:27:22 | Attr = ]
swreg.exe -> %SystemRoot%\swreg.exe -> SteelWerX [Ver = 3.0.0.0 | Size = 161792 bytes | Created Date = 2008-08-17 22:27:22 | Attr = ]
swsc.exe -> %SystemRoot%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Created Date = 2008-08-17 22:27:22 | Attr = ]
swxcacls.exe -> %SystemRoot%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 2008-08-17 22:27:22 | Attr = ]
temp -> %SystemRoot%\temp -> [Folder | Created Date = 2008-08-17 23:53:24 | Attr = ]
VFind.exe -> %SystemRoot%\VFind.exe -> [Ver = | Size = 49152 bytes | Created Date = 2008-08-17 22:27:22 | Attr = ]
zip.exe -> %SystemRoot%\zip.exe -> [Ver = | Size = 68096 bytes | Created Date = 2008-08-17 22:27:22 | Attr = ]
[Files/Folders - Modified Within 30 days]
.DS_Store -> %SystemDrive%\.DS_Store -> [Ver = | Size = 24580 bytes | Modified Date = 2008-08-03 21:59:31 | Attr = H ]
08.jpg -> %SystemDrive%\08.jpg -> [Ver = | Size = 172645 bytes | Modified Date = 2008-08-15 13:27:45 | Attr = ]
11.jpg -> %SystemDrive%\11.jpg -> [Ver = | Size = 134167 bytes | Modified Date = 2008-08-16 20:12:25 | Attr = ]
1217594129-Zr928H.jpg -> %SystemDrive%\1217594129-Zr928H.jpg -> [Ver = | Size = 100872 bytes | Modified Date = 2008-08-03 23:32:29 | Attr = ]
1622624610_0ff31af956_o.jpg -> %SystemDrive%\1622624610_0ff31af956_o.jpg -> [Ver = | Size = 1055642 bytes | Modified Date = 2008-08-05 22:04:26 | Attr = ]
22576300.jpg -> %SystemDrive%\22576300.jpg -> [Ver = | Size = 4114 bytes | Modified Date = 2008-08-05 22:05:39 | Attr = ]
Acrobat Install Instructions.doc -> %SystemDrive%\Acrobat Install Instructions.doc -> [Ver = | Size = 25088 bytes | Modified Date = 2008-08-17 13:01:05 | Attr = ]
Amanda-02.jpg -> %SystemDrive%\Amanda-02.jpg -> [Ver = | Size = 60631 bytes | Modified Date = 2008-08-15 13:18:45 | Attr = ]
Apple Motion Tutorial.dmg -> %SystemDrive%\Apple Motion Tutorial.dmg -> [Ver = | Size = 272239960 bytes | Modified Date = 2008-07-25 15:34:38 | Attr = ]
black.jpg -> %SystemDrive%\black.jpg -> [Ver = | Size = 68334 bytes | Modified Date = 2008-08-11 13:56:12 | Attr = ]
bodyinmind_maya_6.jpg -> %SystemDrive%\bodyinmind_maya_6.jpg -> [Ver = | Size = 210157 bytes | Modified Date = 2008-08-03 23:33:33 | Attr = ]
brown 2.jpg -> %SystemDrive%\brown 2.jpg -> [Ver = | Size = 60962 bytes | Modified Date = 2008-08-03 23:39:08 | Attr = ]
brown.jpg -> %SystemDrive%\brown.jpg -> [Ver = | Size = 48189 bytes | Modified Date = 2008-08-03 23:38:46 | Attr = ]
carin_ashley_getimage07_JWtCVLk_sized.jpg -> %SystemDrive%\carin_ashley_getimage07_JWtCVLk_sized.jpg -> [Ver = | Size = 102427 bytes | Modified Date = 2008-08-05 12:49:54 | Attr = ]
chari 2.jpg -> %SystemDrive%\chari 2.jpg -> [Ver = | Size = 205888 bytes | Modified Date = 2008-08-16 20:11:20 | Attr = ]
chari.jpg -> %SystemDrive%\chari.jpg -> [Ver = | Size = 219953 bytes | Modified Date = 2008-08-16 20:09:58 | Attr = ]
ComboFix -> %SystemDrive%\ComboFix -> [Folder | Modified Date = 2008-08-17 23:56:08 | Attr = ]
cpVPiK-1217854437.jpg -> %SystemDrive%\cpVPiK-1217854437.jpg -> [Ver = | Size = 46095 bytes | Modified Date = 2008-08-04 22:19:03 | Attr = ]
Downloaded Programs -> %SystemDrive%\Downloaded Programs -> [Folder | Modified Date = 2008-08-17 14:09:20 | Attr = ]
fantasy.jpg -> %SystemDrive%\fantasy.jpg -> [Ver = | Size = 19838 bytes | Modified Date = 2008-08-05 22:08:59 | Attr = ]
float.jpg -> %SystemDrive%\float.jpg -> [Ver = | Size = 136989 bytes | Modified Date = 2008-08-06 11:22:35 | Attr = ]
Fonts -> %SystemDrive%\Fonts -> [Folder | Modified Date = 2008-08-16 23:29:44 | Attr = R S]
hoot132006_028.jpg -> %SystemDrive%\hoot132006_028.jpg -> [Ver = | Size = 26695 bytes | Modified Date = 2008-08-04 18:52:33 | Attr = ]
hRnyV5-1217854245.jpg -> %SystemDrive%\hRnyV5-1217854245.jpg -> [Ver = | Size = 34622 bytes | Modified Date = 2008-08-04 22:17:52 | Attr = ]
k5FwKf-1218722829.jpg -> %SystemDrive%\k5FwKf-1218722829.jpg -> [Ver = | Size = 20624 bytes | Modified Date = 2008-08-15 13:21:28 | Attr = ]
KuT8z2-1218553055.jpg -> %SystemDrive%\KuT8z2-1218553055.jpg -> [Ver = | Size = 59478 bytes | Modified Date = 2008-08-15 13:30:09 | Attr = ]
lrg-8987-ic0855_115.jpg -> %SystemDrive%\lrg-8987-ic0855_115.jpg -> [Ver = | Size = 27991 bytes | Modified Date = 2008-08-11 13:42:52 | Attr = ]
lrg-9174-wmk-_dsc0093.jpg -> %SystemDrive%\lrg-9174-wmk-_dsc0093.jpg -> [Ver = | Size = 45824 bytes | Modified Date = 2008-08-15 13:15:03 | Attr = ]
MB Slideshow Slates -> %SystemDrive%\MB Slideshow Slates -> [Folder | Modified Date = 2008-07-20 00:27:48 | Attr = ]
moto.jpg -> %SystemDrive%\moto.jpg -> [Ver = | Size = 33563 bytes | Modified Date = 2008-08-16 20:12:00 | Attr = ]
Movavi files -> %SystemDrive%\Movavi files -> [Folder | Modified Date = 2008-08-14 17:21:40 | Attr = ]
My Documents -> %SystemDrive%\My Documents -> [Folder | Modified Date = 2008-08-16 11:56:30 | Attr = ]
Myrtle Beach 2008 Music -> %SystemDrive%\Myrtle Beach 2008 Music -> [Folder | Modified Date = 2008-08-17 01:57:18 | Attr = ]
o76ovt-1218553058.jpg -> %SystemDrive%\o76ovt-1218553058.jpg -> [Ver = | Size = 38392 bytes | Modified Date = 2008-08-15 13:29:43 | Attr = ]
Picture1.jpg -> %SystemDrive%\Picture1.jpg -> [Ver = | Size = 56280 bytes | Modified Date = 2008-08-16 12:43:42 | Attr = ]
Picture1a.jpg -> %SystemDrive%\Picture1a.jpg -> [Ver = | Size = 60359 bytes | Modified Date = 2008-08-16 12:52:04 | Attr = ]
Picture1aa.jpg -> %SystemDrive%\Picture1aa.jpg -> [Ver = | Size = 90693 bytes | Modified Date = 2008-08-16 12:54:03 | Attr = ]
Picture1b.jpg -> %SystemDrive%\Picture1b.jpg -> [Ver = | Size = 51263 bytes | Modified Date = 2008-08-16 12:52:17 | Attr = ]
Picture1c.jpg -> %SystemDrive%\Picture1c.jpg -> [Ver = | Size = 38370 bytes | Modified Date = 2008-08-16 12:52:40 | Attr = ]
Picture1s.jpg -> %SystemDrive%\Picture1s.jpg -> [Ver = | Size = 80009 bytes | Modified Date = 2008-08-16 12:55:10 | Attr = ]
Picture1ss.jpg -> %SystemDrive%\Picture1ss.jpg -> [Ver = | Size = 94583 bytes | Modified Date = 2008-08-16 12:55:46 | Attr = ]
Picture1sss.jpg -> %SystemDrive%\Picture1sss.jpg -> [Ver = | Size = 72551 bytes | Modified Date = 2008-08-16 12:56:01 | Attr = ]
Picture1ssss.jpg -> %SystemDrive%\Picture1ssss.jpg -> [Ver = | Size = 105311 bytes | Modified Date = 2008-08-16 12:56:10 | Attr = ]
Picture1sssss.jpg -> %SystemDrive%\Picture1sssss.jpg -> [Ver = | Size = 95896 bytes | Modified Date = 2008-08-16 12:56:28 | Attr = ]
Picture1ssssss.jpg -> %SystemDrive%\Picture1ssssss.jpg -> [Ver = | Size = 78725 bytes | Modified Date = 2008-08-16 12:57:05 | Attr = ]
Picture1v.jpg -> %SystemDrive%\Picture1v.jpg -> [Ver = | Size = 50117 bytes | Modified Date = 2008-08-16 12:59:31 | Attr = ]
Picture2.jpg -> %SystemDrive%\Picture2.jpg -> [Ver = | Size = 49821 bytes | Modified Date = 2008-08-16 12:45:22 | Attr = ]
Picture3.jpg -> %SystemDrive%\Picture3.jpg -> [Ver = | Size = 65143 bytes | Modified Date = 2008-08-16 12:45:29 | Attr = ]
Picture4.jpg -> %SystemDrive%\Picture4.jpg -> [Ver = | Size = 47869 bytes | Modified Date = 2008-08-16 12:45:41 | Attr = ]
Picture5.jpg -> %SystemDrive%\Picture5.jpg -> [Ver = | Size = 50222 bytes | Modified Date = 2008-08-16 12:46:10 | Attr = ]
Pierce -> %SystemDrive%\Pierce -> [Folder | Modified Date = 2008-08-08 23:25:17 | Attr = ]
PqXMNV-1217861893.jpg -> %SystemDrive%\PqXMNV-1217861893.jpg -> [Ver = | Size = 28190 bytes | Modified Date = 2008-08-04 22:17:36 | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 2008-08-17 14:08:01 | Attr = ]
QooBox -> %SystemDrive%\QooBox -> [Folder | Modified Date = 2008-08-17 23:39:33 | Attr = ]
RwSMBB-1217861894.jpg -> %SystemDrive%\RwSMBB-1217861894.jpg -> [Ver = | Size = 25931 bytes | Modified Date = 2008-08-04 22:19:51 | Attr = ]
S9aEaG-1217854558.jpg -> %SystemDrive%\S9aEaG-1217854558.jpg -> [Ver = | Size = 46507 bytes | Modified Date = 2008-08-04 22:19:38 | Attr = ]
SCJh6s-1217942286.jpg -> %SystemDrive%\SCJh6s-1217942286.jpg -> [Ver = | Size = 51014 bytes | Modified Date = 2008-08-06 11:29:29 | Attr = ]
SF -> %SystemDrive%\SF -> [Folder | Modified Date = 2008-08-03 21:23:10 | Attr = ]
SF 2 -> %SystemDrive%\SF 2 -> [Folder | Modified Date = 2008-08-03 21:47:52 | Attr = ]
System Volume Information -> %SystemDrive%\System Volume Information -> [Folder | Modified Date = 2008-08-17 23:59:00 | Attr = HS]
Thumbs.db -> %SystemDrive%\Thumbs.db -> [Ver = | Size = 2305024 bytes | Modified Date = 2008-08-17 16:28:02 | Attr = HS]
@Alternate Data Stream - 0 bytes -> %SystemDrive%\Thumbs.db:encryptable
TO Knights Tryouts Flyer DRAFT 1.pdf -> %SystemDrive%\TO Knights Tryouts Flyer DRAFT 1.pdf -> [Ver = | Size = 412396 bytes | Modified Date = 2008-08-17 16:21:26 | Attr = ]
TO Knights Tryouts Flyer DRAFT 1.tif -> %SystemDrive%\TO Knights Tryouts Flyer DRAFT 1.tif -> [Ver = | Size = 15230516 bytes | Modified Date = 2008-08-17 16:20:08 | Attr = ]
VIDEO_TS -> %SystemDrive%\VIDEO_TS -> [Folder | Modified Date = 2008-08-05 16:46:17 | Attr = ]
VIDEO_TS_01 -> %SystemDrive%\VIDEO_TS_01 -> [Folder | Modified Date = 2008-08-05 16:55:23 | Attr = ]
w31c1I-1217861896.jpg -> %SystemDrive%\w31c1I-1217861896.jpg -> [Ver = | Size = 27535 bytes | Modified Date = 2008-08-04 22:20:10 | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 2008-08-18 03:45:49 | Attr = ]
xPEhUS-1217529253.jpg -> %SystemDrive%\xPEhUS-1217529253.jpg -> [Ver = | Size = 37217 bytes | Modified Date = 2008-08-03 23:36:17 | Attr = ]
AnyDVD.sys -> %SystemRoot%\System32\drivers\AnyDVD.sys -> SlySoft, Inc. [Ver = 6.4.5.9 | Size = 99648 bytes | Modified Date = 2008-08-01 06:27:35 | Attr = ]
ElbyCDIO.sys -> %SystemRoot%\System32\drivers\ElbyCDIO.sys -> Elaborate Bytes AG [Ver = 6, 0, 1, 2 | Size = 24392 bytes | Modified Date = 2008-07-21 05:11:58 | Attr = ]
etc -> %SystemRoot%\System32\drivers\etc -> [Folder | Modified Date = 2008-08-17 23:55:58 | Attr = ]
hosts -> %SystemRoot%\System32\drivers\etc\hosts -> [Ver = | Size = 27 bytes | Modified Date = 2008-08-17 23:55:58 | Attr = ]
hosts.20080807-232149.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080807-232149.backup -> [Ver = | Size = 253288 bytes | Modified Date = 2008-07-20 10:02:06 | Attr = R ]
hosts.20080808-194634.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080808-194634.backup -> [Ver = | Size = 257976 bytes | Modified Date = 2008-08-07 23:21:49 | Attr = R ]
hosts.20080816-211611.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080816-211611.backup -> [Ver = | Size = 257976 bytes | Modified Date = 2008-08-08 19:46:34 | Attr = R ]
404Fix.exe -> %SystemRoot%\System32\404Fix.exe -> S!Ri.URZ [Ver = | Size = 82432 bytes | Modified Date = 2008-08-18 12:19:03 | Attr = ]
blphc9t7j0epdv.scr -> %SystemRoot%\System32\blphc9t7j0epdv.scr -> Sysinternals [Ver = 3.2 | Size = 118784 bytes | Modified Date = 2008-08-17 23:58:56 | Attr = ]
CatRoot2 -> %SystemRoot%\System32\CatRoot2 -> [Folder | Modified Date = 2008-08-15 20:53:29 | Attr = ]
12 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
config -> %SystemRoot%\System32\config -> [Folder | Modified Date = 2008-08-17 23:38:08 | Attr = ]
dllcache -> %SystemRoot%\System32\dllcache -> [Folder | Modified Date = 2008-08-14 15:32:42 | Attr = RHS]
drivers -> %SystemRoot%\System32\drivers -> [Folder | Modified Date = 2008-08-17 23:54:59 | Attr = ]
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT -> [Ver = | Size = 2067184 bytes | Modified Date = 2008-08-17 17:23:57 | Attr = ]
fsvepgni.exe -> %SystemRoot%\System32\fsvepgni.exe -> [Ver = | Size = 86016 bytes | Modified Date = 2008-08-16 20:33:48 | Attr = ]
IEDFix.C.exe -> %SystemRoot%\System32\IEDFix.C.exe -> S!Ri.URZ [Ver = | Size = 82432 bytes | Modified Date = 2008-08-14 21:52:23 | Attr = ]
kxmjqleh.exe -> %SystemRoot%\System32\kxmjqleh.exe -> [Ver = | Size = 86016 bytes | Modified Date = 2008-08-16 22:46:45 | Attr = ]
lklktclk.exe -> %SystemRoot%\System32\lklktclk.exe -> [Ver = | Size = 90112 bytes | Modified Date = 2008-08-17 23:21:00 | Attr = ]
lphc9t7j0epdv.exe -> %SystemRoot%\System32\lphc9t7j0epdv.exe -> [Ver = | Size = 194560 bytes | Modified Date = 2008-08-17 23:58:49 | Attr = ]
ojclujsr.exe -> %SystemRoot%\System32\ojclujsr.exe -> [Ver = | Size = 90112 bytes | Modified Date = 2008-08-17 23:43:37 | Attr = ]
ojupcfwb.exe -> %SystemRoot%\System32\ojupcfwb.exe -> [Ver = | Size = 81920 bytes | Modified Date = 2008-08-17 10:46:48 | Attr = ]
perfc009.dat -> %SystemRoot%\System32\perfc009.dat -> [Ver = | Size = 64372 bytes | Modified Date = 2008-08-15 10:31:20 | Attr = ]
perfh009.dat -> %SystemRoot%\System32\perfh009.dat -> [Ver = | Size = 409232 bytes | Modified Date = 2008-08-15 10:31:20 | Attr = ]
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI -> [Ver = | Size = 478464 bytes | Modified Date = 2008-08-15 10:31:20 | Attr = ]
phc9t7j0epdv.bmp -> %SystemRoot%\System32\phc9t7j0epdv.bmp -> [Ver = | Size = 625208 bytes | Modified Date = 2008-08-17 23:58:55 | Attr = ]
qrepqvsx.exe -> %SystemRoot%\System32\qrepqvsx.exe -> [Ver = | Size = 81920 bytes | Modified Date = 2008-08-17 18:13:51 | Attr = ]
Restore -> %SystemRoot%\System32\Restore -> [Folder | Modified Date = 2008-08-17 23:59:00 | Attr = ]
Thumbs.db -> %SystemRoot%\System32\Thumbs.db -> [Ver = | Size = 6656 bytes | Modified Date = 2008-08-03 20:42:25 | Attr = HS]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\System32\Thumbs.db:encryptable
tmp.reg -> %SystemRoot%\System32\tmp.reg -> [Ver = | Size = 2894 bytes | Modified Date = 2008-08-18 14:03:57 | Attr = ]
vufqhifs.exe -> %SystemRoot%\System32\vufqhifs.exe -> [Ver = | Size = 90112 bytes | Modified Date = 2008-08-17 23:58:50 | Attr = ]
wbem -> %SystemRoot%\System32\wbem -> [Folder | Modified Date = 2008-08-15 10:31:20 | Attr = ]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 2008-08-17 23:58:19 | Attr = ]
zafgfaxi.exe -> %SystemRoot%\System32\zafgfaxi.exe -> [Ver = | Size = 86016 bytes | Modified Date = 2008-08-16 21:44:55 | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 2008-08-14 15:32:29 | Attr = H ]
4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
AppPatch -> %SystemRoot%\AppPatch -> [Folder | Modified Date = 2008-08-17 23:52:53 | Attr = ]
Easy DVD Creator.INI -> %SystemRoot%\Easy DVD Creator.INI -> [Ver = | Size = 67 bytes | Modified Date = 2008-07-24 16:18:37 | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 2008-08-17 23:37:25 | Attr = ]
eSellerateEngine.dll -> %SystemRoot%\eSellerateEngine.dll -> eSellerate Inc. [Ver = 3.6.2.8 | Size = 356352 bytes | Modified Date = 2008-08-14 17:34:50 | Attr = ]
Fonts -> %SystemRoot%\Fonts -> [Folder | Modified Date = 2008-08-16 13:38:48 | Attr = R S]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1374 bytes | Modified Date = 2008-08-14 15:32:35 | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 2008-08-14 15:32:46 | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 2008-08-14 17:34:00 | Attr = HS]
Lisa Yellow.bmp -> %SystemRoot%\Lisa Yellow.bmp -> [Ver = | Size = 1934918 bytes | Modified Date = 2008-08-18 03:49:24 | Attr = ]
MEMORY.DMP -> %SystemRoot%\MEMORY.DMP -> [Ver = | Size = 0 bytes | Modified Date = 2008-08-17 23:57:11 | Attr = ]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [Ver = | Size = 116 bytes | Modified Date = 2008-08-14 17:56:25 | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 2008-08-18 12:46:51 | Attr = ]
PSEXESVC.EXE -> %SystemRoot%\PSEXESVC.EXE -> Sysinternals [Ver = 1.70 | Size = 53248 bytes | Modified Date = 2008-08-17 23:53:29 | Attr = ]
system32 -> %SystemRoot%\system32 -> [Folder | Modified Date = 2008-08-18 14:03:57 | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 2008-08-05 17:23:36 | Attr = S]
temp -> %SystemRoot%\temp -> [Folder | Modified Date = 2008-08-18 03:45:49 | Attr = ]
Thumbs.db -> %SystemRoot%\Thumbs.db -> [Ver = | Size = 694272 bytes | Modified Date = 2008-08-17 16:28:01 | Attr = HS]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\Thumbs.db:encryptable
Twain001.Mtx -> %SystemRoot%\Twain001.Mtx -> [Ver = | Size = 5 bytes | Modified Date = 2008-08-18 03:45:49 | Attr = ]
Twunk001.MTX -> %SystemRoot%\Twunk001.MTX -> [Ver = | Size = 156 bytes | Modified Date = 2008-08-18 03:45:49 | Attr = ]
vuepro32.ini -> %SystemRoot%\vuepro32.ini -> [Ver = | Size = 226 bytes | Modified Date = 2008-08-18 03:49:28 | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 112 bytes | Modified Date = 2008-08-14 15:25:41 | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 2008-08-17 23:57:34 | Attr = H ]
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Player\0x4veggBGp\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Media Player\0x4veggBGp -> [Folder | Modified Date = 2007-12-25 22:27:33 | Attr = H ]
G8Ha8t3zNW.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Media Player\0x4veggBGp\G8Ha8t3zNW.dat -> [Ver = | Size = 879 bytes | Modified Date = 2005-03-15 02:44:40 | Attr = H ]
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader -> [Folder | Modified Date = 2007-10-18 15:21:30 | Attr = ]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [Ver = | Size = 5517 bytes | Modified Date = 2008-08-17 23:58:42 | Attr = ]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [Ver = | Size = 5517 bytes | Modified Date = 2008-08-17 23:58:42 | Attr = ]
C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA -> [Folder | Modified Date = 2008-06-17 21:05:07 | Attr = ]
opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat -> [Ver = | Size = 8206 bytes | Modified Date = 2007-10-27 14:34:52 | Attr = ]
C:\Documents and Settings\Mark Fanjoy\Local Settings\temp\ -> C:\Documents and Settings\Mark Fanjoy\Local Settings\temp -> [Folder | Modified Date = 2008-08-18 14:04:32 | Attr = ]
CfgWin.dll -> C:\Documents and Settings\Mark Fanjoy\Local Settings\temp\CfgWin.dll -> [Ver = | Size = 122880 bytes | Modified Date = 2008-08-17 23:58:52 | Attr = ]
82 C:\Documents and Settings\Mark Fanjoy\Local Settings\temp\*.tmp files -> C:\Documents and Settings\Mark Fanjoy\Local Settings\temp\*.tmp ->
C:\Documents and Settings\Mark Fanjoy\Local Settings\temp\nsu10.tmp\ -> C:\Documents and Settings\Mark Fanjoy\Local Settings\temp\nsu10.tmp\ -> [Folder | Modified Date = 2008-08-17 23:59:27 | Attr = ]
euladlg.dll -> C:\Documents and Settings\Mark Fanjoy\Local Settings\temp\nsu10.tmp\euladlg.dll -> [Ver = | Size = 69632 bytes | Modified Date = 2008-08-17 23:59:27 | Attr = ]
< End of report >
[/code]
The Warden
2008-08-19, 09:01
Hi Baabiouz. Is there anything you are waiting for from me?
Thanks for your help with this virus issue.
Baabiouz
2008-08-19, 16:14
I'll check the logs and then see what need to do. I'm busy now but I'll do my best to get the logs read.
Baabiouz
2008-08-19, 21:36
Hello
Step #1
Please disable Teatimer as it may interfere with the fix.
First:
Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
Choose Exit Spybot S&D Resident
Second:
Open Spybot S&D
Click Mode, check Advanced Mode
Go To Left Panel, Click Tools, then also in left panel, click Resident
If your firewall raises a question, say OK
Uncheck the box labeled Resident Tea-Timer and OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.
Once your log is clean you can re-enable those settings in TeaTimer.
Step #2
Click Start | My Computer | Local Disk (C: ) .
In the menu bar at the top, go to File | New | Folder.
That will create a folder named "New Folder", which you can rename to "HijackThis". You have now created C:\HijackThis.
Now get your HijackThis.exe file and place it in your folder.
Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:
O4 - HKCU\..\Run: C:\WINDOWS\system32\fsvepgni.exe
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O21 - SSODL: setdbutil - {282DFFB1-C51A-000A-53E2-06B769136807} - C:\Program Files\vvkyowb\setdbutil.dll
Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Step #3
Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).
Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
C:\Documents And Settings\All Users\Application Data\letgpgbo\bolynyzy.exe
C:\Windows\system32\fsvepgni.exe
C:\Windows\system32\lodedgni.exe
C:\Windows\System32\fsvepgni.exe
C:\Windows\System32\kxmjqleh.exe
C:\Windows\System32\lklktclk.exe
C:\Windows\System32\lphc9t7j0epdv.exe
C:\Windows\System32\ojclujsr.exe
C:\Windows\System32\ojupcfwb.exe
C:\Windows\System32\phc9t7j0epdv.bmp
C:\Windows\System32\qrepqvsx.exe
C:\Windows\System32\vufqhifs.exe
C:\Windows\System32\zafgfaxi.exe
C:\Program Files\vvkyowb
Return to OTMoveIt2, right click in the "Paste List Of Files/Folders to Move" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Step #4
Please download ATF-cleaner (http://www.atribune.org/ccount/click.php?id=1) and save it to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
[u]If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Step #5
Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here (http://www.besttechie.net/tools/mbam-setup.exe) and save to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
Note:
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Step #6
Please post OtMoveit log, Mbam log and a fresh HijackThis log back here :)
The Warden
2008-08-20, 04:18
Hi Baabiouz. I followed your directions, but the Malwarebytes program re booted my computer and I lost the ITMoveIt2 report. Below is the Malwarebytes report. I hope this is okay.
I understand you are busy and I appreciate you helping me VERY MUCH!
Malwarebytes' Anti-Malware 1.25
Database version: 1071
Windows 5.1.2600 Service Pack 3
17:59:34 2008-08-19
mbam-log-08-19-2008 (17-59-34).txt
Scan type: Full Scan (C:\|F:\|G:\|)
Objects scanned: 231327
Time elapsed: 4 hour(s), 23 minute(s), 57 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 80
Registry Values Infected: 67
Registry Data Items Infected: 2
Folders Infected: 4
Files Infected: 199
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4009f700-aeba-11d1-8344-00c04fb92eb7} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{480d5ca0-f032-11cf-a7d3-00a0c9056683} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{af7d8180-a8f9-11cf-9a46-00aa00b7dad1} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b4ca2970-dd2b-11d0-9dfa-00aa00af3494} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b4ca2971-dd2b-11d0-9dfa-00aa00af3494} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c83b5610-e0df-11d0-9e00-00aa00af3494} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{31345649-0000-0010-8000-00aa00389b71} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87ca6f02-49e4-11cf-a3fe-00aa003735be} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87ca6f04-49e4-11cf-a3fe-00aa003735be} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a2551f60-705f-11cf-a424-00aa003735be} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bd323430-ce94-11ce-82dd-0800095a5b55} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bd323431-ce94-11ce-82dd-0800095a5b55} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bd323432-ce94-11ce-82dd-0800095a5b55} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bd323433-ce94-11ce-82dd-0800095a5b55} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c69e8f40-d5c8-11d0-a520-145405c10000} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c69e8f41-d5c8-11d0-a520-145405c10000} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c69e8f42-d5c8-11d0-a520-145405c10000} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c69e8f43-d5c8-11d0-a520-145405c10000} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{81e9dd62-78d5-11d2-b47e-006097b3391b} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9b496ce1-811b-11cf-8c77-00aa006b6814} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a03cd5f0-3045-11cf-8c44-00aa006b6814} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b5730a90-1a2c-11cf-8c23-00aa006b6814} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{38be3000-dbf4-11d0-860e-00a024cfef6d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{38be3001-dbf4-11d0-860e-00a024cfef6d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{38be3002-dbf4-11d0-860e-00a024cfef6d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8dd6c641-98cb-11d1-9846-00a024cfef6d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{280a3020-86cf-11d1-abe6-00a0c905f375} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3ae86b20-7be8-11d1-abe6-00a0c905f375} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{afb6c280-2c41-11d3-8a60-0000f81e0e4a} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d5753bbb-c5a8-4f50-9d81-210bab0c5fb6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{075bb8a1-b7d8-11d2-a1c6-00609778ea66} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{598eba02-b49a-11d2-a1c1-00609778ea66} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{82ccd3e0-f71a-11d0-9fe5-00609778ea66} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{22e24591-49d0-11d2-bb50-006008320064} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8fe7e181-bb96-11d2-a1cb-00609778ea66} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0dad2fdd-5fd7-11d3-8f50-00c04f7971e2} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{13b37a2a-546b-47bf-bbca-8ac97f1ebdcb} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{216c62df-6d7f-4e9a-8571-05f14edb766a} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dc0c0fe7-0485-4266-b93f-68fbf80ed834} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fa4b375a-45b4-4d45-8440-263957b11623} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3301a7c2-0a8d-11d4-914d-00c04f610d24} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3301a7c4-0a8d-11d4-914d-00c04f610d24} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3301a7c5-0a8d-11d4-914d-00c04f610d24} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fc772ab0-0c7f-11d3-8ff2-00a0c9224cf4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{370a1d5d-ddeb-418c-81cd-189e0d4fa443} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{814b9800-1c88-11d1-bad9-00609744111a} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{814b9801-1c88-11d1-bad9-00609744111a} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d8bd090d-3f39-45fd-b29a-7fc62c2e59c3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fac67227-e178-4fab-9fea-b4e77d3dbe7d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bc7acb90-622b-11d2-829d-00c04f8ec183} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{521fb373-7654-49f2-bdb1-0c6e6660714f} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{06075fa6-f4b2-4052-a404-ea7d9d6ea633} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4facbba1-ffd8-4cd7-8228-61e2f65cb1ae} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9aada567-04e0-11d4-9148-00c04f610d24} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3baa3119-eca1-4a32-9a08-595e71ae9da9} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e63a3134-580c-4079-b551-f1c6d7c5b88c} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{12585bd1-22cd-47d0-a4f7-3f060130d152} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2298e50b-928a-436f-be7d-418609e1a85c} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4ca5da7c-766b-4b48-9c8c-ac968947a444} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7ad4a902-0fc5-467e-bc42-cfe1ebb70ca5} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{84d61430-959f-4146-8402-dda7019ef00a} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{97867603-a899-11d2-a6e6-0020af5c86d3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4950d6b-64dc-4215-a1b7-85f8c9366a87} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ad6c8933-f31b-4f43-b5e4-0541c1452f6f} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ad6c8934-f31b-4f43-b5e4-0541c1452f6f} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b245df02-bdb3-41aa-a531-86ed2a1367d9} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fb34e35d-d416-4d6c-8d5f-70c8aac726c1} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{17694d64-ab0c-11d2-a6e6-0020af5c86d3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17694d65-ab0c-11d2-a6e6-0020af5c86d3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17694d66-ab0c-11d2-a6e6-0020af5c86d3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{12686101-f7ce-4adf-937d-02a004b392c5} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{78718652-e991-4a50-ad84-595c6fad7abe} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{17694d67-ab0c-11d2-a6e6-0020af5c86d3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{17694d68-ab0c-11d2-a6e6-0020af5c86d3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\AppRegAgent.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\AtMgr.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\AtPlgUI.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\AtProj2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\AtProxy2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\AtPrvw.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\AuthorCode.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\BmpRef.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\CDMedia.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\CDWriter.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\ChinaEffects.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\DATCode.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\DevCtrl.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\DiscCopy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\DiscEdit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\DiscRead.ax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\DiscRite.ax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\DsRead.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\DsReadWrite.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\DVDFormat.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\DVDMRWFormat.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\DVDPRWFormat.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\DVDRWMedia.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\dvProcs.ax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\Editing.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\HDMedia.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\ImageTools.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\iviaenc.ax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\iviaudio.ax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\IviAuthorCtrl.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\IviAvCtl.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\IviAvSrc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\IviBaseProxies.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\IVIdemux.ax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\IVIdemxx.ax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\iviDisc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\IVIDownS.ax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\iviMenuCtrl.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\IviMProf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\ivimux.ax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\IviOverlay.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\IviPlayerCtrlProxies.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\IVIScale.ax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\IVIscapt.ax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\IviScnDetect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\IviSpic.ax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\IviStreamRenderer.ax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\iviSurface.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\IviTrans.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\IVIVENC.ax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\IVIVIDEO.ax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\IVIwavex.ax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\IVIwrite.ax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\MEBase.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\MenuBase.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\MenuEditor.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\MenuMix.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\MijgJpeg.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\Mpeg2Parser.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\SmartRnd.ax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\SmBuffer.ax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\StorageTools.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\ThemeMgr.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Common\Bin\VCDFormat.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\Common (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\Common\Bin\acelpdec.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\AppRegAgent.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\ativdaxx.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\ativmvxx.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\AtMgr.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\AtPlgUI.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\AtProj2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\AtProxy2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\AtPrvw.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\AuthorCode.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\bdaplgin.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\BmpRef.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\CDMedia.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\CDWriter.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\ChinaEffects.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\DATCode.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\DevCtrl.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\DiscCopy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\DiscEdit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\DiscRead.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\DiscRite.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\divxdec.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\divxenc.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\DivXMedia.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\dshowext.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\DsRead.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\DsReadWrite.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\DVDFormat.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\DVDMRWFormat.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\DVDPRWFormat.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\DVDRWMedia.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\dvProcs.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\Editing.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\g711codc.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\HDMedia.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\iac25_32.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\ImageTools.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\InstActivation.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\ipsink.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\ir41_32.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\ivfsrc.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\iviaenc.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\iviaudio.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IviAuthorCtrl.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IviAvCtl.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IviAvSrc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IviBaseProxies.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IVIdemux.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IVIdemxx.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\iviDisc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IVIDownS.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\iviMenuCtrl.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IviMProf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\ivimux.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IviOverlay.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IviPlayerCtrlProxies.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IVIresize.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IVIScale.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IVIscapt.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IviScnDetect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IviSpic.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IviStreamRenderer.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\iviSurface.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IviTrans.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IVIVENC.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IVIVIDEO.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IVIwavex.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\IVIwrite.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\ksproxy.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\kstvtune.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\kswdmcap.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\ksxbar.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\l3codecx.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\lfbmp13n.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\LFCMP13n.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\lfdrw13n.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\lfeps13n.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\lffax13n.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\LFJ2K13n.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\lfmsp13n.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\lfpcd13n.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\lfpcx13n.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\Lfpng13n.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\lfpsd13n.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\lftga13n.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\lftif13n.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\Lfwmf13n.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\LTCLR13n.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\LTDIS13n.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\ltefx13n.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\ltfil13n.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\ltimg13n.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\ltkrn13n.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\MEBase.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\MenuBase.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\MenuEditor.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\MenuMix.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\MijgJpeg.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\mpeg2data.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\Mpeg2Parser.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\mpg2data.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\mpg2splt.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\mpg4ds32.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\msadds32.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\msdvbnp.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\msscds32.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\PCDLIB32.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\Pfc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\Pfc.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\Pfc1028.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\Pfc1031.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\Pfc1033.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\Pfc1034.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\Pfc1036.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\Pfc1040.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\Pfc1041.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\Pfc2052.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\psisrndr.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\SmartRnd.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\SmBuffer.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\StorageTools.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\ThemeMgr.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\vbicodec.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\vbisurf.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\VCDFormat.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\vidcap.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\wiasf.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\wmv8ds32.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\wmvds32.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\wstpager.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\wstrenderer.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\wstrendr.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Bin\xvid.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\AVI.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DV-AVI.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD NTSC AC3 EP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD NTSC AC3 GQ.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD NTSC AC3 HQ.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD NTSC AC3 LP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD NTSC AC3 SP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD NTSC EP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD NTSC GQ.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD NTSC HQ.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD NTSC LP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD NTSC LPCM EP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD NTSC LPCM GQ.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD NTSC LPCM HQ.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD NTSC LPCM LP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD NTSC LPCM SP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD NTSC SP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD PAL AC3 EP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD PAL AC3 GQ.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD PAL AC3 HQ.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD PAL AC3 LP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD PAL AC3 SP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD PAL EP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD PAL GQ.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD PAL HQ.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD PAL LP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD PAL LPCM EP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD PAL LPCM GQ.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD PAL LPCM HQ.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD PAL LPCM LP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD PAL LPCM SP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\DVD PAL SP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\SVCD NTSC SP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\SVCD PAL SP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\VCD NTSC.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\VCD PAL.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfARA.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfCHS.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfCHT.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfCSY.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfDAN.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfDEU.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfENU.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfESM.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfESN.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfESP.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfFIN.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfFRA.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfFRC.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfHEB.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfHUN.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfITA.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfJPN.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfKOR.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfNLD.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfNOR.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfPTB.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfPTG.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfRUS.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfSKY.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfSVE.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfTHA.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Common\Profiles\LocalizedProfiles\IviMProfTRK.ipf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest32.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\blphc9t7j0epdv.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
Baabiouz
2008-08-20, 07:11
Hello :)
Would you please send a fresh HijackThis log back here ? :)
The Warden
2008-08-20, 08:03
Okay, here is a new HiJackThis scan...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:02:54, on 2008-08-19
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\HOMECO~1\X10COM32.EXE
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\DVDFab Platinum 4\DVDFabPlatinum.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R800 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P32 "EPSON Stylus Photo R800 (Copy 1)" /O5 "LPT1:" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB001" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Policies\Explorer\Run: [6E5Gg3vDdM] C:\Documents and Settings\All Users\Application Data\letgpgbo\bolynyzy.exe
O4 - Startup: X10 Communications Link.lnk = C:\Program Files\Home Control\X10BURST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/26.34/uploader2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192746063328
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213762217531
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://longsdrugs.digitalcameradeveloping.com/upload/FujifilmUploadClient.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\MARKFA~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
--
End of file - 9662 bytes
Baabiouz
2008-08-20, 15:40
Hello
Please rescan OtScanIt and upload it's log here:
http://rapidshare.de/
And post the link to the file here :)
The Warden
2008-08-20, 21:14
Okay, here is the OTSScanIT log file link...
http://rapidshare.de/files/40282128/OTScanIt.Txt.html
The Warden
2008-08-21, 07:24
Hi Baabiouz. So far today I appear to be clean from attacks. Nothing popping up and internet access is clean and fast again. I do not want to run anymore scans or add or delete any programs (or re set my clock and settings) until you review the last scan I sent and tell me if there is anything else you want me to do.
Thank you for your help and I will not do any changes until you say we are done.
Baabiouz
2008-08-21, 19:12
Hello :)
I'm sorry for the delay.
Step #1
Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:
O4 - HKLM\..\Policies\Explorer\Run: [6E5Gg3vDdM] C:\Documents and Settings\All Users\Application Data\letgpgbo\bolynyzy.exe
Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Step #2
View Hidden Files & Folders Windows XP
To view Hidden Files & Folders do the following:
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) optio
Click Yes to confirm
Click OK
Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):
C:\Documents and Settings\All Users\Application Data\letgpgbo
Reboot your computer.
Step #3
Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Jotti
Please visit Jotti (http://virusscan.jotti.org/)
Copy/paste the the following file path into the window
C:\Program Files\Home Control\X10BURST.EXE
Click Submit/Send File
Please post back, to let me know the results.
If Jotti is too busy please try Virustotal (http://www.virustotal.com/en/indexf.html)
Step #4
Now we need run one scanner to make sure your computer is clean:
Please do a scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.
Step #5
Please post Kaspersky's results, Jotti/Virustotal results and a fresh HijackThis log back here :)
The Warden
2008-08-22, 01:21
Thank you, Baabiouz. I have to go out of town until Sunday. I completed the first steps and the online test showed all clean. I will run the longer scan when I return and post the logs.
Thank you for all your hard work!!!
Baabiouz
2008-08-22, 09:02
Hello :)
That's Ok. Have fun :D:
The Warden
2008-08-23, 20:59
JOTTI REPORT...
Scan taken on 23 Aug 2008 17:50:07 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
SECOND HALF OF JOTTI REPORT STATISTICS SECTION...
Last file scanned at least one scanner reported something about: 17.exe (MD5: 0dda1ae71c1c6dcd8c1ba52d4ade4238, size: 7168 bytes), detected by:
Scanner Malware name
A-Squared X
AntiVir TR/Inject.GP.1
ArcaVir X
Avast X
AVG Antivirus X
BitDefender Trojan.Inject.HC
ClamAV X
CPsecure Troj.W32.Inject.t
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet X
Ikarus X
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
Panda Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 X
KASPERSKY REPORT...
Saturday, August 23, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 22, 2008 18:44:27
Records in database: 1124860
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
F:\
G:\
L:\
Scan statistics
Files scanned 177666
Threat name 14
Infected objects 26
Suspicious objects 6
Duration of the scan 04:47:20
File name Threat name Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C700000.VBN Infected: Trojan-Downloader.Win32.Small.aapu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C700002.VBN Infected: Trojan-Downloader.Win32.Small.aapu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C700004.VBN Infected: Trojan-Downloader.Win32.Exchanger.lj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB00000.VBN Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB00002.VBN Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\Mark Fanjoy\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Mark Fanjoy\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Downloaded Programs\keyfinder\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a 2
C:\Downloaded Programs\Permanent Installed Programs\DVDFabPlatinum4060.rar Infected: Trojan.Win32.Delf.bur 1
C:\Downloaded Programs\Permanent Installed Programs\Mero Update 5 - Version 6.6.1.15d_wch.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1
C:\My Documents\Outlook Archive\emailarchive.pst Suspicious: Exploit.HTML.Iframe.FileDownload 3
C:\WINDOWS\system32\1B.tmp Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\WINDOWS\system32\1C.tmp Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\WINDOWS\system32\1D.tmp Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\WINDOWS\system32\1E.tmp Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\WINDOWS\system32\1F.tmp Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\WINDOWS\system32\20.tmp Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\WINDOWS\system32\21.tmp Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\WINDOWS\system32\ncngzmjq.exe Infected: Trojan-Downloader.Win32.Small.abpq 1
F:\20082008_001504_BackUp G to F\G\Music\Love Train.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
F:\20082208_003001_BackUp C to F\C\My Documents\Outlook Archive\emailarchive.pst Suspicious: Exploit.HTML.Iframe.FileDownload 3
F:\Photoshop Plugins\11Installed\Alien.Skin.Eye.Candy.v5.1.Impact.Retail.for.Adobe.Photoshop.Incl.KeyGen-SCOTCH\aseci51a.zip Infected: Trojan-Dropper.Win32.Agent.qgq 1
F:\Photoshop Plugins\Panopticum.AlphaStrip.v1.33.for.Adobe.Photoshop-SCOTCH\s-pas133.zip Infected: Trojan-Dropper.Win32.Agent.qgq 1
F:\Photoshop Plugins\Panopticum.Digitalizer.v1.24.for.Adobe.Photoshop.incl.KeyGen-SCOTCH\s-apd124.zip Infected: Trojan-Dropper.Win32.Agent.qgq 1
F:\Photoshop Plugins\Panopticum.IcePattern.v1.22.for.Adobe.Photoshop-SCOTCH\s-ip122b.zip Infected: Trojan-Dropper.Win32.Agent.uin 1
F:\Photoshop Plugins\Panopticum.Lens.Pro.III.v3.84.for.Adobe.Photoshop.incl.KeyGen-SCOTCH\s-lp384c.zip Infected: Trojan-Dropper.Win32.Agent.udo 1
G:\Music\Love Train.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
The selected area was scanned.
HIJACKTHIS REPORT...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:17, on 2008-08-23
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\HOMECO~1\X10COM32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R800 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P32 "EPSON Stylus Photo R800 (Copy 1)" /O5 "LPT1:" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB001" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - Startup: X10 Communications Link.lnk = C:\Program Files\Home Control\X10BURST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/26.34/uploader2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192746063328
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213762217531
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://longsdrugs.digitalcameradeveloping.com/upload/FujifilmUploadClient.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\MARKFA~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
--
End of file - 9205 bytes
The Warden
2008-08-23, 21:01
Hi Baabiouz. Well, it looks like we still have some viruses floating around. The previous email has the three reports you requested.
Thanks!
Baabiouz
2008-08-23, 21:39
Hello
Yes, there is viruses and you may see where you have got them:
F:\Photoshop Plugins\Panopticum.AlphaStrip.v1.33.for.Adobe.Photoshop-SCOTCH
F:\Photoshop Plugins\11Installed\Alien.Skin.Eye.Candy.v5.1.Impact.Retail.for.Adobe.Photoshop.Incl.KeyGen-SCOTCH
F:\Photoshop Plugins\Panopticum.Digitalizer.v1.24.for.Adobe.Photoshop.incl.KeyGen-SCOTCH
C:\Downloaded Programs\Permanent Installed Programs\DVDFabPlatinum4060.rar
You should uninstall DVDFabPlatinum and Adobe.Photoshop and get them legally.
_________________
You should print out these instructions or copy them to a NotePad file so they will be accessible. Next step will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.
View Hidden Files & Folders Windows XP
To view Hidden Files & Folders do the following:
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) optio
Click Yes to confirm
Click OK
Reboot into Safe Mode (http://www.bleepingcomputer.com/forums/tutorial61.html) by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.
Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):
C:\Downloaded Programs\keyfinder
C:\Downloaded Programs\Permanent Installed Programs\DVDFabPlatinum4060.rar
C:\Downloaded Programs\Permanent Installed Programs\Mero Update 5 - Version 6.6.1.15d_wch.exe
F:\20082008_001504_BackUp G to F\G\Music\Love Train.wma
F:\Photoshop Plugins\Panopticum.AlphaStrip.v1.33.for.Adobe.Photoshop-SCOTCH
F:\Photoshop Plugins\11Installed\Alien.Skin.Eye.Candy.v5.1.Impact.Retail.for.Adobe.Photoshop.Incl.KeyGen-SCOTCH
F:\Photoshop Plugins\Panopticum.Digitalizer.v1.24.for.Adobe.Photoshop.incl.KeyGen-SCOTCH
G:\Music\Love Train.wma
Then remove this file:
C:\WINDOWS\system32\ncngzmjq.exe
And empty next folder:
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine
Then reboot your computer normally.
_______________
Please run Mbam, update and do Full scan :)
Post a fresh HijackThis log and Mbam report back here :)
The Warden
2008-08-25, 06:17
Baabiouz, I followed your last instructions and have run the two new reports you requested. Thank you for your continued support.
KASPERSKY REPORT...
Sunday, August 24, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 24, 2008 05:22:18
Records in database: 1139029
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
F:\
G:\
L:\
Scan statistics
Files scanned 202990
Threat name 3
Infected objects 9
Suspicious objects 6
Duration of the scan 05:09:58
File name Threat name Threats count
C:\Documents and Settings\Mark Fanjoy\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Mark Fanjoy\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\My Documents\Outlook Archive\emailarchive.pst Suspicious: Exploit.HTML.Iframe.FileDownload 3
C:\WINDOWS\system32\1B.tmp Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\WINDOWS\system32\1C.tmp Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\WINDOWS\system32\1D.tmp Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\WINDOWS\system32\1E.tmp Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\WINDOWS\system32\1F.tmp Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\WINDOWS\system32\20.tmp Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\WINDOWS\system32\21.tmp Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
F:\20082308_203151_BackUp C to F\C\My Documents\Outlook Archive\emailarchive.pst Suspicious: Exploit.HTML.Iframe.FileDownload 3
The selected area was scanned.
MALWAREBYTES REPORT...
Malwarebytes' Anti-Malware 1.25
Database version: 1085
Windows 5.1.2600 Service Pack 3
20:13:20 2008-08-24
Malware Report
Scan type: Full Scan (C:\|F:\|G:\|)
Objects scanned: 239604
Time elapsed: 2 hour(s), 57 minute(s), 39 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\blphc9t7j0epdv.scr.vir (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\1B.tmp (Rogue.Agent) -> No action taken.
C:\WINDOWS\system32\1C.tmp (Rogue.Agent) -> No action taken.
C:\WINDOWS\system32\1D.tmp (Rogue.Agent) -> No action taken.
C:\WINDOWS\system32\1E.tmp (Rogue.Agent) -> No action taken.
C:\WINDOWS\system32\1F.tmp (Rogue.Agent) -> No action taken.
C:\WINDOWS\system32\20.tmp (Rogue.Agent) -> No action taken.
C:\WINDOWS\system32\21.tmp (Rogue.Agent) -> No action taken.
C:\WINDOWS\$NtServicePackUninstall$\hh.exe (Trojan.FakeHelp) -> No action taken.
Baabiouz
2008-08-26, 07:07
Hello
Did you complete this step in Mbam instructions?
When the scan is complete, click OK , then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
The Warden
2008-08-26, 14:26
No, I wasn't sure I should do that. But I kept the program open just in case until I heard from you. I just completed that step. Below is the log...
Malwarebytes' Anti-Malware 1.25
Database version: 1085
Windows 5.1.2600 Service Pack 3
04:23:28 2008-08-26
mbam-log-08-26-2008 (04-23-28).txt
Scan type: Full Scan (C:\|F:\|G:\|)
Objects scanned: 239604
Time elapsed: 2 hour(s), 57 minute(s), 39 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\blphc9t7j0epdv.scr.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1B.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1C.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1D.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1E.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1F.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\20.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\21.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtServicePackUninstall$\hh.exe (Trojan.FakeHelp) -> Quarantined and deleted successfully.
Baabiouz
2008-08-26, 16:16
Now those should be gone. Would you please post a fresh HijackThis log? :)
The Warden
2008-08-26, 20:39
Okay, I also ran another MBAM report just to see. Here are both reports...
MBAM REPORT
Malwarebytes' Anti-Malware 1.25
Database version: 1085
Windows 5.1.2600 Service Pack 3
10:33:29 2008-08-26
mbam-log-08-26-2008 (10-33-29).txt
Scan type: Full Scan (C:\|F:\|G:\|)
Objects scanned: 243861
Time elapsed: 3 hour(s), 0 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
HIJACKTHIS REPORT...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:12, on 2008-08-26
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R800 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P32 "EPSON Stylus Photo R800 (Copy 1)" /O5 "LPT1:" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB001" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - Startup: X10 Communications Link.lnk = C:\Program Files\Home Control\X10BURST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/26.34/uploader2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192746063328
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213762217531
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://longsdrugs.digitalcameradeveloping.com/upload/FujifilmUploadClient.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\MARKFA~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
--
End of file - 9272 bytes
Baabiouz
2008-08-26, 20:51
Hello
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7...allows end-users to run Java applications".
Click the "Download" button to the right.
Select your Platform: "Windows".
Select your Language: "Multi-language".
Read the License Agreement, and then check the box that says: "Accept License Agreement".
Click Continue and the page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs (http://www.bleepingcomputer.com/forums/topic42133.html) and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
To Clear the Java Runtime Environment (JRE) cache, do this:
Click Start > Settings > Control Panel.
Double-click the Java icon.
-The Java Control Panel appears.
Click "Settings" under Temporary Internet Files.
-The Temporary Files Settings dialog box appears.
Click "Delete Files".
-The Delete Temporary Files dialog box appears.
-There are three options on this window to clear the cache.
Delete Files
View Applications
View Applets
Click "OK" on Delete Temporary Files window.
-Note: This deletes all the Downloaded Applications and Applets from the cache.
Click "OK" on Temporary Files Settings window.
Close the Java Control Panel.
You can also view these instructions along with screenshots here (http://www.java.com/en/download/help/5000020300.xml).
How's your PC working now?
The Warden
2008-08-27, 07:15
Okay, I will update the JAVA. My PC is just flying along beautiful now!
Thank you so much for all your time and effort with me. I have contributed before, but I will happily donate again this week.
Thank you again and best wishes!!!
Baabiouz
2008-08-27, 07:23
Hello
You're Welcome. Nice to hear your computer is running well :)
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Next we remove all used tools.
Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.
Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.
Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:
Malwarebytes' Anti-Malware Setup Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1644)
Malwarebytes' Anti-Malware Scanning Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1645)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)
Happy surfing and stay clean!