Got rid of Braviax, now have Brastk.exe
Fatboy_97
2008-10-28, 06:26
Similar problems with this virus. Reloads itself at startup after being deleted, messes with Spybot S&D, Killbox.exe, etc. Help! Thanks in advance. Here's the HJT log per instructions.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:53 PM, on 10/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA7219] command /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8641] cmd /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7794] command /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1371] cmd /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--584a3e87-b556-4d06-99f4-d3fef0181acd/online/Diner_Dash_3/en/ddfotg.1.0.0.37.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--b256506b-ac80-48e4-a440-84eccfa8b5f5/online/diner_dash/en/DinerDash.1.0.0.80.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alerter AlerterRasAutoAticlr_optimization_v2.0.50727_32 (AlerterRasAutoAticlr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\
O23 - Service: Alerter AlerterRpcSs (AlerterRpcSs) - Unknown owner - .exe (file missing)
O23 - Service: Application Management AppMgmtCiSvc (AppMgmtCiSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Application Management AppMgmtCiSvc AppMgmtCiSvcFastUserSwitchingCompatibility (AppMgmtCiSvcFastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\
O23 - Service: Application Management AppMgmtFastUserSwitchingCompatibility (AppMgmtFastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\
O23 - Service: Application Management AppMgmtFastUserSwitchingCompatibility AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService (AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService) - Unknown owner - C:\WINDOWS\
O23 - Service: Application Management AppMgmtFastUserSwitchingCompatibility AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService PMSP Service (AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService PMSP Service) - Unknown owner - C:\WINDOWS\
O23 - Service: Application Management AppMgmtFastUserSwitchingCompatibility AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService AppMgmtFastUserSwitchingCompatibilityTrkWksImapiServiceNetman (AppMgmtFastUserSwitchingCompatibilityTrkWksImapiServiceNetman) - Unknown owner - C:\WINDOWS\
O23 - Service: ASP.NET State Service aspnet_stateLmHosts (aspnet_stateLmHosts) - Unknown owner - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Ati HotKey Poller Aticlr_optimization_v2.0.50727_32 (Aticlr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\
O23 - Service: Ati HotKey Poller Aticlr_optimization_v2.0.50727_32 Aticlr_optimization_v2.0.50727_32AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService (Aticlr_optimization_v2.0.50727_32AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService) - Unknown owner - .exe (file missing)
O23 - Service: Windows Audio AudioSrvRDSessMgr (AudioSrvRDSessMgr) - Unknown owner - C:\WINDOWS\
O23 - Service: Computer Browser Browseraspnet_stateLmHosts (Browseraspnet_stateLmHosts) - Unknown owner - .exe (file missing)
O23 - Service: Computer Browser Browserwuauserv (Browserwuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: Computer Browser Browserwuauserv BrowserwuauservALG (BrowserwuauservALG) - Unknown owner - C:\WINDOWS\
O23 - Service: Computer Browser Browserwuauserv BrowserwuauservW32TimeSpoolerNVSvc (BrowserwuauservW32TimeSpoolerNVSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: ClipBook ClipSrvSSDPSRVEventSystemwuauservEventlogImapiServicegusvc (ClipSrvSSDPSRVEventSystemwuauservEventlogImapiServicegusvc) - Unknown owner - .exe (file missing)
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32RasMan (clr_optimization_v2.0.50727_32RasMan) - Unknown owner - C:\WINDOWS\
O23 - Service: COM+ System Application COMSysAppFastUserSwitchingCompatibility (COMSysAppFastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\
O23 - Service: COM+ System Application COMSysAppFastUserSwitchingCompatibility COMSysAppFastUserSwitchingCompatibilityWMPNetworkSvcWebClient (COMSysAppFastUserSwitchingCompatibilityWMPNetworkSvcWebClient) - Unknown owner - C:\WINDOWS\
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DHCP Client DhcpNetman (DhcpNetman) - Unknown owner - .exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service dmadminEventlog (dmadminEventlog) - Unknown owner - C:\WINDOWS\
O23 - Service: DNS Client Dnscachegusvc (Dnscachegusvc) - Unknown owner - C:\WINDOWS\
O23 - Service: COM+ Event System EventSystemgusvc (EventSystemgusvc) - Unknown owner - C:\WINDOWS\
O23 - Service: COM+ Event System EventSystemgusvc EventSystemgusvcWMPNetworkSvc (EventSystemgusvcWMPNetworkSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Google Updater Service gusvcstisvc (gusvcstisvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Human Interface Device Access HidServaspnet_state (HidServaspnet_state) - Unknown owner - .exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TCP/IP NetBIOS Helper LmHostsNtLmSsp (LmHostsNtLmSsp) - Unknown owner - C:\WINDOWS\
O23 - Service: Messenger MessengerRSVP (MessengerRSVP) - Unknown owner - .exe (file missing)
O23 - Service: Distributed Transaction Coordinator MSDTCWZCSVC (MSDTCWZCSVC) - Unknown owner - C:\WINDOWS\
O23 - Service: Distributed Transaction Coordinator MSDTCWZCSVC MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility (MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility) - Unknown owner - .exe (file missing)
O23 - Service: Distributed Transaction Coordinator MSDTCWZCSVC MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility Smart (MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility Smart) - Unknown owner - .exe (file missing)
O23 - Service: Windows Installer MSIServerTrkWksALG (MSIServerTrkWksALG) - Unknown owner - .exe (file missing)
O23 - Service: Network DDE NetDDEclr_optimization_v2.0.50727_32 (NetDDEclr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\
O23 - Service: Network DDE DSDM NetDDEdsdm Smart (NetDDEdsdm Smart) - Unknown owner - C:\WINDOWS\
O23 - Service: Network DDE DSDM NetDDEdsdmgusvcstisvc (NetDDEdsdmgusvcstisvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Network Connections NetmanSamSs (NetmanSamSs) - Unknown owner - .exe (file missing)
O23 - Service: Network Connections NetmanWMPNetworkSvcNtmsSvc (NetmanWMPNetworkSvcNtmsSvc) - Unknown owner - .exe (file missing)
O23 - Service: Network Location Awareness (NLA) NlaSENS (NlaSENS) - Unknown owner - C:\WINDOWS\
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Driver Helper Service NVSvchkmsvc (NVSvchkmsvc) - Unknown owner - .exe (file missing)
O23 - Service: NVIDIA Driver Helper Service NVSvcRemoteAccess (NVSvcRemoteAccess) - Unknown owner - C:\WINDOWS\
O23 - Service: NVIDIA Driver Helper Service NVSvcRemoteAccess NVSvcRemoteAccessDhcpNetman (NVSvcRemoteAccessDhcpNetman) - Unknown owner - .exe (file missing)
O23 - Service: IPSEC Services PolicyAgentWebClient (PolicyAgentWebClient) - Unknown owner - C:\WINDOWS\
O23 - Service: IPSEC Services PolicyAgentWebClient PolicyAgentWebClientWmiApSrv (PolicyAgentWebClientWmiApSrv) - Unknown owner - .exe (file missing)
O23 - Service: Remote Access Auto Connection Manager RasAutoAticlr_optimization_v2.0.50727_32 (RasAutoAticlr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\
O23 - Service: Routing and Remote Access RemoteAccessNtLmSsp (RemoteAccessNtLmSsp) - Unknown owner - C:\WINDOWS\
O23 - Service: Remote Procedure Call (RPC) Locator RpcLocatorRemoteAccessNtLmSsp (RpcLocatorRemoteAccessNtLmSsp) - Unknown owner - C:\WINDOWS\
O23 - Service: Smart Card SCardSvrThemes (SCardSvrThemes) - Unknown owner - C:\WINDOWS\
O23 - Service: Secondary Logon seclogonALG (seclogonALG) - Unknown owner - .exe (file missing)
O23 - Service: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) SharedAccessWMPNetworkSvcNtmsSvc (SharedAccessWMPNetworkSvcNtmsSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Shell Hardware Detection ShellHWDetection Service for CDROM Access (ShellHWDetection Service for CDROM Access) - Unknown owner - C:\WINDOWS\
O23 - Service: Shell Hardware Detection ShellHWDetectionIDriverT (ShellHWDetectionIDriverT) - Unknown owner - C:\WINDOWS\
O23 - Service: Shell Hardware Detection ShellHWDetectionIDriverT ShellHWDetectionIDriverTPlugPlay (ShellHWDetectionIDriverTPlugPlay) - Unknown owner - .exe (file missing)
O23 - Service: Shell Hardware Detection ShellHWDetectionIDriverT ShellHWDetectionIDriverTPlugPlay ShellHWDetectionIDriverTPlugPlayNVSvcRemoteAccess (ShellHWDetectionIDriverTPlugPlayNVSvcRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: Shell Hardware Detection ShellHWDetectionIDriverT ShellHWDetectionIDriverTPlugPlay ShellHWDetectionIDriverTPlugPlayRpcLocatorRemoteAccessNtLmSsp (ShellHWDetectionIDriverTPlugPlayRpcLocatorRemoteAccessNtLmSsp) - Unknown owner - .exe (file missing)
O23 - Service: Print Spooler Spooler Smart (Spooler Smart) - Unknown owner - C:\WINDOWS\
O23 - Service: Print Spooler SpoolerAudioSrvRDSessMgr (SpoolerAudioSrvRDSessMgr) - Unknown owner - C:\WINDOWS\
O23 - Service: Print Spooler SpoolerNVSvc (SpoolerNVSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: SSDP Discovery Service SSDPSRVEventSystem (SSDPSRVEventSystem) - Unknown owner - C:\WINDOWS\
O23 - Service: SSDP Discovery Service SSDPSRVEventSystem SSDPSRVEventSystemwuauservEventlogImapiServicegusvc (SSDPSRVEventSystemwuauservEventlogImapiServicegusvc) - Unknown owner - .exe (file missing)
O23 - Service: MS Software Shadow Copy Provider SwPrvSharedAccess (SwPrvSharedAccess) - Unknown owner - C:\WINDOWS\
O23 - Service: Performance Logs and Alerts SysmonLogAppMgmtCiSvcFastUserSwitchingCompatibility (SysmonLogAppMgmtCiSvcFastUserSwitchingCompatibility) - Unknown owner - .exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: Distributed Link Tracking Client TrkWksALG (TrkWksALG) - Unknown owner - C:\WINDOWS\
O23 - Service: Distributed Link Tracking Client TrkWksImapiService (TrkWksImapiService) - Unknown owner - C:\WINDOWS\
O23 - Service: Distributed Link Tracking Client TrkWkslanmanserver (TrkWkslanmanserver) - Unknown owner - .exe (file missing)
O23 - Service: Distributed Link Tracking Client TrkWksNetmanSamSs (TrkWksNetmanSamSs) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSAudioSrvRDSessMgr (UPSAudioSrvRDSessMgr) - Unknown owner - C:\WINDOWS\
O23 - Service: Windows Time W32TimeSpoolerNVSvc (W32TimeSpoolerNVSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Portable Media Serial Number Service WmdmPmSNaspnet_stateLmHosts (WmdmPmSNaspnet_stateLmHosts) - Unknown owner - .exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvAppMgmtCiSvcFastUserSwitchingCompatibility (WmiApSrvAppMgmtCiSvcFastUserSwitchingCompatibility) - Unknown owner - .exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvRemoteAccessNtLmSsp (WmiApSrvRemoteAccessNtLmSsp) - Unknown owner - .exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service WMPNetworkSvcNtmsSvc (WMPNetworkSvcNtmsSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Windows Media Player Network Sharing Service WMPNetworkSvcNtmsSvc WMPNetworkSvcNtmsSvcTermService (WMPNetworkSvcNtmsSvcTermService) - Unknown owner - .exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service WMPNetworkSvcWebClient (WMPNetworkSvcWebClient) - Unknown owner - C:\WINDOWS\
O23 - Service: Windows Media Player Network Sharing Service WMPNetworkSvcWebClient WMPNetworkSvcWebClientDhcp (WMPNetworkSvcWebClientDhcp) - Unknown owner - .exe (file missing)
O23 - Service: Security Center wscsvc Service for CDROM Access (wscsvc Service for CDROM Access) - Unknown owner - C:\WINDOWS\
O23 - Service: Security Center wscsvcDhcp (wscsvcDhcp) - Unknown owner - .exe (file missing)
O23 - Service: Automatic Updates wuauservDhcp (wuauservDhcp) - Unknown owner - C:\WINDOWS\
O23 - Service: Automatic Updates wuauservEventlog (wuauservEventlog) - Unknown owner - C:\WINDOWS\
O23 - Service: Automatic Updates wuauservEventlog wuauservEventlogImapiService (wuauservEventlogImapiService) - Unknown owner - C:\WINDOWS\
O23 - Service: Automatic Updates wuauservEventlog wuauservEventlogImapiService wuauservEventlogImapiServicegusvc (wuauservEventlogImapiServicegusvc) - Unknown owner - C:\WINDOWS\
--
End of file - 20366 bytes
Hello & welcome :)
I am looking over your log & will return shortly with instructions.
Please do not run any removal/fixit apps till I tell you as they may interfere with our work.
Thanks
blender
Hello,
Do you remember the site that may have attacked you like this?
Or what file you ran before everything went crazy?
Something really odd going on with those services.
I want to get more info before we try fixing anything.
If at any time during our work you don't understand something, please ask. Don't just keep going on.
And please stick with me till I give you the all clear. Even though the obvious symptoms may disappear -- that doesn't mean it's all clean.
-----------------
1.) download ERUNT from Aumha:
http://www.aumha.org/downloads/erunt-setup.exe
Follow Step 4 onwards of this site to back up your registry.
http://www.silentrunners.org/sr_eruntuse.html
Your choice whether or not to have it create a startup option that will back up the registry every boot.
Please then locate this folder:
C:\windows\ERDNT <-- this one
Right click it> properties> report back size of folder contents.
2.) Please download this tool and save it to your desktop:
http://oldtimer.geekstogo.com/OTViewIt.exe
Temporarily disable antimalware programs to prevent them from interfering with running OTViewIt.exe.
Double click OTViewIt.exe to run.
Click "run scan"
When done it will have produced 2 logs in the same folder you saved OTViewIt.exe to (should be on the desktop).
Please post contents of both logs. (OTViewIt.txt & Extras.txt)
Don't forget to re-enable antimalware programs when done.
I may ask for more logs and/or file samples later but the above should give us a good start.
3.) Click start> run> type msconfig and hit enter.
Click the boot.ini tab.
Checkmark ONLY /bootlog
Then hit "apply" and "close".
Don't mess with anything else in there!
Reboot when prompted.
At reboot you will get notification you used msconfig to change how windows starts.
Just check the box that says "don't tell me this again..." and OK.
Locate & delete:
C:\windows\ntbtlog.txt
Reboot
Post the new c:\windows\ntbtlog.txt
It may take a few posts to get all logs in without getting cut off.
I highly recommend you keep this machine offline while not actually working on fixes. It is most likely hammering out spam like crazy & your ISP may get upset, not to mention more junk is likely getting installed.
Thanks
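The odd O23 entries in the HijackThis log above (service short names like Browserwuauserv or TrkWkslanmanserver, registered Auto-start, "Unknown owner", and either a bare C:\WINDOWS\ directory or ".exe (file missing)" as the image path) can be picked out mechanically. The script below is an editor's example added here; it is not code from either poster, nor part of HijackThis or OTViewIt. It parses O23 lines, checks whether an executable actually sits behind the service, and tries to split the short name into two or more legitimate service names. The sample lines are copied from the log above; the KNOWN_SHORT_NAMES list is an assumption (a subset of stock Windows XP service short names plus the third-party ones named in the log) and should be extended for other systems.

```python
"""Triage HijackThis O23 (service) lines for the pattern in the log above:
services named by concatenating legitimate Windows XP service short names,
set to Auto-start, with no executable behind them.
Editor's example; not part of HijackThis, OTViewIt or the thread."""
import re

# Assumption: a subset of stock Windows XP service short names, plus the
# third-party ones named in the log above. Extend for other systems.
KNOWN_SHORT_NAMES = {
    "Alerter", "ALG", "AppMgmt", "aspnet_state", "AudioSrv", "Browser", "CiSvc", "ClipSrv",
    "clr_optimization_v2.0.50727_32", "COMSysApp", "Dhcp", "dmadmin", "Dnscache", "Eventlog",
    "EventSystem", "FastUserSwitchingCompatibility", "gusvc", "HidServ", "hkmsvc", "IDriverT",
    "ImapiService", "lanmanserver", "LmHosts", "Messenger", "MSDTC", "MSIServer", "NetDDE",
    "NetDDEdsdm", "Netman", "Nla", "NtLmSsp", "NtmsSvc", "NVSvc", "PlugPlay", "PolicyAgent",
    "RasAuto", "RasMan", "RDSessMgr", "RemoteAccess", "RpcLocator", "RpcSs", "RSVP", "SamSs",
    "SCardSvr", "seclogon", "SENS", "SharedAccess", "ShellHWDetection", "Spooler", "SSDPSRV",
    "stisvc", "SwPrv", "SysmonLog", "TermService", "Themes", "TrkWks", "UPS", "W32Time",
    "WebClient", "WmdmPmSN", "WmiApSrv", "WMPNetworkSvc", "wscsvc", "wuauserv", "WZCSVC",
}

# Lines copied from the HijackThis log posted above (a few clean ones included
# so the filter has something to leave alone).
SAMPLE_LOG = [
    "O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe",
    "O23 - Service: Alerter AlerterRasAutoAticlr_optimization_v2.0.50727_32 (AlerterRasAutoAticlr_optimization_v2.0.50727_32) - Unknown owner - C:\\WINDOWS\\",
    "O23 - Service: Alerter AlerterRpcSs (AlerterRpcSs) - Unknown owner - .exe (file missing)",
    "O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe",
    "O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe",
    "O23 - Service: Computer Browser Browserwuauserv (Browserwuauserv) - Unknown owner - C:\\WINDOWS\\",
    "O23 - Service: Google Updater Service (gusvc) - Google - C:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe",
    "O23 - Service: Distributed Link Tracking Client TrkWkslanmanserver (TrkWkslanmanserver) - Unknown owner - .exe (file missing)",
]


def parse_o23(line):
    """Split 'O23 - Service: <display> (<short>) - <owner> - <path>' from the right,
    so display names containing ' / ' or parentheses stay intact."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    parts = line[len(prefix):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = parts
    m = re.search(r"\(([^()]+)\)\s*$", display)
    short = m.group(1) if m else display  # HJT omits the parens when both names match
    return {"display": display, "short": short, "owner": owner.strip(), "path": path.strip()}


def has_executable(path):
    """False when HJT reports the binary missing or the image path is a bare directory."""
    if "(file missing)" in path or path.endswith("\\"):
        return False
    return re.search(r"\.(exe|dll|sys)\b", path, re.IGNORECASE) is not None


def decompose(short, known=KNOWN_SHORT_NAMES):
    """Return the known service names that concatenate exactly to `short`
    (two or more of them), or None. Longest token first, memoised."""
    tokens = sorted(known, key=len, reverse=True)
    memo = {}

    def solve(i):
        if i == len(short):
            return []
        if i in memo:
            return memo[i]
        result = None
        for tok in tokens:
            if short.startswith(tok, i):
                rest = solve(i + len(tok))
                if rest is not None:
                    result = [tok] + rest
                    break
        memo[i] = result
        return result

    parts = solve(0)
    return parts if parts is not None and len(parts) >= 2 else None


def triage(lines):
    """Return [(short_name, [reasons])] for O23 entries worth a second look.
    'Unknown owner' on its own is not flagged: unsigned but real services
    (ATI Smart in the log above) would otherwise drown the result."""
    findings = []
    for line in lines:
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = []
        if not has_executable(svc["path"]):
            reasons.append("no executable behind the service")
        parts = decompose(svc["short"])
        if parts:
            reasons.append("name is " + " + ".join(parts))
        if reasons and svc["owner"] == "Unknown owner":
            reasons.append("unknown owner")
        if reasons:
            findings.append((svc["short"], reasons))
    return findings
```

Run `triage(SAMPLE_LOG)` and the four bogus entries come back with their reasons while aawservice, the two ATI services and gusvc pass. The name split deliberately fails on entries with a foreign fragment (the "Ati" in AlerterRasAutoAticlr_optimization_v2.0.50727_32), which is why the missing-executable check is kept as an independent signal rather than folded into the name test.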
Fatboy_97
2008-10-29, 06:02
Thank you for your time Blender. Sorry, I don't know where this stuff came from; been battling it for a long time; shoulda come here first.
First of all, the ERDNT file is 48.1 MB; 12 files, 4 folders.
OTViewIt.Txt as follows:
OTViewIt logfile created on: 10/28/2008 8:50:08 PM - Run
OTViewIt by OldTimer - Version 1.0.19.0 Folder = C:\Documents and Settings\Dennis\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1023.48 Mb Total Physical Memory | 550.43 Mb Available Physical Memory | 53.78% Memory free
2.41 Gb Paging File | 2.01 Gb Available in Paging File | 83.60% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.32 Gb Total Space | 54.33 Gb Free Space | 71.19% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: DENNIS-JIF0Z43K
Current User Name: Dennis
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days
========== Processes ==========
[2008/09/19 14:22:21 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
[1999/12/13 01:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTSVCCDA.EXE
[2002/11/11 21:59:00 | 00,065,536 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
[2008/04/24 16:52:22 | 00,066,880 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFService.exe
[2000/06/26 07:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\MsPMSPSv.exe
[2002/04/11 11:47:52 | 00,176,128 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Hardware\Mouse\point32.exe
[2001/10/16 08:08:48 | 00,086,016 | ---- | M] (Visioneer Inc) -- C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
[2005/08/12 14:43:58 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
[2008/04/24 16:52:28 | 00,259,392 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFTray.exe
[2007/01/19 13:54:56 | 05,674,352 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\msnmsgr.exe
[2004/02/03 14:42:54 | 00,401,491 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
[2007/12/25 10:36:05 | 00,028,672 | ---- | M] (DataViz, Inc.) -- C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
[2004/06/09 15:27:34 | 00,471,040 | ---- | M] (PalmSource, Inc) -- C:\Program Files\Palm\Hotsync.exe
[2006/02/19 04:21:22 | 00,288,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[2005/08/12 14:43:58 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
[2006/02/19 05:24:52 | 00,239,320 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
[2008/06/23 02:20:52 | 00,625,664 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
[2008/10/28 20:46:51 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dennis\Desktop\OTViewIt.exe
========== (O23) Win32 Services ==========
[2008/09/19 14:22:21 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])
[2006/07/30 12:49:12 | 00,072,704 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
File not found -- -- (AlerterRasAutoAticlr_optimization_v2.0.50727_32 [Auto | Stopped])
File not found -- -- (AlerterRpcSs [Auto | Stopped])
File not found -- -- (AppMgmtCiSvc [Auto | Stopped])
File not found -- -- (AppMgmtCiSvcFastUserSwitchingCompatibility [Auto | Stopped])
File not found -- -- (AppMgmtFastUserSwitchingCompatibility [Auto | Stopped])
File not found -- -- (AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService [Auto | Stopped])
File not found -- -- (AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService PMSP Service [Auto | Stopped])
File not found -- -- (AppMgmtFastUserSwitchingCompatibilityTrkWksImapiServiceNetman [Auto | Stopped])
[2007/04/13 03:20:52 | 00,033,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
File not found -- -- (aspnet_stateLmHosts [Auto | Stopped])
[2007/12/20 19:57:27 | 00,512,000 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller [Auto | Stopped])
[2007/12/20 22:05:00 | 00,593,920 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
File not found -- -- (Aticlr_optimization_v2.0.50727_32 [Auto | Stopped])
File not found -- -- (Aticlr_optimization_v2.0.50727_32AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService [Auto | Stopped])
File not found -- -- (AudioSrvRDSessMgr [Auto | Stopped])
File not found -- -- (Browseraspnet_stateLmHosts [Auto | Stopped])
File not found -- -- (Browserwuauserv [Auto | Stopped])
File not found -- -- (BrowserwuauservALG [Auto | Stopped])
File not found -- -- (BrowserwuauservW32TimeSpoolerNVSvc [Auto | Stopped])
File not found -- -- (ClipSrvSSDPSRVEventSystemwuauservEventlogImapiServicegusvc [Auto | Stopped])
[2007/04/13 03:21:18 | 00,068,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
File not found -- -- (clr_optimization_v2.0.50727_32RasMan [Auto | Stopped])
File not found -- -- (COMSysAppFastUserSwitchingCompatibility [Auto | Stopped])
File not found -- -- (COMSysAppFastUserSwitchingCompatibilityWMPNetworkSvcWebClient [Auto | Stopped])
[1999/12/13 01:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTSVCCDA.EXE -- (Creative Service for CDROM Access [Auto | Running])
File not found -- -- (DhcpNetman [Auto | Stopped])
File not found -- -- (dmadminEventlog [Auto | Stopped])
File not found -- -- (Dnscachegusvc [Auto | Stopped])
File not found -- -- (EventSystemgusvc [Auto | Stopped])
File not found -- -- (EventSystemgusvcWMPNetworkSvc [Auto | Stopped])
[2008/09/17 17:00:24 | 00,138,168 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
File not found -- -- (gusvcstisvc [Auto | Stopped])
File not found -- -- (HidServaspnet_state [Auto | Stopped])
[2005/04/04 01:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
File not found -- -- (LmHostsNtLmSsp [Auto | Stopped])
File not found -- -- (MessengerRSVP [Auto | Stopped])
File not found -- -- (MSDTCWZCSVC [Auto | Stopped])
File not found -- -- (MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility [Auto | Stopped])
File not found -- -- (MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility Smart [Auto | Stopped])
File not found -- -- (MSIServerTrkWksALG [Auto | Stopped])
File not found -- -- (NetDDEclr_optimization_v2.0.50727_32 [Auto | Stopped])
File not found -- -- (NetDDEdsdm Smart [Auto | Stopped])
File not found -- -- (NetDDEdsdmgusvcstisvc [Auto | Stopped])
File not found -- -- (NetmanSamSs [Auto | Stopped])
File not found -- -- (NetmanWMPNetworkSvcNtmsSvc [Auto | Stopped])
File not found -- -- (NlaSENS [Auto | Stopped])
[2002/11/11 21:59:00 | 00,065,536 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
File not found -- -- (NVSvchkmsvc [Auto | Stopped])
File not found -- -- (NVSvcRemoteAccess [Auto | Stopped])
File not found -- -- (NVSvcRemoteAccessDhcpNetman [Auto | Stopped])
File not found -- -- (PolicyAgentWebClient [Auto | Stopped])
File not found -- -- (PolicyAgentWebClientWmiApSrv [Auto | Stopped])
File not found -- -- (RasAutoAticlr_optimization_v2.0.50727_32 [Auto | Stopped])
File not found -- -- (RemoteAccessNtLmSsp [Auto | Stopped])
File not found -- -- (RemoteAccessPolicyAgentWebClient [Auto | Stopped])
File not found -- -- (RpcLocatorRemoteAccessNtLmSsp [Auto | Stopped])
File not found -- -- (SCardSvrThemes [Auto | Stopped])
File not found -- -- (seclogonALG [Auto | Stopped])
File not found -- -- (SharedAccessWMPNetworkSvcNtmsSvc [Auto | Stopped])
File not found -- -- (ShellHWDetection Service for CDROM Access [Auto | Stopped])
File not found -- -- (ShellHWDetectionIDriverT [Auto | Stopped])
File not found -- -- (ShellHWDetectionIDriverTPlugPlay [Auto | Stopped])
File not found -- -- (ShellHWDetectionIDriverTPlugPlayNVSvcRemoteAccess [Auto | Stopped])
File not found -- -- (ShellHWDetectionIDriverTPlugPlayRpcLocatorRemoteAccessNtLmSsp [Auto | Stopped])
File not found -- -- (Spooler Smart [Auto | Stopped])
File not found -- -- (SpoolerAudioSrvRDSessMgr [Auto | Stopped])
File not found -- -- (SpoolerAudioSrvRDSessMgrTrkWksALGSSDPSRVEventSystemwuauservEventlogImapiServicegusvc [Auto | Stopped])
File not found -- -- (SpoolerNVSvc [Auto | Stopped])
File not found -- -- (SSDPSRVEventSystem [Auto | Stopped])
File not found -- -- (SSDPSRVEventSystemwuauservEventlogImapiServicegusvc [Auto | Stopped])
File not found -- -- (SwPrvSharedAccess [Auto | Stopped])
File not found -- -- (SysmonLogAppMgmtCiSvcFastUserSwitchingCompatibility [Auto | Stopped])
[2008/04/24 16:52:22 | 00,066,880 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFService.exe -- (ThreatFire [Auto | Running])
File not found -- -- (TrkWksALG [Auto | Stopped])
File not found -- -- (TrkWksALGSSDPSRVEventSystemwuauservEventlogImapiServicegusvc [Auto | Stopped])
File not found -- -- (TrkWksImapiService [Auto | Stopped])
File not found -- -- (TrkWkslanmanserver [Auto | Stopped])
File not found -- -- (TrkWksNetmanSamSs [Auto | Stopped])
File not found -- -- (UPSAudioSrvRDSessMgr [Auto | Stopped])
[2007/01/19 13:54:14 | 00,097,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
File not found -- -- (W32TimeSpoolerNVSvc [Auto | Stopped])
[2000/06/26 07:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\MsPMSPSv.exe -- (WMDM PMSP Service [Auto | Running])
File not found -- -- (WmdmPmSNaspnet_stateLmHosts [Auto | Stopped])
File not found -- -- (WmiApSrvAppMgmtCiSvcFastUserSwitchingCompatibility [Auto | Stopped])
File not found -- -- (WmiApSrvRemoteAccessNtLmSsp [Auto | Stopped])
[2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
File not found -- -- (WMPNetworkSvcNtmsSvc [Auto | Stopped])
File not found -- -- (WMPNetworkSvcNtmsSvcTermService [Auto | Stopped])
File not found -- -- (WMPNetworkSvcWebClient [Auto | Stopped])
File not found -- -- (WMPNetworkSvcWebClientDhcp [Auto | Stopped])
File not found -- -- (wscsvc Service for CDROM Access [Auto | Stopped])
File not found -- -- (wscsvcDhcp [Auto | Stopped])
File not found -- -- (wuauservDhcp [Auto | Stopped])
File not found -- -- (wuauservEventlog [Auto | Stopped])
File not found -- -- (wuauservEventlogImapiService [Auto | Stopped])
File not found -- -- (wuauservEventlogImapiServicegusvc [Auto | Stopped])
File not found -- -- (AppMgmtFastUserSwitchingCompatibilityTrkWksImapiServiceMessengerRSVP [Auto | Stopped])
========== Driver Services ==========
[2008/04/13 11:31:33 | 00,037,760 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\amdk7.sys -- (AmdK7 [System | Running])
[1997/04/22 10:16:00 | 00,006,272 | ---- | M] () -- C:\WINDOWS\system32\drivers\ASLM75.SYS -- (aslm75 [Auto | Running])
[2007/12/20 20:53:20 | 02,843,136 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag [On_Demand | Stopped])
[2008/10/28 18:29:22 | 00,027,648 | ---- | M] () -- C:\WINDOWS\System32\drivers\beep.sys -- (Beep [System | Running])
[2002/07/19 10:46:28 | 00,127,948 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k [On_Demand | Running])
[2002/07/19 10:47:52 | 00,837,548 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k [On_Demand | Running])
[2001/08/17 12:19:20 | 00,003,712 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk [On_Demand | Stopped])
[2002/07/19 10:48:08 | 00,011,068 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k [On_Demand | Running])
[2002/07/19 10:48:22 | 00,213,860 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k [On_Demand | Running])
[2002/08/13 06:27:22 | 00,074,338 | ---- | M] (3Com Corporation) -- C:\WINDOWS\system32\drivers\el90Xbc5.SYS -- (EL90Xbc [On_Demand | Running])
[2002/07/19 10:48:32 | 00,156,604 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia [On_Demand | Running])
[2008/04/13 11:45:29 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum [On_Demand | Running])
[2002/07/24 13:52:26 | 00,998,004 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k [On_Demand | Running])
[2002/04/11 11:47:52 | 00,011,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\ipfilter.sys -- (IPFilter [On_Demand | Running])
[2001/08/17 14:02:40 | 00,035,200 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\msgame.sys -- (msgame [On_Demand | Stopped])
[2001/08/17 07:00:04 | 00,002,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401 [On_Demand | Running])
[2003/05/26 16:41:29 | 00,006,912 | ---- | M] (NewTech Infosystems, Inc.) -- C:\WINDOWS\system32\drivers\NTIDrvr.sys -- (NTIDrvr [On_Demand | Running])
[2005/05/12 00:34:00 | 03,189,376 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Running])
[2002/12/04 21:01:00 | 00,013,056 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax [On_Demand | Running])
[2002/09/22 19:37:00 | 00,080,896 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\NVENET.sys -- (NVENET [On_Demand | Running])
[2002/12/04 21:01:00 | 00,241,664 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce [On_Demand | Running])
[2002/09/05 20:24:00 | 00,013,568 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv_agp.SYS -- (nv_agp [Boot | Running])
[2002/07/19 10:48:04 | 00,195,432 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Running])
[2007/12/25 10:33:54 | 00,016,694 | ---- | M] (PalmSource, Inc.) -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD [On_Demand | Stopped])
[2002/06/14 13:49:56 | 00,010,194 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\PFMODNT.SYS -- (PfModNT [Auto | Running])
[2002/08/29 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [Auto | Running])
[2005/11/10 18:00:48 | 00,102,400 | ---- | M] (Silicon Image, Inc) -- C:\WINDOWS\system32\drivers\SI3112r.sys -- (Si3112r [Boot | Running])
[2004/11/01 12:21:32 | 00,010,368 | ---- | M] (Silicon Image, Inc.) -- C:\WINDOWS\system32\drivers\SiWinAcc.sys -- (SiFilter [Boot | Running])
[2005/03/24 18:21:22 | 00,038,937 | ---- | M] (Service & Quality Technology.) -- C:\WINDOWS\system32\drivers\Capt905c.sys -- (SQTECH905C [On_Demand | Stopped])
[2008/04/24 16:52:38 | 00,051,520 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon [Boot | Running])
[2008/04/24 16:52:42 | 00,033,088 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon [On_Demand | Running])
[2008/04/24 16:52:44 | 00,038,208 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon [Boot | Running])
[2003/12/22 10:28:18 | 00,104,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wceusbsh.sys -- (wceusbsh [On_Demand | Stopped])
[2008/10/28 18:33:13 | 00,031,104 | ---- | M] () -- C:\WINDOWS\system32\drivers\Windi26.sys -- (Windi26 [Boot | Running])
========== (R ) Internet Explorer ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.yahoo.com
"Default_Search_URL"=http://www.google.com/ie
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://www.google.com
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://www.google.com
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"SearchAssistant"=http://www.google.com
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchURL]
""=http://home.microsoft.com/access/autosearch.asp?p=%s
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.google.com
"Start Page"=http://www.msn.com/
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://home.microsoft.com/access/autosearch.asp?p=%s
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
========== (O1) Hosts File ==========
HOSTS File = (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
========== (O2) BHO's ==========
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4efb-9B51-7695ECA05670} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{53707962-6F74-2D53-2644-206D7942484F} (HKLM) -- C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
{7E853D72-626A-48EC-A868-BA8D5E23E045} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{AA58ED58-01DD-4d91-8333-CF10577473F7} (HKLM) -- c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
========== (O3) Toolbars ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (HKLM) -- c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{327C2873-E90D-4c37-AA9D-10AC9BABA46C}" (HKLM) -- C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll File not found
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll File not found
========== (O4) Run Keys ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay (ATI Technologies Inc.)
"nForce Tray Options"=sstray.exe /r (NVIDIA Corporation)
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
"OneTouch Monitor"=C:\PROGRA~1\VISION~1\ONETOU~2.EXE (Visioneer Inc)
"POINTER"=point32.exe File not found
"ThreatFire"=C:\Program Files\ThreatFire\TFTray.exe (PC Tools)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" (Microsoft Corporation)
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background (Microsoft Corporation)
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
========== (O4) RunOnce Keys ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck File not found
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (Microsoft Corporation)
========== (O4) Startup Folders ==========
[2005/09/23 23:05:26 | 00,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[2005/08/12 14:43:58 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
[2007/12/25 10:36:05 | 00,028,672 | ---- | M] (DataViz, Inc.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
[2004/06/09 15:27:34 | 00,471,040 | ---- | M] (PalmSource, Inc) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
[2006/02/19 04:21:22 | 00,288,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[2001/02/13 02:01:04 | 00,083,360 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
========== (O6 & O7) Current Version Policies ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
""=
"NoDriveTypeAutoRun"=_ [binary data]
"NoActiveDesktopChanges"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=_ [binary data]
"NoSaveSettings"=0
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=0
"NoColorChoice"=0
"NoSizeChoice"=0
"NoVisualStyleChoice"=0
========== (O9) IE Extensions ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [2008/06/10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}: Button: Spyware Doctor -- Reg Error: Key does not exist or could not be opened. File not found
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}: Button: Create Mobile Favorite -- %ProgramFiles%\Microsoft ActiveSync\INETREPL.DLL [2004/02/03 14:41:46 | 00,131,155 | ---- | M] (Microsoft Corporation)
{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}: Menu: Create Mobile Favorite... -- %ProgramFiles%\Microsoft ActiveSync\INETREPL.DLL [2004/02/03 14:41:46 | 00,131,155 | ---- | M] (Microsoft Corporation)
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}: Menu: Spybot - Search & Destroy Configuration -- %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2008/04/13 11:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 17:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 17:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> [2008/06/10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} [HKLM] -> [Spyware Doctor] -> File not found
CmdMapping\\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} [HKLM] -> %ProgramFiles%\Microsoft ActiveSync\INETREPL.DLL [Create Mobile Favorite] -> [2004/02/03 14:41:46 | 00,131,155 | ---- | M] (Microsoft Corporation)
CmdMapping\\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} [HKLM] -> %ProgramFiles%\Microsoft ActiveSync\INETREPL.DLL [Create Mobile Favorite...] -> [2004/02/03 14:41:46 | 00,131,155 | ---- | M] (Microsoft Corporation)
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 11:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 17:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
========== (O12) Internet Explorer Plugins ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery
Extension\.spop: -- C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll [2001/01/30 13:56:24 | 00,225,280 | ---- | M] (InterTrust Technologies Corporation, Inc.)
========== (O13) Default Prefixes ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://
========== (O15) Trusted Sites ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
: msn in My Computer
aol.com\free: http in Local intranet
24 domain(s) and sub-domain(s) not assigned to a zone.
========== (O16) DPF ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{166B1BCA-3F9C-11CF-8075-444553540000}: http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab -- Shockwave ActiveX Control
{233C1507-6A77-46A4-9443-F871F945D258}: http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab -- Shockwave ActiveX Control
{49E67060-2C0D-415E-94C7-52A49F73B2F1}: http://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab -- CPlayFirstPiratePoppersControl Object
{7E980B9B-8AE5-466A-B6D6-DA8CF814E78A}: http://zone.msn.com/bingame/luxr/default/mjolauncher.cab -- MJLauncherCtrl Class
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab -- Java Plug-in 1.6.0_07
{B8BE5E93-A60C-4D26-A2DC-220313175592}: http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab -- MSN Games - Installer
{BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19}: http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--584a3e87-b556-4d06-99f4-d3fef0181acd/online/Diner_Dash_3/en/ddfotg.1.0.0.37.cab -- CPlayFirstddfotgControl Object
{C86FF4B0-AA1D-46D4-8612-025FB86583C7}: http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10 -- AstoundLauncher Control
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab -- Java Plug-in 1.6.0_03
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab -- Java Plug-in 1.6.0_05
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab -- Java Plug-in 1.6.0_07
{D0C0F75C-683A-4390-A791-1ACFD5599AB8}: http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab -- Oberon Flash Game Host
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab -- Shockwave Flash Object
{DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6}: http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--b256506b-ac80-48e4-a440-84eccfa8b5f5/online/diner_dash/en/DinerDash.1.0.0.80.cab -- CPlayFirstDinerDashControl Object
{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}: http://zone.msn.com/bingame/popcaploader_v10.cab -- PopCapLoader Object
{FFB3A759-98B1-446F-BDA9-909C6EB18CC7}: http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll -- PCPitstop Exam
DirectAnimation Java Classes: file://C:\WINDOWS\Java\classes\dajava.cab -- Reg Error: Key does not exist or could not be opened.
Microsoft XML Parser for Java: file://C:\WINDOWS\Java\classes\xmldso.cab -- Reg Error: Key does not exist or could not be opened.
========== (O17) DNS Name Servers ==========
{0E43E730-3392-4C45-9E3A-62EAB853F739} (Servers: | Description: )
{184F51D8-B677-4C90-BB26-B5742A2D291D} (Servers: | Description: 1394 Net Adapter)
{357A4C7C-B510-48F5-BAAB-0A2FF5B437DC} (Servers: | Description: NVIDIA nForce MCP Networking Adapter)
{B2F7C348-34D7-4FD3-9785-055445281557} (Servers: | Description: 3Com 3C920B-EMB Integrated Fast Ethernet Controller)
========== (O19) User Style Sheets ==========
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles]
========== (O20) AppInit_DLLs ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=karna.datesheet
>[2008/10/28 18:31:29 | 00,006,144 | ---- | M] () -- C:\WINDOWS\system32\karna.dat
========== (O20) Winlogon Notify Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
AtiExtEvent: "DllName" = Ati2evxx.dll -- C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.)
WinCtrl32: "DllName" = WinCtrl32.dll -- C:\WINDOWS\system32\WinCtrl32.dll ()
========== HKLM *SecurityProviders* ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
>[2001/09/18 18:37:34 | 00,016,973 | ---- | M] () -- C:\WINDOWS\system32\ZWebAuth.dll
========== Safeboot Options ==========
"AlternateShell"=cmd.exe
========== CDRom AutoRun Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1
========== Autorun Files on Drives ==========
AUTOEXEC.BAT []
[2003/05/08 11:53:30 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]
========== Files/Folders - Created Within 30 Days ==========
[5 C:\WINDOWS\*.tmp files]
[2008/10/28 20:46:50 | 00,422,400 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dennis\Desktop\OTViewIt.exe
[2008/10/28 20:43:24 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2008/10/28 20:41:53 | 00,000,635 | ---- | C] () -- C:\Documents and Settings\Dennis\Desktop\ERUNT.lnk
[2008/10/28 20:41:52 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2008/10/28 20:38:33 | 00,149,837 | ---- | C] () -- C:\Documents and Settings\Dennis\My Documents\ERUNT Use.pdf
[2008/10/28 20:33:02 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Dennis\Desktop\erunt-setup.exe
[2008/10/28 18:33:12 | 00,015,360 | ---- | C] () -- C:\WINDOWS\System32\WinCtrl32.dl_
[2008/10/28 18:31:29 | 00,009,728 | ---- | C] () -- C:\WINDOWS\brastk.exe
[2008/10/28 18:29:57 | 00,000,132 | ---- | C] () -- C:\WINDOWS\System32\delself.bat
[2008/10/27 21:17:27 | 00,001,777 | ---- | C] () -- C:\Documents and Settings\Dennis\Desktop\HijackThis.lnk
[2008/10/27 21:16:28 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Dennis\Desktop\HJTInstall.exe
[2008/10/27 20:10:44 | 00,015,360 | ---- | C] () -- C:\WINDOWS\System32\WinCtrl32.dll
[2008/10/24 23:23:38 | 00,027,648 | ---- | C] () -- C:\WINDOWS\System32\drivers\beep.sys
[2008/10/24 23:23:38 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\dllcache\beep.sys
[2008/10/24 22:36:52 | 00,009,728 | ---- | C] () -- C:\WINDOWS\System32\brastk.exe
[2008/10/24 22:34:21 | 00,000,000 | ---D | C] -- C:\New Folder
[2008/10/24 22:28:02 | 00,000,000 | ---D | C] -- C:\backups
[2008/10/18 17:57:16 | 00,000,664 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\ThreatFire.lnk
[2008/10/18 17:57:10 | 00,051,520 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfFsMon.sys
[2008/10/18 17:57:10 | 00,038,208 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfSysMon.sys
[2008/10/18 17:57:10 | 00,033,088 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfNetMon.sys
[2008/10/18 17:57:10 | 00,012,608 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfKbMon.sys
[2008/10/18 17:57:10 | 00,000,000 | ---D | C] -- C:\Program Files\ThreatFire
[2008/10/18 17:57:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2008/10/06 23:34:21 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\drivers\453.exe
[2008/10/06 22:19:37 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\drivers\312.exe
[2008/10/06 22:10:11 | 00,065,428 | ---- | C] () -- C:\WINDOWS\System32\wini10541.exe
[2008/10/06 22:09:24 | 00,006,144 | ---- | C] () -- C:\WINDOWS\System32\karna.dat
[2008/10/06 22:09:24 | 00,006,144 | ---- | C] () -- C:\WINDOWS\karna.dat
[2008/10/03 07:39:03 | 00,184,832 | ---- | C] () -- C:\WINDOWS\System32\drivers\531.exe
[2008/10/03 07:39:01 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\drivers\703.exe
[2008/10/03 00:40:33 | 00,186,368 | ---- | C] () -- C:\WINDOWS\System32\drivers\796.exe
[2008/10/02 22:50:02 | 00,186,368 | ---- | C] () -- C:\WINDOWS\System32\drivers\890.exe
[2008/10/02 22:37:50 | 00,186,368 | ---- | C] () -- C:\WINDOWS\System32\drivers\828.exe
[2008/10/02 22:37:47 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\drivers\921.exe
[2008/10/01 18:12:41 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\109.exe
[2008/09/30 18:34:32 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\953.exe
[2008/09/30 18:34:29 | 00,185,344 | ---- | C] () -- C:\WINDOWS\System32\drivers\437.exe
[2008/09/29 19:38:05 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\765.exe
========== Files - Modified Within 30 Days ==========
[9 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2008/10/28 20:46:51 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dennis\Desktop\OTViewIt.exe
[2008/10/28 20:41:53 | 00,000,635 | ---- | M] () -- C:\Documents and Settings\Dennis\Desktop\ERUNT.lnk
[2008/10/28 20:41:01 | 54,112,602 | -HS- | M] () -- C:\WINDOWS\System32\Adobeh.sys
[2008/10/28 20:38:33 | 00,149,837 | ---- | M] () -- C:\Documents and Settings\Dennis\My Documents\ERUNT Use.pdf
[2008/10/28 20:33:06 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Dennis\Desktop\erunt-setup.exe
[2008/10/28 20:18:46 | 00,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/10/28 18:35:30 | 00,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{41111FB6-E87B-4712-9635-90034B0CC9F3}.job
[2008/10/28 18:33:36 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\dllcache\beep.sys
[2008/10/28 18:33:15 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\13i.sys
[2008/10/28 18:33:13 | 00,031,104 | ---- | M] () -- C:\WINDOWS\System32\drivers\Windi26.sys
[2008/10/28 18:33:12 | 00,015,360 | ---- | M] () -- C:\WINDOWS\System32\WinCtrl32.dl_
[2008/10/28 18:31:42 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/10/28 18:31:33 | 00,015,360 | ---- | M] () -- C:\WINDOWS\System32\WinCtrl32.dll
[2008/10/28 18:31:33 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/10/28 18:31:29 | 00,009,728 | ---- | M] () -- C:\WINDOWS\System32\brastk.exe
[2008/10/28 18:31:29 | 00,009,728 | ---- | M] () -- C:\WINDOWS\brastk.exe
[2008/10/28 18:31:29 | 00,006,144 | ---- | M] () -- C:\WINDOWS\System32\karna.dat
[2008/10/28 18:31:29 | 00,006,144 | ---- | M] () -- C:\WINDOWS\karna.dat
[2008/10/28 18:30:33 | 00,029,676 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000001-00000000-00000008-00001102-00000002-80651102}.rfx
[2008/10/28 18:30:33 | 00,029,676 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000001-00000000-00000008-00001102-00000002-80651102}.rfx
[2008/10/28 18:30:33 | 00,017,108 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000001-00000000-00000008-00001102-00000002-80651102}.rfx
[2008/10/28 18:30:33 | 00,017,108 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000001-00000000-00000008-00001102-00000002-80651102}.rfx
[2008/10/28 18:30:33 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2008/10/28 18:30:33 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2008/10/28 18:30:33 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000001-00000000-00000008-00001102-00000002-80651102}.dat
[2008/10/28 18:30:33 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000001-00000000-00000008-00001102-00000002-80651102}.dat
[2008/10/28 18:29:57 | 00,000,132 | ---- | M] () -- C:\WINDOWS\System32\delself.bat
[2008/10/28 18:29:22 | 00,027,648 | ---- | M] () -- C:\WINDOWS\System32\drivers\beep.sys
[2008/10/28 00:25:08 | 10,815,0784 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2008/10/27 23:20:03 | 03,384,453 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000008-00001102-00000002-80651102}.CDF
[2008/10/27 23:19:46 | 03,384,327 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000008-00001102-00000002-80651102}.BAK
[2008/10/27 21:17:27 | 00,001,777 | ---- | M] () -- C:\Documents and Settings\Dennis\Desktop\HijackThis.lnk
[2008/10/27 21:16:30 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Dennis\Desktop\HJTInstall.exe
[2008/10/27 21:12:20 | 00,000,563 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2008/10/27 20:41:00 | 00,000,323 | --S- | M] () -- C:\WINDOWS\System32\2455993257.dat
[2008/10/27 19:04:25 | 00,000,140 | ---- | M] () -- C:\WINDOWS\msicpl.ini
[2008/10/20 17:13:19 | 00,000,025 | ---- | M] () -- C:\WINDOWS\popcinfo.dat
[2008/10/19 15:33:49 | 00,001,111 | ---- | M] () -- C:\WINDOWS\win.ini
[2008/10/19 13:37:41 | 00,000,225 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
[2008/10/18 17:57:16 | 00,000,664 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ThreatFire.lnk
[2008/10/06 23:34:27 | 00,065,428 | ---- | M] () -- C:\WINDOWS\System32\wini10541.exe
[2008/10/06 23:34:21 | 00,073,728 | ---- | M] () -- C:\WINDOWS\System32\drivers\453.exe
[2008/10/06 23:31:30 | 00,073,728 | ---- | M] () -- C:\WINDOWS\System32\drivers\703.exe
[2008/10/06 22:19:37 | 00,073,728 | ---- | M] () -- C:\WINDOWS\System32\drivers\312.exe
[2008/10/06 22:15:36 | 00,199,168 | ---- | M] () -- C:\WINDOWS\System32\drivers\734.exe
[2008/10/06 22:06:37 | 00,073,728 | ---- | M] () -- C:\WINDOWS\System32\drivers\921.exe
[2008/10/03 07:39:19 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2008/10/03 07:39:19 | 00,000,194 | -HS- | M] () -- C:\boot.ini
[2008/10/03 07:39:03 | 00,184,832 | ---- | M] () -- C:\WINDOWS\System32\drivers\531.exe
[2008/10/03 03:47:35 | 00,186,368 | ---- | M] () -- C:\WINDOWS\System32\drivers\125.exe
[2008/10/03 00:40:33 | 00,186,368 | ---- | M] () -- C:\WINDOWS\System32\drivers\796.exe
[2008/10/03 00:40:31 | 00,185,344 | ---- | M] () -- C:\WINDOWS\System32\drivers\437.exe
[2008/10/02 22:50:02 | 00,186,368 | ---- | M] () -- C:\WINDOWS\System32\drivers\890.exe
[2008/10/02 22:43:44 | 00,199,168 | ---- | M] () -- C:\WINDOWS\System32\drivers\578.exe
[2008/10/02 22:37:50 | 00,186,368 | ---- | M] () -- C:\WINDOWS\System32\drivers\828.exe
[2008/10/02 22:35:56 | 04,321,192 | -H-- | M] () -- C:\Documents and Settings\Dennis\Local Settings\Application Data\IconCache.db
[2008/10/02 19:04:07 | 06,619,752 | ---- | M] () -- C:\QDATA02.QDF
[2008/10/02 19:04:07 | 01,238,016 | ---- | M] () -- C:\QDATA02.QEL
[2008/10/01 18:12:41 | 00,061,440 | ---- | M] () -- C:\WINDOWS\System32\drivers\109.exe
[2008/09/30 18:34:32 | 00,061,440 | ---- | M] () -- C:\WINDOWS\System32\drivers\953.exe
[2008/09/29 19:38:05 | 00,061,440 | ---- | M] () -- C:\WINDOWS\System32\drivers\765.exe
[2008/09/29 02:12:11 | 00,199,168 | ---- | M] () -- C:\WINDOWS\System32\drivers\906.exe
< End of report >
Fatboy_97
2008-10-29, 06:04
Couldn't fit both on one reply, so here's the Extras.Txt:
Extras.Txt as follows:
OTViewIt Extras logfile created on: 10/28/2008 8:50:08 PM - Run
OTViewIt by OldTimer - Version 1.0.19.0 Folder = C:\Documents and Settings\Dennis\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1023.48 Mb Total Physical Memory | 550.43 Mb Available Physical Memory | 53.78% Memory free
2.41 Gb Paging File | 2.01 Gb Available in Paging File | 83.60% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.32 Gb Total Space | 54.33 Gb Free Space | 71.19% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: DENNIS-JIF0Z43K
Current User Name: Dennis
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days
"Use My Stylesheet"=
"User Stylesheet"=
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=1
"FirewallDisableNotify"=1
"UpdatesDisableNotify"=1
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=0
"DoNotAllowExceptions"=0
"DisableNotifications"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 17:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/13 11:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/01/19 13:54:56 | 05,674,352 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
[2007/01/04 17:10:02 | 00,297,752 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/13 17:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- C:\Program Files\NovaLogic\Joint Operations Demo\jodemo.exe:*:Enabled:jodemo
File not found -- C:\Program Files\NovaLogic\Delta Force Black Hawk Down\DFBHD.EXE:*:Enabled:DFBHD
[2008/06/23 02:20:52 | 00,625,664 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer
File not found -- C:\Program Files\DFPinger\DFBHDPinger\DFBHDPinger.exe:*:Enabled:DFBHDPinger
File not found -- C:\Program Files\LimeWire\LimeWire 4.2.3\LimeWire.exe:*:Enabled:LimeWire
File not found -- C:\Program Files\NovaLogic\Delta Force Black Hawk Down\update.exe:*:Enabled:update
File not found -- D:\Program Files\Duke Nukem - Manhattan Project\prism3d.exe:*:Enabled:prism3d
[2008/04/13 17:12:25 | 01,414,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console
File not found -- C:\Program Files\NovaLogic\Delta Force Black Hawk Down\Black Operations Mod.exe:*:Enabled:Black Operations Mod
File not found -- C:\Program Files\NovaLogic\Joint Operations Typhoon Rising\Jointops.exe:*:Enabled:Jointops
File not found -- C:\Program Files\NovaLogic\Joint Operations Typhoon Rising\UPDATE.EXE:*:Enabled:UPDATE
[2008/04/13 11:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\Soulseek-Test\slsk.exe:*:Enabled:SoulSeek
[2004/02/03 14:42:04 | 00,962,642 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\WCESMGR.EXE:*:Enabled:ActiveSync Application
[2004/02/03 14:42:54 | 00,401,491 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE:*:Enabled:ActiveSync Connection Manager
[2008/04/13 17:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2007/08/16 11:23:52 | 00,850,944 | ---- | M] (Abacast, Inc.) -- C:\Documents and Settings\Dennis\Local Settings\Application Data\Abacast\Abaclient.exe:*:Enabled:Abaclient
[2007/09/27 14:18:36 | 01,400,832 | ---- | M] (Abacast, Inc.) -- C:\Documents and Settings\Dennis\Local Settings\Application Data\Abacast\Abaclient2.exe:*:Disabled:Abaclient
[2007/01/19 13:54:56 | 05,674,352 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
[2007/01/04 17:10:02 | 00,297,752 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
========== (O18) Protocol Handlers ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2001/01/22 04:25:24 | 00,872,448 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (cdo:{CD00020A-8B95-11D1-82DB-00C04FB1625D} (HKLM) [Microsoft PKM KnowledgePluggable Class])
ipp: [HKLM - No CLSID value]
[2001/02/12 04:25:24 | 01,187,840 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
[2007/01/19 12:53:24 | 00,063,344 | ---- | M] (Microsoft Corporation) C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (livecall:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])
[2004/02/03 14:43:36 | 00,077,903 | ---- | M] (Microsoft Corporation) C:\Program Files\Microsoft ActiveSync\AATP.DLL (mctp:{d7b95390-b1c5-11d0-b111-0080c712fe82} (HKLM) [mctp: Asynchronous Pluggable Protocol Handler])
msdaipp: [HKLM - No CLSID value]
[2001/02/12 04:25:24 | 01,187,840 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
[2001/02/12 04:25:24 | 01,187,840 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]
[2000/04/19 19:47:36 | 00,520,117 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (ms-itss:{0A9007C0-4076-11D3-8789-0000F8105754} (HKLM) [Microsoft Infotech Storage Protocol for IE 4.0])
[2007/01/19 12:53:24 | 00,063,344 | ---- | M] (Microsoft Corporation) C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (msnim:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}"=Microsoft Office 2000 Premium
"{00040409-78E1-11D2-B60F-006097C998E7}"=Microsoft Office 2000 SR-1 Disc 2
"{03CDDD00-BD57-4326-9480-4C74449AF597}"=PhotoStitch
"{093625E3-7B87-49D3-AA53-AD0FCFABAF49}"=Camera Window
"{0C8EE4CE-981E-4E7C-A2B5-2EA68A645589}"=D4100_Help
"{0D2E80C8-0875-43EB-9623-47118E2DFBCA}"=Quicken 2007
"{1FD0C5C1-B01B-4B4C-9607-E5D3B3D1318F}"=Microsoft IntelliPoint 4.1
"{20B8FD81-A71D-42ea-B887-07A616069E63}"=D4100
"{2238A301-6A20-4bdb-A655-C84AB629F6B6}"=hph_readme
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"=Google Toolbar for Internet Explorer
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}"=HPPhotoSmartExpress
"{3248F0A8-6813-11D6-A77B-00B0D0150060}"=J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160030}"=Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}"=Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}"=Java(TM) 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{363790D2-DA98-41DD-9C9F-69FA36B169DE}"=PanoStandAlone
"{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}"=Google Earth
"{45B8A76B-57EC-4242-B019-066400CD8428}"=BufferChm
"{48B82226-75E3-4E90-92CC-D30F79EA6380}"=Norton Security Scan
"{49140327-BEBF-43dd-B386-43311A065609}"=hph_ProductContext
"{49672EC2-171B-47B4-8CE7-50D7806360D7}"=Windows Live Sign-in Assistant
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}"=HPProductAssistant
"{4F6DED87-B0E2-462F-A4FE-7DAE4A2CB774}"=Joint Operations: Typhoon Rising - Demo
"{571700F0-DB9D-4B3A-B03D-35A14BB5939F}"=Windows Live Messenger
"{5CE42363-EC4B-4D0D-A27B-9B48F253E556}"=LimeWire
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}"=Windows Genuine Advantage v1.3.0254.0
"{66910000-8B30-4973-A159-6371345AFFA5}"=WebReg
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}"=eSupportQFolder
"{6909F917-5499-482e-9AA1-FAD06A99F231}"=Toolbox
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}"=CustomerResearchQFolder
"{702F1CE2-2751-4E8A-AB2D-53262AE0EF05}"=ATI Catalyst Control Center
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{7148F0A8-6813-11D6-A77B-00B0D0142100}"=Java 2 Runtime Environment, SE v1.4.2_10
"{789289CA-F73A-4A16-A331-54D498CE069F}"=Ventrilo Client
"{81935798-5D0C-4892-832E-630E6CC07EAF}"=Morrowind
"{8245C111-D83F-4C66-BBC6-2424F6116944}"=TES Construction Set
"{8331C3EA-0C91-43AA-A4D4-27221C631139}"=Status
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}"=Microsoft Silverlight
"{8A5F34E2-37CF-4AD4-808C-2D413786E31A}"=Microsoft Visual C Runtime
"{8A62A068-3FD6-495A-9F66-26FE94F32EC9}"=Rhapsody Player Engine
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}"=Unload
"{9115E7DB-3B29-445A-802D-11E0AA945B7F}"=Sound Blaster Live!
"{911A0409-6000-11D3-8CFE-0050048383C9}"=Microsoft Outlook 2002
"{9D404F8F-05A1-4734-9550-6EC2FEE916B8}"=HP Photosmart and Deskjet 7.0 Software
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}"=Windows Defender Signatures
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}"=DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A70900000002}"=Adobe Reader 7.0.9
"{AD708DF0-9F04-4CB3-821A-85804A833B4D}"=ArcSoft Camera Suite
"{ADAED43C-BBD9-42C5-8B21-F4FBFA81E3C3}"=Palm
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{B4FEA924-630D-11D4-B78E-005004566E4D}"=ViewSonic Monitor Drivers
"{B8DBED1E-8BC3-4d08-B94A-F9D7D88E9BBF}"=HPSSupply
"{BBEB5679-6E2C-47C6-A9B5-3C6D4CD19B60}"=hph_software_req
"{BEB03A1A-1EB6-48EB-9985-8B97315EE5C0}"=RemoteCapture 2.7.0
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}"=Canon Utilities ZoomBrowser EX
"{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778}"=NTI CD-Maker
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}"=SolutionCenter
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}"=HP Update
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{D6346347-B8CD-4B52-BF5F-9676CDE79801}"=hph_software
"{DB093244-7D79-4384-0081-633D3B2C1244}"=LOTR The Return of the King (tm) Demo
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}"=TrayApp
"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}"=Google Toolbar for Internet Explorer
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}"=Ad-Aware
"{E1B80DEE-A795-4258-8445-074C06AE3AB8}"=MarketResearch
"{EB21A812-671B-4D08-B974-2A347F0D8F70}"=HP Photosmart Essential
"{EB807EB6-5179-48B7-98D4-7B4934A57A81}"=Documents To Go
"{EF0DD8B7-471C-463B-A298-6066C2FABAF5}"=File Viewer Utility 1.2
"{F157460F-720E-482f-8625-AD7843891E5F}"=InstantShareDevicesMFC
"{F445476A-42DE-11D4-80D0-00C04F2750A6}"=Epocrates Essentials
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}"=HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"3554AA4B-9B0B-451a-A269-2B5F53982209_is1"=ThreatFire 3.5
"Adobe Acrobat 5.0"=Adobe Acrobat 5.0
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player Plugin
"Adobe Photoshop 5.0 Limited Edition"=Adobe Photoshop 5.0 Limited Edition
"Adobe Shockwave Player"=Adobe Shockwave Player 11
"All ATI Software"=ATI - Software Uninstall Utility
"ASUS Probe V2.19.07"=ASUS Probe V2.19.07
"ATI Display Driver"=ATI Display Driver
"Charter"=Charter Pipeline Professor
"Creative PlayCenter 2.0"=Creative PlayCenter
"DIG Game Manager"=DIG Game Manager
"Easy-PhotoPrint"=Canon Utilities Easy-PhotoPrint
"Easy-WebPrint"=Easy-WebPrint
"ERUNT_is1"=ERUNT 1.1j
"HijackThis"=HijackThis 2.0.2
"HP Imaging Device Functions"=HP Imaging Device Functions 7.0
"HP Solution Center & Imaging Support Tools"=HP Solution Center 7.0
"HPExtendedCapabilities"=HP Customer Participation Program 7.0
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"InstallShield_{03CDDD00-BD57-4326-9480-4C74449AF597}"=Canon Utilities PhotoStitch 3.1
"InstallShield_{093625E3-7B87-49D3-AA53-AD0FCFABAF49}"=Canon Camera Window for ZoomBrowser EX
"InstallShield_{5CE42363-EC4B-4D0D-A27B-9B48F253E556}"=LimeWire
"InstallShield_{BEB03A1A-1EB6-48EB-9985-8B97315EE5C0}"=Canon Utilities RemoteCapture 2.7
"InstallShield_{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778}"=NTI CD-Maker 6 Platinum
"InstallShield_{EF0DD8B7-471C-463B-A298-6066C2FABAF5}"=Canon Utilities File Viewer Utility 1.2
"JRE 1.3.1_04"=Java 2 Runtime Environment Standard Edition v1.3.1_04
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"Microsoft Internet Gaming Zone"=MSN Gaming Zone
"Mozilla Firefox (3.0.3)"=Mozilla Firefox (3.0.3)
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant"=MSN Music Assistant
"MSN Toolbar"=MSN Toolbar
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"NVIDIA"=NVIDIA Windows 2000/XP Display Drivers
"NVIDIAnForce"=NVIDIA Windows 2000/XP nForce Drivers
"OneTouch Version 3.0"=OneTouch Version 3.0
"PaperPort 7.02"=PaperPort 7.02
"PhotoRecord"=Canon PhotoRecord
"QuickTime"=QuickTime
"Shockwave"=Shockwave
"Shop for HP Supplies"=Shop for HP Supplies
"Spybot - Search & Destroy_is1"=Spybot - Search & Destroy 1.3
"SSUtils"=NVIDIA nForce Utilities
"Support.com"=Support.com Software
"Windows CE Services"=Microsoft ActiveSync 3.7
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 11
"Windows XP Service Pack"=Windows XP Service Pack 3
"WMFDist11"=Windows Media Format 11 runtime
"wmp11"=Windows Media Player 11
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Abacast Client"=Abacast Client
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 10/24/2008 9:00:18 PM | Computer Name = DENNIS-JIF0Z43K | Source = Application Error | ID = 1000
Description = Faulting application set31.tmp, version 9.1.0.429, faulting module
, version 0.0.0.0, fault address 0x00000000.
Error - 10/24/2008 9:00:28 PM | Computer Name = DENNIS-JIF0Z43K | Source = Application Error | ID = 1000
Description = Faulting application set33.tmp, version 9.1.0.429, faulting module
, version 0.0.0.0, fault address 0x00000000.
Error - 10/25/2008 2:35:23 AM | Computer Name = DENNIS-JIF0Z43K | Source = Application Error | ID = 1000
Description = Faulting application TFService.exe, version 3.8.4.24, faulting module
unknown, version 0.0.0.0, fault address 0x00eaa714.
Error - 10/25/2008 2:37:01 AM | Computer Name = DENNIS-JIF0Z43K | Source = Application Hang | ID = 1002
Description = Hanging application TFGui.exe, version 3.8.4.24, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
Error - 10/25/2008 2:40:21 AM | Computer Name = DENNIS-JIF0Z43K | Source = Application Hang | ID = 1002
Description = Hanging application TFGui.exe, version 3.8.4.24, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
Error - 10/25/2008 2:41:11 AM | Computer Name = DENNIS-JIF0Z43K | Source = Application Hang | ID = 1002
Description = Hanging application TFGui.exe, version 3.8.4.24, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
Error - 10/25/2008 2:41:23 AM | Computer Name = DENNIS-JIF0Z43K | Source = Application Hang | ID = 1002
Description = Hanging application TFGui.exe, version 3.8.4.24, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
Error - 10/25/2008 2:41:31 AM | Computer Name = DENNIS-JIF0Z43K | Source = Application Hang | ID = 1002
Description = Hanging application TFGui.exe, version 3.8.4.24, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
Error - 10/25/2008 2:41:38 AM | Computer Name = DENNIS-JIF0Z43K | Source = Application Hang | ID = 1002
Description = Hanging application TFGui.exe, version 3.8.4.24, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
Error - 10/25/2008 2:41:42 AM | Computer Name = DENNIS-JIF0Z43K | Source = Application Hang | ID = 1002
Description = Hanging application TFGui.exe, version 3.8.4.24, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
[ System Events ]
Error - 10/28/2008 12:14:56 AM | Computer Name = DENNIS-JIF0Z43K | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
Error - 10/28/2008 2:41:57 AM | Computer Name = DENNIS-JIF0Z43K | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
Error - 10/28/2008 2:41:58 AM | Computer Name = DENNIS-JIF0Z43K | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
Error - 10/28/2008 2:42:00 AM | Computer Name = DENNIS-JIF0Z43K | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
Error - 10/28/2008 2:49:24 AM | Computer Name = DENNIS-JIF0Z43K | Source = RemoteAccess | ID = 20106
Description = Unable to add the interface {184F51D8-B677-4C90-BB26-B5742A2D291D}
with the Router Manager for the IP protocol. The following error occurred: Cannot
complete this function.
Error - 10/28/2008 3:04:57 AM | Computer Name = DENNIS-JIF0Z43K | Source = RemoteAccess | ID = 20106
Description = Unable to add the interface {184F51D8-B677-4C90-BB26-B5742A2D291D}
with the Router Manager for the IP protocol. The following error occurred: Cannot
complete this function.
Error - 10/28/2008 3:25:32 AM | Computer Name = DENNIS-JIF0Z43K | Source = RemoteAccess | ID = 20106
Description = Unable to add the interface {184F51D8-B677-4C90-BB26-B5742A2D291D}
with the Router Manager for the IP protocol. The following error occurred: Cannot
complete this function.
Error - 10/28/2008 3:34:51 AM | Computer Name = DENNIS-JIF0Z43K | Source = RemoteAccess | ID = 20106
Description = Unable to add the interface {184F51D8-B677-4C90-BB26-B5742A2D291D}
with the Router Manager for the IP protocol. The following error occurred: Cannot
complete this function.
Error - 10/28/2008 9:27:43 PM | Computer Name = DENNIS-JIF0Z43K | Source = RemoteAccess | ID = 20106
Description = Unable to add the interface {184F51D8-B677-4C90-BB26-B5742A2D291D}
with the Router Manager for the IP protocol. The following error occurred: Cannot
complete this function.
Error - 10/28/2008 9:32:00 PM | Computer Name = DENNIS-JIF0Z43K | Source = RemoteAccess | ID = 20106
Description = Unable to add the interface {184F51D8-B677-4C90-BB26-B5742A2D291D}
with the Router Manager for the IP protocol. The following error occurred: Cannot
complete this function.
< End of report >
Thanks again for your support.
Fatboy_97
2008-10-29, 06:30
And last, but not least, the contents of the ntbtlog.txt:
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Service Pack 310 28 2008 21:23:23.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver ohci1394.sys
Loaded driver \WINDOWS\System32\DRIVERS\1394BUS.SYS
Loaded driver pciide.sys
Loaded driver \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Loaded driver pcmcia.sys
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver si3112r.sys
Loaded driver \WINDOWS\System32\DRIVERS\SCSIPORT.SYS
Loaded driver disk.sys
Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Loaded driver Windi26.sys
Loaded driver fltmgr.sys
Loaded driver sr.sys
Loaded driver SiWinAcc.sys
Loaded driver TfFsMon.sys
Loaded driver TfSysMon.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver nv_agp.sys
Loaded driver Mup.sys
Loaded driver \SystemRoot\System32\DRIVERS\amdk7.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbohci.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\System32\DRIVERS\NVENET.sys
Loaded driver \SystemRoot\system32\drivers\nvax.sys
Loaded driver \SystemRoot\system32\drivers\ctoss2k.sys
Loaded driver \SystemRoot\System32\drivers\ctprxy2k.sys
Loaded driver \SystemRoot\system32\drivers\ctaud2k.sys
Loaded driver \SystemRoot\System32\DRIVERS\gameenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\System32\DRIVERS\NTIDrvr.sys
Loaded driver \SystemRoot\System32\DRIVERS\el90Xbc5.SYS
Loaded driver \SystemRoot\System32\DRIVERS\nic1394.sys
Loaded driver \SystemRoot\system32\DRIVERS\nv4_mini.sys
Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\System32\DRIVERS\serial.sys
Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\parport.sys
Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\System32\DRIVERS\IPFilter.sys
Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\System32\Drivers\TfKbMon.sys
Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\drivers\msmpu401.sys
Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\System32\DRIVERS\psched.sys
Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\update.sys
Loaded driver \SystemRoot\System32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\drivers\nvapu.sys
Loaded driver \SystemRoot\system32\drivers\ha10kx2k.sys
Loaded driver \SystemRoot\System32\drivers\ctac32k.sys
Loaded driver \SystemRoot\System32\drivers\emupia2k.sys
Loaded driver \SystemRoot\System32\drivers\ctsfm2k.sys
Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\DRIVERS\processr.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\DRIVERS\arp1394.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\ndisuio.sys
Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Loaded driver \??\C:\WINDOWS\system32\drivers\aslm75.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Loaded driver \??\C:\WINDOWS\System32\PfModNT.sys
Loaded driver \SystemRoot\System32\DRIVERS\secdrv.sys
Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\TfNetMon.sys
Loaded driver \??\C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Hi,
Thanks for the logs.
Thanks also for reporting erdnt folder size. Good deal.
At least one of your system files is infected and partly responsible for re-downloading a lot of the junk.
It was a real treat by malware creators to create a blank copy in dllcache. :sad:
You have at least one trojan most likely spamming like mad.
A few others I don't know what they are yet & will try & gather samples next round after this if the tool we are going to use next does not catch 'em.
Combofix should also find a good copy of system file to replace infected one.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Let me know how the system is running.
There will most likely be more work to do.
Thanks :)
Fatboy_97
2008-10-30, 05:37
Ran into a big snag. Downloaded combofix.exe, but it won't let me run it. When I double click the shortcut on the desktop or combofix.exe in the desktop folder it opens the "publisher could not be verified... are you sure you want to run this software?" I click "run" and this pops up: "This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel."
On a side note, when I started the computer up and before I disabled TeaTimer, ThreatFire, etc., before I downloaded combofix.exe, the TeaTimer came up with about 20 different changes happening one after another. I did not allow any changes, but I am wondering if one of these is the cause of Combofix.exe not wanting to run? Help!?!
Thanks, Dennis
Fatboy_97
2008-10-30, 06:05
Found the resident.log for TeaTimer. Hope this is some help.
9/12/2008 1:37:06 AM Denied value "braviax" (new data: "") deleted in System Startup user entry!
9/12/2008 1:37:24 AM Denied value "MRT" (new data: ""C:\WINDOWS\system32\MRT.exe" /R") added in System Startup global entry!
9/12/2008 1:37:36 AM Denied value "braviax" (new data: "") deleted in System Startup global entry!
9/12/2008 1:43:23 AM Denied value "{53707962-6F74-2D53-2644-206D7942484F}" (new data: "") added in Browser Helper Object!
9/12/2008 1:46:49 AM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
9/12/2008 1:50:50 AM Allowed value "Start Page" (new data: "http://www.msn.com/") changed in Browser page!
9/12/2008 1:56:45 AM Allowed value "NWEReboot" (new data: "") deleted in System Startup global entry!
9/12/2008 1:57:03 AM Allowed value "NWEReboot" (new data: "") added in System Startup global entry!
9/12/2008 2:08:14 AM Allowed value "NWEReboot" (new data: "") deleted in System Startup global entry!
9/12/2008 2:09:06 AM Denied value "MSConfig" (new data: "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto") added in System Startup global entry!
9/12/2008 2:19:37 AM Allowed value "braviax" (new data: "") deleted in System Startup user entry!
9/12/2008 2:23:26 AM Denied value "braviax" (new data: "C:\WINDOWS\system32\braviax.exe") added in System Startup user entry!
9/12/2008 2:23:35 AM Denied value "NWEReboot" (new data: "") added in System Startup global entry!
9/12/2008 2:59:39 AM Denied value "ISTray" (new data: ""C:\Program Files\Spyware Doctor\pctsTray.exe"") added in System Startup global entry!
9/14/2008 10:34:18 AM Allowed value "ISTray" (new data: "") deleted in System Startup global entry!
9/16/2008 7:59:52 PM Allowed (based on user decision) value "WinCtrl32" (new data: "") deleted in Winlogon Notifiers!
9/16/2008 8:00:44 PM Allowed (based on user decision) value "SpybotDeletingB2896" (new data: "command /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"") added in System Startup user entry!
9/16/2008 8:01:05 PM Allowed (based on user decision) value "SpybotDeletingD1203" (new data: "cmd /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"") added in System Startup user entry!
9/16/2008 8:01:16 PM Allowed (based on user decision) value "SpybotDeletingA2136" (new data: "command /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"") added in System Startup global entry!
9/16/2008 8:01:29 PM Allowed (based on user decision) value "SpybotDeletingC4334" (new data: "cmd /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"") added in System Startup global entry!
9/16/2008 8:01:44 PM Allowed (based on user decision) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
9/16/2008 8:23:13 PM Denied (based on user decision) value "SpybotDeletingB7962" (new data: "command /c del "C:\WINDOWS\system32\phc9g6j0e9fj.bmp"") added in System Startup user entry!
9/16/2008 8:23:18 PM Denied (based on user decision) value "SpybotDeletingD8752" (new data: "cmd /c del "C:\WINDOWS\system32\phc9g6j0e9fj.bmp"") added in System Startup user entry!
9/16/2008 8:23:23 PM Denied (based on user decision) value "SpybotDeletingB1280" (new data: "command /c del "C:\WINDOWS\system32\WinCtrl32.dll"") added in System Startup user entry!
9/16/2008 8:23:27 PM Denied (based on user decision) value "SpybotDeletingD2756" (new data: "cmd /c del "C:\WINDOWS\system32\WinCtrl32.dll"") added in System Startup user entry!
9/16/2008 8:23:32 PM Denied (based on user decision) value "SpybotDeletingA6358" (new data: "command /c del "C:\WINDOWS\system32\phc9g6j0e9fj.bmp"") added in System Startup global entry!
9/16/2008 8:23:37 PM Denied (based on user decision) value "SpybotDeletingC8315" (new data: "cmd /c del "C:\WINDOWS\system32\phc9g6j0e9fj.bmp"") added in System Startup global entry!
9/16/2008 8:23:39 PM Denied (based on user decision) value "SpybotDeletingA6489" (new data: "command /c del "C:\WINDOWS\system32\WinCtrl32.dll"") added in System Startup global entry!
9/16/2008 8:23:41 PM Denied (based on user decision) value "SpybotDeletingC6243" (new data: "cmd /c del "C:\WINDOWS\system32\WinCtrl32.dll"") added in System Startup global entry!
9/16/2008 8:26:37 PM Denied (based on user decision) value "SpybotDeletingB2896" (new data: "") deleted in System Startup user entry!
9/16/2008 8:26:39 PM Denied (based on user decision) value "SpybotDeletingD1203" (new data: "") deleted in System Startup user entry!
9/16/2008 8:26:40 PM Denied (based on user decision) value "SpybotDeletingA2136" (new data: "") deleted in System Startup global entry!
9/16/2008 8:26:41 PM Denied (based on user decision) value "SpybotDeletingC4334" (new data: "") deleted in System Startup global entry!
9/16/2008 8:31:18 PM Allowed (based on user decision) value "Start Page" (new data: "about:blank") changed in Browser page!
9/16/2008 8:32:00 PM Allowed (based on user decision) value "Start Page" (new data: "http://www.msn.com/") changed in Browser page!
9/16/2008 9:25:25 PM Denied (based on user decision) value "SpybotDeletingB2896" (new data: "") deleted in System Startup user entry!
9/16/2008 9:25:32 PM Denied (based on user decision) value "SpybotDeletingD1203" (new data: "") deleted in System Startup user entry!
9/16/2008 9:25:33 PM Denied (based on user decision) value "SpybotDeletingA2136" (new data: "") deleted in System Startup global entry!
9/16/2008 9:25:34 PM Denied (based on user decision) value "SpybotDeletingC4334" (new data: "") deleted in System Startup global entry!
9/17/2008 12:11:41 AM Denied (based on user decision) value "SpybotDeletingB2896" (new data: "") deleted in System Startup user entry!
9/17/2008 12:11:43 AM Denied (based on user decision) value "SpybotDeletingD1203" (new data: "") deleted in System Startup user entry!
9/17/2008 12:11:44 AM Denied (based on user decision) value "SpybotDeletingA2136" (new data: "") deleted in System Startup global entry!
9/17/2008 12:11:45 AM Denied (based on user decision) value "SpybotDeletingC4334" (new data: "") deleted in System Startup global entry!
9/17/2008 12:57:24 AM Allowed (based on user decision) value "scrnsave.exe" (new data: "C:\WINDOWS\System32\ssstars.scr") changed in Desktop settings!
9/17/2008 12:58:54 AM Denied (based on user decision) value "SpybotDeletingB2896" (new data: "") deleted in System Startup user entry!
9/17/2008 12:58:55 AM Denied (based on user decision) value "SpybotDeletingD1203" (new data: "") deleted in System Startup user entry!
9/17/2008 12:58:55 AM Denied (based on user decision) value "SpybotDeletingA2136" (new data: "") deleted in System Startup global entry!
9/17/2008 12:58:56 AM Denied (based on user decision) value "SpybotDeletingC4334" (new data: "") deleted in System Startup global entry!
9/17/2008 12:59:20 AM Denied (based on user decision) value "scrnsave.exe" (new data: "C:\WINDOWS\system32\blphc9g6j0e9fj.scr") changed in Desktop settings!
9/17/2008 1:05:27 AM Denied (based on user decision) value "SpybotDeletingB2896" (new data: "") deleted in System Startup user entry!
9/17/2008 1:05:29 AM Denied (based on user decision) value "SpybotDeletingD1203" (new data: "") deleted in System Startup user entry!
9/17/2008 1:05:31 AM Denied (based on user decision) value "SpybotDeletingA2136" (new data: "") deleted in System Startup global entry!
9/17/2008 1:05:32 AM Denied (based on user decision) value "SpybotDeletingC4334" (new data: "") deleted in System Startup global entry!
9/17/2008 1:05:41 AM Denied (based on user decision) value "scrnsave.exe" (new data: "C:\WINDOWS\system32\blphc9g6j0e9fj.scr") changed in Desktop settings!
9/17/2008 1:43:33 AM Denied (based on user decision) value "SpybotDeletingB8202" (new data: "command /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"") added in System Startup user entry!
9/17/2008 1:43:36 AM Denied (based on user decision) value "SpybotDeletingD5947" (new data: "cmd /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"") added in System Startup user entry!
9/17/2008 1:43:37 AM Denied (based on user decision) value "SpybotDeletingA1967" (new data: "command /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"") added in System Startup global entry!
9/17/2008 1:43:38 AM Denied (based on user decision) value "SpybotDeletingC7752" (new data: "cmd /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"") added in System Startup global entry!
9/17/2008 1:46:08 AM Denied (based on user decision) value "SpybotDeletingB2896" (new data: "") deleted in System Startup user entry!
9/17/2008 1:46:12 AM Denied (based on user decision) value "SpybotDeletingD1203" (new data: "") deleted in System Startup user entry!
9/17/2008 1:46:13 AM Denied (based on user decision) value "SpybotDeletingA2136" (new data: "") deleted in System Startup global entry!
9/17/2008 1:46:14 AM Denied (based on user decision) value "SpybotDeletingC4334" (new data: "") deleted in System Startup global entry!
9/17/2008 1:46:24 AM Denied (based on user decision) value "scrnsave.exe" (new data: "C:\WINDOWS\system32\blphc9g6j0e9fj.scr") changed in Desktop settings!
9/17/2008 8:24:23 PM Denied (based on user decision) value "SpybotDeletingB2896" (new data: "") deleted in System Startup user entry!
9/17/2008 8:24:28 PM Denied (based on user decision) value "SpybotDeletingD1203" (new data: "") deleted in System Startup user entry!
9/17/2008 8:24:28 PM Denied (based on user decision) value "SpybotDeletingA2136" (new data: "") deleted in System Startup global entry!
9/17/2008 8:24:31 PM Denied (based on user decision) value "SpybotDeletingC4334" (new data: "") deleted in System Startup global entry!
9/17/2008 8:24:51 PM Allowed (based on user decision) value "scrnsave.exe" (new data: "C:\WINDOWS\system32\blphc9g6j0e9fj.scr") changed in Desktop settings!
9/17/2008 10:11:06 PM Denied (based on user decision) value "SpybotDeletingB2896" (new data: "") deleted in System Startup user entry!
9/17/2008 10:11:08 PM Denied (based on user decision) value "SpybotDeletingD1203" (new data: "") deleted in System Startup user entry!
9/17/2008 10:11:09 PM Denied (based on user decision) value "SpybotDeletingA2136" (new data: "") deleted in System Startup global entry!
9/17/2008 10:11:10 PM Denied (based on user decision) value "SpybotDeletingC4334" (new data: "") deleted in System Startup global entry!
9/17/2008 11:31:44 PM Denied (based on user decision) value "SpybotDeletingB2896" (new data: "") deleted in System Startup user entry!
9/17/2008 11:31:47 PM Denied (based on user decision) value "SpybotDeletingD1203" (new data: "") deleted in System Startup user entry!
9/17/2008 11:31:50 PM Denied (based on user decision) value "SpybotDeletingA2136" (new data: "") deleted in System Startup global entry!
9/17/2008 11:31:52 PM Denied (based on user decision) value "SpybotDeletingC4334" (new data: "") deleted in System Startup global entry!
9/19/2008 6:29:00 PM Denied (based on user decision) value "SpybotDeletingB2896" (new data: "") deleted in System Startup user entry!
9/19/2008 6:29:05 PM Denied (based on user decision) value "SpybotDeletingD1203" (new data: "") deleted in System Startup user entry!
9/19/2008 6:29:06 PM Denied (based on user decision) value "SpybotDeletingA2136" (new data: "") deleted in System Startup global entry!
9/19/2008 6:29:08 PM Denied (based on user decision) value "SpybotDeletingC4334" (new data: "") deleted in System Startup global entry!
9/19/2008 7:41:19 PM Denied (based on user decision) value "SpybotDeletingB2896" (new data: "") deleted in System Startup user entry!
9/19/2008 7:41:20 PM Denied (based on user decision) value "SpybotDeletingD1203" (new data: "") deleted in System Startup user entry!
9/19/2008 7:41:22 PM Denied (based on user decision) value "SpybotDeletingA2136" (new data: "") deleted in System Startup global entry!
9/19/2008 7:41:22 PM Denied (based on user decision) value "SpybotDeletingC4334" (new data: "") deleted in System Startup global entry!
9/19/2008 7:46:58 PM Allowed (based on user whitelist) value "scrnsave.exe" (new data: "C:\WINDOWS\System32\ssstars.scr") changed in Desktop settings!
9/19/2008 8:03:51 PM Denied (based on user decision) value "SpybotDeletingB9505" (new data: "command /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"") added in System Startup user entry!
9/19/2008 8:03:52 PM Denied (based on user decision) value "SpybotDeletingD1290" (new data: "cmd /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"") added in System Startup user entry!
9/19/2008 8:03:53 PM Denied (based on user decision) value "SpybotDeletingA3649" (new data: "command /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"") added in System Startup global entry!
9/19/2008 8:03:54 PM Denied (based on user decision) value "SpybotDeletingC2274" (new data: "cmd /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"") added in System Startup global entry!
9/19/2008 10:30:06 PM Denied (based on user decision) value "SpybotDeletingB2896" (new data: "") deleted in System Startup user entry!
9/19/2008 10:30:13 PM Denied (based on user decision) value "SpybotDeletingD1203" (new data: "") deleted in System Startup user entry!
9/19/2008 10:30:17 PM Denied (based on user decision) value "SpybotDeletingA2136" (new data: "") deleted in System Startup global entry!
9/19/2008 10:30:18 PM Denied (based on user decision) value "SpybotDeletingC4334" (new data: "") deleted in System Startup global entry!
9/19/2008 10:30:40 PM Denied (based on user decision) value "scrnsave.exe" (new data: "C:\WINDOWS\system32\blphc9g6j0e9fj.scr") changed in Desktop settings!
9/19/2008 11:00:27 PM Denied (based on user decision) value "SpybotDeletingB2896" (new data: "") deleted in System Startup user entry!
9/19/2008 11:00:28 PM Denied (based on user decision) value "SpybotDeletingD1203" (new data: "") deleted in System Startup user entry!
9/19/2008 11:00:30 PM Denied (based on user decision) value "SpybotDeletingA2136" (new data: "") deleted in System Startup global entry!
9/19/2008 11:00:45 PM Denied (based on user decision) value "SpybotDeletingC4334" (new data: "") deleted in System Startup global entry!
9/19/2008 11:13:55 PM Allowed (based on user decision) value "SpybotDeletingB2896" (new data: "") deleted in System Startup user entry!
9/19/2008 11:14:01 PM Allowed (based on user decision) value "SpybotDeletingD1203" (new data: "") deleted in System Startup user entry!
9/19/2008 11:14:08 PM Allowed (based on user decision) value "SpybotDeletingA2136" (new data: "") deleted in System Startup global entry!
9/19/2008 11:14:18 PM Allowed (based on user decision) value "SpybotDeletingC4334" (new data: "") deleted in System Startup global entry!
9/20/2008 1:46:38 PM Denied (based on user decision) value "scrnsave.exe" (new data: "C:\WINDOWS\system32\blphc9g6j0e9fj.scr") changed in Desktop settings!
9/20/2008 3:00:00 PM Denied (based on user decision) value "scrnsave.exe" (new data: "C:\WINDOWS\system32\blphc9g6j0e9fj.scr") changed in Desktop settings!
9/23/2008 9:25:45 PM Denied (based on user decision) value "scrnsave.exe" (new data: "C:\WINDOWS\system32\blphc9g6j0e9fj.scr") changed in Desktop settings!
9/23/2008 11:30:02 PM Denied (based on user decision) value "swg" (new data: "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe") added in System Startup user entry!
9/24/2008 7:41:47 PM Denied (based on user decision) value "scrnsave.exe" (new data: "C:\WINDOWS\system32\blphc9g6j0e9fj.scr") changed in Desktop settings!
9/25/2008 5:37:23 PM Denied (based on user decision) value "scrnsave.exe" (new data: "C:\WINDOWS\system32\blphc9g6j0e9fj.scr") changed in Desktop settings!
9/25/2008 6:53:11 PM Denied (based on user decision) value "scrnsave.exe" (new data: "C:\WINDOWS\system32\blphc9g6j0e9fj.scr") changed in Desktop settings!
9/25/2008 8:53:45 PM Denied (based on user decision) value "scrnsave.exe" (new data: "C:\WINDOWS\system32\blphc9g6j0e9fj.scr") changed in Desktop settings!
9/26/2008 9:02:11 PM Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
lsdelete
sprecovr \SystemRoot\sprecovr.txt
") changed in Session manager!
9/26/2008 9:09:05 PM Allowed (based on user decision) value "TSClientMSIUninstaller" (new data: "cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"") added in System Startup user entry!
9/26/2008 9:09:35 PM Allowed (based on user decision) value "TSClientAXDisabler" (new data: "cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"") added in System Startup user entry!
9/26/2008 9:09:53 PM Allowed (based on user decision) value "dimsntfy" (new data: "") added in Winlogon Notifiers!
9/26/2008 9:10:24 PM Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
lsdelete
") changed in Session manager!
9/26/2008 10:19:25 PM Denied (based on user decision) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
9/26/2008 10:19:36 PM Denied (based on user decision) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
9/26/2008 10:19:36 PM Allowed (based on lassh blacklist) value "{7E853D72-626A-48EC-A868-BA8D5E23E045}" (new data: "") added in Browser Helper Object!
9/26/2008 10:38:58 PM Denied (based on user decision) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
9/26/2008 10:39:05 PM Denied (based on user decision) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
9/26/2008 11:32:57 PM Allowed (based on user decision) value "WinCtrl32" (new data: "") deleted in Winlogon Notifiers!
9/26/2008 11:33:19 PM Denied (based on user decision) value "SpybotDeletingB2860" (new data: "command /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"") added in System Startup user entry!
9/26/2008 11:33:24 PM Denied (based on user decision) value "SpybotDeletingD5243" (new data: "cmd /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"") added in System Startup user entry!
9/26/2008 11:33:39 PM Denied (based on user decision) value "SpybotDeletingA4756" (new data: "command /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"") added in System Startup global entry!
9/26/2008 11:33:47 PM Denied (based on user decision) value "SpybotDeletingC1256" (new data: "cmd /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"") added in System Startup global entry!
9/26/2008 11:33:50 PM Denied (based on user decision) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
9/26/2008 11:34:27 PM Denied (based on user decision) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
9/26/2008 11:34:36 PM Denied (based on user decision) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
9/26/2008 11:35:17 PM Denied (based on user decision) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
9/26/2008 11:35:32 PM Denied (based on user decision) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
9/26/2008 11:37:03 PM Denied (based on user decision) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
9/26/2008 11:37:13 PM Denied (based on user decision) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
9/26/2008 11:37:21 PM Denied (based on user decision) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
9/27/2008 12:05:55 AM Denied (based on user decision) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
9/27/2008 12:06:02 AM Denied (based on user decision) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
9/27/2008 12:06:13 AM Denied (based on user decision) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
9/27/2008 12:06:25 AM Denied (based on user decision) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
9/27/2008 12:06:34 AM Denied (based on user decision) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
9/27/2008 12:06:52 AM Allowed (based on user decision) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
9/28/2008 9:43:31 AM Denied (based on user decision) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
9/28/2008 9:43:32 AM Denied (based on user decision) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
9/29/2008 12:36:59 AM Denied (based on user decision) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
9/29/2008 12:37:02 AM Denied (based on user decision) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
9/29/2008 12:44:16 AM Allowed (based on user decision) value "lphc9g6j0e9fj" (new data: "") deleted in System Startup global entry!
9/29/2008 12:44:25 AM Allowed (based on lassh blacklist) value "MSConfig" (new data: "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto") added in System Startup global entry!
9/29/2008 12:49:13 AM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
9/29/2008 12:49:17 AM Denied (based on user blacklist) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
9/29/2008 12:49:46 AM Denied (based on user decision) value "lphc9g6j0e9fj" (new data: "C:\WINDOWS\system32\lphc9g6j0e9fj.exe") added in System Startup global entry!
9/29/2008 12:51:30 AM Allowed (based on user whitelist) value "scrnsave.exe" (new data: "C:\WINDOWS\system32\ssstars.scr") changed in Desktop settings!
9/29/2008 2:09:00 AM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
9/29/2008 2:09:17 AM Denied (based on user blacklist) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
9/29/2008 2:12:59 AM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
9/29/2008 2:12:59 AM Denied (based on user blacklist) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
9/29/2008 2:13:13 AM Denied (based on user decision) value "lphc9g6j0e9fj" (new data: "C:\WINDOWS\system32\lphc9g6j0e9fj.exe") added in System Startup global entry!
9/29/2008 7:38:36 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
9/29/2008 7:38:37 PM Denied (based on user blacklist) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
9/29/2008 7:38:53 PM Denied (based on user decision) value "lphc9g6j0e9fj" (new data: "C:\WINDOWS\system32\lphc9g6j0e9fj.exe") added in System Startup global entry!
9/30/2008 9:11:18 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
9/30/2008 9:11:19 PM Denied (based on user blacklist) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
9/30/2008 9:11:26 PM Denied (based on user decision) value "lphc9g6j0e9fj" (new data: "C:\WINDOWS\system32\lphc9g6j0e9fj.exe") added in System Startup global entry!
10/2/2008 6:38:16 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/2/2008 6:38:16 PM Denied (based on user blacklist) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
10/2/2008 6:38:24 PM Denied (based on user decision) value "lphc9g6j0e9fj" (new data: "C:\WINDOWS\system32\lphc9g6j0e9fj.exe") added in System Startup global entry!
10/2/2008 6:38:38 PM Denied (based on user decision) value "scrnsave.exe" (new data: "C:\WINDOWS\system32\blphc9g6j0e9fj.scr") changed in Desktop settings!
10/2/2008 10:35:39 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/2/2008 10:35:43 PM Denied (based on user blacklist) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
10/2/2008 10:38:33 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/2/2008 10:38:33 PM Denied (based on user blacklist) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
10/2/2008 10:38:44 PM Denied (based on user decision) value "lphc9g6j0e9fj" (new data: "C:\WINDOWS\system32\lphc9g6j0e9fj.exe") added in System Startup global entry!
10/2/2008 10:42:09 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/2/2008 10:42:21 PM Denied (based on user blacklist) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
10/2/2008 10:50:14 PM Denied (based on user decision) value "lphc9g6j0e9fj" (new data: "C:\WINDOWS\system32\lphc9g6j0e9fj.exe") added in System Startup global entry!
10/3/2008 12:40:57 AM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/3/2008 12:40:57 AM Denied (based on user blacklist) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
10/3/2008 12:41:04 AM Denied (based on user decision) value "lphc9g6j0e9fj" (new data: "C:\WINDOWS\system32\lphc9g6j0e9fj.exe") added in System Startup global entry!
10/3/2008 3:42:52 AM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/3/2008 3:42:59 AM Denied (based on user blacklist) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
10/3/2008 3:47:42 AM Denied (based on user decision) value "lphc9g6j0e9fj" (new data: "C:\WINDOWS\system32\lphc9g6j0e9fj.exe") added in System Startup global entry!
10/3/2008 7:39:21 AM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/3/2008 7:39:21 AM Denied (based on user blacklist) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
10/3/2008 7:39:28 AM Denied (based on user decision) value "lphc9g6j0e9fj" (new data: "C:\WINDOWS\system32\lphc9g6j0e9fj.exe") added in System Startup global entry!
10/3/2008 7:39:28 AM Allowed (based on lassh blacklist) value "MSConfig" (new data: "") deleted in System Startup global entry!
10/4/2008 10:23:35 AM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/4/2008 10:23:35 AM Denied (based on user blacklist) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
10/4/2008 12:14:05 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/4/2008 12:14:06 PM Denied (based on user blacklist) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
10/5/2008 1:01:30 AM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/5/2008 1:01:30 AM Denied (based on user blacklist) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
10/5/2008 3:06:10 AM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/5/2008 3:06:10 AM Denied (based on user blacklist) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
10/5/2008 3:32:42 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/5/2008 3:32:42 PM Denied (based on user blacklist) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
10/6/2008 10:10:42 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/6/2008 10:10:42 PM Denied (based on user blacklist) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
10/6/2008 10:10:43 PM Denied (based on Spybot-S&D scan) value "braviax" (new data: "C:\WINDOWS\system32\braviax.exe") added in System Startup global entry!
10/6/2008 10:10:50 PM Encountered and terminated Fraud.AntiMalwares in C:\WINDOWS\system32\braviax.exe!
10/6/2008 10:12:16 PM Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") changed in Browser page!
10/6/2008 10:13:47 PM Denied (based on Spybot-S&D scan) value "braviax" (new data: "C:\WINDOWS\system32\braviax.exe") added in System Startup global entry!
10/6/2008 10:59:15 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/6/2008 10:59:15 PM Denied (based on user blacklist) value "TSClientAXDisabler" (new data: "") deleted in System Startup user entry!
10/6/2008 10:59:35 PM Denied (based on user decision) value "braviax" (new data: "C:\WINDOWS\system32\braviax.exe") added in System Startup global entry!
10/6/2008 10:59:39 PM Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") changed in Browser page!
10/6/2008 11:34:35 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/6/2008 11:55:30 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/6/2008 11:55:30 PM Denied (based on user blacklist) value "braviax" (new data: "C:\WINDOWS\system32\braviax.exe") added in System Startup global entry!
10/6/2008 11:55:34 PM Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") changed in Browser page!
10/7/2008 12:17:54 AM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/7/2008 12:17:58 AM Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") changed in Browser page!
10/22/2008 8:53:48 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/22/2008 8:54:22 PM Allowed (based on user decision) value "ThreatFire" (new data: "C:\Program Files\ThreatFire\TFTray.exe") added in System Startup global entry!
10/22/2008 8:54:42 PM Denied (based on user decision) value "brastk" (new data: "brastk.exe") added in System Startup global entry!
10/24/2008 5:58:46 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/24/2008 5:58:47 PM Denied (based on user blacklist) value "brastk" (new data: "brastk.exe") added in System Startup global entry!
10/24/2008 8:51:46 PM Denied (based on user blacklist) value "brastk" (new data: "brastk.exe") added in System Startup global entry!
10/24/2008 8:55:27 PM Denied (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe") added in System Startup user entry!
10/24/2008 10:37:53 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/24/2008 10:37:54 PM Denied (based on user blacklist) value "brastk" (new data: "brastk.exe") added in System Startup global entry!
10/24/2008 10:51:46 PM Allowed (based on user decision) value "Spybot - Search & Destroy" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
10/24/2008 11:26:29 PM Allowed (based on user decision) value "WinCtrl32" (new data: "") deleted in Winlogon Notifiers!
10/24/2008 11:26:48 PM Denied (based on user decision) value "SpybotDeletingB5548" (new data: "command /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"") added in System Startup user entry!
10/24/2008 11:26:52 PM Denied (based on user decision) value "SpybotDeletingD6004" (new data: "cmd /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"") added in System Startup user entry!
10/24/2008 11:26:55 PM Denied (based on user decision) value "SpybotDeletingA1143" (new data: "command /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"") added in System Startup global entry!
10/24/2008 11:26:58 PM Denied (based on user decision) value "SpybotDeletingC9689" (new data: "cmd /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"") added in System Startup global entry!
10/24/2008 11:27:03 PM Denied (based on user decision) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:27:23 PM Denied (based on user decision) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:27:32 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:27:42 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:27:52 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:28:02 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:28:12 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:28:22 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:28:32 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:28:42 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:28:52 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:29:01 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:29:11 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:29:21 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:29:35 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:29:42 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:29:52 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:30:02 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:30:12 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:30:22 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:30:32 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:30:42 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:30:52 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:31:02 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:31:13 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:31:22 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:31:33 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:31:47 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:32:05 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:32:12 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:32:23 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:32:32 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:32:44 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:32:53 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:33:02 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:33:12 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:33:23 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:33:33 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:33:43 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:33:52 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:34:03 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:34:13 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:34:22 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:34:33 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:34:42 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:34:53 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:35:02 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:35:20 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:35:30 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:35:41 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:35:50 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:36:11 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:36:21 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:36:32 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:36:48 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:37:01 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:37:09 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:37:19 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:37:29 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:37:39 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:37:49 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:37:59 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:38:09 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:38:19 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:38:29 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:38:39 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:38:49 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:39:00 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:39:10 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:39:20 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:39:30 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:39:40 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:39:49 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:39:59 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:40:09 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:40:23 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:40:30 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:40:40 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:40:50 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:40:59 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:41:13 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:41:24 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:41:38 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:41:49 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:41:59 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:42:09 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:42:19 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:42:29 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:42:39 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:42:50 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:43:00 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/24/2008 11:43:10 PM Denied (based on user blacklist) value "WinCtrl32" (new data: "") added in Winlogon Notifiers!
10/27/2008 7:01:00 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/27/2008 7:01:49 PM Denied (based on user decision) value "Spybot - Search & Destroy" (new data: "") deleted in System Startup global entry!
10/27/2008 7:20:40 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/27/2008 7:20:41 PM Denied (based on user blacklist) value "Spybot - Search & Destroy" (new data: "") deleted in System Startup global entry!
10/27/2008 11:50:23 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/27/2008 11:50:26 PM Denied (based on user blacklist) value "Spybot - Search & Destroy" (new data: "") deleted in System Startup global entry!
10/28/2008 12:06:00 AM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/28/2008 12:06:02 AM Denied (based on user blacklist) value "Spybot - Search & Destroy" (new data: "") deleted in System Startup global entry!
10/28/2008 8:19:12 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/28/2008 8:19:12 PM Denied (based on user blacklist) value "brastk" (new data: "brastk.exe") added in System Startup global entry!
10/28/2008 8:19:13 PM Denied (based on user blacklist) value "Spybot - Search & Destroy" (new data: "") deleted in System Startup global entry!
10/28/2008 9:21:07 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/28/2008 9:21:07 PM Denied (based on user blacklist) value "brastk" (new data: "brastk.exe") added in System Startup global entry!
10/28/2008 9:21:07 PM Denied (based on user blacklist) value "Spybot - Search & Destroy" (new data: "") deleted in System Startup global entry!
10/28/2008 9:26:49 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/28/2008 9:26:50 PM Denied (based on user blacklist) value "brastk" (new data: "brastk.exe") added in System Startup global entry!
10/28/2008 9:26:50 PM Denied (based on user blacklist) value "Spybot - Search & Destroy" (new data: "") deleted in System Startup global entry!
10/28/2008 9:27:18 PM Denied (based on user blacklist) value "brastk" (new data: "brastk.exe") added in System Startup global entry!
10/29/2008 7:45:39 PM Denied (based on user blacklist) value "TSClientMSIUninstaller" (new data: "") deleted in System Startup user entry!
10/29/2008 7:45:41 PM Denied (based on user blacklist) value "brastk" (new data: "brastk.exe") added in System Startup global entry!
10/29/2008 7:45:41 PM Denied (based on user blacklist) value "Spybot - Search & Destroy" (new data: "") deleted in System Startup global entry!
10/29/2008 7:57:25 PM Denied (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
10/29/2008 7:57:29 PM Allowed (based on lassh blacklist) value "msnmsgr" (new data: ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background") added in System Startup user entry!
10/29/2008 7:57:34 PM Allowed (based on lassh blacklist) value "H/PC Connection Agent" (new data: ""C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"") added in System Startup user entry!
10/29/2008 7:57:40 PM Allowed (based on authenticode whitelist) value "SpybotSD TeaTimer" (new data: "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe") added in System Startup user entry!
10/29/2008 7:57:40 PM Allowed (based on lassh blacklist) value "POINTER" (new data: "point32.exe") added in System Startup global entry!
10/29/2008 7:58:11 PM Denied (based on user decision) value "OneTouch Monitor" (new data: "C:\PROGRA~1\VISION~1\ONETOU~2.EXE") added in System Startup global entry!
10/29/2008 7:58:20 PM Allowed (based on lassh blacklist) value "nForce Tray Options" (new data: "sstray.exe /r") added in System Startup global entry!
10/29/2008 7:58:26 PM Allowed (based on lassh blacklist) value "ATICCC" (new data: ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay") added in System Startup global entry!
10/29/2008 7:58:51 PM Denied (based on user decision) value "NvCplDaemon" (new data: "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup") added in System Startup global entry!
10/29/2008 7:59:32 PM Denied (based on user decision) value "ThreatFire" (new data: "C:\Program Files\ThreatFire\TFTray.exe") added in System Startup global entry!
10/29/2008 7:59:33 PM Denied (based on user blacklist) value "brastk" (new data: "brastk.exe") added in System Startup global entry!
10/29/2008 7:59:57 PM Denied (based on user decision) value "Local Page" (new data: "C:\WINDOWS\system32\blank.htm") added in Browser page!
10/29/2008 8:00:02 PM Denied (based on user decision) value "Search Page" (new data: "http://www.google.com") added in Browser page!
10/29/2008 8:00:06 PM Denied (based on user decision) value "Search Bar" (new data: "http://www.google.com/ie") added in Browser page!
10/29/2008 8:00:14 PM Denied (based on user decision) value "Start Page" (new data: "http://www.msn.com/") added in Browser page!
10/29/2008 8:00:17 PM Denied (based on user decision) value "SearchAssistant" (new data: "http://www.google.com") added in Browser page!
10/29/2008 8:00:21 PM Denied (based on user decision) value "" (new data: "http://home.microsoft.com/access/autosearch.asp?p=%s") added in Browser page!
10/29/2008 8:00:27 PM Denied (based on user decision) value "Local Page" (new data: "%SystemRoot%\system32\blank.htm") added in Browser page!
10/29/2008 8:00:30 PM Denied (based on user decision) value "Search Page" (new data: "http://www.google.com") added in Browser page!
10/29/2008 8:00:34 PM Denied (based on user decision) value "Search Bar" (new data: "http://home.microsoft.com/search/lobby/search.asp") added in Browser page!
10/29/2008 8:00:37 PM Denied (based on user decision) value "Start Page" (new data: "http://www.google.com") added in Browser page!
10/29/2008 8:00:40 PM Denied (based on user decision) value "Default_Page_URL" (new data: "http://www.yahoo.com") added in Browser page!
10/29/2008 8:00:43 PM Denied (based on user decision) value "Default_Search_URL" (new data: "http://www.google.com/ie") added in Browser page!
10/29/2008 8:00:46 PM Denied (based on user decision) value "SearchAssistant" (new data: "http://www.google.com") added in Browser page!
10/29/2008 8:00:50 PM Denied (based on user decision) value "CustomizeSearch" (new data: "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm") added in Browser page!
10/29/2008 8:00:53 PM Denied (based on user decision) value "" (new data: "http://home.microsoft.com/access/autosearch.asp?p=%s") added in Browser page!
10/29/2008 8:00:58 PM Denied (based on user decision) value "" (new data: ""%1" %*") added in BAT Extension handler!
10/29/2008 8:01:01 PM Denied (based on user decision) value "" (new data: ""%1" %*") added in COM Extension handler!
10/29/2008 8:01:04 PM Denied (based on user decision) value "" (new data: ""%1" %*") added in EXE Extension handler!
10/29/2008 8:01:07 PM Denied (based on user decision) value "" (new data: ""%1" %*") added in PIF Extension handler!
10/29/2008 8:01:10 PM Denied (based on user decision) value "" (new data: ""%1" /S") added in SCR Extension handler!
10/29/2008 8:01:24 PM Denied (based on user decision) value "" (new data: "regedit.exe "%1"") added in REG Extension handler!
10/29/2008 8:01:27 PM Denied (based on user decision) value "" (new data: ""%1" %*") added in CMD Extension handler!
10/29/2008 8:01:30 PM Denied (based on user decision) value "AutoRun" (new data: "") added in Command processor!
10/29/2008 8:01:34 PM Denied (based on user decision) value "load" (new data: "") added in NT startup!
10/29/2008 8:01:40 PM Denied (based on user decision) value "programs" (new data: "com exe bat pif cmd") added in NT startup!
10/29/2008 8:01:52 PM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,") added in Winlogon!
10/29/2008 8:02:01 PM Denied (based on user decision) value "Shell" (new data: "Explorer.exe") added in Winlogon!
10/29/2008 8:02:05 PM Denied (based on user decision) value "System" (new data: "") added in Winlogon!
10/29/2008 8:02:08 PM Denied (based on user decision) value "DefaultUserName" (new data: "Dennis") added in Winlogon!
10/29/2008 8:02:20 PM Denied (based on user decision) value "PostBootReminder" (new data: "{7849596a-48ea-486e-8937-a2a3009f31a9}") added in Shell services!
10/29/2008 8:02:30 PM Denied (based on user decision) value "CDBurn" (new data: "{fbeb8a05-beee-4442-804e-409d6c4515e9}") added in Shell services!
10/29/2008 8:02:41 PM Denied (based on user decision) value "WebCheck" (new data: "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}") added in Shell services!
10/29/2008 8:02:53 PM Denied (based on user decision) value "SysTray" (new data: "{35CEC8A3-2BE6-11D2-8773-92E220524153}") added in Shell services!
10/29/2008 8:03:04 PM Denied (based on user decision) value "WPDShServiceObj" (new data: "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}") added in Shell services!
10/29/2008 8:03:08 PM Denied (based on user decision) value "BootExecute" (new data: "autocheck autochk *
") added in Session manager!
10/29/2008 8:03:14 PM Denied (based on user decision) value "ExcludeFromKnownDlls" (new data: "") added in Session manager!
10/29/2008 8:03:18 PM Denied (based on user decision) value "BootExecute" (new data: "autocheck autochk *
lsdelete
") added in Session manager!
10/29/2008 8:03:21 PM Denied (based on user decision) value "ExcludeFromKnownDlls" (new data: "") added in Session manager!
10/29/2008 8:03:23 PM Denied (based on user decision) value "BootExecute" (new data: "autocheck autochk *
lsdelete
") added in Session manager!
10/29/2008 8:03:27 PM Denied (based on user decision) value "ExcludeFromKnownDlls" (new data: "") added in Session manager!
10/29/2008 8:03:33 PM Allowed (based on user whitelist) value "scrnsave.exe" (new data: "C:\WINDOWS\system32\ssstars.scr") added in Desktop settings!
10/29/2008 8:03:44 PM Denied (based on user decision) value "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (new data: "") added in Internet Explorer searches!
10/29/2008 8:03:45 PM Denied (based on user blacklist) value "brastk" (new data: "brastk.exe") added in System Startup global entry!
Hi,
Ok.. TeaTimer is really going to interfere badly with ComboFix.
ComboFix is doing a lot of repairs to the things the malware trashed.
ComboFix deletes known bad registry entries and files and does repairs to the system.
It is really important you allow this to happen, but TeaTimer is stopping the repair process!
If some files are deleted and their associated registry entries are not repaired, the system may not boot up properly.
Make sure TeaTimer is disabled till we are done & have reset it, so it starts out as if brand new with only known good, trusted entries allowed.
How to disable TeaTimer:
http://russelltexas.com/malware/teatimer.htm
Once disabled & you have rebooted please download & run this:
http://downloads.subratam.org/ResetTeaTimer.bat
It will only take a few seconds to complete.
Make sure the above is complete before running ComboFix again please.
If you can't stop it -- let me know before you continue.
Once done disable antimalware programs and run ComboFix again please.
Make sure they are disabled so they don't interfere when CF (ComboFix) reboots the machine. Not just shut off, because full protection is there at boot again & will interfere with CF.
More detailed guide here:
http://www.bleepingcomputer.com/forums/topic114351.html
follow same instructions as my previous post for running combofix.
Post the C:\combofix.txt and let me know how system is running.
Don't turn on TeaTimer yet please! but you can turn on other antimalware.
Thanks :)
Fatboy_97
2008-10-31, 05:35
Can't log on now; not even in "safe mode". :sad:
Sorry for delay.
For some reason I am not getting notified of replies.
What exactly happens when you try?
At which point does login fail please?
Did you run anything else before running combofix? If so -- what?
Did you allow install of the recovery console when you ran Combofix?
Don't try anything else yet please. ComboFix set us up with a couple options for recovery so we should be able to get things back in order.
I just need more info about what you are seeing etc to figure out our next step.
If you did not install recovery console -- do you have your XP CD?
Thanks
Blender
Also...
When CF was running... see any error messages?
Did CF reboot the machine and then finish, or was it at this point that log-in failed so CF did not complete?
Try tell me as much details as you can please.
Thanks,
blender
Fatboy_97
2008-10-31, 17:27
Thanks for your time Blender. To answer several of your questions all at once, combofix did not run. I downloaded it, but when I double-clicked on the desktop icon I would get the error message as stated in my previous post.
As to the login problem, the system boots up just fine & I can click on my name, type in my password, then it will flash my wallpaper for just a millisecond, then say "logging out, saving your settings". It does the same thing on any sign in including my wife's login, guest, or even as administrator in safe mode. :oops:
Just about to head off to work, so I'll be back later this evening.
Thanks, Dennis. :red:
Hi,
Thanks for the info :)
One of 2 things happened & both are recoverable.
1. Userinit.exe was deleted/replaced by something
2. Registry entry that loads userinit.exe is broken/missing.
Don't let anyone else try anything just yet.
First thing I want you to try is "last known good"
Restart system as if going to safe mode.
Instead of choosing safe mode choose "last known good configuration" then hit enter.
If good will be with us -- system will start.
If it starts -- please make another erunt backup.
Please also post a new set of logs from OTViewIt.
Don't do anything further yet.
And keep TeaTimer off till I get back to you please!
Can you also tell me what version is your Spybot?
If system still displays same symptoms when logging in -- do nothing further. but let me know.
Thanks.
Fatboy_97
2008-11-01, 03:35
Well poop, same symptoms even after starting from "last known good configuration". Thanks for your patience. :red:
I think I see what happened.
When you saw all these changes happening that TeaTimer (TT) was warning you about (when ThreatFire (TF) was running) you denied a lot of these changes. TF was making changes for the good, fixing up stuff..
A lot of these changes that were denied were important to how the system boots and how it runs.
Your file associations all got borked, login got borked plus many other things.
I mean like 30 or more important registry keys/values got deleted.
It looks like TF deletes the bad registry value then rebuilds it when it fixes stuff so when you got the TT warnings... instead of any of them getting fixed all got deleted.
Now... remember that ERUNT backup I made you do before we started working? This is what we are after. Restoring that.
We made that backup before I had you download/run combofix or anything so It *should* work.
Yes it will restore some bad stuff but we should be able to finish up repairs after that.
You have your XP CD (the real deal not some restore cd thing from whoever made your computer) or do you have the recovery console (RC) installed?
How you can tell if recovery console is installed is if when you first boot up you see 2 OS choices.
One being Microsoft Windows XP and the other being Windows Recovery Console.
Let me know please.
Thanks :)
Fatboy_97
2008-11-01, 17:59
Threatfire was fixing stuff, but I denied it 'cause I thought TeaTimer was detecting bad stuff. Makes me feel kinda like Homer Simpson. DOH!:oops:
Anyway, I do have the original Windows XP disk so it should have a recovery mode on it? Thanks again for your patience.
OK. Good on the XP disk. Yes it does have RC on it. We're going to boot with it.
I'll be back in a few with further instructions. :)
Sorry.. uptown business took longer than expected.
Ok...
One thing to understand here is the recovery console is all commands. Kinda like "DOS". No pretty pics here & no mouse.
Insert XP CD & reboot the machine.
If you get onscreen message to "press any key to boot with cd..." just hit enter.
If it tries to boot right through to XP on system you will need to go into your BIOS and set it up to boot with CD first.
Usually there is onscreen message displayed how to enter "setup" or "boot order" (often f10, f2, del, f12)
Once in "setup/BIOS or boot order screen" there should be onscreen instructions how to move around in bios.
No mouse here .. usually only have access to arrow keys, few f keys, enter key and the tab key.
You are looking for "boot order"
You want to change it to boot with CD first, hard drive next & if you have floppy that be last.
Make no other changes.
Save changes & reboot again.
Hit "enter" when you see the "boot with cd" message.
You will see windows loading drivers and such on blue screen..
Then you get a screen with several choices.
Install XP
Repair XP
Exit
You want "repair". Type R & hit enter.
You should next get a black screen asking what OS to log into.
Normally only 1 listed.
1 Windows
Type 1 & hit enter.
You are next asked for admin password.
If no password on administrator account just hit enter. Otherwise type in the admin password & hit enter.
Next you see this prompt:
c:\Windows>
Now -- make sure you type in these commands exactly as you see em or there will be errors.
Note where I have spaces and so on. (commands to type are in bold)(hit enter after each line)
Type cd erdnt
dir
Now you should see at least 2 directories listed.
We want the one where I had you create the backup.
I am not sure if you did it the 28th or the 29th. (I am assuming the 29th for illustration purposes. If it was the 28th then change accordingly)
autobackup <-- created automatically if you have this option set when you installed erunt.
10-29-08 <-- Our puter saver
type cd 10-29-08
ERDNT.con
You will see several "1 files copied" messages
Once done type exit and hit enter.
System reboots.
Don't hit any keys at the "boot with cd..."
XP Should start.
This will get us back before CF tried to run & before ThreatFire did anything.
Once you get in... please make sure to disable TeaTimer before doing anything else.
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts. You MUST allow the change.
6. Restart your computer.
Make sure TeaTimer is not running.
Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).
Assuming this went as expected....
Create a new ERUNT backup & please post a new set of logs from OTVIewIt.
Let me know at this point how things are.
Verify for me size of C:\ERDNT\11-01-08 <-- this folder (assuming you did it today)
If you had any problems above or still cannot boot -- post in detail what the problems are and what you see when you try to boot.
Thanks :)
Fatboy_97
2008-11-01, 23:09
Well got as far as windows\erdnt>dir and this is what came up: :sad:
Directory of C:\WINDOWS\ERDNT
10/28/08 08:43p d------- 0 .
10/28/08 08:43p d------- 0 ..
10/28/08 08:43p d------- 0 10-28-2008
3 file(s) 0 bytes
59765456896 bytes free
So of course typing cd 10-28-08 came up with:
"The system cannot find the file or directory specified."
You ever have to put in as much time on one of these fixes as you have with this one? :) Thanks so much for your patience.
Sorry my bad ..
Only mistake made here was typing in the directory wrong.
I should have seen that (duh on me) even after looking in my own erdnt folder. :red:
Once in the ERDNT directory & you see the list after typing in dir
Now type these commands hitting enter after each. Give ERDNT.Con time to finish its job before exiting recovery console.
cd 10-28-2008
ERDNT.CON
exit
don't worry. We'll get there. :)
Fatboy_97
2008-11-02, 04:25
We got one step closer, but only one........:) Here we go:
C:\WINDOWS\ERDNT>cd 10-28-2008
C:\WINDOWS\ERDNT\10-28-2008>ERDNT.CON
The command is not recognized Type HELP for a list of supported commands.
I tried all caps, all lowercase, and a mixture of both for erdnt.con, but to no avail. Got the same response. :eek:
OK... My bad again. Lack of coffee moment.
I guess I cant remember as much stuff by heart as I thought. :oops:
Instead of ERDNT.con command do this:
BATCH ERDNT.con
The rest is all the same. It does not matter if you type in upper or lower case.
cd erdnt
cd 10-28-2008
batch erdnt.con
exit
Fatboy_97
2008-11-02, 21:46
Got sign on after doing cd batch erdnt.con! :bigthumb:
Can't use anything after signing on! :sad:
Internet Explorer, Firefox, Spybot, or anything with an .exe extension.
Trying these just gives the warning:
"This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel."
Baby steps, just try to think baby steps. :D: :red:
Kewl!!
We're logged in == progress
Ok --- you get TeaTimer disabled and reset? Leave it off till I say. OK?
Make sure you can see all your file extensions.
Open your control panel & then "folder options"
Hit the "view" tab
Under "hidden files & folders" UNcheck "hide file extensions for known file types"
Apply & OK.
Download this tool to your desktop.
http://www.techsupportforum.com/sectools/Deckard/daft.exe
Right click "daft.exe" and choose "rename"
Call it daft.com
Once done it should look like a generic white/blue icon.
Double click it, OK the disclaimer & choose "scan"
Save log file & post the log here.
Make no changes yet please.
Also --- that TeaTimer log you posted.
Can you zip up & send me the whole log?
If that's not possible -- I imagine it is huge, so you can upload it here please (even if just the text):
http://www.bleepingcomputer.com/submit-malware.php?channel=19
Put URL from this thread in space provided so I know who the log came from.
It will likely be a lot easier for me to read than trying to read it in the posts.
Also -- your XP CD.. What service pack is it bundled with?
Thanks :)
Fatboy_97
2008-11-03, 02:07
As for the TeaTimer I can't get it or IE or anything else to open even after UNchecking the hide file extension line in folder options. Still getting the same message as in previous post. :sad:
OK. So .com files give the same message?
Does explorer start? Meaning you get the desktop loaded, see your icons, task bar and so on?
C:\program files\Spybot - Search & Destroy <-- go to this folder & rename TeaTimer.exe to TeaTimer.OLD
That is just to prevent it from running once we fix the file associations.
We'll rename it back when we are done fixing stuff.
Now -- you may need to use another machine since IE doesn't work..
Go to this site:
http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99
Right click on the "UnHookExec.inf" file and choose "save target as"
Save it to whatever media you are using to transfer stuff to the busted computer.
Copy it to the broken computer.
Right click it & choose install
It should only take a few seconds then be done.
You should be able to run exes and such now.
If not -- reboot.
If you can, please post a new set of OTViewIt logs and do the TeaTimer disable/reset instructions.
If above is successful -- make ERUNT backup please.
I have to go for a bit & will come back later to check on you.
Thanks :)
Fatboy_97
2008-11-03, 04:58
Well I tried............:sad: I got the "daft.txt" log, had it loaded in a reply thread, went to get some other info you requested & the damn thing just logged off! (On a side note I have been communicating with you on a laptop; just switching the connection cable to the "infected" computer when you instruct me to.)
So after logging back on a few times & having it log itself off, I switched the cable back here & now it doesn't log off?
Frustration is mounting!!! :D:
You have some method to transfer logs?
What was listed in the daft log? You can run it again and see what is listed.
I wanna see if we got all the extensions fixed.
Some of the infections are likely what keeps logging you on/off.
Did you get TeaTimer renamed OK? Obviously can run exes and stuff now?
And you made new ERUNT backup?
Can you get to safe mode with network support & run OTViewIt so you can post logs? (Less junkaroo should run in safe mode, making the system a bit more stable.)
However -- don't be online long in safe mode, because there's no AV or firewall running to help protect you against more junk.
Just be on long enough to get those logs done/posted and get offline with that machine.
As soon as you have it connected to the net it is either downloading more junk or spamming or something so you don't want it online unless posting logs/downloading stuff we need.
Thanks :)
Fatboy_97
2008-11-03, 05:22
On another side note, the Spybot files are screwed up also. I can't start up Spybot to change settings, turn off TeaTimer or anything. :red:
What exactly happens when you try to start Spybot?
Can you get OTViewIt to run? Post logs from it if you can please.
Thanks :)
Fatboy_97
2008-11-05, 06:35
Basically nothing happens when I try to run Spybot. Also, some of the file names in the Spybot folder seem to have been renamed or deleted, including the .exe files. I'll try to run OTViewIt & post the results.
Sorry for the slow response, but I could not log onto this forum yesterday at all. It just timed out. Other web sites were working fine. This happened last week too. Thanks again. Dennis.
Hi,
Some of Spybot's exe files are hidden.
How to view hidden files/folders:
http://www.bleepingcomputer.com/tutorials/tutorial62.html
Don't forget to hide files/folders again when we are finished cleaning.
Yes. Part of yesterday & the other day the forum was having trouble. I couldn't get here either.
If you can't get OTViewIt to run -- try downloading a new copy to overwrite the old one.
Your CD .. what service pack does it have on it (if any)?
Thanks
Fatboy_97
2008-11-06, 06:28
I think the XP disk has service pack 1.
When using the XP disk yesterday to be able to log on & stay logged on I inadvertently reloaded Windows. :red: Big panic; thought I wiped everything out! The biggest problem I have now is that after it boots up and goes through all the checks, the monitor clicks off after reading something about status: over.
Fortunately I can still log on in "safe mode" & I did manage to run a new OTViewIt log, but can't get IE or FireFox to load so I can post it. I tried to copy it to disk, but I'm having problems with the CD drive in the infected computer. I'm gonna try again now, so keep your fingers crossed.
Thanks again, Dennis. :)
PS I did also manage to open Spybot in safe mode & turn off TeaTimer.
Hi,
Sorry for delay.
Did you get IE/FF working to get those logs yet? Can you get to safe mode with network support? If so, try & post those logs please.
How about IE or FF without add-ons?
start> programs> accessories> system tools> Internet Explorer (no add-ons)
start> Mozilla Firefox (safe mode) <-- just means no add-ons
Still same monitor issue? Not sure I understand the monitor issue. :scratch:
What is happening with the cd drive?
Fatboy_97
2008-11-08, 05:03
Can't get IE or FF to connect to the web in safe mode. The monitor starts up while booting, then shuts down saying status: over in regular mode. I think that when I re-installed Windows the drivers got corrupted or not installed, so the monitor is set at some high refresh rate or something.
The CD rom shows files on it, but when I try to write files to it from the infected computer (like the OTViewIt files) it says insert a disk?
Fatboy_97
2008-11-08, 05:05
All in all it seems the harder I try the farther behind I get. :red: :sad:
Fatboy_97
2008-11-09, 01:04
So after many trials & tribulations I got the monitor & internet connection bugs worked out. Here are the logs you requested:
Daft log:
DAFT Log saved on 2008-11-08 10:24:07
-----------------------------------------------------------------------
All associations okay!
OTViewIt log (in 2 parts):
OTViewIt logfile created on: 11/8/2008 10:05:58 AM - Run 2
OTViewIt by OldTimer - Version 1.0.19.0 Folder = C:\Documents and Settings\Dennis\Desktop
Windows XP Home Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1023.48 Mb Total Physical Memory | 697.14 Mb Available Physical Memory | 68.11% Memory free
2.41 Gb Paging File | 2.14 Gb Available in Paging File | 89.11% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.32 Gb Total Space | 56.14 Gb Free Space | 73.55% Space Free | Partition Type: NTFS
Drive D: | 40.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: DENNIS-JIF0Z43K
Current User Name: Dennis
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days
========== Processes ==========
[2008/09/19 13:22:21 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
[1999/12/13 00:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTSVCCDA.EXE
[2006/10/22 12:22:00 | 00,159,810 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
[2008/04/24 15:52:22 | 00,066,880 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFService.exe
[2007/03/15 17:17:08 | 00,336,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WgaTray.exe
[2002/04/11 10:47:52 | 00,176,128 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Hardware\Mouse\point32.exe
[2001/10/16 07:08:48 | 00,086,016 | ---- | M] (Visioneer Inc) -- C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
[2005/08/12 13:43:58 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
[2008/04/24 15:52:28 | 00,259,392 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFTray.exe
[2002/08/29 04:00:00 | 00,031,744 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rundll32.exe
[2007/01/19 12:54:56 | 05,674,352 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\msnmsgr.exe
[2004/02/03 13:42:54 | 00,401,491 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
[2007/12/25 09:36:05 | 00,028,672 | ---- | M] (DataViz, Inc.) -- C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
[2004/06/09 14:27:34 | 00,471,040 | ---- | M] (PalmSource, Inc) -- C:\Program Files\Palm\Hotsync.exe
[2006/02/19 03:21:22 | 00,288,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[2005/08/12 13:43:58 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
[2006/02/19 04:24:52 | 00,239,320 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
[2008/10/28 19:46:51 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dennis\Desktop\OTViewIt.exe
========== (O23) Win32 Services ==========
[2008/09/19 13:22:21 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])
[2006/07/30 11:49:12 | 00,072,704 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
File not found -- -- (AlerterRasAutoAticlr_optimization_v2.0.50727_32 [Auto | Stopped])
File not found -- -- (AlerterRpcSs [Auto | Stopped])
File not found -- -- (AppMgmtCiSvc [Auto | Stopped])
File not found -- -- (AppMgmtCiSvcFastUserSwitchingCompatibility [Auto | Stopped])
File not found -- -- (AppMgmtFastUserSwitchingCompatibility [Auto | Stopped])
File not found -- -- (AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService [Auto | Stopped])
File not found -- -- (AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService PMSP Service [Auto | Stopped])
File not found -- -- (AppMgmtFastUserSwitchingCompatibilityTrkWksImapiServiceMessengerRSVP [Auto | Stopped])
File not found -- -- (AppMgmtFastUserSwitchingCompatibilityTrkWksImapiServiceNetman [Auto | Stopped])
[2007/04/13 02:20:52 | 00,033,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
File not found -- -- (aspnet_stateLmHosts [Auto | Stopped])
[2007/12/20 18:57:27 | 00,512,000 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller [Auto | Stopped])
[2007/12/20 21:05:00 | 00,593,920 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
File not found -- -- (Aticlr_optimization_v2.0.50727_32 [Auto | Stopped])
File not found -- -- (Aticlr_optimization_v2.0.50727_32AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService [Auto | Stopped])
File not found -- -- (AudioSrvRDSessMgr [Auto | Stopped])
File not found -- -- (Browseraspnet_stateLmHosts [Auto | Stopped])
File not found -- -- (Browserwuauserv [Auto | Stopped])
File not found -- -- (BrowserwuauservALG [Auto | Stopped])
File not found -- -- (BrowserwuauservW32TimeSpoolerNVSvc [Auto | Stopped])
File not found -- -- (ClipSrvSSDPSRVEventSystemwuauservEventlogImapiServicegusvc [Auto | Stopped])
[2007/04/13 02:21:18 | 00,068,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
File not found -- -- (clr_optimization_v2.0.50727_32RasMan [Auto | Stopped])
File not found -- -- (COMSysAppFastUserSwitchingCompatibility [Auto | Stopped])
File not found -- -- (COMSysAppFastUserSwitchingCompatibilityWMPNetworkSvcWebClient [Auto | Stopped])
[1999/12/13 00:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTSVCCDA.EXE -- (Creative Service for CDROM Access [Auto | Running])
File not found -- -- (DhcpNetman [Auto | Stopped])
File not found -- -- (dmadminEventlog [Auto | Stopped])
File not found -- -- (Dnscachegusvc [Auto | Stopped])
File not found -- -- (EventSystemgusvc [Auto | Stopped])
File not found -- -- (EventSystemgusvcWMPNetworkSvc [Auto | Stopped])
[2008/09/17 16:00:24 | 00,138,168 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
File not found -- -- (gusvcstisvc [Auto | Stopped])
File not found -- -- (HidServaspnet_state [Auto | Stopped])
[2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
File not found -- -- (LmHostsNtLmSsp [Auto | Stopped])
File not found -- -- (MessengerRSVP [Auto | Stopped])
File not found -- -- (MSDTCWZCSVC [Auto | Stopped])
File not found -- -- (MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility [Auto | Stopped])
File not found -- -- (MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility Smart [Auto | Stopped])
File not found -- -- (MSIServerTrkWksALG [Auto | Stopped])
File not found -- -- (NetDDEclr_optimization_v2.0.50727_32 [Auto | Stopped])
File not found -- -- (NetDDEdsdm Smart [Auto | Stopped])
File not found -- -- (NetDDEdsdmgusvcstisvc [Auto | Stopped])
File not found -- -- (NetmanSamSs [Auto | Stopped])
File not found -- -- (NetmanWMPNetworkSvcNtmsSvc [Auto | Stopped])
File not found -- -- (NlaSENS [Auto | Stopped])
[2006/10/22 12:22:00 | 00,159,810 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
File not found -- -- (NVSvchkmsvc [Auto | Stopped])
File not found -- -- (NVSvcRemoteAccess [Auto | Stopped])
File not found -- -- (NVSvcRemoteAccessDhcpNetman [Auto | Stopped])
File not found -- -- (PolicyAgentWebClient [Auto | Stopped])
File not found -- -- (PolicyAgentWebClientWmiApSrv [Auto | Stopped])
File not found -- -- (RasAutoAticlr_optimization_v2.0.50727_32 [Auto | Stopped])
File not found -- -- (RemoteAccessNtLmSsp [Auto | Stopped])
File not found -- -- (RemoteAccessPolicyAgentWebClient [Auto | Stopped])
File not found -- -- (RpcLocatorRemoteAccessNtLmSsp [Auto | Stopped])
File not found -- -- (SCardSvrThemes [Auto | Stopped])
File not found -- -- (seclogonALG [Auto | Stopped])
File not found -- -- (SharedAccessWMPNetworkSvcNtmsSvc [Auto | Stopped])
File not found -- -- (ShellHWDetection Service for CDROM Access [Auto | Stopped])
File not found -- -- (ShellHWDetectionIDriverT [Auto | Stopped])
File not found -- -- (ShellHWDetectionIDriverTPlugPlay [Auto | Stopped])
File not found -- -- (ShellHWDetectionIDriverTPlugPlayNVSvcRemoteAccess [Auto | Stopped])
File not found -- -- (ShellHWDetectionIDriverTPlugPlayRpcLocatorRemoteAccessNtLmSsp [Auto | Stopped])
File not found -- -- (Spooler Smart [Auto | Stopped])
File not found -- -- (SpoolerAudioSrvRDSessMgr [Auto | Stopped])
File not found -- -- (SpoolerAudioSrvRDSessMgrTrkWksALGSSDPSRVEventSystemwuauservEventlogImapiServicegusvc [Auto | Stopped])
File not found -- -- (SpoolerNVSvc [Auto | Stopped])
File not found -- -- (SSDPSRVEventSystem [Auto | Stopped])
File not found -- -- (SSDPSRVEventSystemwuauservEventlogImapiServicegusvc [Auto | Stopped])
File not found -- -- (SwPrvSharedAccess [Auto | Stopped])
File not found -- -- (SysmonLogAppMgmtCiSvcFastUserSwitchingCompatibility [Auto | Stopped])
[2008/04/24 15:52:22 | 00,066,880 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFService.exe -- (ThreatFire [Auto | Running])
File not found -- -- (TrkWksALG [Auto | Stopped])
File not found -- -- (TrkWksALGSSDPSRVEventSystemwuauservEventlogImapiServicegusvc [Auto | Stopped])
File not found -- -- (TrkWksImapiService [Auto | Stopped])
File not found -- -- (TrkWkslanmanserver [Auto | Stopped])
File not found -- -- (TrkWksNetmanSamSs [Auto | Stopped])
[2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [On_Demand | Stopped])
File not found -- -- (UPSAudioSrvRDSessMgr [Auto | Stopped])
[2007/01/19 12:54:14 | 00,097,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
File not found -- -- (W32TimeSpoolerNVSvc [Auto | Stopped])
File not found -- -- (WmdmPmSNaspnet_stateLmHosts [Auto | Stopped])
File not found -- -- (WmiApSrvAppMgmtCiSvcFastUserSwitchingCompatibility [Auto | Stopped])
File not found -- -- (WmiApSrvRemoteAccessNtLmSsp [Auto | Stopped])
[2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
File not found -- -- (WMPNetworkSvcNtmsSvc [Auto | Stopped])
File not found -- -- (WMPNetworkSvcNtmsSvcTermService [Auto | Stopped])
File not found -- -- (WMPNetworkSvcWebClient [Auto | Stopped])
File not found -- -- (WMPNetworkSvcWebClientDhcp [Auto | Stopped])
File not found -- -- (wscsvc Service for CDROM Access [Auto | Stopped])
File not found -- -- (wscsvcDhcp [Auto | Stopped])
File not found -- -- (wuauservDhcp [Auto | Stopped])
File not found -- -- (wuauservEventlog [Auto | Stopped])
File not found -- -- (wuauservEventlogImapiService [Auto | Stopped])
File not found -- -- (wuauservEventlogImapiServicegusvc [Auto | Stopped])
========== Driver Services ==========
[2002/08/29 04:00:00 | 00,032,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\amdk7.sys -- (AmdK7 [System | Stopped])
[1997/04/22 09:16:00 | 00,006,272 | ---- | M] () -- C:\WINDOWS\system32\drivers\ASLM75.SYS -- (aslm75 [Auto | Running])
[2007/12/20 19:53:20 | 02,843,136 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag [On_Demand | Stopped])
[2002/07/19 09:46:28 | 00,127,948 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k [On_Demand | Running])
[2002/07/19 09:47:52 | 00,837,548 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k [On_Demand | Running])
[2001/08/17 11:19:20 | 00,003,712 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk [On_Demand | Stopped])
[2002/07/19 09:48:08 | 00,011,068 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k [On_Demand | Running])
[2002/07/19 09:48:22 | 00,213,860 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k [On_Demand | Running])
[2002/07/19 09:48:32 | 00,156,604 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia [On_Demand | Running])
[2002/08/29 04:00:00 | 00,009,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum [On_Demand | Running])
[2002/07/24 12:52:26 | 00,998,004 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k [On_Demand | Running])
[2002/04/11 10:47:52 | 00,011,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\ipfilter.sys -- (IPFilter [On_Demand | Running])
[2001/08/17 13:02:40 | 00,035,200 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\msgame.sys -- (msgame [On_Demand | Stopped])
[2001/08/17 06:00:04 | 00,002,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401 [On_Demand | Running])
[2003/05/26 15:41:29 | 00,006,912 | ---- | M] (NewTech Infosystems, Inc.) -- C:\WINDOWS\system32\drivers\NTIDrvr.sys -- (NTIDrvr [On_Demand | Running])
[2006/10/22 12:22:00 | 03,994,624 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Running])
[2002/12/04 20:01:00 | 00,013,056 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax [On_Demand | Stopped])
[2002/09/22 18:37:00 | 00,080,896 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\NVENET.sys -- (NVENET [On_Demand | Stopped])
[2002/12/04 20:01:00 | 00,241,664 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce [On_Demand | Stopped])
[2002/09/05 19:24:00 | 00,013,568 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv_agp.SYS -- (nv_agp [Boot | Running])
[2002/07/19 09:48:04 | 00,195,432 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Running])
[2007/12/25 09:33:54 | 00,016,694 | ---- | M] (PalmSource, Inc.) -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD [On_Demand | Stopped])
[2002/06/14 12:49:56 | 00,010,194 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\PFMODNT.SYS -- (PfModNT [Auto | Running])
[2002/08/29 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2002/08/29 04:00:00 | 00,027,440 | ---- | M] () -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2005/11/10 17:00:48 | 00,102,400 | ---- | M] (Silicon Image, Inc) -- C:\WINDOWS\system32\drivers\SI3112r.sys -- (Si3112r [Boot | Running])
[2004/11/01 11:21:32 | 00,010,368 | ---- | M] (Silicon Image, Inc.) -- C:\WINDOWS\system32\drivers\SiWinAcc.sys -- (SiFilter [Boot | Running])
[2005/03/24 17:21:22 | 00,038,937 | ---- | M] (Service & Quality Technology.) -- C:\WINDOWS\system32\drivers\Capt905c.sys -- (SQTECH905C [On_Demand | Stopped])
[2008/04/24 15:52:38 | 00,051,520 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon [Boot | Running])
[2008/04/24 15:52:42 | 00,033,088 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon [On_Demand | Running])
[2008/04/24 15:52:44 | 00,038,208 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon [Boot | Running])
[2002/08/29 04:00:00 | 00,030,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wceusbsh.sys -- (wceusbsh [On_Demand | Stopped])
[2008/11/02 18:30:28 | 00,031,104 | ---- | M] () -- C:\WINDOWS\system32\drivers\Windi26.sys -- (Windi26 [Boot | Running])
========== (R ) Internet Explorer ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchURL]
""=http://home.microsoft.com/access/autosearch.asp?p=%s
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Page_Transitions"=
"Start Page"=http://msn.com/
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
========== (O1) Hosts File ==========
HOSTS File = (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
========== (O2) BHO's ==========
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4efb-9B51-7695ECA05670} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{7E853D72-626A-48EC-A868-BA8D5E23E045} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{AA58ED58-01DD-4d91-8333-CF10577473F7} (HKLM) -- c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
========== (O3) Toolbars ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (HKLM) -- c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{327C2873-E90D-4c37-AA9D-10AC9BABA46C}" (HKLM) -- C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{8E718888-423F-11D2-876E-00A0C9082467}" (HKLM) -- C:\WINDOWS\system32\msdxm.ocx ()
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll File not found
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll File not found
========== (O4) Run Keys ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay (ATI Technologies Inc.)
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k File not found
"nForce Tray Options"=sstray.exe /r (NVIDIA Corporation)
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (NVIDIA Corporation)
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
"nwiz"=nwiz.exe /install ()
"OneTouch Monitor"=C:\PROGRA~1\VISION~1\ONETOU~2.EXE (Visioneer Inc)
"POINTER"=point32.exe File not found
"ThreatFire"=C:\Program Files\ThreatFire\TFTray.exe (PC Tools)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" (Microsoft Corporation)
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background (Microsoft Corporation)
========== (O4) Startup Folders ==========
[2005/09/23 22:05:26 | 00,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[2005/08/12 13:43:58 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
[2007/12/25 09:36:05 | 00,028,672 | ---- | M] (DataViz, Inc.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
[2004/06/09 14:27:34 | 00,471,040 | ---- | M] (PalmSource, Inc) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
[2006/02/19 03:21:22 | 00,288,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[2001/02/13 01:01:04 | 00,083,360 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
========== (O6 & O7) Current Version Policies ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
""=
"NoDriveTypeAutoRun"=_ [binary data]
"NoActiveDesktopChanges"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0
"DisableCAD"=0
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=_ [binary data]
"NoSaveSettings"=0
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=0
"NoColorChoice"=0
"NoSizeChoice"=0
"NoVisualStyleChoice"=0
========== (O9) IE Extensions ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [2008/06/10 03:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}: Button: Spyware Doctor -- Reg Error: Key does not exist or could not be opened. File not found
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}: Button: Create Mobile Favorite -- %ProgramFiles%\Microsoft ActiveSync\INETREPL.DLL [2004/02/03 13:41:46 | 00,131,155 | ---- | M] (Microsoft Corporation)
{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}: Menu: Create Mobile Favorite... -- %ProgramFiles%\Microsoft ActiveSync\INETREPL.DLL [2004/02/03 13:41:46 | 00,131,155 | ---- | M] (Microsoft Corporation)
{c95fe080-8f5d-11d2-a20b-00aa003c157a}: Button: @shdoclc.dll,-866 -- %SystemRoot%\Web\related.htm [2002/08/29 04:00:00 | 00,000,654 | ---- | M] ()
{c95fe080-8f5d-11d2-a20b-00aa003c157a}: Menu: @shdoclc.dll,-864 -- %SystemRoot%\Web\related.htm [2002/08/29 04:00:00 | 00,000,654 | ---- | M] ()
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2008/04/13 10:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 16:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 16:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %SystemRoot%\system32\msjava.dll [Web Browser Applet Control] -> [2002/08/29 04:00:00 | 00,945,693 | ---- | M] (Microsoft Corporation)
CmdMapping\\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} [HKLM] -> [Spyware Doctor] -> File not found
CmdMapping\\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} [HKLM] -> %ProgramFiles%\Microsoft ActiveSync\INETREPL.DLL [Create Mobile Favorite] -> [2004/02/03 13:41:46 | 00,131,155 | ---- | M] (Microsoft Corporation)
CmdMapping\\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} [HKLM] -> %ProgramFiles%\Microsoft ActiveSync\INETREPL.DLL [Create Mobile Favorite...] -> [2004/02/03 13:41:46 | 00,131,155 | ---- | M] (Microsoft Corporation)
CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKLM] -> [@shdoclc.dll,-866] -> File not found
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 10:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 16:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
========== (O12) Internet Explorer Plugins ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery
Extension\.spop: -- C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll [2001/01/30 12:56:24 | 00,225,280 | ---- | M] (InterTrust Technologies Corporation, Inc.)
========== (O13) Default Prefixes ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://
========== (O15) Trusted Sites ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
: msn in My Computer
aol.com\free: http in Local intranet
24 domain(s) and sub-domain(s) not assigned to a zone.
========== (O16) DPF ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{166B1BCA-3F9C-11CF-8075-444553540000}: http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab -- Shockwave ActiveX Control
{233C1507-6A77-46A4-9443-F871F945D258}: http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab -- Shockwave ActiveX Control
{49E67060-2C0D-415E-94C7-52A49F73B2F1}: http://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab -- CPlayFirstPiratePoppersControl Object
{7E980B9B-8AE5-466A-B6D6-DA8CF814E78A}: http://zone.msn.com/bingame/luxr/default/mjolauncher.cab -- MJLauncherCtrl Class
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab -- Java Plug-in 1.6.0_07
{B8BE5E93-A60C-4D26-A2DC-220313175592}: http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab -- MSN Games - Installer
{BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19}: http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--584a3e87-b556-4d06-99f4-d3fef0181acd/online/Diner_Dash_3/en/ddfotg.1.0.0.37.cab -- CPlayFirstddfotgControl Object
{C86FF4B0-AA1D-46D4-8612-025FB86583C7}: http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10 -- AstoundLauncher Control
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab -- Java Plug-in 1.6.0_03
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab -- Java Plug-in 1.6.0_05
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab -- Java Plug-in 1.6.0_07
{D0C0F75C-683A-4390-A791-1ACFD5599AB8}: http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab -- Oberon Flash Game Host
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab -- Shockwave Flash Object
{DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6}: http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--b256506b-ac80-48e4-a440-84eccfa8b5f5/online/diner_dash/en/DinerDash.1.0.0.80.cab -- CPlayFirstDinerDashControl Object
{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}: http://zone.msn.com/bingame/popcaploader_v10.cab -- PopCapLoader Object
{FFB3A759-98B1-446F-BDA9-909C6EB18CC7}: http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll -- PCPitstop Exam
DirectAnimation Java Classes: file://C:\WINDOWS\Java\classes\dajava.cab -- Reg Error: Key does not exist or could not be opened.
Microsoft XML Parser for Java: file://C:\WINDOWS\Java\classes\xmldso.cab -- Reg Error: Key does not exist or could not be opened.
========== (O17) DNS Name Servers ==========
{0E43E730-3392-4C45-9E3A-62EAB853F739} (Servers: | Description: )
{184F51D8-B677-4C90-BB26-B5742A2D291D} (Servers: | Description: 1394 Net Adapter)
========== (O19) User Style Sheets ==========
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles]
========== (O20) AppInit_DLLs ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=karna.datesheet
>[2008/11/02 18:25:59 | 00,006,144 | ---- | M] () -- C:\WINDOWS\system32\karna.dat
========== (O20) Winlogon Notify Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
AtiExtEvent: "DllName" = Ati2evxx.dll -- C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.)
WinCtrl32: "DllName" = WinCtrl32.dll -- C:\WINDOWS\system32\WinCtrl32.dll ()
========== HKLM *SecurityProviders* ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
>[2001/09/18 17:37:34 | 00,016,973 | ---- | M] () -- C:\WINDOWS\system32\ZWebAuth.dll
========== Safeboot Options ==========
"AlternateShell"=cmd.exe
========== CDRom AutoRun Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1
========== Autorun Files on Drives ==========
AUTOEXEC.BAT []
[2003/05/08 10:53:30 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]
========== Files/Folders - Created Within 30 Days ==========
Fatboy_97
2008-11-09, 01:12
Part 2 of 3:
[9 C:\WINDOWS\*.tmp files]
[2008/11/08 09:59:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\nView_Profiles
[2008/11/08 09:35:53 | 00,088,566 | ---- | C] () -- C:\WINDOWS\System32\nvapps.xml
[2008/11/08 09:35:49 | 00,017,056 | ---- | C] () -- C:\WINDOWS\System32\nvdisp.nvu
[2008/11/07 17:53:38 | 00,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\drmk.sys
[2008/11/07 17:53:38 | 00,022,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wdmaud.drv
[2008/11/07 17:53:38 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ksuser.dll
[2008/11/07 17:53:36 | 00,134,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\portcls.sys
[2008/11/07 17:53:36 | 00,045,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\stream.sys
[2008/11/06 15:04:22 | 00,001,779 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Windows Live Messenger.lnk
[2008/11/06 11:53:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dennis\My Documents\SRSWOWHD_1_12_1_0
[2008/11/04 23:01:14 | 00,000,468 | ---- | C] () -- C:\Documents and Settings\Dennis\Desktop\Shortcut to OTViewIt.lnk
[2008/11/04 20:49:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2008/11/04 20:33:53 | 00,039,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\safrcdlg.dll
[2008/11/04 20:33:53 | 00,039,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\safrcdlg.dll
[2008/11/04 20:33:53 | 00,033,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\racpldlg.dll
[2008/11/04 20:33:53 | 00,033,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\racpldlg.dll
[2008/11/04 20:33:53 | 00,026,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\safrdm.dll
[2008/11/04 20:33:53 | 00,026,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\safrdm.dll
[2008/11/04 20:33:50 | 00,076,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wabimp.dll
[2008/11/04 20:33:50 | 00,076,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\directdb.dll
[2008/11/04 20:33:50 | 00,045,056 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\confmrsl.dll
[2008/11/04 20:33:50 | 00,043,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2008/11/04 20:33:50 | 00,032,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mnmsrvc.exe
[2008/11/04 20:33:50 | 00,032,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mnmsrvc.exe
[2008/11/04 20:33:50 | 00,030,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wabfind.dll
[2008/11/04 20:33:50 | 00,027,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wabmig.exe
[2008/11/04 20:33:49 | 02,479,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msoeres.dll
[2008/11/04 20:33:49 | 00,092,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oeimport.dll
[2008/11/04 20:33:49 | 00,047,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\inetres.dll
[2008/11/04 20:33:49 | 00,047,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetres.dll
[2008/11/04 20:33:48 | 00,266,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\inetcfg.dll
[2008/11/04 20:33:48 | 00,266,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcfg.dll
[2008/11/04 20:33:48 | 00,077,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\isign32.dll
[2008/11/04 20:33:48 | 00,077,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\isign32.dll
[2008/11/04 20:33:48 | 00,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\icwdial.dll
[2008/11/04 20:33:48 | 00,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\icwdial.dll
[2008/11/04 20:33:48 | 00,061,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\icwphbk.dll
[2008/11/04 20:33:48 | 00,061,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\icwphbk.dll
[2008/11/04 20:33:48 | 00,055,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oemig50.exe
[2008/11/04 20:33:48 | 00,032,256 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oemiglib.dll
[2008/11/04 20:33:47 | 00,061,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\icwres.dll
[2008/11/04 20:33:47 | 00,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\trialoc.dll
[2008/11/04 20:33:47 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\icwrmind.exe
[2008/11/04 20:33:47 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\icwdl.dll
[2008/11/04 20:33:46 | 00,557,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dao360.dll
[2008/11/04 20:33:46 | 00,155,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\icwhelp.dll
[2008/11/04 20:33:46 | 00,077,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\icwconn2.exe
[2008/11/04 20:33:46 | 00,073,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\icwtutor.exe
[2008/11/04 20:33:46 | 00,057,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\icwconn.dll
[2008/11/04 20:33:46 | 00,045,056 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\icwutil.dll
[2008/11/04 20:33:46 | 00,020,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetwiz.exe
[2008/11/04 20:33:46 | 00,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\isignup.exe
[2008/11/04 20:33:45 | 00,065,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oledb32r.dll
[2008/11/04 20:33:45 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msader15.dll
[2008/11/04 20:33:45 | 00,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdasqlr.dll
[2008/11/04 20:33:45 | 00,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdaorar.dll
[2008/11/04 20:33:44 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msaddsr.dll
[2008/11/04 20:33:44 | 00,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdaremr.dll
[2008/11/04 20:33:44 | 00,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdaprsr.dll
[2008/11/04 20:33:44 | 00,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msadcor.dll
[2008/11/04 20:33:44 | 00,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msadcfr.dll
[2008/11/04 20:33:43 | 00,020,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msadcer.dll
[2008/11/04 20:33:42 | 00,802,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\vgx.dll
[2008/11/04 20:33:42 | 00,798,782 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srchui.dll
[2008/11/04 20:33:41 | 00,294,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dlimport.exe
[2008/11/04 20:33:40 | 00,806,969 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2008/11/04 20:33:40 | 00,221,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qmgr.dll
[2008/11/04 20:33:40 | 00,221,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\qmgr.dll
[2008/11/04 20:33:40 | 00,017,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qmgrprxy.dll
[2008/11/04 20:33:40 | 00,017,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\qmgrprxy.dll
[2008/11/04 20:33:39 | 00,536,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msobmain.dll
[2008/11/04 20:33:39 | 00,112,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msobcomm.dll
[2008/11/04 20:33:39 | 00,049,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oobebaln.exe
[2008/11/04 20:33:38 | 00,029,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pchsvc.dll
[2008/11/04 20:33:37 | 00,097,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pchshell.dll
[2008/11/04 20:33:36 | 00,145,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msconfig.exe
[2008/11/04 20:33:35 | 00,742,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpctr.exe
[2008/11/04 20:33:35 | 00,703,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2008/11/04 20:33:35 | 00,370,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rstrui.exe
[2008/11/04 20:33:34 | 00,226,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\srrstr.dll
[2008/11/04 20:33:34 | 00,226,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srrstr.dll
[2008/11/04 20:33:34 | 00,217,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\npdrmv2.dll
[2008/11/04 20:33:34 | 00,158,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\srsvc.dll
[2008/11/04 20:33:34 | 00,158,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srsvc.dll
[2008/11/04 20:33:34 | 00,069,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\sr.sys
[2008/11/04 20:33:34 | 00,069,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sr.sys
[2008/11/04 20:33:34 | 00,063,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\srclient.dll
[2008/11/04 20:33:34 | 00,063,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srclient.dll
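The OTL "Files Created" entries above are several hundred Microsoft files landing in System32 and dllcache within a few minutes on 2008/11/04, and in a burst that size the handful of lines with an empty company field, a non-Microsoft publisher, or a System32 file with no dllcache twin are easy to miss by eye. The script below is an added example, not part of the original post and not OTL's own code: it parses lines in the layout the log shows (date time | size | four attribute characters | C or M, then the company in parentheses and the path) and sorts them into review buckets. The meaning of the flag field and of C/M (created/modified) is assumed from the log, not taken from OTL documentation. The sample lines are copied from the log except the last one, whose size is deliberately altered so the size-mismatch check has something to find; nothing the script flags is a malware verdict, only a pointer to what to check by hand.

```python
"""Triage helper for OTL "Files Created" log lines (added example, not OTL code)."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Assumed layout: [YYYY/MM/DD HH:MM:SS | size | 4 attr chars | C|M] (company) -- path
OTL_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>\S{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)

MICROSOFT = "Microsoft Corporation"


@dataclass(frozen=True)
class Entry:
    ts: datetime
    size: int
    attrs: str      # the four flag characters as printed, e.g. "----"
    kind: str       # "C" or "M" (assumed: created / modified)
    company: str    # empty string when the log shows "()"
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def in_dllcache(self) -> bool:
        return "\\dllcache\\" in self.path.lower()


def parse_otl_line(line: str):
    """Return an Entry for one OTL file line, or None for anything else."""
    m = OTL_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        ts=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=m["company"].strip(),
        path=m["path"],
    )


def parse_otl(text: str) -> list:
    return [e for e in (parse_otl_line(l) for l in text.splitlines()) if e]


def triage(entries: list) -> dict:
    """Bucket entries for manual review. Every bucket means 'look at this', not 'malicious'."""
    no_company = [e for e in entries if not e.company]
    non_ms = [e for e in entries if e.company and e.company != MICROSOFT]

    # A legitimate system-file repair writes the same binary to System32 and
    # dllcache. Pair live System32 files with their dllcache twin by basename.
    cache = {e.name: e for e in entries if e.in_dllcache}
    live = [e for e in entries if not e.in_dllcache]
    orphans = [e for e in live if e.name not in cache]
    mismatched = [(e, cache[e.name]) for e in live
                  if e.name in cache and cache[e.name].size != e.size]

    # Per-minute counts make a bulk copy stand out from a lone drop.
    per_minute = Counter(e.ts.strftime("%Y/%m/%d %H:%M") for e in entries)
    return {
        "no_company": no_company,
        "non_microsoft": non_ms,
        "system32_without_dllcache_twin": orphans,
        "size_mismatch_vs_dllcache": mismatched,
        "per_minute": per_minute,
    }


# Sample input: lines copied from the log above, except the last one, whose
# size is constructed (altered from 00,221,696) to exercise the mismatch check.
SAMPLE = r"""
[2008/11/04 20:37:47 | 00,838,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chtbrkr.dll
[2008/11/04 20:37:47 | 00,173,568 | ---- | C] () -- C:\WINDOWS\System32\dllcache\chtskf.dll
[2008/11/04 20:37:44 | 00,054,528 | ---- | C] (Philips Semiconductors GmbH) -- C:\WINDOWS\System32\dllcache\cap7146.sys
[2008/11/04 20:36:04 | 00,023,392 | ---- | C] () -- C:\WINDOWS\System32\nscompat.tlb
[2008/11/04 20:33:53 | 00,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\safrslv.dll
[2008/11/04 20:33:53 | 00,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\safrslv.dll
[2008/11/04 20:33:40 | 00,221,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\qmgr.dll
[2008/11/04 20:33:40 | 00,225,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qmgr.dll
"""

if __name__ == "__main__":
    result = triage(parse_otl(SAMPLE))
    for bucket in ("no_company", "non_microsoft", "system32_without_dllcache_twin"):
        print(bucket, [e.path for e in result[bucket]])
    for live, twin in result["size_mismatch_vs_dllcache"]:
        print("size mismatch", live.path, live.size, "vs", twin.path, twin.size)
    print("per minute", dict(result["per_minute"]))
```

Run it against a whole OTL log by reading the file into `parse_otl`; the per-minute counter shows the repair burst, and the other four buckets are the lines to check against a known-good copy of the same Windows build before deciding any of them is suspicious.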
Fatboy_97
2008-11-09, 01:14
Part 3:
[2008/11/04 20:33:33 | 00,184,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msh261.drv
[2008/11/04 20:33:33 | 00,073,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ils.dll
[2008/11/04 20:33:33 | 00,073,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ils.dll
[2008/11/04 20:33:33 | 00,032,256 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mnmdd.dll
[2008/11/04 20:33:33 | 00,032,256 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mnmdd.dll
[2008/11/04 20:33:33 | 00,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\npwmsdrm.dll
[2008/11/04 20:33:33 | 00,004,639 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplayer2.exe
[2008/11/04 20:33:32 | 00,217,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\nmas.dll
[2008/11/04 20:33:32 | 00,065,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msconf.dll
[2008/11/04 20:33:32 | 00,065,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msconf.dll
[2008/11/04 20:33:32 | 00,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dcap32.dll
[2008/11/04 20:33:32 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\nmmkcert.dll
[2008/11/04 20:33:32 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\nmmkcert.dll
[2008/11/04 20:33:32 | 00,020,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\nmasnt.dll
[2008/11/04 20:33:31 | 00,360,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\callcont.dll
[2008/11/04 20:33:31 | 00,208,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\nac.dll
[2008/11/04 20:33:31 | 00,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\nmcom.dll
[2008/11/04 20:33:31 | 00,057,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rrcm.dll
[2008/11/04 20:33:31 | 00,053,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\h323cc.dll
[2008/11/04 20:33:30 | 00,249,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mst120.dll
[2008/11/04 20:33:30 | 00,180,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\nmwb.dll
[2008/11/04 20:33:30 | 00,163,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\nmoldwb.dll
[2008/11/04 20:33:30 | 00,143,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\nmft.dll
[2008/11/04 20:33:30 | 00,077,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\nmchat.dll
[2008/11/04 20:33:30 | 00,049,152 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mst123.dll
[2008/11/04 20:33:29 | 00,995,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\conf.exe
[2008/11/04 20:33:29 | 00,459,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab32.dll
[2008/11/04 20:33:29 | 00,228,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msoeacct.dll
[2008/11/04 20:33:29 | 00,228,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msoeacct.dll
[2008/11/04 20:33:29 | 00,081,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msoert2.dll
[2008/11/04 20:33:29 | 00,081,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msoert2.dll
[2008/11/04 20:33:28 | 01,174,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msoe.dll
[2008/11/04 20:33:28 | 00,587,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\inetcomm.dll
[2008/11/04 20:33:28 | 00,587,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcomm.dll
[2008/11/04 20:33:28 | 00,249,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab32res.dll
[2008/11/04 20:33:28 | 00,057,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msimn.exe
[2008/11/04 20:33:27 | 00,250,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mstask.dll
[2008/11/04 20:33:27 | 00,250,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstask.dll
[2008/11/04 20:33:27 | 00,159,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\schedsvc.dll
[2008/11/04 20:33:27 | 00,159,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\schedsvc.dll
[2008/11/04 20:33:27 | 00,067,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\setup50.exe
[2008/11/04 20:33:27 | 00,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mstinit.exe
[2008/11/04 20:33:27 | 00,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstinit.exe
[2008/11/04 20:33:23 | 00,413,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oledb32.dll
[2008/11/04 20:33:23 | 00,196,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sqlxmlx.dll
[2008/11/04 20:33:23 | 00,086,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdatl3.dll
[2008/11/04 20:33:22 | 00,303,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdasql.dll
[2008/11/04 20:33:22 | 00,188,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdaps.dll
[2008/11/04 20:33:22 | 00,073,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdaosp.dll
[2008/11/04 20:33:22 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxactps.dll
[2008/11/04 20:33:22 | 00,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdatt.dll
[2008/11/04 20:33:22 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdaurl.dll
[2008/11/04 20:33:21 | 00,221,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdaora.dll
[2008/11/04 20:33:21 | 00,090,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msjro.dll
[2008/11/04 20:33:21 | 00,053,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msadrh15.dll
[2008/11/04 20:33:21 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdasc.dll
[2008/11/04 20:33:21 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdaer.dll
[2008/11/04 20:33:21 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdaenum.dll
[2008/11/04 20:33:21 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdadc.dll
[2008/11/04 20:33:20 | 00,487,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msado15.dll
[2008/11/04 20:33:20 | 00,180,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msadox.dll
[2008/11/04 20:33:20 | 00,159,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msadomd.dll
[2008/11/04 20:33:20 | 00,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msado26.tlb
[2008/11/04 20:33:20 | 00,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msado25.tlb
[2008/11/04 20:33:20 | 00,061,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msado21.tlb
[2008/11/04 20:33:20 | 00,061,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msado20.tlb
[2008/11/04 20:33:20 | 00,049,152 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msador15.dll
[2008/11/04 20:33:19 | 00,180,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdaprst.dll
[2008/11/04 20:33:19 | 00,147,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msadds.dll
[2008/11/04 20:33:19 | 00,131,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msadco.dll
[2008/11/04 20:33:19 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdarem.dll
[2008/11/04 20:33:19 | 00,053,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msadcs.dll
[2008/11/04 20:33:19 | 00,032,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdfmap.dll
[2008/11/04 20:33:18 | 00,307,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msadce.dll
[2008/11/04 20:33:18 | 00,146,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\triedit.dll
[2008/11/04 20:33:18 | 00,117,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dhtmled.ocx
[2008/11/04 20:33:18 | 00,091,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iexplore.exe
[2008/11/04 20:33:18 | 00,057,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msadcf.dll
[2008/11/04 20:33:18 | 00,036,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hmmapi.dll
[2008/11/04 20:31:48 | 00,272,896 | ---- | C] (Cinematronics) -- C:\WINDOWS\System32\dllcache\pinball.exe
[2008/11/04 20:31:48 | 00,179,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\accwiz.exe
[2008/11/04 20:31:48 | 00,179,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\accwiz.exe
[2008/11/04 20:31:48 | 00,066,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\access.cpl
[2008/11/04 20:31:48 | 00,066,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\access.cpl
[2008/11/04 20:31:47 | 00,522,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dialer.exe
[2008/11/04 20:31:47 | 00,124,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sndrec32.exe
[2008/11/04 20:31:47 | 00,124,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sndrec32.exe
[2008/11/04 20:31:47 | 00,061,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdshost.exe
[2008/11/04 20:31:47 | 00,061,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdshost.exe
[2008/11/04 20:31:47 | 00,020,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\tdtcp.sys
[2008/11/04 20:31:47 | 00,020,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tdtcp.sys
[2008/11/04 20:31:47 | 00,018,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qprocess.exe
[2008/11/04 20:31:47 | 00,018,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\qprocess.exe
[2008/11/04 20:31:47 | 00,011,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\tdpipe.sys
[2008/11/04 20:31:47 | 00,011,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tdpipe.sys
[2008/11/04 20:31:46 | 00,869,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtctm.dll
[2008/11/04 20:31:46 | 00,869,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdtctm.dll
[2008/11/04 20:31:46 | 00,151,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtcuiu.dll
[2008/11/04 20:31:46 | 00,151,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdtcuiu.dll
[2008/11/04 20:31:46 | 00,083,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxoci.dll
[2008/11/04 20:31:46 | 00,083,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mtxoci.dll
[2008/11/04 20:31:45 | 00,054,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtclog.dll
[2008/11/04 20:31:45 | 00,054,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdtclog.dll
[2008/11/04 20:31:45 | 00,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xolehlp.dll
[2008/11/04 20:31:45 | 00,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xolehlp.dll
[2008/11/04 20:31:45 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtc.exe
[2008/11/04 20:31:45 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdtc.exe
[2008/11/04 20:31:45 | 00,005,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comrereg.exe
[2008/11/04 20:31:44 | 00,085,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\catsrvps.dll
[2008/11/04 20:31:44 | 00,085,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\catsrvps.dll
[2008/11/04 20:31:44 | 00,082,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comrepl.dll
[2008/11/04 20:31:44 | 00,082,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comrepl.dll
[2008/11/04 20:31:44 | 00,056,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\colbact.dll
[2008/11/04 20:31:44 | 00,056,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\colbact.dll
[2008/11/04 20:31:44 | 00,054,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\stclient.dll
[2008/11/04 20:31:44 | 00,054,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\stclient.dll
[2008/11/04 20:31:44 | 00,025,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comaddin.dll
[2008/11/04 20:31:44 | 00,025,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comaddin.dll
[2008/11/04 20:31:44 | 00,025,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxlegih.dll
[2008/11/04 20:31:44 | 00,025,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mtxlegih.dll
[2008/11/04 20:31:44 | 00,020,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxdm.dll
[2008/11/04 20:31:44 | 00,020,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mtxdm.dll
[2008/11/04 20:31:44 | 00,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comrepl.exe
[2008/11/04 20:31:44 | 00,005,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dcomcnfg.exe
[2008/11/04 20:31:44 | 00,005,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dcomcnfg.exe
[2008/11/04 20:31:44 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxex.dll
[2008/11/04 20:31:44 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mtxex.dll
[2008/11/04 20:31:43 | 00,495,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comuid.dll
[2008/11/04 20:31:43 | 00,495,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comuid.dll
[2008/11/04 20:31:43 | 00,468,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\clbcatq.dll
[2008/11/04 20:31:43 | 00,468,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\clbcatq.dll
[2008/11/04 20:31:43 | 00,215,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\catsrv.dll
[2008/11/04 20:31:43 | 00,215,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\catsrv.dll
[2008/11/04 20:31:43 | 00,147,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comsnap.dll
[2008/11/04 20:31:43 | 00,147,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comsnap.dll
[2008/11/04 20:31:43 | 00,100,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\clbcatex.dll
[2008/11/04 20:31:43 | 00,100,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\clbcatex.dll
[2008/11/04 20:31:42 | 00,124,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmipdskq.dll
[2008/11/04 20:31:42 | 00,117,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiapsrv.exe
[2008/11/04 20:31:42 | 00,059,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmipjobj.dll
[2008/11/04 20:31:42 | 00,058,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmipiprt.dll
[2008/11/04 20:31:41 | 00,183,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiadap.exe
[2008/11/04 20:31:41 | 00,167,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wbemdisp.dll
[2008/11/04 20:31:41 | 00,157,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wbemtest.exe
[2008/11/04 20:31:41 | 00,082,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiaprpl.dll
[2008/11/04 20:31:41 | 00,048,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wbemsvc.dll
[2008/11/04 20:31:41 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiapres.dll
[2008/11/04 20:31:40 | 00,226,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\provthrd.dll
[2008/11/04 20:31:40 | 00,183,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wbemcntl.dll
[2008/11/04 20:31:40 | 00,125,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\viewprov.dll
[2008/11/04 20:31:40 | 00,066,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wbemcons.dll
[2008/11/04 20:31:40 | 00,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\scrcons.exe
[2008/11/04 20:31:39 | 00,203,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntevt.dll
[2008/11/04 20:31:39 | 00,174,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\framedyn.dll
[2008/11/04 20:31:39 | 00,053,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\servdeps.dll
[2008/11/04 20:31:39 | 00,053,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\servdeps.dll
[2008/11/04 20:31:39 | 00,023,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\krnlprov.dll
[2008/11/04 20:31:39 | 00,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mmfutil.dll
[2008/11/04 20:31:39 | 00,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mmfutil.dll
[2008/11/04 20:31:38 | 00,174,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cmprops.dll
[2008/11/04 20:31:38 | 00,174,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cmprops.dll
[2008/11/04 20:31:37 | 00,200,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2008/11/04 20:31:37 | 00,116,736 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mplay32.exe
[2008/11/04 20:31:37 | 00,116,736 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mplay32.exe
[2008/11/04 20:31:36 | 00,534,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spider.exe
[2008/11/04 20:31:36 | 00,534,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\spider.exe
[2008/11/04 20:31:36 | 00,339,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mspaint.exe
[2008/11/04 20:31:36 | 00,339,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mspaint.exe
[2008/11/04 20:31:36 | 00,139,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuauclt.exe
[2008/11/04 20:31:36 | 00,139,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuauclt.exe
[2008/11/04 20:31:36 | 00,098,816 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\clipbrd.exe
[2008/11/04 20:31:36 | 00,098,816 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\clipbrd.exe
[2008/11/04 20:31:35 | 00,598,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mstscax.dll
[2008/11/04 20:31:35 | 00,598,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstscax.dll
[2008/11/04 20:31:35 | 00,388,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mstsc.exe
[2008/11/04 20:31:35 | 00,388,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstsc.exe
[2008/11/04 20:31:35 | 00,189,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuaueng.dll
[2008/11/04 20:31:35 | 00,189,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuaueng.dll
[2008/11/04 20:31:35 | 00,115,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\rdpwd.sys
[2008/11/04 20:31:35 | 00,115,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdpwd.sys
[2008/11/04 20:31:35 | 00,088,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tscfgwmi.dll
[2008/11/04 20:31:35 | 00,088,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tscfgwmi.dll
[2008/11/04 20:31:35 | 00,009,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuauserv.dll
[2008/11/04 20:31:35 | 00,009,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuauserv.dll
[2008/11/04 20:31:34 | 00,200,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\termsrv.dll
[2008/11/04 20:31:34 | 00,200,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\termsrv.dll
[2008/11/04 20:31:34 | 00,135,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdchost.dll
[2008/11/04 20:31:34 | 00,135,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdchost.dll
[2008/11/04 20:31:34 | 00,129,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sessmgr.exe
[2008/11/04 20:31:34 | 00,129,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sessmgr.exe
[2008/11/04 20:31:34 | 00,075,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpwsx.dll
[2008/11/04 20:31:34 | 00,075,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdpwsx.dll
[2008/11/04 20:31:34 | 00,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\remotepg.dll
[2008/11/04 20:31:34 | 00,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\remotepg.dll
[2008/11/04 20:31:34 | 00,044,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpclip.exe
[2008/11/04 20:31:34 | 00,044,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdpclip.exe
[2008/11/04 20:31:34 | 00,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tscupgrd.exe
[2008/11/04 20:31:34 | 00,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tscupgrd.exe
[2008/11/04 20:31:34 | 00,014,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpsnd.dll
[2008/11/04 20:31:34 | 00,014,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdpsnd.dll
[2008/11/04 20:31:34 | 00,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdsaddin.exe
[2008/11/04 20:31:34 | 00,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdsaddin.exe
[2008/11/04 20:31:34 | 00,009,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\icaapi.dll
[2008/11/04 20:31:34 | 00,009,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\icaapi.dll
[2008/11/04 20:31:33 | 00,582,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\catsrvut.dll
[2008/11/04 20:31:33 | 00,582,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\catsrvut.dll
[2008/11/04 20:31:33 | 00,359,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtcprx.dll
[2008/11/04 20:31:33 | 00,359,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdtcprx.dll
[2008/11/04 20:31:33 | 00,186,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comadmin.dll
[2008/11/04 20:31:33 | 00,032,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cfgbkend.dll
[2008/11/04 20:31:33 | 00,032,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cfgbkend.dll
[2008/11/04 20:31:32 | 01,172,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comsvcs.dll
[2008/11/04 20:31:32 | 01,172,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comsvcs.dll
[2008/11/04 20:31:32 | 00,203,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2008/11/04 20:31:32 | 00,101,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmisvc.dll
[2008/11/04 20:31:32 | 00,096,256 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiutils.dll
[2008/11/04 20:31:32 | 00,038,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmipsess.dll
[2008/11/04 20:31:31 | 00,408,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2008/11/04 20:31:31 | 00,149,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmipcima.dll
[2008/11/04 20:31:31 | 00,138,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmidcprv.dll
[2008/11/04 20:31:31 | 00,122,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprov.dll
[2008/11/04 20:31:31 | 00,111,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wbemupgd.dll
[2008/11/04 20:31:31 | 00,055,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmicookr.dll
[2008/11/04 20:31:30 | 00,480,256 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wbemcore.dll
[2008/11/04 20:31:30 | 00,259,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wbemess.dll
[2008/11/04 20:31:30 | 00,215,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wbemcomn.dll
[2008/11/04 20:31:30 | 00,080,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\stdprov.dll
[2008/11/04 20:31:30 | 00,028,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wbemprox.dll
[2008/11/04 20:31:29 | 00,138,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\repdrvfs.dll
[2008/11/04 20:31:29 | 00,104,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mofd.dll
[2008/11/04 20:31:29 | 00,060,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ncprov.dll
[2008/11/04 20:31:29 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mofcomp.exe
[2008/11/04 20:31:28 | 01,267,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cimwin32.dll
[2008/11/04 20:31:28 | 00,565,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2008/11/04 20:31:28 | 00,235,520 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\esscli.dll
[2008/11/04 20:31:27 | 00,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\licwmi.dll
[2008/11/04 20:31:27 | 00,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\licwmi.dll
[2008/11/04 20:31:24 | 00,182,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\rdpdr.sys
[2008/11/04 20:26:12 | 00,050,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\DMusic.sys
[2008/11/04 20:26:08 | 00,005,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\splitter.sys
[2008/11/04 20:11:04 | 00,024,661 | ---- | C] (Perle Systems Ltd.) -- C:\WINDOWS\System32\spxcoins.dll
[2008/11/04 20:11:04 | 00,024,661 | ---- | C] (Perle Systems Ltd.) -- C:\WINDOWS\System32\dllcache\spxcoins.dll
[2008/11/04 20:11:04 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\irclass.dll
[2008/11/04 20:11:04 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\irclass.dll
[2008/11/04 12:36:56 | 00,056,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\redbook.sys
[2008/11/04 12:32:53 | 00,038,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\termdd.sys
[2008/11/04 12:31:10 | 00,696,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sapi.dll
[2008/11/04 12:31:10 | 00,147,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sapi.cpl
[2008/11/04 12:31:09 | 00,019,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\agt041f.dll
[2008/11/04 12:31:09 | 00,019,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\agt0419.dll
[2008/11/04 12:31:08 | 00,022,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\agt0408.dll
[2008/11/04 12:31:08 | 00,019,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\agt040e.dll
[2008/11/04 12:31:08 | 00,019,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\agt0415.dll
[2008/11/04 12:31:08 | 00,019,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\agt0405.dll
[2008/11/04 12:31:04 | 00,132,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\WINSPOOL.DRV
[2008/11/04 12:31:04 | 00,010,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\irenum.sys
[2008/11/04 12:31:04 | 00,010,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\irenum.sys
[2008/11/04 12:31:02 | 00,071,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\storprop.dll
[2008/11/04 12:30:42 | 00,657,548 | ---- | C] () -- C:\WINDOWS\System32\dllcache\CLASSES.CAT
[2008/11/04 12:30:42 | 00,056,081 | ---- | C] () -- C:\WINDOWS\System32\dllcache\DAJAVAC.CAT
[2008/11/04 12:30:42 | 00,052,311 | ---- | C] () -- C:\WINDOWS\System32\dllcache\DX3.CAT
[2008/11/04 12:30:42 | 00,037,484 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MW770.CAT
[2008/11/04 12:30:42 | 00,031,405 | ---- | C] () -- C:\WINDOWS\System32\dllcache\FP4.CAT
[2008/11/04 12:30:42 | 00,014,031 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSJDBC.CAT
[2008/11/04 12:30:42 | 00,013,608 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IMS.CAT
[2008/11/04 12:30:42 | 00,010,881 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSMSGS.CAT
[2008/11/04 12:30:42 | 00,008,574 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IASNT4.CAT
[2008/11/04 12:30:42 | 00,007,382 | ---- | C] () -- C:\WINDOWS\System32\dllcache\OEMBIOS.CAT
[2008/11/04 12:30:42 | 00,007,369 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSTSWEB.CAT
[2008/11/04 12:30:41 | 02,049,999 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5.CAT
[2008/11/04 12:30:41 | 01,086,182 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NTPRINT.CAT
[2008/11/04 12:30:41 | 00,797,189 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5IIS.CAT
[2008/11/04 12:30:41 | 00,399,645 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MAPIMIG.CAT
[2008/11/04 12:30:40 | 00,342,618 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5INF.CAT
[2008/11/02 18:04:32 | 00,245,902 | ---- | C] () -- C:\Documents and Settings\Dennis\Desktop\daft.com
[2008/10/29 19:22:09 | 03,022,150 | ---- | C] () -- C:\Documents and Settings\Dennis\Desktop\ComboFix.exe
[2008/10/29 19:10:17 | 00,020,992 | -HS- | C] () -- C:\WINDOWS\System32\accwizh.dll
[2008/10/28 19:46:50 | 00,422,400 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dennis\Desktop\OTViewIt.exe
[2008/10/28 19:43:24 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2008/10/28 19:41:53 | 00,000,635 | ---- | C] () -- C:\Documents and Settings\Dennis\Desktop\ERUNT.lnk
[2008/10/28 19:41:52 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2008/10/28 19:38:33 | 00,149,837 | ---- | C] () -- C:\Documents and Settings\Dennis\My Documents\ERUNT Use.pdf
[2008/10/28 19:33:02 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Dennis\Desktop\erunt-setup.exe
[2008/10/28 17:31:29 | 00,009,728 | ---- | C] () -- C:\WINDOWS\brastk.exe
[2008/10/28 17:29:57 | 00,000,132 | ---- | C] () -- C:\WINDOWS\System32\delself.bat
[2008/10/27 20:17:27 | 00,001,777 | ---- | C] () -- C:\Documents and Settings\Dennis\Desktop\HijackThis.lnk
[2008/10/27 20:16:28 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Dennis\Desktop\HJTInstall.exe
[2008/10/27 19:10:44 | 00,015,360 | ---- | C] () -- C:\WINDOWS\System32\WinCtrl32.dll
[2008/10/24 21:36:52 | 00,009,728 | ---- | C] () -- C:\WINDOWS\System32\brastk.exe
[2008/10/24 21:34:21 | 00,000,000 | ---D | C] -- C:\New Folder
[2008/10/24 21:28:02 | 00,000,000 | ---D | C] -- C:\backups
[2008/10/18 16:57:16 | 00,000,664 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\ThreatFire.lnk
[2008/10/18 16:57:10 | 00,051,520 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfFsMon.sys
[2008/10/18 16:57:10 | 00,038,208 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfSysMon.sys
[2008/10/18 16:57:10 | 00,033,088 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfNetMon.sys
[2008/10/18 16:57:10 | 00,012,608 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfKbMon.sys
[2008/10/18 16:57:10 | 00,000,000 | ---D | C] -- C:\Program Files\ThreatFire
[2008/10/18 16:57:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
========== Files - Modified Within 30 Days ==========
[10 C:\WINDOWS\System32\*.tmp files]
[9 C:\WINDOWS\*.tmp files]
[2008/11/08 10:05:00 | 00,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{41111FB6-E87B-4712-9635-90034B0CC9F3}.job
[2008/11/08 09:50:44 | 00,000,140 | ---- | M] () -- C:\WINDOWS\msicpl.ini
[2008/11/08 09:48:34 | 00,088,566 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2008/11/08 09:48:19 | 00,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/11/08 09:47:51 | 00,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2008/11/08 09:39:07 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/11/08 09:37:37 | 00,015,360 | ---- | M] () -- C:\WINDOWS\System32\WinCtrl32.dll
[2008/11/08 09:37:37 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/11/08 08:36:39 | 00,025,296 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000001-00000000-00000008-00001102-00000002-80651102}.rfx
[2008/11/08 08:36:39 | 00,025,296 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000001-00000000-00000008-00001102-00000002-80651102}.rfx
[2008/11/08 08:36:39 | 00,016,516 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000001-00000000-00000008-00001102-00000002-80651102}.rfx
[2008/11/08 08:36:39 | 00,016,516 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000001-00000000-00000008-00001102-00000002-80651102}.rfx
[2008/11/08 08:36:39 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2008/11/08 08:36:39 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2008/11/08 08:36:39 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000001-00000000-00000008-00001102-00000002-80651102}.dat
[2008/11/08 08:36:39 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000001-00000000-00000008-00001102-00000002-80651102}.dat
[2008/11/07 17:09:20 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2008/11/06 15:04:22 | 00,001,779 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Windows Live Messenger.lnk
[2008/11/06 14:30:01 | 00,000,102 | ---- | M] () -- C:\WINDOWS\VSWizard.ini
[2008/11/05 19:53:24 | 00,065,288 | ---- | M] () -- C:\Documents and Settings\Dennis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/11/04 23:01:14 | 00,000,468 | ---- | M] () -- C:\Documents and Settings\Dennis\Desktop\Shortcut to OTViewIt.lnk
[2008/11/04 21:12:55 | 00,440,998 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2008/11/04 21:12:55 | 00,078,258 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2008/11/04 20:51:08 | 00,527,410 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008/11/04 20:47:56 | 00,239,144 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/11/04 20:42:18 | 00,000,287 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2008/11/04 20:36:52 | 00,001,111 | ---- | M] () -- C:\WINDOWS\win.ini
[2008/11/04 20:36:23 | 00,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2008/11/04 20:36:11 | 00,000,084 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
[2008/11/04 20:36:09 | 00,004,858 | ---- | M] () -- C:\WINDOWS\iexplore.ini
[2008/11/04 20:36:05 | 00,025,065 | ---- | M] () -- C:\WINDOWS\System32\wmpscheme.xml
[2008/11/04 20:36:04 | 00,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2008/11/04 20:36:04 | 00,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2008/11/04 20:36:02 | 00,299,552 | ---- | M] () -- C:\WINDOWS\WMSysPrx.prx
[2008/11/04 20:35:45 | 00,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2008/11/04 20:32:57 | 00,023,348 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/11/04 20:30:41 | 00,000,203 | -HS- | M] () -- C:\boot.ini
[2008/11/04 20:10:51 | 00,000,138 | -HS- | M] () -- C:\Documents and Settings\All Users\Documents\desktop.ini
[2008/11/04 20:10:51 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2008/11/04 12:37:07 | 00,198,605 | ---- | M] () -- C:\WINDOWS\setupapi.old
[2008/11/04 12:31:24 | 00,001,344 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2008/11/02 18:30:36 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\13i.sys
[2008/11/02 18:30:28 | 00,031,104 | ---- | M] () -- C:\WINDOWS\System32\drivers\Windi26.sys
[2008/11/02 18:29:30 | 00,009,728 | ---- | M] () -- C:\WINDOWS\System32\brastk.exe
[2008/11/02 18:29:30 | 00,009,728 | ---- | M] () -- C:\WINDOWS\brastk.exe
[2008/11/02 18:27:34 | 00,000,132 | ---- | M] () -- C:\WINDOWS\System32\delself.bat
[2008/11/02 18:25:59 | 00,006,144 | ---- | M] () -- C:\WINDOWS\System32\karna.dat
[2008/11/02 18:25:59 | 00,006,144 | ---- | M] () -- C:\WINDOWS\karna.dat
[2008/11/02 18:04:33 | 00,245,902 | ---- | M] () -- C:\Documents and Settings\Dennis\Desktop\daft.com
[2008/11/02 11:13:43 | 00,000,328 | --S- | M] () -- C:\WINDOWS\System32\2455993257.dat
[2008/10/29 19:22:23 | 03,022,150 | ---- | M] () -- C:\Documents and Settings\Dennis\Desktop\ComboFix.exe
[2008/10/29 19:10:17 | 00,020,992 | -HS- | M] () -- C:\WINDOWS\System32\accwizh.dll
[2008/10/29 18:55:37 | 12,020,9408 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2008/10/28 20:17:40 | 54,129,930 | -HS- | M] () -- C:\WINDOWS\System32\Adobeh.sys
[2008/10/28 19:46:51 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dennis\Desktop\OTViewIt.exe
[2008/10/28 19:41:53 | 00,000,635 | ---- | M] () -- C:\Documents and Settings\Dennis\Desktop\ERUNT.lnk
[2008/10/28 19:38:33 | 00,149,837 | ---- | M] () -- C:\Documents and Settings\Dennis\My Documents\ERUNT Use.pdf
[2008/10/28 19:33:06 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Dennis\Desktop\erunt-setup.exe
[2008/10/27 22:20:03 | 03,384,453 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000008-00001102-00000002-80651102}.CDF
[2008/10/27 22:19:46 | 03,384,327 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000008-00001102-00000002-80651102}.BAK
[2008/10/27 20:17:27 | 00,001,777 | ---- | M] () -- C:\Documents and Settings\Dennis\Desktop\HijackThis.lnk
[2008/10/27 20:16:30 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Dennis\Desktop\HJTInstall.exe
[2008/10/27 20:12:20 | 00,000,563 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2008/10/20 16:13:19 | 00,000,025 | ---- | M] () -- C:\WINDOWS\popcinfo.dat
[2008/10/19 12:37:41 | 00,000,225 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
[2008/10/18 16:57:16 | 00,000,664 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ThreatFire.lnk
< End of report >
Fatboy_97
2008-11-09, 01:17
And finally the Extras log:
OTViewIt Extras logfile created on: 11/8/2008 10:05:58 AM - Run 2
OTViewIt by OldTimer - Version 1.0.19.0 Folder = C:\Documents and Settings\Dennis\Desktop
Windows XP Home Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1023.48 Mb Total Physical Memory | 697.14 Mb Available Physical Memory | 68.11% Memory free
2.41 Gb Paging File | 2.14 Gb Available in Paging File | 89.11% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.32 Gb Total Space | 56.14 Gb Free Space | 73.55% Space Free | Partition Type: NTFS
Drive D: | 40.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: DENNIS-JIF0Z43K
Current User Name: Dennis
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days
"Use My Stylesheet"=
"User Stylesheet"=
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=1
"FirewallDisableNotify"=1
"UpdatesDisableNotify"=1
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=0
"DoNotAllowExceptions"=0
"DisableNotifications"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2002/08/29 04:00:00 | 00,129,024 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/13 10:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/01/19 12:54:56 | 05,674,352 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
[2007/01/04 16:10:02 | 00,297,752 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2002/08/29 04:00:00 | 00,129,024 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- C:\Program Files\NovaLogic\Joint Operations Demo\jodemo.exe:*:Enabled:jodemo
File not found -- C:\Program Files\NovaLogic\Delta Force Black Hawk Down\DFBHD.EXE:*:Enabled:DFBHD
[2002/08/29 04:00:00 | 00,091,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer
File not found -- C:\Program Files\DFPinger\DFBHDPinger\DFBHDPinger.exe:*:Enabled:DFBHDPinger
File not found -- C:\Program Files\LimeWire\LimeWire 4.2.3\LimeWire.exe:*:Enabled:LimeWire
File not found -- C:\Program Files\NovaLogic\Delta Force Black Hawk Down\update.exe:*:Enabled:update
File not found -- D:\Program Files\Duke Nukem - Manhattan Project\prism3d.exe:*:Enabled:prism3d
[2002/08/29 04:00:00 | 00,774,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console
File not found -- C:\Program Files\NovaLogic\Delta Force Black Hawk Down\Black Operations Mod.exe:*:Enabled:Black Operations Mod
File not found -- C:\Program Files\NovaLogic\Joint Operations Typhoon Rising\Jointops.exe:*:Enabled:Jointops
File not found -- C:\Program Files\NovaLogic\Joint Operations Typhoon Rising\UPDATE.EXE:*:Enabled:UPDATE
[2008/04/13 10:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\Soulseek-Test\slsk.exe:*:Enabled:SoulSeek
[2004/02/03 13:42:04 | 00,962,642 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\WCESMGR.EXE:*:Enabled:ActiveSync Application
[2004/02/03 13:42:54 | 00,401,491 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE:*:Enabled:ActiveSync Connection Manager
[2008/04/13 16:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2007/08/16 10:23:52 | 00,850,944 | ---- | M] (Abacast, Inc.) -- C:\Documents and Settings\Dennis\Local Settings\Application Data\Abacast\Abaclient.exe:*:Enabled:Abaclient
[2007/09/27 13:18:36 | 01,400,832 | ---- | M] (Abacast, Inc.) -- C:\Documents and Settings\Dennis\Local Settings\Application Data\Abacast\Abaclient2.exe:*:Disabled:Abaclient
[2007/01/19 12:54:56 | 05,674,352 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
[2007/01/04 16:10:02 | 00,297,752 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
========== (O18) Protocol Handlers ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2001/01/22 03:25:24 | 00,872,448 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (cdo:{CD00020A-8B95-11D1-82DB-00C04FB1625D} (HKLM) [Microsoft PKM KnowledgePluggable Class])
ipp: [HKLM - No CLSID value]
[2001/02/12 03:25:24 | 01,187,840 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
[2007/01/19 12:53:24 | 00,063,344 | ---- | M] (Microsoft Corporation) C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (livecall:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])
[2004/02/03 13:43:36 | 00,077,903 | ---- | M] (Microsoft Corporation) C:\Program Files\Microsoft ActiveSync\AATP.DLL (mctp:{d7b95390-b1c5-11d0-b111-0080c712fe82} (HKLM) [mctp: Asynchronous Pluggable Protocol Handler])
msdaipp: [HKLM - No CLSID value]
[2001/02/12 03:25:24 | 01,187,840 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
[2001/02/12 03:25:24 | 01,187,840 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]
[2000/04/19 18:47:36 | 00,520,117 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (ms-itss:{0A9007C0-4076-11D3-8789-0000F8105754} (HKLM) [Microsoft Infotech Storage Protocol for IE 4.0])
[2007/01/19 12:53:24 | 00,063,344 | ---- | M] (Microsoft Corporation) C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (msnim:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])
[2002/08/29 04:00:00 | 00,842,268 | ---- | M] () C:\WINDOWS\system32\msdxm.ocx (vnd.ms.radio:{3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} (HKLM) [AsyncPProt Class])
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}"=Microsoft Office 2000 Premium
"{00040409-78E1-11D2-B60F-006097C998E7}"=Microsoft Office 2000 SR-1 Disc 2
"{03CDDD00-BD57-4326-9480-4C74449AF597}"=PhotoStitch
"{093625E3-7B87-49D3-AA53-AD0FCFABAF49}"=Camera Window
"{0C8EE4CE-981E-4E7C-A2B5-2EA68A645589}"=D4100_Help
"{0D2E80C8-0875-43EB-9623-47118E2DFBCA}"=Quicken 2007
"{1FD0C5C1-B01B-4B4C-9607-E5D3B3D1318F}"=Microsoft IntelliPoint 4.1
"{20B8FD81-A71D-42ea-B887-07A616069E63}"=D4100
"{2238A301-6A20-4bdb-A655-C84AB629F6B6}"=hph_readme
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"=Google Toolbar for Internet Explorer
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}"=HPPhotoSmartExpress
"{3248F0A8-6813-11D6-A77B-00B0D0150060}"=J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160030}"=Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}"=Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}"=Java(TM) 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{363790D2-DA98-41DD-9C9F-69FA36B169DE}"=PanoStandAlone
"{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}"=Google Earth
"{45B8A76B-57EC-4242-B019-066400CD8428}"=BufferChm
"{48B82226-75E3-4E90-92CC-D30F79EA6380}"=Norton Security Scan
"{49140327-BEBF-43dd-B386-43311A065609}"=hph_ProductContext
"{49672EC2-171B-47B4-8CE7-50D7806360D7}"=Windows Live Sign-in Assistant
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}"=HPProductAssistant
"{4F6DED87-B0E2-462F-A4FE-7DAE4A2CB774}"=Joint Operations: Typhoon Rising - Demo
"{571700F0-DB9D-4B3A-B03D-35A14BB5939F}"=Windows Live Messenger
"{5CE42363-EC4B-4D0D-A27B-9B48F253E556}"=LimeWire
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}"=Windows Genuine Advantage v1.3.0254.0
"{66910000-8B30-4973-A159-6371345AFFA5}"=WebReg
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}"=eSupportQFolder
"{6909F917-5499-482e-9AA1-FAD06A99F231}"=Toolbox
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}"=CustomerResearchQFolder
"{702F1CE2-2751-4E8A-AB2D-53262AE0EF05}"=ATI Catalyst Control Center
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{7148F0A8-6813-11D6-A77B-00B0D0142100}"=Java 2 Runtime Environment, SE v1.4.2_10
"{789289CA-F73A-4A16-A331-54D498CE069F}"=Ventrilo Client
"{81935798-5D0C-4892-832E-630E6CC07EAF}"=Morrowind
"{8245C111-D83F-4C66-BBC6-2424F6116944}"=TES Construction Set
"{8331C3EA-0C91-43AA-A4D4-27221C631139}"=Status
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}"=Microsoft Silverlight
"{8A5F34E2-37CF-4AD4-808C-2D413786E31A}"=Microsoft Visual C Runtime
"{8A62A068-3FD6-495A-9F66-26FE94F32EC9}"=Rhapsody Player Engine
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}"=Unload
"{9115E7DB-3B29-445A-802D-11E0AA945B7F}"=Sound Blaster Live!
"{911A0409-6000-11D3-8CFE-0050048383C9}"=Microsoft Outlook 2002
"{9D404F8F-05A1-4734-9550-6EC2FEE916B8}"=HP Photosmart and Deskjet 7.0 Software
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}"=Windows Defender Signatures
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}"=DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A70900000002}"=Adobe Reader 7.0.9
"{AD708DF0-9F04-4CB3-821A-85804A833B4D}"=ArcSoft Camera Suite
"{ADAED43C-BBD9-42C5-8B21-F4FBFA81E3C3}"=Palm
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{B4FEA924-630D-11D4-B78E-005004566E4D}"=ViewSonic Monitor Drivers
"{B8DBED1E-8BC3-4d08-B94A-F9D7D88E9BBF}"=HPSSupply
"{BBEB5679-6E2C-47C6-A9B5-3C6D4CD19B60}"=hph_software_req
"{BEB03A1A-1EB6-48EB-9985-8B97315EE5C0}"=RemoteCapture 2.7.0
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}"=Canon Utilities ZoomBrowser EX
"{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778}"=NTI CD-Maker
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}"=SolutionCenter
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}"=HP Update
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{D6346347-B8CD-4B52-BF5F-9676CDE79801}"=hph_software
"{DB093244-7D79-4384-0081-633D3B2C1244}"=LOTR The Return of the King (tm) Demo
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}"=TrayApp
"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}"=Google Toolbar for Internet Explorer
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}"=Ad-Aware
"{E1B80DEE-A795-4258-8445-074C06AE3AB8}"=MarketResearch
"{EB21A812-671B-4D08-B974-2A347F0D8F70}"=HP Photosmart Essential
"{EB807EB6-5179-48B7-98D4-7B4934A57A81}"=Documents To Go
"{EF0DD8B7-471C-463B-A298-6066C2FABAF5}"=File Viewer Utility 1.2
"{F157460F-720E-482f-8625-AD7843891E5F}"=InstantShareDevicesMFC
"{F445476A-42DE-11D4-80D0-00C04F2750A6}"=Epocrates Essentials
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}"=HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"3554AA4B-9B0B-451a-A269-2B5F53982209_is1"=ThreatFire 3.5
"Adobe Acrobat 4.0"=Adobe Acrobat 4.0
"Adobe Acrobat 5.0"=Adobe Acrobat 5.0
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player Plugin
"Adobe Photoshop 5.0 Limited Edition"=Adobe Photoshop 5.0 Limited Edition
"Adobe Shockwave Player"=Adobe Shockwave Player 11
"All ATI Software"=ATI - Software Uninstall Utility
"ASUS Probe V2.19.07"=ASUS Probe V2.19.07
"ATI Display Driver"=ATI Display Driver
"Charter"=Charter Pipeline Professor
"Creative PlayCenter 2.0"=Creative PlayCenter
"DIG Game Manager"=DIG Game Manager
"Easy-PhotoPrint"=Canon Utilities Easy-PhotoPrint
"Easy-WebPrint"=Easy-WebPrint
"ERUNT_is1"=ERUNT 1.1j
"HijackThis"=HijackThis 2.0.2
"HP Imaging Device Functions"=HP Imaging Device Functions 7.0
"HP Solution Center & Imaging Support Tools"=HP Solution Center 7.0
"HPExtendedCapabilities"=HP Customer Participation Program 7.0
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"InstallShield_{03CDDD00-BD57-4326-9480-4C74449AF597}"=Canon Utilities PhotoStitch 3.1
"InstallShield_{093625E3-7B87-49D3-AA53-AD0FCFABAF49}"=Canon Camera Window for ZoomBrowser EX
"InstallShield_{5CE42363-EC4B-4D0D-A27B-9B48F253E556}"=LimeWire
"InstallShield_{BEB03A1A-1EB6-48EB-9985-8B97315EE5C0}"=Canon Utilities RemoteCapture 2.7
"InstallShield_{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778}"=NTI CD-Maker 6 Platinum
"InstallShield_{EF0DD8B7-471C-463B-A298-6066C2FABAF5}"=Canon Utilities File Viewer Utility 1.2
"JRE 1.3.1_04"=Java 2 Runtime Environment Standard Edition v1.3.1_04
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"Microsoft Internet Gaming Zone"=MSN Gaming Zone
"Mozilla Firefox (3.0.3)"=Mozilla Firefox (3.0.3)
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant"=MSN Music Assistant
"MSN Toolbar"=MSN Toolbar
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers"=NVIDIA Drivers
"NVIDIAnForce"=NVIDIA Windows 2000/XP nForce Drivers
"OneTouch Version 3.0"=OneTouch Version 3.0
"PaperPort 7.02"=PaperPort 7.02
"PhotoRecord"=Canon PhotoRecord
"QuickTime"=QuickTime
"Shockwave"=Shockwave
"Shop for HP Supplies"=Shop for HP Supplies
"Spybot - Search & Destroy_is1"=Spybot - Search & Destroy 1.3
"SSUtils"=NVIDIA nForce Utilities
"Support.com"=Support.com Software
"Windows CE Services"=Microsoft ActiveSync 3.7
"Windows Media Format Runtime"=Windows Media Format Runtime
"Windows Media Player"=Windows Media Player 10
"WMFDist11"=Windows Media Format 11 runtime
"wmp11"=Windows Media Player 11
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Abacast Client"=Abacast Client
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 11/6/2008 7:21:25 PM | Computer Name = DENNIS-JIF0Z43K | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.
Error - 11/6/2008 7:39:46 PM | Computer Name = DENNIS-JIF0Z43K | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro
Error - 11/6/2008 7:39:46 PM | Computer Name = DENNIS-JIF0Z43K | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.
Error - 11/7/2008 8:33:57 PM | Computer Name = DENNIS-JIF0Z43K | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro
Error - 11/7/2008 8:33:57 PM | Computer Name = DENNIS-JIF0Z43K | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.
Error - 11/8/2008 12:19:15 PM | Computer Name = DENNIS-JIF0Z43K | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro
Error - 11/8/2008 12:19:15 PM | Computer Name = DENNIS-JIF0Z43K | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.
Error - 11/8/2008 12:34:49 PM | Computer Name = DENNIS-JIF0Z43K | Source = Windows Product Activation | ID = 1009
Description = You have not activated Windows within the grace period. To activate
Windows, contact a customer service representative by telephone.
Error - 11/8/2008 1:27:46 PM | Computer Name = DENNIS-JIF0Z43K | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro
Error - 11/8/2008 1:27:47 PM | Computer Name = DENNIS-JIF0Z43K | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.
[ System Events ]
Error - 11/8/2008 1:28:49 PM | Computer Name = DENNIS-JIF0Z43K | Source = Service Control Manager | ID = 7001
Description = The Network Location Awareness (NLA) service depends on the AFD Networking
Support Environment service which failed to start because of the following error:
%%31
Error - 11/8/2008 1:28:49 PM | Computer Name = DENNIS-JIF0Z43K | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31
Error - 11/8/2008 1:28:49 PM | Computer Name = DENNIS-JIF0Z43K | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips FltMgr IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss Tcpip
Error - 11/8/2008 1:36:25 PM | Computer Name = DENNIS-JIF0Z43K | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
Error - 11/8/2008 1:39:09 PM | Computer Name = DENNIS-JIF0Z43K | Source = Service Control Manager | ID = 7022
Description = The DCOM Server Process Launcher service hung on starting.
Error - 11/8/2008 1:39:09 PM | Computer Name = DENNIS-JIF0Z43K | Source = Service Control Manager | ID = 7000
Description = The Security Center service failed to start due to the following error:
%%1083
Error - 11/8/2008 1:39:19 PM | Computer Name = DENNIS-JIF0Z43K | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
FltMgr
Error - 11/8/2008 1:39:22 PM | Computer Name = DENNIS-JIF0Z43K | Source = RemoteAccess | ID = 20106
Description = Unable to add the interface {184F51D8-B677-4C90-BB26-B5742A2D291D}
with the Router Manager for the IP protocol. The following error occurred: Cannot
complete this function.
Error - 11/8/2008 1:40:01 PM | Computer Name = DENNIS-JIF0Z43K | Source = Service Control Manager | ID = 7000
Description = The HTTP service failed to start due to the following error: %%127
Error - 11/8/2008 1:40:01 PM | Computer Name = DENNIS-JIF0Z43K | Source = Service Control Manager | ID = 7001
Description = The SSDP Discovery Service service depends on the HTTP service which
failed to start because of the following error: %%127
< End of report >
Fatboy_97
2008-11-09, 01:19
Ok now gonna try to get the Teatimer files to the url you listed & do an Erunt backup. Thanks again! Dennis :)
Fatboy_97
2008-11-09, 02:01
Can't seem to get to the TeaTimer files, but did do an Erunt backup before I connected to the web to post the above logs.
One step at a time.....................:D:
Hi :)
Good to see something is working out for you.
Ok.. looks like you did a repair install of Windows.
So basic Windows is there at least, after the ThreatFire/TeaTimer fight.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
It will likely take a few posts because your CF log will be long.
Thanks :)
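As an added example for this thread (not code from ComboFix or from anyone posting here): a small Python triage script that splits a ComboFix log into its titled sections and reports the items a helper checks first, run over a constructed excerpt modelled on the log posted later in this thread; the excerpt's bracketed [date size] stamp is made up.

```python
"""ComboFix log triage: added example for this thread, not code from ComboFix
or from any post here.  Splits the log into its titled sections and reports the
settings and autoruns a helper checks first."""
import re

# Constructed excerpt modelled on this thread's ComboFix log; the [date size] stamp is made up.
SAMPLE_LOG = r"""((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))
c:\windows\brastk.exe
c:\windows\system32\brastk.exe
c:\windows\system32\drivers\109.exe
c:\windows\system32\drivers\125.exe
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80 . . . . failed to delete
.
((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-POINTER - point32.exe
HKU-Default-Run-brastk - c:\windows\system32\brastk.exe
"""

SECTION_RE = re.compile(r'^(?:\(+\s*(.+?)\s*\)+|- - - - (.+?) - - - -)$')
KEY_RE = re.compile(r'^\[([^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
ORPHAN_RE = re.compile(r'^(\S+?)-([^\s-]+) - (.+)$')   # HKU-Default-Run-brastk - <target>


def split_sections(text):
    """Map each ComboFix section title to its lines, skipping the '.' spacers."""
    sections, title = {}, 'preamble'
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            title = m.group(1) or m.group(2)
            sections.setdefault(title, [])
        elif line.strip() not in ('', '.'):
            sections.setdefault(title, []).append(line.rstrip())
    return sections


def parse_deletions(lines):
    """{lower-cased path: True if removed, False if '. . . . failed to delete'}."""
    result = {}
    for line in lines:
        path, _, note = line.partition(' . . . . ')
        result[path.strip().lower()] = not note.strip()
    return result


def decode(data):
    """Turn ComboFix's rendering of a registry value into a Python value."""
    if data.startswith('dword:'):
        return int(data[6:], 16)
    m = re.match(r'^"([^"]*)"', data)          # quoted path; [date size] dropped
    if m:
        return m.group(1)
    m = re.match(r'^(-?\d+)\s*\(0x[0-9a-fA-F]+\)', data)   # e.g. '0 (0x0)'
    return int(m.group(1)) if m else data


def parse_loading_points(lines):
    """{lower-cased key: {value name: decoded data}} from the REGEDIT4 block."""
    entries, current = {}, None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = decode(m.group(2).strip())
    return entries


def audit(log_text):
    """Return a sorted list of (finding, detail) pairs for one ComboFix log."""
    sections = split_sections(log_text)
    deleted = parse_deletions(sections.get('Other Deletions', []))
    reg = parse_loading_points(sections.get('Reg Loading Points', []))
    findings = []
    sc = reg.get(r'hkey_local_machine\software\microsoft\security center', {})
    for name in ('AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify'):
        if sc.get(name) == 1:                  # Security Center told not to warn the user
            findings.append(('security-center-notify-suppressed', name))
    for key, values in reg.items():
        if key.endswith(r'\firewallpolicy\standardprofile') and values.get('EnableFirewall') == 0:
            findings.append(('windows-firewall-disabled', key))
    for line in sections.get('ORPHANS REMOVED', []):
        m = ORPHAN_RE.match(line)              # autorun whose target ComboFix removed
        if m and deleted.get(m.group(3).strip().lower()):
            findings.append(('autorun-of-deleted-file', f'{m.group(1)}-{m.group(2)} -> {m.group(3)}'))
    droppers = sorted(p for p in deleted if re.search(r'\\drivers\\\d+\.exe$', p))
    if droppers:                               # the 109.exe, 125.exe, ... series
        findings.append(('numbered-exes-in-drivers-dir', f'{len(droppers)} files, e.g. {droppers[0]}'))
    findings += [('deletion-failed', p) for p, ok in sorted(deleted.items()) if not ok]
    return sorted(findings)
```

Feed it a full ComboFix.txt with `audit(open('ComboFix.txt').read())`; sections it does not know about are parsed but ignored.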
Fatboy_97
2008-11-09, 20:10
Combofix logs: :bigthumb:
ComboFix 08-11-07.01 - Dennis 2008-11-09 9:47:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.663 [GMT -8:00]
Running from: c:\documents and settings\Dennis\Desktop\ComboFix.exe
* Created a new restore point
.
The following files were disabled during the run:
c:\program files\ThreatFire\TFWAH.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Guest\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
c:\program files\UPDATE.PIF
c:\windows\brastk.exe
c:\windows\karina.dat
c:\windows\karna.dat
c:\windows\system32\~.exe
c:\windows\system32\7.tmp
c:\windows\system32\brastk.exe
c:\windows\system32\DelSelf.bat
c:\windows\system32\drivers\109.exe
c:\windows\system32\drivers\125.exe
c:\windows\system32\drivers\156.exe
c:\windows\system32\drivers\171.exe
c:\windows\system32\drivers\187.exe
c:\windows\system32\drivers\203.exe
c:\windows\system32\drivers\31.exe
c:\windows\system32\drivers\312.exe
c:\windows\system32\drivers\343.exe
c:\windows\system32\drivers\437.exe
c:\windows\system32\drivers\453.exe
c:\windows\system32\drivers\531.exe
c:\windows\system32\drivers\546.exe
c:\windows\system32\drivers\578.exe
c:\windows\system32\drivers\640.exe
c:\windows\system32\drivers\687.exe
c:\windows\system32\drivers\703.exe
c:\windows\system32\drivers\718.exe
c:\windows\system32\drivers\734.exe
c:\windows\system32\drivers\765.exe
c:\windows\system32\drivers\796.exe
c:\windows\system32\drivers\843.exe
c:\windows\system32\drivers\890.exe
c:\windows\system32\drivers\906.exe
c:\windows\system32\drivers\921.exe
c:\windows\system32\drivers\937.exe
c:\windows\system32\drivers\953.exe
c:\windows\system32\drivers\984.exe
c:\windows\system32\drivers\Windi26.sys
c:\windows\system32\karna.dat
c:\windows\system32\mdm.exe
c:\windows\system32\TCfNnnmp.ini2
c:\windows\system32\WinCtrl32.dl_
c:\windows\system32\WinCtrl32.dll
c:\windows\system32\wini10541.exe
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80 . . . . failed to delete
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67 . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_WINDI26
-------\Service_Windi26
((((((((((((((((((((((((( Files Created from 2008-10-09 to 2008-11-09 )))))))))))))))))))))))))))))))
.
2008-11-08 17:57 . 2008-11-08 17:57 801,610 --a------ C:\QDATA02.IDX
2008-11-08 16:12 . 2008-11-08 16:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\NVIDIA
2008-11-08 13:39 . 2002-12-04 20:01 820,864 -ra------ c:\windows\system32\drivers\nvmcp.sys
2008-11-08 13:39 . 2002-12-04 20:01 241,664 -ra------ c:\windows\system32\drivers\nvapu.sys
2008-11-08 13:39 . 2002-12-04 20:01 62,336 -ra------ c:\windows\system32\drivers\nvarm.sys
2008-11-08 13:39 . 2002-12-04 20:01 44,032 -ra------ c:\windows\system32\OpenAL32.dll
2008-11-08 13:39 . 2002-12-04 20:01 44,032 -ra------ c:\windows\system32\nvopenal.dll
2008-11-08 13:39 . 2002-12-04 20:01 30,720 -ra------ c:\windows\system32\nvasio.dll
2008-11-08 13:39 . 2002-12-04 20:01 13,056 -ra------ c:\windows\system32\drivers\nvax.sys
2008-11-08 13:39 . 2002-12-04 20:01 5,120 -ra------ c:\windows\system32\ALut.dll
2008-11-08 13:39 . 2002-12-04 20:01 4,096 -ra------ c:\windows\system32\nvack.dll
2008-11-08 13:37 . 2002-08-29 02:01 134,272 --a------ c:\windows\system32\drivers\portcls.sys
2008-11-08 13:37 . 2002-08-29 02:01 134,272 --a--c--- c:\windows\system32\dllcache\portcls.sys
2008-11-08 13:37 . 2002-08-29 01:32 57,856 --a------ c:\windows\system32\drivers\drmk.sys
2008-11-08 13:37 . 2002-08-29 01:32 57,856 --a--c--- c:\windows\system32\dllcache\drmk.sys
2008-11-08 13:37 . 2001-08-17 22:37 22,016 --a------ c:\windows\system32\wdmaud.drv
2008-11-08 13:02 . 2002-10-03 23:23 80,896 -ra------ c:\windows\system32\drivers\NVENET.sys
2008-11-08 13:02 . 2002-10-03 23:23 1,024 -ra------ c:\windows\system32\drivers\jedih2rx.bin
2008-11-08 13:02 . 2002-10-03 23:23 122 -ra------ c:\windows\system32\drivers\ramsed.bin
2008-11-08 13:02 . 2002-10-03 23:23 42 -ra------ c:\windows\system32\drivers\jedireg.pat
2008-11-08 12:55 . 2008-11-08 12:55 3,813 --a------ c:\windows\Ascd_tmp.ini
2008-11-08 12:23 . 2008-11-08 13:04 <DIR> d-------- c:\windows\LastGood.Tmp
2008-11-08 09:59 . 2008-11-08 09:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-08 09:35 . 2006-10-22 12:22 208,896 --a------ c:\windows\system32\nvudisp.exe
2008-11-08 09:35 . 2008-11-09 09:55 88,566 --a------ c:\windows\system32\nvapps.xml
2008-11-08 09:35 . 2006-10-22 12:22 17,056 --a------ c:\windows\system32\nvdisp.nvu
2008-11-08 09:33 . 2006-10-22 15:06 208,896 --a------ c:\windows\system32\NVUNINST.EXE
2008-11-06 14:28 . 2008-11-06 14:28 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-11-06 14:28 . 2008-11-06 14:28 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Leadertech
2008-11-04 20:56 . 2008-11-04 21:12 3,484 --a------ c:\windows\system32\PerfStringBackup.TMP
2008-11-04 20:38 . 2002-08-29 04:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2008-11-04 20:37 . 2001-08-17 22:36 2,134,528 --a--c--- c:\windows\system32\dllcache\EXCH_smtpsnap.dll
2008-11-04 20:36 . 2008-11-04 20:36 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-11-04 20:36 . 2008-11-04 20:36 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-11-04 20:34 . 2002-08-29 04:00 106,562 --a--c--- c:\windows\system32\dllcache\srchctls.dll
2008-11-04 20:34 . 2008-11-04 20:34 749 -rah----- c:\windows\WindowsShell.Manifest
2008-11-04 20:34 . 2008-11-04 20:34 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2008-11-04 20:34 . 2008-11-04 20:34 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2008-11-04 20:34 . 2008-11-04 20:34 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2008-11-04 20:34 . 2008-11-04 20:34 488 -rah----- c:\windows\system32\logonui.exe.manifest
2008-11-04 20:31 . 2002-08-29 04:00 1,267,712 --a--c--- c:\windows\system32\dllcache\cimwin32.dll
2008-11-04 20:26 . 2001-08-17 13:59 50,048 --a------ c:\windows\system32\drivers\DMusic.sys
2008-11-04 20:26 . 2002-08-29 01:32 5,888 --a------ c:\windows\system32\drivers\splitter.sys
2008-11-04 20:11 . 2002-08-29 04:00 24,661 --a------ c:\windows\system32\spxcoins.dll
2008-11-04 20:11 . 2002-08-29 04:00 24,661 --a--c--- c:\windows\system32\dllcache\spxcoins.dll
2008-11-04 20:11 . 2002-08-29 04:00 13,312 --a------ c:\windows\system32\irclass.dll
2008-11-04 20:11 . 2002-08-29 04:00 13,312 --a--c--- c:\windows\system32\dllcache\irclass.dll
2008-11-04 20:10 . 2002-08-29 04:00 1,086,182 -ra------ c:\windows\SET60.tmp
2008-11-04 20:10 . 2002-08-29 04:00 13,608 -ra------ c:\windows\SET75.tmp
2008-11-04 12:36 . 2002-08-29 01:27 56,576 --a------ c:\windows\system32\drivers\redbook.sys
2008-11-04 12:32 . 2002-08-29 03:46 38,024 --a------ c:\windows\system32\drivers\termdd.sys
2008-11-04 12:31 . 2002-08-29 04:00 696,320 --a--c--- c:\windows\system32\dllcache\sapi.dll
2008-11-04 12:31 . 2002-08-29 04:00 147,456 --a--c--- c:\windows\system32\dllcache\sapi.cpl
2008-11-04 12:31 . 2002-08-29 04:00 132,096 --a------ c:\windows\system\WINSPOOL.DRV
2008-11-04 12:31 . 2002-08-29 03:41 71,168 --a------ c:\windows\system32\storprop.dll
2008-11-04 12:31 . 2002-08-29 04:00 22,016 --a--c--- c:\windows\system32\dllcache\agt0408.dll
2008-11-04 12:31 . 2002-08-29 04:00 19,968 --a--c--- c:\windows\system32\dllcache\agt040e.dll
2008-11-04 12:31 . 2002-08-29 04:00 19,456 --a--c--- c:\windows\system32\dllcache\agt041f.dll
2008-11-04 12:31 . 2002-08-29 04:00 19,456 --a--c--- c:\windows\system32\dllcache\agt0419.dll
2008-11-04 12:31 . 2002-08-29 04:00 19,456 --a--c--- c:\windows\system32\dllcache\agt0415.dll
2008-11-04 12:31 . 2002-08-29 04:00 19,456 --a--c--- c:\windows\system32\dllcache\agt0405.dll
2008-11-04 12:31 . 2002-08-29 04:00 10,496 --a------ c:\windows\system32\drivers\irenum.sys
2008-11-04 12:31 . 2002-08-29 04:00 10,496 --a--c--- c:\windows\system32\dllcache\irenum.sys
2008-10-29 19:10 . 2008-10-29 19:10 20,992 --ahs---- c:\windows\system32\accwizh.dll
2008-10-28 19:41 . 2008-10-28 19:41 <DIR> d-------- c:\program files\ERUNT
2008-10-24 21:34 . 2008-10-24 21:34 <DIR> d-------- C:\New Folder
2008-10-24 21:28 . 2008-10-24 21:28 <DIR> d-------- C:\backups
2008-10-20 17:17 . 2008-10-20 17:17 <DIR> d-------- c:\documents and settings\Guest\Application Data\MX
2008-10-18 16:57 . 2008-11-09 09:51 <DIR> d-------- c:\program files\ThreatFire
2008-10-18 16:57 . 2008-10-18 16:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2008-10-18 16:57 . 2008-10-24 13:07 51,488 --a------ c:\windows\system32\drivers\TfFsMon.sys
2008-10-18 16:57 . 2008-10-24 13:07 39,200 --a------ c:\windows\system32\drivers\TfSysMon.sys
2008-10-18 16:57 . 2008-10-24 13:07 33,056 --a------ c:\windows\system32\drivers\TfNetMon.sys
2008-10-18 16:57 . 2008-10-24 13:07 12,576 --a------ c:\windows\system32\drivers\TfKbMon.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-09 17:53 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-08 18:49 --------- d-----w c:\documents and settings\Dennis\Application Data\MSN6
2008-11-06 23:04 --------- d-----w c:\program files\MSN Messenger
2008-11-03 02:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-25 03:59 --------- d-----w c:\program files\Trend Micro
2008-10-19 17:37 --------- d-----w c:\program files\EA GAMES
2008-10-05 09:38 --------- d-----w c:\program files\Microsoft Silverlight
2008-09-30 04:45 --------- d-----w c:\program files\Palm
2008-09-30 04:44 --------- d-----w c:\program files\Common Files\Skyscape
2008-09-25 03:28 134,992 ----a-w C:\QDATA02OFXLOG.DAT
2008-09-19 21:20 --------- d-----w c:\program files\Lavasoft
2008-09-19 21:20 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-09-19 21:19 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-09-18 00:00 --------- d-----w c:\program files\Google
2008-09-16 04:36 --------- d-----w c:\program files\MSN Games
2008-09-16 04:34 --------- d-----w c:\program files\Yahoo!
2008-09-16 04:29 --------- d-----w c:\program files\Oberon Media
2008-09-15 07:56 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-14 20:42 92,672 ----a-w c:\documents and settings\Administrator\KillBox.exe
2008-09-12 08:36 30,592 ----a-w c:\windows\system32\drivers\Winvb84.sys
2008-09-12 00:55 --------- d-----w c:\documents and settings\Guest\Application Data\alot
2006-11-24 21:28 807,624 ----a-w c:\program files\DF_BHD_Pinger_5_0_BHD_TS_v1_5_0_5_-_Creator_Dstructr.zip
2006-07-11 23:00 5,632 --sha-w c:\program files\Thumbs.db
2005-02-10 07:01 79,068,001 ----a-w c:\program files\Blackopsv1.0.zip
2004-03-15 21:29 299,624 ----a-w c:\program files\dxwebsetup.exe
2003-10-16 00:07 2,245 ----a-w c:\program files\_FILES.PFF
2003-10-14 22:49 84 ----a-w c:\program files\UPDATE.WIZ
2003-10-13 22:31 403 ----a-w c:\program files\STARTUP.HTM
2003-10-06 20:29 4,244 ----a-w c:\program files\Gameerr.bin
2003-10-02 17:18 95,377 ----a-w c:\program files\dfvgame.LWF
2003-09-26 22:21 74,534 ----a-w c:\program files\MogSlm04.3di
2003-09-25 23:44 51,529 ----a-w c:\program files\Gametext.bin
2003-09-25 23:04 353,399 ----a-w c:\program files\FAH6b.3di
2003-09-25 23:03 399,366 ----a-w c:\program files\FAH6a.3di
2003-09-25 22:51 644,422 ----a-w c:\program files\fblkhawk.3di
2003-09-25 22:50 668,018 ----a-w c:\program files\fblkhawf.3di
2003-09-25 22:42 649,693 ----a-w c:\program files\fblkhawd.3di
2003-09-24 22:07 116,841 ----a-w c:\program files\ammo.def
2003-09-23 23:55 81,705 ----a-w c:\program files\weapon.def
2003-09-18 21:27 30,647 ----a-w c:\program files\menutxt.bin
2003-09-17 01:29 29,731 ----a-w c:\program files\EMOTE13.bad
2003-09-16 21:46 8,286 ----a-w c:\program files\DELTA01.ADM
2003-09-16 18:04 1,194,796 ----a-w c:\program files\RE_Bsmt.3di
2003-09-16 16:56 49,566 ----a-w c:\program files\MogSlm01.3di
2003-09-15 20:37 73,497 ----a-w c:\program files\dfvmenus.mnu
2003-07-10 21:35 10,538 ----a-w c:\program files\airexp2.ptl
2003-07-10 21:35 1,614 ----a-w c:\program files\bcasings.ptl
2003-07-10 21:35 1,573 ----a-w c:\program files\casings.ptl
2003-07-08 20:47 18,629 ----a-w c:\program files\bird1.pcx
2003-05-30 21:38 4,553 ----a-w c:\program files\ADP_11B.til
2003-05-30 21:38 4,553 ----a-w c:\program files\ADP_11A.til
2003-05-30 21:38 25,647 ----a-w c:\program files\ADP_11B.bms
2003-05-30 21:38 25,647 ----a-w c:\program files\ADP_11A.bms
2003-05-20 21:11 9,173 ----a-w c:\program files\KYLE.WAC
2003-05-07 17:28 225,045 ----a-w c:\program files\Btn_ign.tga
2003-04-17 23:47 185,371 ----a-w c:\program files\FHum50N.3di
2003-04-17 23:32 190,602 ----a-w c:\program files\FHum50X.3di
2003-04-17 23:18 167,321 ----a-w c:\program files\FHum50P.3di
2003-04-17 23:04 167,156 ----a-w c:\program files\FHum50.3di
2003-04-14 23:16 28,805 ----a-w c:\program files\FBK_03a.bms
2003-04-14 23:16 28,793 ----a-w c:\program files\FBK_03b.bms
2003-04-14 23:16 1,540 ----a-w c:\program files\FBK_03b.til
2003-04-14 23:16 1,540 ----a-w c:\program files\FBK_03a.til
2003-04-10 21:58 1,486,671 ----a-w c:\program files\BHD_ups2.tga
2003-04-09 20:47 64,693 ----a-w c:\program files\SPBHD_14.bms
2003-04-09 20:47 2,233 ----a-w c:\program files\SPBHD_14.til
2003-04-04 22:49 242,110 ----a-w c:\program files\Btn_gmdm.tga
2003-04-04 22:33 254,761 ----a-w c:\program files\Btn_zila.tga
2003-04-04 22:27 102,727 ----a-w c:\program files\Btn_lnk2.tga
2003-04-04 22:23 59,374 ----a-w c:\program files\Btn_ext2.tga
2003-03-26 18:43 28,122 ----a-w c:\program files\SDK_01b.bms
2003-03-26 18:43 10,401 ----a-w c:\program files\SDK_01b.til
2003-03-26 18:41 5,140 ----a-w c:\program files\ADK_02b.til
2003-03-26 18:41 30,835 ----a-w c:\program files\ADK_02b.bms
2003-03-26 18:40 30,101 ----a-w c:\program files\ADK_01b.bms
2003-03-26 18:40 10,429 ----a-w c:\program files\ADK_01b.til
2003-03-25 23:32 32,592 ----a-w c:\program files\CTFK_02b.bms
2003-03-25 23:32 10,455 ----a-w c:\program files\CTFK_02b.til
2003-03-25 23:28 30,106 ----a-w c:\program files\ADK_01a.bms
2003-03-25 23:28 10,429 ----a-w c:\program files\ADK_01a.til
2003-03-25 22:21 13,774 ----a-w c:\program files\dfvdbgov.mnu
2003-03-25 18:52 73,378 ----a-w c:\program files\MogBlk07.3DI
2003-03-25 18:16 31,569 ----a-w c:\program files\SDM_01b.bms
2003-03-25 18:15 31,551 ----a-w c:\program files\SDM_01a.bms
2003-03-25 18:09 6,396 ----a-w c:\program files\DMM_01h.til
2003-03-25 18:09 39,417 ----a-w c:\program files\DMM_01h.bms
2003-03-25 18:03 6,396 ----a-w c:\program files\CTFK_03a.til
2003-03-25 18:03 41,222 ----a-w c:\program files\CTFK_03a.bms
2003-03-25 17:59 6,396 ----a-w c:\program files\CTFK_03b.til
2003-03-25 17:59 41,225 ----a-w c:\program files\CTFK_03b.bms
2003-03-24 22:44 6,569 ----a-w c:\program files\zboard.key
2003-03-24 21:13 31,939 ----a-w c:\program files\SDM_02b.bms
2003-03-24 21:01 20,403 ----a-w c:\program files\SDP_01B.bms
2003-03-24 20:52 19,433 ----a-w c:\program files\SDM_01f.bms
2003-03-24 18:54 55,788 ----a-w c:\program files\CTFM_05B.bms
2003-03-24 18:50 55,998 ----a-w c:\program files\CTFM_05A.bms
2003-03-21 23:15 44,500 ----a-w c:\program files\SPBHD_13.bms
2003-03-21 23:15 10,567 ----a-w c:\program files\SPBHD_13.til
2003-03-21 17:18 31,450 ----a-w c:\program files\TKHM_02b.bms
2003-03-21 17:16 31,424 ----a-w c:\program files\TKHM_02a.bms
.
------- Sigcheck -------
2008-04-13 10:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
2008-04-13 10:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 401491]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-09-17 171448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneTouch Monitor"="c:\progra~1\VISION~1\ONETOU~2.EXE" [2001-10-16 86016]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-10-22 86016]
"nForce Tray Options"="sstray.exe" [2002-11-12 c:\windows\system32\sstray.exe]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-12 45056]
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2007-12-25 28672]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-06-09 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\system32\ctmp3.acm
"MSACM.CEGSM"= mobilev.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Dennis\\Local Settings\\Application Data\\Abacast\\Abaclient.exe"=
"c:\\Documents and Settings\\Dennis\\Local Settings\\Application Data\\Abacast\\Abaclient2.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\System32\DRIVERS\si3112r.sys [2005-11-10 102400]
*Newly Created Service* - BITSDCOMLAUNCH
.
Contents of the 'Scheduled Tasks' folder
2008-11-09 c:\windows\Tasks\User_Feed_Synchronization-{41111FB6-E87B-4712-9635-90034B0CC9F3}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-POINTER - point32.exe
HKU-Default-Run-brastk - c:\windows\system32\brastk.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Dennis\Application Data\Mozilla\Firefox\Profiles\nj8ii6fe.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 09:55:49
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AlerterRasAutoAticlr_optimization_v2.0.50727_32]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AlerterRpcSs]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AppMgmtCiSvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AppMgmtCiSvcFastUserSwitchingCompatibility]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AppMgmtFastUserSwitchingCompatibility]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService PMSP Service]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AppMgmtFastUserSwitchingCompatibilityTrkWksImapiServiceMessengerRSVP]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AppMgmtFastUserSwitchingCompatibilityTrkWksImapiServiceNetman]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\aspnet_stateLmHosts]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Aticlr_optimization_v2.0.50727_32]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Aticlr_optimization_v2.0.50727_32AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AudioSrvRDSessMgr]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\BITSDcomLaunch]
"ImagePath"=" û\06 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Browseraspnet_stateLmHosts]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Browserwuauserv]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\BrowserwuauservALG]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\BrowserwuauservW32TimeSpoolerNVSvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ClipSrvSSDPSRVEventSystemwuauservEventlogImapiServicegusvc]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\clr_optimization_v2.0.50727_32RasMan]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\COMSysAppFastUserSwitchingCompatibility]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\COMSysAppFastUserSwitchingCompatibilityWMPNetworkSvcWebClient]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\DhcpNetman]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\dmadminEventlog]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Dnscachegusvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\EventSystemgusvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\EventSystemgusvcWMPNetworkSvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\gusvcstisvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HidServaspnet_state]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LmHostsNtLmSsp]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MessengerRSVP]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSDTCWZCSVC]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility Smart]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSIServerTrkWksALG]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetDDEclr_optimization_v2.0.50727_32]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetDDEdsdm Smart]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetDDEdsdmgusvcstisvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetmanSamSs]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetmanWMPNetworkSvcNtmsSvc]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NlaSENS]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NVSvchkmsvc]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NVSvcRemoteAccess]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NVSvcRemoteAccessDhcpNetman]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PolicyAgentWebClient]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PolicyAgentWebClientWmiApSrv]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RasAutoAticlr_optimization_v2.0.50727_32]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RemoteAccessNtLmSsp]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RemoteAccessPolicyAgentWebClient]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RpcLocatorRemoteAccessNtLmSsp]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SCardSvrThemes]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\seclogonALG]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SharedAccessWMPNetworkSvcNtmsSvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ShellHWDetection Service for CDROM Access]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ShellHWDetectionIDriverT]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ShellHWDetectionIDriverTPlugPlay]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ShellHWDetectionIDriverTPlugPlayNVSvcRemoteAccess]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ShellHWDetectionIDriverTPlugPlayRpcLocatorRemoteAccessNtLmSsp]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Spooler Smart]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SpoolerAudioSrvRDSessMgr]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SpoolerAudioSrvRDSessMgrTrkWksALGSSDPSRVEventSystemwuauservEventlogImapiServicegusvc]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SpoolerNVSvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SSDPSRVEventSystem]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SSDPSRVEventSystemwuauservEventlogImapiServicegusvc]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SwPrvSharedAccess]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SysmonLogAppMgmtCiSvcFastUserSwitchingCompatibility]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TrkWksALG]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TrkWksALGSSDPSRVEventSystemwuauservEventlogImapiServicegusvc]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TrkWksImapiService]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TrkWkslanmanserver]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TrkWksNetmanSamSs]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UPSAudioSrvRDSessMgr]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\W32TimeSpoolerNVSvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\winmgmtWmdmPmSNaspnet_stateLmHosts]
"ImagePath"=" û\06 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WmdmPmSNaspnet_stateLmHosts]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WmiApSrvAppMgmtCiSvcFastUserSwitchingCompatibility]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WmiApSrvRemoteAccessNtLmSsp]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WMPNetworkSvcNtmsSvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WMPNetworkSvcNtmsSvcTermService]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WMPNetworkSvcWebClient]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WMPNetworkSvcWebClientDhcp]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wscsvc Service for CDROM Access]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wscsvcDhcp]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wuauservDhcp]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wuauservEventlog]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wuauservEventlogImapiService]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wuauservEventlogImapiServicegusvc]
"ImagePath"="ð%€|x\01\09 srv"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\WgaTray.exe
c:\program files\Microsoft Hardware\Mouse\point32.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\rundll32.exe
c:\docume~1\Dennis\LOCALS~1\Temp\_iu14D2N.tmp
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-11-09 10:04:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-09 18:03:58
Pre-Run: 59,668,885,504 bytes free
Post-Run: 59,727,052,800 bytes free
winxpsp1_en_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /bootlog
524 --- E O F --- 2008-09-27 04:11:43
Fatboy_97
2008-11-09, 20:18
On a side note, the machine rebooted while running ComboFix. When it came back on, ThreatFire was running again trying to quarantine it! I deleted ThreatFire (figure I could get it again if I wanted) but don't know if it interfered with the scan. I also noticed on the scan that Ad-Aware was a running program so I'm gonna delete it too.
Let me know if you want to run a new scan.
Thanks, Dennis. :)
Fatboy_97
2008-11-09, 20:34
On another side note :red: I'm getting a "Messenger Service" popup that says
Message from FROM to TO on 2008-11-09 10:24
STOP! SYSTEM MAY REQUIRE IMMEDIATE ATTENTION
Your operating system registry might be corrupt
To optionally fix your system registry
1. Download Registry Update from: www.helpfixpc.com
2. Install Registy Update
3. Run Registry Update
4. Reboot your computer
FAILURE TO ACT MAY LEAD TO THE FOLLOWING:
1. The compromise of personal information stored on your computer
2. Slow speeds running programs or system failures.
And then it has an OK button at the bottom which I did not push. I just X'd out of it, but it does seem to come back quite often. :oops:
Hi,
Sorry for the delay. Power outages today because the hydro company was doing repairs.
Since you repair-installed Windows, this left you without the XP firewall enabled.
We need to turn that on, especially if not behind a router.
You're way behind in patches now so are very open to many attacks, but can't update to SP2 until we finish cleaning out the junk.
Turn on the XP firewall till we get to the point where we can install a 3rd party one.
How to:
Go to your control panel & double click "network connections"
Right click your network connection then hit properties.
Hit "advanced" tab.
Checkmark "protect my computer...." and OK out.
You should see the lock on your internet connection meaning firewalled.
XP firewall only monitors/controls incoming, but it is better than nothing.
----------------------
That message you get is from Messenger service spam.
Messenger service is often used in office type networks for admin to send messages to client computers.
However spammers have found this hole and use it to advertise their junk.
Typical home user will never have the need for this service.
When you had SP2, that disabled it, but since you are back at SP1 it is enabled by default.
We'll disable it & plug that hole & stop some of the traffic.
Click start> run> type services.msc and hit enter.
Scroll down to Messenger & double click it.
Change the startup type to disabled
Hit "stop"
Then Apply & OK out.
Exit services window.
Reboot machine
Run ComboFix again please & post the new C:\ComboFix.txt.
Create a new ERUNT backup when all done & a system restore point.
Next:
Download Dr.Web's CureIt to your desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, select the "full system scan"
Click the green arrow > to the right and the scan will begin.
At the first infection, select 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, click the "Select all" toggle button (if available) next to the files found
Then click the green cup icon right below and select Move incurable
This will move any infected files that can't be cured to the %userprofile%\DoctorWeb quarantine folder (in case we need samples).
Then, from the main Dr.Web CureIt menu (top left), click File and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web CureIt and restart your computer to completely remove any stubborn files on reboot.
Post back with the DrWeb.csv report please and a new HijackThis log.
Don't worry if DrWeb nuked parts of ComboFix. We can download it again later to finish repairs.
Let me know how system is running.
Do be extremely careful where you surf & what you download, emails and so on.
You have limited firewall, behind on service packs & you just uninstalled ThreatFire so you are very vulnerable to every piece of junk on the planet. :spider:
Don't run any of your p2p programs!
Thanks :)
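An added example, not from this thread and not part of ComboFix: a small Python triage script that reads the "Reg Loading Points" section of a ComboFix log in the format posted here and flags the settings the helper is worried about (standard-profile firewall off, Security Center warnings suppressed, ports opened to every address). The log excerpt inside it is constructed to mirror that format; the value names and spellings are the ones ComboFix prints.

```python
import re
from typing import Dict, List, Union

Value = Union[int, str]

# Constructed excerpt in the layout of ComboFix's "Reg Loading Points" section
# (not this thread's log verbatim), used as the sample input below.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
.
Contents of the 'Scheduled Tasks' folder
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{8})$")
DECIMAL_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")


def parse_value(raw: str) -> Value:
    """Turn the two numeric spellings ComboFix uses into an int; keep the rest as text."""
    raw = raw.strip()
    m = DWORD_RE.match(raw)            # dword:00000001
    if m:
        return int(m.group(1), 16)
    m = DECIMAL_RE.match(raw)          # 0 (0x0)
    if m:
        return int(m.group(1))
    return raw


def parse_reg_section(log_text: str) -> Dict[str, Dict[str, Value]]:
    """Collect [key] -> {name: value} from the Reg Loading Points section only.

    Parsing stops at the 'Scheduled Tasks' header that follows that section.
    Keys are lower-cased because registry paths are case-insensitive.
    """
    keys: Dict[str, Dict[str, Value]] = {}
    current = None
    in_section = False
    for line in log_text.splitlines():
        line = line.strip()
        if "Reg Loading Points" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("Contents of the 'Scheduled Tasks'"):
            break
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = parse_value(m.group(2))
    return keys


def weak_settings(keys: Dict[str, Dict[str, Value]]) -> List[str]:
    """Report the settings a helper would want fixed before anything else."""
    findings: List[str] = []
    for key, values in keys.items():
        if key.endswith("firewallpolicy\\standardprofile") and values.get("EnableFirewall") == 0:
            findings.append("firewall: Windows Firewall is off for the standard profile")
        if key.endswith("\\security center"):
            for name in ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"):
                if values.get(name) == 1:
                    findings.append(f"security center: {name} suppresses its warning")
        if key.endswith("globallyopenports\\list"):
            for name in values:
                findings.append(f"open port: {name} is allowed through from any address")
    return findings


if __name__ == "__main__":
    for finding in weak_settings(parse_reg_section(SAMPLE_LOG)):
        print(finding)
```

Point it at a real C:\ComboFix.txt by replacing SAMPLE_LOG with the file's contents; the firewall and Security Center lines are exactly the ones to compare against before and after re-enabling the firewall.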
Fatboy_97
2008-11-11, 05:54
Here's the ComboFix log:
ComboFix 08-11-07.01 - Dennis 2008-11-10 19:33:04.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.727 [GMT -8:00]
Running from: c:\documents and settings\Dennis\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80 . . . . failed to delete
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67 . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.
2008-11-08 17:57 . 2008-11-08 17:57 801,610 --a------ C:\QDATA02.IDX
2008-11-08 16:12 . 2008-11-08 16:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\NVIDIA
2008-11-08 13:39 . 2002-12-04 20:01 820,864 -ra------ c:\windows\system32\drivers\nvmcp.sys
2008-11-08 13:39 . 2002-12-04 20:01 241,664 -ra------ c:\windows\system32\drivers\nvapu.sys
2008-11-08 13:39 . 2002-12-04 20:01 62,336 -ra------ c:\windows\system32\drivers\nvarm.sys
2008-11-08 13:39 . 2002-12-04 20:01 44,032 -ra------ c:\windows\system32\OpenAL32.dll
2008-11-08 13:39 . 2002-12-04 20:01 44,032 -ra------ c:\windows\system32\nvopenal.dll
2008-11-08 13:39 . 2002-12-04 20:01 30,720 -ra------ c:\windows\system32\nvasio.dll
2008-11-08 13:39 . 2002-12-04 20:01 13,056 -ra------ c:\windows\system32\drivers\nvax.sys
2008-11-08 13:39 . 2002-12-04 20:01 5,120 -ra------ c:\windows\system32\ALut.dll
2008-11-08 13:39 . 2002-12-04 20:01 4,096 -ra------ c:\windows\system32\nvack.dll
2008-11-08 13:37 . 2002-08-29 02:01 134,272 --a------ c:\windows\system32\drivers\portcls.sys
2008-11-08 13:37 . 2002-08-29 02:01 134,272 --a--c--- c:\windows\system32\dllcache\portcls.sys
2008-11-08 13:37 . 2002-08-29 01:32 57,856 --a------ c:\windows\system32\drivers\drmk.sys
2008-11-08 13:37 . 2002-08-29 01:32 57,856 --a--c--- c:\windows\system32\dllcache\drmk.sys
2008-11-08 13:37 . 2001-08-17 22:37 22,016 --a------ c:\windows\system32\wdmaud.drv
2008-11-08 13:02 . 2002-10-03 23:23 80,896 -ra------ c:\windows\system32\drivers\NVENET.sys
2008-11-08 13:02 . 2002-10-03 23:23 1,024 -ra------ c:\windows\system32\drivers\jedih2rx.bin
2008-11-08 13:02 . 2002-10-03 23:23 122 -ra------ c:\windows\system32\drivers\ramsed.bin
2008-11-08 13:02 . 2002-10-03 23:23 42 -ra------ c:\windows\system32\drivers\jedireg.pat
2008-11-08 12:55 . 2008-11-08 12:55 3,813 --a------ c:\windows\Ascd_tmp.ini
2008-11-08 12:23 . 2008-11-08 13:04 <DIR> d-------- c:\windows\LastGood.Tmp
2008-11-08 09:59 . 2008-11-08 09:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-08 09:35 . 2006-10-22 12:22 208,896 --a------ c:\windows\system32\nvudisp.exe
2008-11-08 09:35 . 2008-11-10 19:40 88,566 --a------ c:\windows\system32\nvapps.xml
2008-11-08 09:35 . 2006-10-22 12:22 17,056 --a------ c:\windows\system32\nvdisp.nvu
2008-11-08 09:33 . 2006-10-22 15:06 208,896 --a------ c:\windows\system32\NVUNINST.EXE
2008-11-06 14:28 . 2008-11-06 14:28 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-11-06 14:28 . 2008-11-06 14:28 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Leadertech
2008-11-04 20:56 . 2008-11-04 21:12 3,484 --a------ c:\windows\system32\PerfStringBackup.TMP
2008-11-04 20:38 . 2002-08-29 04:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2008-11-04 20:37 . 2001-08-17 22:36 2,134,528 --a--c--- c:\windows\system32\dllcache\EXCH_smtpsnap.dll
2008-11-04 20:36 . 2008-11-04 20:36 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-11-04 20:36 . 2008-11-04 20:36 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-11-04 20:34 . 2002-08-29 04:00 106,562 --a--c--- c:\windows\system32\dllcache\srchctls.dll
2008-11-04 20:34 . 2008-11-04 20:34 749 -rah----- c:\windows\WindowsShell.Manifest
2008-11-04 20:34 . 2008-11-04 20:34 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2008-11-04 20:34 . 2008-11-04 20:34 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2008-11-04 20:34 . 2008-11-04 20:34 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2008-11-04 20:34 . 2008-11-04 20:34 488 -rah----- c:\windows\system32\logonui.exe.manifest
2008-11-04 20:31 . 2002-08-29 04:00 1,267,712 --a--c--- c:\windows\system32\dllcache\cimwin32.dll
2008-11-04 20:26 . 2001-08-17 13:59 50,048 --a------ c:\windows\system32\drivers\DMusic.sys
2008-11-04 20:26 . 2002-08-29 01:32 5,888 --a------ c:\windows\system32\drivers\splitter.sys
2008-11-04 20:11 . 2002-08-29 04:00 24,661 --a------ c:\windows\system32\spxcoins.dll
2008-11-04 20:11 . 2002-08-29 04:00 24,661 --a--c--- c:\windows\system32\dllcache\spxcoins.dll
2008-11-04 20:11 . 2002-08-29 04:00 13,312 --a------ c:\windows\system32\irclass.dll
2008-11-04 20:11 . 2002-08-29 04:00 13,312 --a--c--- c:\windows\system32\dllcache\irclass.dll
2008-11-04 20:10 . 2002-08-29 04:00 1,086,182 -ra------ c:\windows\SET60.tmp
2008-11-04 20:10 . 2002-08-29 04:00 13,608 -ra------ c:\windows\SET75.tmp
2008-11-04 12:36 . 2002-08-29 01:27 56,576 --a------ c:\windows\system32\drivers\redbook.sys
2008-11-04 12:32 . 2002-08-29 03:46 38,024 --a------ c:\windows\system32\drivers\termdd.sys
2008-11-04 12:31 . 2002-08-29 04:00 696,320 --a--c--- c:\windows\system32\dllcache\sapi.dll
2008-11-04 12:31 . 2002-08-29 04:00 147,456 --a--c--- c:\windows\system32\dllcache\sapi.cpl
2008-11-04 12:31 . 2002-08-29 04:00 132,096 --a------ c:\windows\system\WINSPOOL.DRV
2008-11-04 12:31 . 2002-08-29 03:41 71,168 --a------ c:\windows\system32\storprop.dll
2008-11-04 12:31 . 2002-08-29 04:00 22,016 --a--c--- c:\windows\system32\dllcache\agt0408.dll
2008-11-04 12:31 . 2002-08-29 04:00 19,968 --a--c--- c:\windows\system32\dllcache\agt040e.dll
2008-11-04 12:31 . 2002-08-29 04:00 19,456 --a--c--- c:\windows\system32\dllcache\agt041f.dll
2008-11-04 12:31 . 2002-08-29 04:00 19,456 --a--c--- c:\windows\system32\dllcache\agt0419.dll
2008-11-04 12:31 . 2002-08-29 04:00 19,456 --a--c--- c:\windows\system32\dllcache\agt0415.dll
2008-11-04 12:31 . 2002-08-29 04:00 19,456 --a--c--- c:\windows\system32\dllcache\agt0405.dll
2008-11-04 12:31 . 2002-08-29 04:00 10,496 --a------ c:\windows\system32\drivers\irenum.sys
2008-11-04 12:31 . 2002-08-29 04:00 10,496 --a--c--- c:\windows\system32\dllcache\irenum.sys
2008-10-29 19:10 . 2008-10-29 19:10 20,992 --ahs---- c:\windows\system32\accwizh.dll
2008-10-28 19:41 . 2008-10-28 19:41 <DIR> d-------- c:\program files\ERUNT
2008-10-24 21:34 . 2008-10-24 21:34 <DIR> d-------- C:\New Folder
2008-10-24 21:28 . 2008-10-24 21:28 <DIR> d-------- C:\backups
2008-10-20 17:17 . 2008-10-20 17:17 <DIR> d-------- c:\documents and settings\Guest\Application Data\MX
2008-10-18 16:57 . 2008-11-09 10:02 <DIR> d-------- c:\program files\ThreatFire
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-09 18:39 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-09 18:02 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-08 18:49 --------- d-----w c:\documents and settings\Dennis\Application Data\MSN6
2008-11-06 23:04 --------- d-----w c:\program files\MSN Messenger
2008-11-03 02:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-25 03:59 --------- d-----w c:\program files\Trend Micro
2008-10-19 17:37 --------- d-----w c:\program files\EA GAMES
2008-10-05 09:38 --------- d-----w c:\program files\Microsoft Silverlight
2008-09-30 04:45 --------- d-----w c:\program files\Palm
2008-09-30 04:44 --------- d-----w c:\program files\Common Files\Skyscape
2008-09-25 03:28 134,992 ----a-w C:\QDATA02OFXLOG.DAT
2008-09-19 21:20 --------- d-----w c:\program files\Lavasoft
2008-09-19 21:20 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-09-18 00:00 --------- d-----w c:\program files\Google
2008-09-16 04:36 --------- d-----w c:\program files\MSN Games
2008-09-16 04:34 --------- d-----w c:\program files\Yahoo!
2008-09-16 04:29 --------- d-----w c:\program files\Oberon Media
2008-09-15 07:56 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-14 20:42 92,672 ----a-w c:\documents and settings\Administrator\KillBox.exe
2008-09-12 08:36 30,592 ----a-w c:\windows\system32\drivers\Winvb84.sys
2008-09-12 00:55 --------- d-----w c:\documents and settings\Guest\Application Data\alot
2006-11-24 21:28 807,624 ----a-w c:\program files\DF_BHD_Pinger_5_0_BHD_TS_v1_5_0_5_-_Creator_Dstructr.zip
2006-07-11 23:00 5,632 --sha-w c:\program files\Thumbs.db
2005-02-10 07:01 79,068,001 ----a-w c:\program files\Blackopsv1.0.zip
2004-03-15 21:29 299,624 ----a-w c:\program files\dxwebsetup.exe
2003-10-16 00:07 2,245 ----a-w c:\program files\_FILES.PFF
2003-10-14 22:49 84 ----a-w c:\program files\UPDATE.WIZ
2003-10-13 22:31 403 ----a-w c:\program files\STARTUP.HTM
2003-10-06 20:29 4,244 ----a-w c:\program files\Gameerr.bin
2003-10-02 17:18 95,377 ----a-w c:\program files\dfvgame.LWF
2003-09-26 22:21 74,534 ----a-w c:\program files\MogSlm04.3di
2003-09-25 23:44 51,529 ----a-w c:\program files\Gametext.bin
2003-09-25 23:04 353,399 ----a-w c:\program files\FAH6b.3di
2003-09-25 23:03 399,366 ----a-w c:\program files\FAH6a.3di
2003-09-25 22:51 644,422 ----a-w c:\program files\fblkhawk.3di
2003-09-25 22:50 668,018 ----a-w c:\program files\fblkhawf.3di
2003-09-25 22:42 649,693 ----a-w c:\program files\fblkhawd.3di
2003-09-24 22:07 116,841 ----a-w c:\program files\ammo.def
2003-09-23 23:55 81,705 ----a-w c:\program files\weapon.def
2003-09-18 21:27 30,647 ----a-w c:\program files\menutxt.bin
2003-09-17 01:29 29,731 ----a-w c:\program files\EMOTE13.bad
2003-09-16 21:46 8,286 ----a-w c:\program files\DELTA01.ADM
2003-09-16 18:04 1,194,796 ----a-w c:\program files\RE_Bsmt.3di
2003-09-16 16:56 49,566 ----a-w c:\program files\MogSlm01.3di
2003-09-15 20:37 73,497 ----a-w c:\program files\dfvmenus.mnu
2003-07-10 21:35 10,538 ----a-w c:\program files\airexp2.ptl
2003-07-10 21:35 1,614 ----a-w c:\program files\bcasings.ptl
2003-07-10 21:35 1,573 ----a-w c:\program files\casings.ptl
2003-07-08 20:47 18,629 ----a-w c:\program files\bird1.pcx
2003-05-30 21:38 4,553 ----a-w c:\program files\ADP_11B.til
2003-05-30 21:38 4,553 ----a-w c:\program files\ADP_11A.til
2003-05-30 21:38 25,647 ----a-w c:\program files\ADP_11B.bms
2003-05-30 21:38 25,647 ----a-w c:\program files\ADP_11A.bms
2003-05-20 21:11 9,173 ----a-w c:\program files\KYLE.WAC
2003-05-07 17:28 225,045 ----a-w c:\program files\Btn_ign.tga
2003-04-17 23:47 185,371 ----a-w c:\program files\FHum50N.3di
2003-04-17 23:32 190,602 ----a-w c:\program files\FHum50X.3di
2003-04-17 23:18 167,321 ----a-w c:\program files\FHum50P.3di
2003-04-17 23:04 167,156 ----a-w c:\program files\FHum50.3di
2003-04-14 23:16 28,805 ----a-w c:\program files\FBK_03a.bms
2003-04-14 23:16 28,793 ----a-w c:\program files\FBK_03b.bms
2003-04-14 23:16 1,540 ----a-w c:\program files\FBK_03b.til
2003-04-14 23:16 1,540 ----a-w c:\program files\FBK_03a.til
2003-04-10 21:58 1,486,671 ----a-w c:\program files\BHD_ups2.tga
2003-04-09 20:47 64,693 ----a-w c:\program files\SPBHD_14.bms
2003-04-09 20:47 2,233 ----a-w c:\program files\SPBHD_14.til
2003-04-04 22:49 242,110 ----a-w c:\program files\Btn_gmdm.tga
2003-04-04 22:33 254,761 ----a-w c:\program files\Btn_zila.tga
2003-04-04 22:27 102,727 ----a-w c:\program files\Btn_lnk2.tga
2003-04-04 22:23 59,374 ----a-w c:\program files\Btn_ext2.tga
2003-03-26 18:43 28,122 ----a-w c:\program files\SDK_01b.bms
2003-03-26 18:43 10,401 ----a-w c:\program files\SDK_01b.til
2003-03-26 18:41 5,140 ----a-w c:\program files\ADK_02b.til
2003-03-26 18:41 30,835 ----a-w c:\program files\ADK_02b.bms
2003-03-26 18:40 30,101 ----a-w c:\program files\ADK_01b.bms
2003-03-26 18:40 10,429 ----a-w c:\program files\ADK_01b.til
2003-03-25 23:32 32,592 ----a-w c:\program files\CTFK_02b.bms
2003-03-25 23:32 10,455 ----a-w c:\program files\CTFK_02b.til
2003-03-25 23:28 30,106 ----a-w c:\program files\ADK_01a.bms
2003-03-25 23:28 10,429 ----a-w c:\program files\ADK_01a.til
2003-03-25 22:21 13,774 ----a-w c:\program files\dfvdbgov.mnu
2003-03-25 18:52 73,378 ----a-w c:\program files\MogBlk07.3DI
2003-03-25 18:16 31,569 ----a-w c:\program files\SDM_01b.bms
2003-03-25 18:15 31,551 ----a-w c:\program files\SDM_01a.bms
2003-03-25 18:09 6,396 ----a-w c:\program files\DMM_01h.til
2003-03-25 18:09 39,417 ----a-w c:\program files\DMM_01h.bms
2003-03-25 18:03 6,396 ----a-w c:\program files\CTFK_03a.til
2003-03-25 18:03 41,222 ----a-w c:\program files\CTFK_03a.bms
2003-03-25 17:59 6,396 ----a-w c:\program files\CTFK_03b.til
2003-03-25 17:59 41,225 ----a-w c:\program files\CTFK_03b.bms
2003-03-24 22:44 6,569 ----a-w c:\program files\zboard.key
2003-03-24 21:13 31,939 ----a-w c:\program files\SDM_02b.bms
2003-03-24 21:01 20,403 ----a-w c:\program files\SDP_01B.bms
2003-03-24 20:52 19,433 ----a-w c:\program files\SDM_01f.bms
2003-03-24 18:54 55,788 ----a-w c:\program files\CTFM_05B.bms
2003-03-24 18:50 55,998 ----a-w c:\program files\CTFM_05A.bms
2003-03-21 23:15 44,500 ----a-w c:\program files\SPBHD_13.bms
2003-03-21 23:15 10,567 ----a-w c:\program files\SPBHD_13.til
2003-03-21 17:18 31,450 ----a-w c:\program files\TKHM_02b.bms
2003-03-21 17:16 31,424 ----a-w c:\program files\TKHM_02a.bms
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 401491]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-09-17 171448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneTouch Monitor"="c:\progra~1\VISION~1\ONETOU~2.EXE" [2001-10-16 86016]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-10-22 86016]
"nForce Tray Options"="sstray.exe" [2002-11-12 c:\windows\system32\sstray.exe]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-12 45056]
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2007-12-25 28672]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-06-09 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\system32\ctmp3.acm
"MSACM.CEGSM"= mobilev.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Dennis\\Local Settings\\Application Data\\Abacast\\Abaclient.exe"=
"c:\\Documents and Settings\\Dennis\\Local Settings\\Application Data\\Abacast\\Abaclient2.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\System32\DRIVERS\si3112r.sys [2005-11-10 102400]
.
Contents of the 'Scheduled Tasks' folder
2008-11-11 c:\windows\Tasks\User_Feed_Synchronization-{41111FB6-E87B-4712-9635-90034B0CC9F3}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Dennis\Application Data\Mozilla\Firefox\Profiles\nj8ii6fe.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 19:40:26
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AlerterRasAutoAticlr_optimization_v2.0.50727_32]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AlerterRpcSs]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AppMgmtCiSvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AppMgmtCiSvcFastUserSwitchingCompatibility]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AppMgmtFastUserSwitchingCompatibility]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService PMSP Service]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AppMgmtFastUserSwitchingCompatibilityTrkWksImapiServiceMessengerRSVP]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AppMgmtFastUserSwitchingCompatibilityTrkWksImapiServiceNetman]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\aspnet_stateLmHosts]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Aticlr_optimization_v2.0.50727_32]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Aticlr_optimization_v2.0.50727_32AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AudioSrvRDSessMgr]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\BITSDcomLaunch]
"ImagePath"=" û\06 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Browseraspnet_stateLmHosts]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Browserwuauserv]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\BrowserwuauservALG]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\BrowserwuauservW32TimeSpoolerNVSvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ClipSrvSSDPSRVEventSystemwuauservEventlogImapiServicegusvc]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\clr_optimization_v2.0.50727_32RasMan]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\COMSysAppFastUserSwitchingCompatibility]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\COMSysAppFastUserSwitchingCompatibilityWMPNetworkSvcWebClient]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\DhcpNetman]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\dmadminEventlog]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Dnscachegusvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\EventSystemgusvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\EventSystemgusvcWMPNetworkSvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\gusvcstisvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HidServaspnet_state]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LmHostsNtLmSsp]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MessengerRSVP]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSDTCWZCSVC]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility Smart]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSIServerTrkWksALG]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetDDEclr_optimization_v2.0.50727_32]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetDDEdsdm Smart]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetDDEdsdmgusvcstisvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetmanSamSs]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetmanWMPNetworkSvcNtmsSvc]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NlaSENS]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NVSvchkmsvc]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NVSvcRemoteAccess]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NVSvcRemoteAccessDhcpNetman]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PolicyAgentWebClient]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PolicyAgentWebClientWmiApSrv]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RasAutoAticlr_optimization_v2.0.50727_32]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RemoteAccessNtLmSsp]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RemoteAccessPolicyAgentWebClient]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RpcLocatorRemoteAccessNtLmSsp]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SCardSvrThemes]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\seclogonALG]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SharedAccessWMPNetworkSvcNtmsSvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ShellHWDetection Service for CDROM Access]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ShellHWDetectionIDriverT]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ShellHWDetectionIDriverTPlugPlay]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ShellHWDetectionIDriverTPlugPlayNVSvcRemoteAccess]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ShellHWDetectionIDriverTPlugPlayRpcLocatorRemoteAccessNtLmSsp]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Spooler Smart]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SpoolerAudioSrvRDSessMgr]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SpoolerAudioSrvRDSessMgrTrkWksALGSSDPSRVEventSystemwuauservEventlogImapiServicegusvc]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SpoolerNVSvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SSDPSRVEventSystem]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SSDPSRVEventSystemwuauservEventlogImapiServicegusvc]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SwPrvSharedAccess]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SysmonLogAppMgmtCiSvcFastUserSwitchingCompatibility]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TrkWksALG]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TrkWksALGSSDPSRVEventSystemwuauservEventlogImapiServicegusvc]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TrkWksImapiService]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TrkWkslanmanserver]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TrkWksNetmanSamSs]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UPSAudioSrvRDSessMgr]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\W32TimeSpoolerNVSvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\winmgmtWmdmPmSNaspnet_stateLmHosts]
"ImagePath"=" û\06 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WmdmPmSNaspnet_stateLmHosts]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WmiApSrvAppMgmtCiSvcFastUserSwitchingCompatibility]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WmiApSrvRemoteAccessNtLmSsp]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WMPNetworkSvcNtmsSvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WMPNetworkSvcNtmsSvcTermService]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WMPNetworkSvcWebClient]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WMPNetworkSvcWebClientDhcp]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wscsvc Service for CDROM Access]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wscsvcDhcp]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wuauservDhcp]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wuauservEventlog]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wuauservEventlogImapiService]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wuauservEventlogImapiServicegusvc]
"ImagePath"="ð%€|x\01\09 srv"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\WgaTray.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-11-10 19:48:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-11 03:48:37
ComboFix2.txt 2008-11-09 18:04:04
Pre-Run: 59,642,912,768 bytes free
Post-Run: 59,623,510,016 bytes free
448 --- E O F --- 2008-09-27 04:11:43
Fatboy_97
2008-11-11, 12:52
Wow, a little over 6 hours of scanning! Here's the DrWeb scan:
RegUBP2b-Dennis.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
107cd1bb-1e50329c\MagicApplet.class;C:\Documents and Settings\Denice\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-1e50329c;VBS.Siggen.1989;;
107cd1bb-1e50329c\OwnClassLoader.class;C:\Documents and Settings\Denice\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-1e50329c;Exploit.ByteVerify;;
107cd1bb-1e50329c\ProxyClassLoader.class;C:\Documents and Settings\Denice\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-1e50329c;Exploit.ByteVerify;;
107cd1bb-1e50329c\Installer.class;C:\Documents and Settings\Denice\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-1e50329c;VBS.Siggen.5970;;
107cd1bb-1e50329c;C:\Documents and Settings\Denice\Application Data\Sun\Java\Deployment\cache\6.0\59;Archive contains infected objects;Moved.;
.tt12.tmp.vbs;C:\Documents and Settings\Denice\Local Settings\Temp;Trojan.ResetSR;Deleted.;
.tt13.tmp.vbs;C:\Documents and Settings\Denice\Local Settings\Temp;Trojan.ResetSR;Deleted.;
.tt16.tmp.vbs;C:\Documents and Settings\Denice\Local Settings\Temp;Trojan.ResetSR;Deleted.;
.tt2.tmp.vbs;C:\Documents and Settings\Denice\Local Settings\Temp;Trojan.ResetSR;Deleted.;
.tt3.tmp.vbs;C:\Documents and Settings\Denice\Local Settings\Temp;Trojan.ResetSR;Deleted.;
.tt3B.tmp.vbs;C:\Documents and Settings\Denice\Local Settings\Temp;Trojan.ResetSR;Deleted.;
.tt4.tmp.vbs;C:\Documents and Settings\Denice\Local Settings\Temp;Trojan.ResetSR;Deleted.;
.tt5.tmp.vbs;C:\Documents and Settings\Denice\Local Settings\Temp;Trojan.ResetSR;Deleted.;
.tt6.tmp.vbs;C:\Documents and Settings\Denice\Local Settings\Temp;Trojan.ResetSR;Deleted.;
.tt7.tmp.vbs;C:\Documents and Settings\Denice\Local Settings\Temp;Trojan.ResetSR;Deleted.;
.tt8.tmp.vbs;C:\Documents and Settings\Denice\Local Settings\Temp;Trojan.ResetSR;Deleted.;
.ttD.tmp.vbs;C:\Documents and Settings\Denice\Local Settings\Temp;Trojan.ResetSR;Deleted.;
ComboFix.exe\32788R22FWJFW\C.bat;C:\Documents and Settings\Dennis\Desktop\ComboFix.exe;Probably BATCH.Virus;;
ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Dennis\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Dennis\Desktop;Archive contains infected objects;Moved.;
smitRem.exe\smitRem/Process.exe;C:\Documents and Settings\Dennis\My Documents\smitRem.exe;Tool.Prockill;;
smitRem.exe\smitRem/pv.exe;C:\Documents and Settings\Dennis\My Documents\smitRem.exe;Program.PrcView.3741;;
smitRem.exe;C:\Documents and Settings\Dennis\My Documents;Archive contains infected objects;Moved.;
TumblebugsSetup-dm[1].exe;C:\Downloads;Adware.TryMedia;Moved.;
618496_5c3317489_\sdcmon.dll;C:\Program Files\Support.com\backup\sd\sdcmon.dll\618496_5c3317489_;Probably DLOADER.Trojan;;
618496_5c3317489_;C:\Program Files\Support.com\backup\sd\sdcmon.dll;Archive contains infected objects;Moved.;
819200_5be9d0a24_\tgupdate.exe;C:\Program Files\Support.com\backup\tg\tgupdate.exe\819200_5be9d0a24_;Probably DLOADER.Trojan;;
819200_5be9d0a24_;C:\Program Files\Support.com\backup\tg\tgupdate.exe;Archive contains infected objects;Moved.;
sdcmon.dll;C:\Program Files\Support.com\bin;Probably DLOADER.Trojan;Moved.;
tgupdate.exe;C:\Program Files\Support.com\bin;Probably DLOADER.Trojan;Moved.;
brastk.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS;Trojan.Packed.1214;Deleted.;
karina.dat.vir;C:\Qoobox\Quarantine\C\WINDOWS;Trojan.Proxy.1739;Deleted.;
karna.dat.vir;C:\Qoobox\Quarantine\C\WINDOWS;Trojan.Proxy.1739;Deleted.;
7.tmp.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Fakealert.1321;Deleted.;
karna.dat.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Proxy.1739;Deleted.;
WinCtrl32.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;BackDoor.Bulknet.314;Deleted.;
WinCtrl32.dl_.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;BackDoor.Bulknet.314;Deleted.;
wini10541.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Fakealert.1475;Deleted.;
125.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.Fakealert.1321;Deleted.;
156.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.Packed.636;Deleted.;
171.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.Packed.636;Deleted.;
187.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.DownLoad.4608;Deleted.;
203.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.DownLoad.4608;Deleted.;
31.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.Packed.638;Deleted.;
343.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.Packed.638;Deleted.;
437.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.DownLoad.12590;Deleted.;
531.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.Fakealert.1321;Deleted.;
546.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.DownLoad.4608;Deleted.;
578.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.DownLoad.12590;Deleted.;
640.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.MulDrop.17829;Deleted.;
687.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.Packed.638;Deleted.;
718.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.Packed.638;Deleted.;
796.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.Fakealert.1321;Deleted.;
843.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.DownLoad.4608;Deleted.;
890.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.Fakealert.1321;Deleted.;
906.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.Fakealert.1321;Deleted.;
937.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.Packed.638;Deleted.;
984.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.Packed.638;Deleted.;
A0000002.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP0;BackDoor.Bulknet.300;Deleted.;
A0000037.reg;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP0;Trojan.StartPage.1505;Deleted.;
A0000059.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP0;BackDoor.Bulknet.300;Deleted.;
A0001059.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP0;BackDoor.Bulknet.300;Deleted.;
A0001065.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP0;BackDoor.Bulknet.300;Deleted.;
A0002065.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP0;BackDoor.Bulknet.300;Deleted.;
A0002069.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP0;BackDoor.Bulknet.300;Deleted.;
A0002072.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP0;BackDoor.Bulknet.300;Deleted.;
A0002076.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP0;BackDoor.Bulknet.300;Deleted.;
A0003076.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP0;BackDoor.Bulknet.300;Deleted.;
A0003080.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP0;BackDoor.Bulknet.300;Deleted.;
A0004080.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP0;BackDoor.Bulknet.300;Deleted.;
A0004083.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP0;BackDoor.Bulknet.300;Deleted.;
A0005083.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP0;BackDoor.Bulknet.300;Deleted.;
A0005093.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP0;BackDoor.Bulknet.300;Deleted.;
A0006093.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP0;BackDoor.Bulknet.300;Deleted.;
A0006096.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP0;BackDoor.Bulknet.300;Deleted.;
A0007097.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP1;BackDoor.Bulknet.300;Deleted.;
A0008096.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP1;BackDoor.Bulknet.300;Deleted.;
A0009096.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP1;BackDoor.Bulknet.300;Deleted.;
A0010096.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP1;BackDoor.Bulknet.300;Deleted.;
A0010099.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP1;BackDoor.Bulknet.300;Deleted.;
A0011099.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP1;BackDoor.Bulknet.300;Deleted.;
A0012099.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP1;BackDoor.Bulknet.300;Deleted.;
A0013099.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP1;BackDoor.Bulknet.300;Deleted.;
A0013102.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP1;BackDoor.Bulknet.300;Deleted.;
A0016452.sys;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP11;Trojan.Rntm.10;Deleted.;
A0016463.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP11;BackDoor.Bulknet.300;Deleted.;
A0016485.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP11;BackDoor.Bulknet.314;Deleted.;
A0016490.sys;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP11;Trojan.Rntm.10;Deleted.;
A0016532.exe\32788R22FWJFW\C.bat;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP11\A0016532.exe;Probably BATCH.Virus;;
A0016532.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP11\A0016532.exe;Program.PsExec.171;;
A0016532.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP11;Archive contains infected objects;Moved.;
A0016533.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.Click.19754;Deleted.;
A0016536.exe\32788R22FWJFW\C.bat;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12\A0016536.exe;Probably BATCH.Virus;;
A0016536.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12\A0016536.exe;Program.PsExec.171;;
A0016536.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Archive contains infected objects;Moved.;
A0016544.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.Packed.1214;Deleted.;
A0016547.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;BackDoor.Bulknet.314;Deleted.;
A0016551.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.Fakealert.1475;Deleted.;
A0016553.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.Fakealert.1321;Deleted.;
A0016554.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.Packed.636;Deleted.;
A0016555.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.Packed.636;Deleted.;
A0016556.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.DownLoad.4608;Deleted.;
A0016557.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.DownLoad.4608;Deleted.;
A0016558.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.Packed.638;Deleted.;
A0016560.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.Packed.638;Deleted.;
A0016561.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.DownLoad.12590;Deleted.;
A0016563.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.Fakealert.1321;Deleted.;
A0016564.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.DownLoad.4608;Deleted.;
A0016565.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.DownLoad.12590;Deleted.;
A0016566.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.MulDrop.17829;Deleted.;
A0016567.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.Packed.638;Deleted.;
A0016569.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.Packed.638;Deleted.;
A0016572.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.Fakealert.1321;Deleted.;
A0016573.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.DownLoad.4608;Deleted.;
A0016574.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.Fakealert.1321;Deleted.;
A0016575.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.Fakealert.1321;Deleted.;
A0016577.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.Packed.638;Deleted.;
A0016579.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.Packed.638;Deleted.;
A0016591.bat;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Probably BATCH.Virus;Moved.;
A0016680.EXE;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Program.PsExec.170;Moved.;
A0016681.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.Click.19754;Deleted.;
A0016682.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.Click.19754;Deleted.;
A0016683.scr;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12;Trojan.Fakealert.1321;Deleted.;
MFEX-1.DAT;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP12\snapshot;BackDoor.Bulknet.314;Deleted.;
A0016808.bat;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP14;Probably BATCH.Virus;Moved.;
A0016815.EXE;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP14;Program.PsExec.170;Moved.;
A0016851.reg;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP15;Trojan.StartPage.1505;Deleted.;
A0016852.exe\32788R22FWJFW\C.bat;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP15\A0016852.exe;Probably BATCH.Virus;;
A0016852.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP15\A0016852.exe;Program.PsExec.171;;
A0016852.exe;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP15;Archive contains infected objects;Moved.;
A0014102.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP2;BackDoor.Bulknet.300;Deleted.;
A0014141.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP2;BackDoor.Bulknet.300;Deleted.;
A0015155.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP2;BackDoor.Bulknet.300;Deleted.;
A0016141.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP2;BackDoor.Bulknet.300;Deleted.;
A0016146.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP2;BackDoor.Bulknet.300;Deleted.;
A0016271.dll;C:\System Volume Information\_restore{ACCA21CA-BF96-472C-ACAB-F72510896CE8}\RP2;BackDoor.Bulknet.300;Deleted.;
popcaploader.dll;C:\WINDOWS\Downloaded Program Files;Program.PopcapLoader;Moved.;
13.tmp;C:\WINDOWS\system32;Trojan.Fakealert.1321;Deleted.;
14.tmp;C:\WINDOWS\system32;Trojan.Fakealert.1321;Deleted.;
Fatboy_97
2008-11-11, 12:55
And the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:19 AM, on 11/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--584a3e87-b556-4d06-99f4-d3fef0181acd/online/Diner_Dash_3/en/ddfotg.1.0.0.37.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--b256506b-ac80-48e4-a440-84eccfa8b5f5/online/diner_dash/en/DinerDash.1.0.0.80.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alerter AlerterRasAutoAticlr_optimization_v2.0.50727_32 (AlerterRasAutoAticlr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\
O23 - Service: Alerter AlerterRpcSs (AlerterRpcSs) - Unknown owner - .exe (file missing)
O23 - Service: Application Management AppMgmtCiSvc (AppMgmtCiSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Application Management AppMgmtCiSvc AppMgmtCiSvcFastUserSwitchingCompatibility (AppMgmtCiSvcFastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\
O23 - Service: Application Management AppMgmtFastUserSwitchingCompatibility (AppMgmtFastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\
O23 - Service: Application Management AppMgmtFastUserSwitchingCompatibility AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService (AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService) - Unknown owner - C:\WINDOWS\
O23 - Service: Application Management AppMgmtFastUserSwitchingCompatibility AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService PMSP Service (AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService PMSP Service) - Unknown owner - C:\WINDOWS\
O23 - Service: Application Management AppMgmtFastUserSwitchingCompatibility AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService PMSP Service AppMgmtFastUserSwitchingCompatibilityTrkWksImapiServiceMessengerRSVP (AppMgmtFastUserSwitchingCompatibilityTrkWksImapiServiceMessengerRSVP) - Unknown owner - .exe (file missing)
O23 - Service: Application Management AppMgmtFastUserSwitchingCompatibility AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService AppMgmtFastUserSwitchingCompatibilityTrkWksImapiServiceNetman (AppMgmtFastUserSwitchingCompatibilityTrkWksImapiServiceNetman) - Unknown owner - C:\WINDOWS\
O23 - Service: ASP.NET State Service aspnet_stateLmHosts (aspnet_stateLmHosts) - Unknown owner - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Ati HotKey Poller Aticlr_optimization_v2.0.50727_32 (Aticlr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\
O23 - Service: Ati HotKey Poller Aticlr_optimization_v2.0.50727_32 Aticlr_optimization_v2.0.50727_32AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService (Aticlr_optimization_v2.0.50727_32AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService) - Unknown owner - .exe (file missing)
O23 - Service: Windows Audio AudioSrvRDSessMgr (AudioSrvRDSessMgr) - Unknown owner - C:\WINDOWS\
O23 - Service: Background Intelligent Transfer Service BITSDcomLaunch (BITSDcomLaunch) - Unknown owner - .exe (file missing)
O23 - Service: Computer Browser Browseraspnet_stateLmHosts (Browseraspnet_stateLmHosts) - Unknown owner - .exe (file missing)
O23 - Service: Computer Browser Browserwuauserv (Browserwuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: Computer Browser Browserwuauserv BrowserwuauservALG (BrowserwuauservALG) - Unknown owner - C:\WINDOWS\
O23 - Service: Computer Browser Browserwuauserv BrowserwuauservW32TimeSpoolerNVSvc (BrowserwuauservW32TimeSpoolerNVSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: ClipBook ClipSrvSSDPSRVEventSystemwuauservEventlogImapiServicegusvc (ClipSrvSSDPSRVEventSystemwuauservEventlogImapiServicegusvc) - Unknown owner - .exe (file missing)
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32RasMan (clr_optimization_v2.0.50727_32RasMan) - Unknown owner - C:\WINDOWS\
O23 - Service: COM+ System Application COMSysAppFastUserSwitchingCompatibility (COMSysAppFastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\
O23 - Service: COM+ System Application COMSysAppFastUserSwitchingCompatibility COMSysAppFastUserSwitchingCompatibilityWMPNetworkSvcWebClient (COMSysAppFastUserSwitchingCompatibilityWMPNetworkSvcWebClient) - Unknown owner - C:\WINDOWS\
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DHCP Client DhcpNetman (DhcpNetman) - Unknown owner - .exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service dmadminEventlog (dmadminEventlog) - Unknown owner - C:\WINDOWS\
O23 - Service: DNS Client Dnscachegusvc (Dnscachegusvc) - Unknown owner - C:\WINDOWS\
O23 - Service: COM+ Event System EventSystemgusvc (EventSystemgusvc) - Unknown owner - C:\WINDOWS\
O23 - Service: COM+ Event System EventSystemgusvc EventSystemgusvcWMPNetworkSvc (EventSystemgusvcWMPNetworkSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Google Updater Service gusvcstisvc (gusvcstisvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Human Interface Device Access HidServaspnet_state (HidServaspnet_state) - Unknown owner - .exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TCP/IP NetBIOS Helper LmHostsNtLmSsp (LmHostsNtLmSsp) - Unknown owner - C:\WINDOWS\
O23 - Service: Messenger MessengerRSVP (MessengerRSVP) - Unknown owner - .exe (file missing)
O23 - Service: Distributed Transaction Coordinator MSDTCWZCSVC (MSDTCWZCSVC) - Unknown owner - C:\WINDOWS\
O23 - Service: Distributed Transaction Coordinator MSDTCWZCSVC MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility (MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility) - Unknown owner - .exe (file missing)
O23 - Service: Distributed Transaction Coordinator MSDTCWZCSVC MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility Smart (MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility Smart) - Unknown owner - .exe (file missing)
O23 - Service: Windows Installer MSIServerTrkWksALG (MSIServerTrkWksALG) - Unknown owner - .exe (file missing)
O23 - Service: Network DDE NetDDEclr_optimization_v2.0.50727_32 (NetDDEclr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\
O23 - Service: Network DDE DSDM NetDDEdsdm Smart (NetDDEdsdm Smart) - Unknown owner - C:\WINDOWS\
O23 - Service: Network DDE DSDM NetDDEdsdmgusvcstisvc (NetDDEdsdmgusvcstisvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Network Connections NetmanSamSs (NetmanSamSs) - Unknown owner - .exe (file missing)
O23 - Service: Network Connections NetmanWMPNetworkSvcNtmsSvc (NetmanWMPNetworkSvcNtmsSvc) - Unknown owner - .exe (file missing)
O23 - Service: Network Location Awareness (NLA) NlaSENS (NlaSENS) - Unknown owner - C:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: NVIDIA Driver Helper Service NVSvchkmsvc (NVSvchkmsvc) - Unknown owner - .exe (file missing)
O23 - Service: NVIDIA Driver Helper Service NVSvcRemoteAccess (NVSvcRemoteAccess) - Unknown owner - C:\WINDOWS\
O23 - Service: NVIDIA Driver Helper Service NVSvcRemoteAccess NVSvcRemoteAccessDhcpNetman (NVSvcRemoteAccessDhcpNetman) - Unknown owner - .exe (file missing)
O23 - Service: IPSEC Services PolicyAgentWebClient (PolicyAgentWebClient) - Unknown owner - C:\WINDOWS\
O23 - Service: IPSEC Services PolicyAgentWebClient PolicyAgentWebClientWmiApSrv (PolicyAgentWebClientWmiApSrv) - Unknown owner - .exe (file missing)
O23 - Service: Remote Access Auto Connection Manager RasAutoAticlr_optimization_v2.0.50727_32 (RasAutoAticlr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\
O23 - Service: Routing and Remote Access RemoteAccessNtLmSsp (RemoteAccessNtLmSsp) - Unknown owner - C:\WINDOWS\
O23 - Service: Routing and Remote Access RemoteAccessPolicyAgentWebClient (RemoteAccessPolicyAgentWebClient) - Unknown owner - .exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator RpcLocatorRemoteAccessNtLmSsp (RpcLocatorRemoteAccessNtLmSsp) - Unknown owner - C:\WINDOWS\
O23 - Service: Smart Card SCardSvrThemes (SCardSvrThemes) - Unknown owner - C:\WINDOWS\
O23 - Service: Secondary Logon seclogonALG (seclogonALG) - Unknown owner - .exe (file missing)
O23 - Service: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) SharedAccessWMPNetworkSvcNtmsSvc (SharedAccessWMPNetworkSvcNtmsSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Shell Hardware Detection ShellHWDetection Service for CDROM Access (ShellHWDetection Service for CDROM Access) - Unknown owner - C:\WINDOWS\
O23 - Service: Shell Hardware Detection ShellHWDetectionIDriverT (ShellHWDetectionIDriverT) - Unknown owner - C:\WINDOWS\
O23 - Service: Shell Hardware Detection ShellHWDetectionIDriverT ShellHWDetectionIDriverTPlugPlay (ShellHWDetectionIDriverTPlugPlay) - Unknown owner - .exe (file missing)
O23 - Service: Shell Hardware Detection ShellHWDetectionIDriverT ShellHWDetectionIDriverTPlugPlay ShellHWDetectionIDriverTPlugPlayNVSvcRemoteAccess (ShellHWDetectionIDriverTPlugPlayNVSvcRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: Shell Hardware Detection ShellHWDetectionIDriverT ShellHWDetectionIDriverTPlugPlay ShellHWDetectionIDriverTPlugPlayRpcLocatorRemoteAccessNtLmSsp (ShellHWDetectionIDriverTPlugPlayRpcLocatorRemoteAccessNtLmSsp) - Unknown owner - .exe (file missing)
O23 - Service: Print Spooler Spooler Smart (Spooler Smart) - Unknown owner - C:\WINDOWS\
O23 - Service: Print Spooler SpoolerAudioSrvRDSessMgr (SpoolerAudioSrvRDSessMgr) - Unknown owner - C:\WINDOWS\
O23 - Service: Print Spooler SpoolerAudioSrvRDSessMgr SpoolerAudioSrvRDSessMgrTrkWksALGSSDPSRVEventSystemwuauservEventlogImapiServicegusvc (SpoolerAudioSrvRDSessMgrTrkWksALGSSDPSRVEventSystemwuauservEventlogImapiServicegusvc) - Unknown owner - .exe (file missing)
O23 - Service: Print Spooler SpoolerNVSvc (SpoolerNVSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: SSDP Discovery Service SSDPSRVEventSystem (SSDPSRVEventSystem) - Unknown owner - C:\WINDOWS\
O23 - Service: SSDP Discovery Service SSDPSRVEventSystem SSDPSRVEventSystemwuauservEventlogImapiServicegusvc (SSDPSRVEventSystemwuauservEventlogImapiServicegusvc) - Unknown owner - .exe (file missing)
O23 - Service: MS Software Shadow Copy Provider SwPrvSharedAccess (SwPrvSharedAccess) - Unknown owner - C:\WINDOWS\
O23 - Service: Performance Logs and Alerts SysmonLogAppMgmtCiSvcFastUserSwitchingCompatibility (SysmonLogAppMgmtCiSvcFastUserSwitchingCompatibility) - Unknown owner - .exe (file missing)
O23 - Service: Distributed Link Tracking Client TrkWksALG (TrkWksALG) - Unknown owner - C:\WINDOWS\
O23 - Service: Distributed Link Tracking Client TrkWksALG TrkWksALGSSDPSRVEventSystemwuauservEventlogImapiServicegusvc (TrkWksALGSSDPSRVEventSystemwuauservEventlogImapiServicegusvc) - Unknown owner - .exe (file missing)
O23 - Service: Distributed Link Tracking Client TrkWksImapiService (TrkWksImapiService) - Unknown owner - C:\WINDOWS\
O23 - Service: Distributed Link Tracking Client TrkWkslanmanserver (TrkWkslanmanserver) - Unknown owner - .exe (file missing)
O23 - Service: Distributed Link Tracking Client TrkWksNetmanSamSs (TrkWksNetmanSamSs) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSAudioSrvRDSessMgr (UPSAudioSrvRDSessMgr) - Unknown owner - C:\WINDOWS\
O23 - Service: Windows Time W32TimeSpoolerNVSvc (W32TimeSpoolerNVSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Windows Management Instrumentation winmgmtWmdmPmSNaspnet_stateLmHosts (winmgmtWmdmPmSNaspnet_stateLmHosts) - Unknown owner - .exe (file missing)
O23 - Service: Portable Media Serial Number Service WmdmPmSNaspnet_stateLmHosts (WmdmPmSNaspnet_stateLmHosts) - Unknown owner - .exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvAppMgmtCiSvcFastUserSwitchingCompatibility (WmiApSrvAppMgmtCiSvcFastUserSwitchingCompatibility) - Unknown owner - .exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvRemoteAccessNtLmSsp (WmiApSrvRemoteAccessNtLmSsp) - Unknown owner - .exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service WMPNetworkSvcNtmsSvc (WMPNetworkSvcNtmsSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Windows Media Player Network Sharing Service WMPNetworkSvcNtmsSvc WMPNetworkSvcNtmsSvcTermService (WMPNetworkSvcNtmsSvcTermService) - Unknown owner - .exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service WMPNetworkSvcWebClient (WMPNetworkSvcWebClient) - Unknown owner - C:\WINDOWS\
O23 - Service: Windows Media Player Network Sharing Service WMPNetworkSvcWebClient WMPNetworkSvcWebClientDhcp (WMPNetworkSvcWebClientDhcp) - Unknown owner - .exe (file missing)
O23 - Service: Security Center wscsvc Service for CDROM Access (wscsvc Service for CDROM Access) - Unknown owner - C:\WINDOWS\
O23 - Service: Security Center wscsvcDhcp (wscsvcDhcp) - Unknown owner - .exe (file missing)
O23 - Service: Automatic Updates wuauservDhcp (wuauservDhcp) - Unknown owner - C:\WINDOWS\
O23 - Service: Automatic Updates wuauservEventlog (wuauservEventlog) - Unknown owner - C:\WINDOWS\
O23 - Service: Automatic Updates wuauservEventlog wuauservEventlogImapiService (wuauservEventlogImapiService) - Unknown owner - C:\WINDOWS\
O23 - Service: Automatic Updates wuauservEventlog wuauservEventlogImapiService wuauservEventlogImapiServicegusvc (wuauservEventlogImapiServicegusvc) - Unknown owner - C:\WINDOWS\
--
End of file - 20187 bytes
Fatboy_97
2008-11-13, 05:43
Looking forward to updating Windows so it will be safer & re-installing some kind of anti-malware stuff. Let me know what the new logs are tellin' ya.
Thanks again for your time & patience. :bigthumb:
Hi,
Sorry for the late reply.
Let me look over your logs and see what is left of the battle. :D
Hi,
Please don't leave the machine connected to the net unless doing stuff here. You have no AV and no decent firewall, so your risk of more infections is high.
See if you can get Windows firewall working to give you at least incoming protection.
Open control panel then "network connections"
Right click your connection> properties> advanced> check the box that says "protect my computer...."
Apply & OK out.
Let me know if this fails.
Leave DrWeb's quarantined stuff alone a bit. It tagged some support stuff that came with the system, which we should restore when we're done.
I think we're still rooted.
Download Gmer from here:
http://www.gmer.net/gmer.zip
Unzip it to its own folder.
Disconnect from internet & shut down Antivirus to prevent conflicts.
Shut down also any other unneeded apps including any open browser windows.
The less stuff we have running, the less chance of false positives in the log.
Double click gmer.exe to run it.
Allow driver to install if asked (gmer.sys)
You may get a warning at program start that there is possible rootkit activity, asking whether you want to run a scan.
Say OK to run scan.
If no warning, just click "scan".
Let the scan finish.
Once done press "save"
In the new window that pops up, give the log a name and save it someplace handy.
Press save.
Re-connect to net & post that log here.
Let me know if Gmer gives you errors.
Thanks :)
Fatboy_97
2008-11-15, 01:48
We had already done the "protect my computer" thing on a previous post & it was still checked.
Gmer did not give me any errors & I have been leaving the infected computer "unplugged" from the interweb. :)
Here's the Gmer log:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-14 15:40:55
Windows 5.1.2600 Service Pack 1
---- Kernel code sections - GMER 1.0.14 ----
.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
---- User code sections - GMER 1.0.14 ----
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1604] kernel32.dll!SetUnhandledExceptionFilter 77E7E5A1 9 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation)
---- Devices - GMER 1.0.14 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
---- Registry - GMER 1.0.14 ----
Reg HKLM\SOFTWARE\Classes\CLSID\{00C3B745-478E-8E44-2308-95EE1E35FF0D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Reg HKLM\SOFTWARE\Classes\CLSID\{00C3B745-478E-8E44-2308-95EE1E35FF0D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}@
Reg HKLM\SOFTWARE\Classes\CLSID\{00C3B745-478E-8E44-2308-95EE1E35FF0D}\InprocServer32@ C:\WINDOWS\system32\scrobj.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{00C3B745-478E-8E44-2308-95EE1E35FF0D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{00C3B745-478E-8E44-2308-95EE1E35FF0D}\ProgID@ ScriptletHandler.Event
Reg HKLM\SOFTWARE\Classes\CLSID\{01315B19-6FC4-3686-A23D-C098D0CB5225}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}
Reg HKLM\SOFTWARE\Classes\CLSID\{01315B19-6FC4-3686-A23D-C098D0CB5225}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}@
Reg HKLM\SOFTWARE\Classes\CLSID\{01315B19-6FC4-3686-A23D-C098D0CB5225}\InprocServer32@ mscoree.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{01315B19-6FC4-3686-A23D-C098D0CB5225}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{01315B19-6FC4-3686-A23D-C098D0CB5225}\InprocServer32@Class System.Runtime.Remoting.Metadata.SoapMethodAttribute
Reg HKLM\SOFTWARE\Classes\CLSID\{01315B19-6FC4-3686-A23D-C098D0CB5225}\InprocServer32@Assembly mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Reg HKLM\SOFTWARE\Classes\CLSID\{01315B19-6FC4-3686-A23D-C098D0CB5225}\InprocServer32@RuntimeVersion v1.1.4322
Reg HKLM\SOFTWARE\Classes\CLSID\{01315B19-6FC4-3686-A23D-C098D0CB5225}\InprocServer32\1.0.5000.0
Reg HKLM\SOFTWARE\Classes\CLSID\{01315B19-6FC4-3686-A23D-C098D0CB5225}\InprocServer32\1.0.5000.0@Class System.Runtime.Remoting.Metadata.SoapMethodAttribute
Reg HKLM\SOFTWARE\Classes\CLSID\{01315B19-6FC4-3686-A23D-C098D0CB5225}\InprocServer32\1.0.5000.0@Assembly mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Reg HKLM\SOFTWARE\Classes\CLSID\{01315B19-6FC4-3686-A23D-C098D0CB5225}\InprocServer32\1.0.5000.0@RuntimeVersion v1.1.4322
Reg HKLM\SOFTWARE\Classes\CLSID\{01315B19-6FC4-3686-A23D-C098D0CB5225}\InprocServer32\2.0.0.0
Reg HKLM\SOFTWARE\Classes\CLSID\{01315B19-6FC4-3686-A23D-C098D0CB5225}\InprocServer32\2.0.0.0@RuntimeVersion v2.0.50727
Reg HKLM\SOFTWARE\Classes\CLSID\{01315B19-6FC4-3686-A23D-C098D0CB5225}\InprocServer32\2.0.0.0@Assembly mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Reg HKLM\SOFTWARE\Classes\CLSID\{01315B19-6FC4-3686-A23D-C098D0CB5225}\InprocServer32\2.0.0.0@Class System.Runtime.Remoting.Metadata.SoapMethodAttribute
Reg HKLM\SOFTWARE\Classes\CLSID\{01315B19-6FC4-3686-A23D-C098D0CB5225}\ProgId@ System.Runtime.Remoting.Metadata.SoapMethodAttribute
Reg HKLM\SOFTWARE\Classes\CLSID\{1826CDB1-DCCF-490E-89C8-C722F9CF83C1}\InprocServer32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{287EF21A-9D1A-0850-5A9C-5CADADD495FF}\ExtendedErrors@ Extended Error Service
Reg HKLM\SOFTWARE\Classes\CLSID\{287EF21A-9D1A-0850-5A9C-5CADADD495FF}\ExtendedErrors\{00000542-0000-0010-8000-00AA006D2EA4}
Reg HKLM\SOFTWARE\Classes\CLSID\{287EF21A-9D1A-0850-5A9C-5CADADD495FF}\ExtendedErrors\{00000542-0000-0010-8000-00AA006D2EA4}@ ADO Error Lookup
Reg HKLM\SOFTWARE\Classes\CLSID\{392EC2A0-4691-7FCE-606F-8878B7875A35}\Insertable@
Reg HKLM\SOFTWARE\Classes\CLSID\{392EC2A0-4691-7FCE-606F-8878B7875A35}\Ole1Class@ SoundRec
Reg HKLM\SOFTWARE\Classes\CLSID\{392EC2A0-4691-7FCE-606F-8878B7875A35}\ProgID@ SoundRec
Reg HKLM\SOFTWARE\Classes\CLSID\{392EC2A0-4691-7FCE-606F-8878B7875A35}\TreatAs@ {00020C01-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\CLSID\{397A1CDF-CE10-9F24-4188-062E91923DFC}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
Reg HKLM\SOFTWARE\Classes\CLSID\{397A1CDF-CE10-9F24-4188-062E91923DFC}\LocalServer32@ C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
Reg HKLM\SOFTWARE\Classes\CLSID\{397A1CDF-CE10-9F24-4188-062E91923DFC}\ProgID@ gcasDtServ.AgentDataStore
Reg HKLM\SOFTWARE\Classes\CLSID\{397A1CDF-CE10-9F24-4188-062E91923DFC}\TypeLib@ {CEACE91F-3F71-4A8C-B952-63716B2BC026}
Reg HKLM\SOFTWARE\Classes\CLSID\{397A1CDF-CE10-9F24-4188-062E91923DFC}\VERSION@ 1.0
Reg HKLM\SOFTWARE\Classes\CLSID\{3C91CB00-8514-901B-651D-5D20DF97F7FA}\InProcServer32@ C:\PROGRA~1\Canon\Program\zb_ui.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{3C91CB00-8514-901B-651D-5D20DF97F7FA}\InProcServer32@InProcServer32 TVUAg`ee,?6-Bi,e_GnvFEAT_ZoomBrowserCore>]^c%+el*f8WZf4TV%v0t?
Reg HKLM\SOFTWARE\Classes\CLSID\{3C91CB00-8514-901B-651D-5D20DF97F7FA}\InProcServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{3C91CB00-8514-901B-651D-5D20DF97F7FA}\ProgID@ Zb_ui.ZbUiRootFolderItem.1
Reg HKLM\SOFTWARE\Classes\CLSID\{3C91CB00-8514-901B-651D-5D20DF97F7FA}\VersionIndependentProgID@ Zb_ui.ZbUiRootFolderItem
Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\InProcServer32@ C:\WINDOWS\system32\wshom.ocx
Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\InProcServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\ProgID@ WScript.Network.1
Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\TypeLib@ {F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}
Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\VersionIndependentProgID@ WScript.Network
Reg HKLM\SOFTWARE\Classes\CLSID\{942D82A5-DA03-640B-5E19-3CBD62700780}\CurVer@ Zb_ui.ZbUiMyDocumentsFolderItem.1
Reg HKLM\SOFTWARE\Classes\CLSID\{99ABF834-28BA-1905-404D-473A6F82B52F}\CONTROL@
Reg HKLM\SOFTWARE\Classes\CLSID\{99ABF834-28BA-1905-404D-473A6F82B52F}\INPROCSERVER@ C:\WINDOWS\System\THREED16.OCX
Reg HKLM\SOFTWARE\Classes\CLSID\{99ABF834-28BA-1905-404D-473A6F82B52F}\InprocServer32@ C:\WINDOWS\System32\threed32.ocx
Reg HKLM\SOFTWARE\Classes\CLSID\{99ABF834-28BA-1905-404D-473A6F82B52F}\MISCSTATUS@ 0
Reg HKLM\SOFTWARE\Classes\CLSID\{99ABF834-28BA-1905-404D-473A6F82B52F}\MISCSTATUS\1
Reg HKLM\SOFTWARE\Classes\CLSID\{99ABF834-28BA-1905-404D-473A6F82B52F}\MISCSTATUS\1@ 237969
Reg HKLM\SOFTWARE\Classes\CLSID\{99ABF834-28BA-1905-404D-473A6F82B52F}\PROGID@ Threed.SSPanel
Reg HKLM\SOFTWARE\Classes\CLSID\{99ABF834-28BA-1905-404D-473A6F82B52F}\TOOLBOXBITMAP@ C:\WINDOWS\System\THREED16.OCX, 4
Reg HKLM\SOFTWARE\Classes\CLSID\{99ABF834-28BA-1905-404D-473A6F82B52F}\ToolboxBitmap32@ C:\WINDOWS\System32\threed32.ocx, 4
Reg HKLM\SOFTWARE\Classes\CLSID\{99ABF834-28BA-1905-404D-473A6F82B52F}\TYPELIB@ {0BA686C6-F7D3-101A-993E-0000C0EF6F5E}
Reg HKLM\SOFTWARE\Classes\CLSID\{99ABF834-28BA-1905-404D-473A6F82B52F}\VERSION@ 1.0
Reg HKLM\SOFTWARE\Classes\CLSID\{AB35CCB6-940C-C903-1BFC-8E0B382A26E8}\InprocServer32@ C:\PROGRA~1\MICROS~2\Office\OUTLAS9.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\Conversion\Readable
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\Conversion\Readable\Main
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\Conversion\Readable\Main@ WordArt
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\DataFormats\GetSet
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\DataFormats\GetSet\0
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\DataFormats\GetSet\0@ 3,-1,32,1
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\DataFormats\GetSet\1
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\DataFormats\GetSet\1@ 1,-1,1,3
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\DataFormats\GetSet\2
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\DataFormats\GetSet\2@ MSWordArt.2,-1,1,3
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\DefaultIcon@ C:\WINDOWS\Installer\{00040409-78E1-11D2-B60F-006097C998E7}\wa32ico.exe,1
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\Insertable@
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\LocalServer32@ C:\PROGRA~1\COMMON~1\MICROS~1\WordArt\WRDART32.EXE
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\LocalServer32@LocalServer32 5LL!!gxsf(Ng]qF`H{LsPubToolsWordArt>289lbwAlf(rW&!!cF5I6?
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\MiscStatus@0
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\MiscStatus \1
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\MiscStatus \1@ 1
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\ProgID@ MSWordArt.2
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\Verb\0
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\Verb\0@ &Edit,0,2
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\Verb\1
Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\Verb\1@ &Open,0,2
Reg HKLM\SOFTWARE\Classes\CLSID\{C2E222F7-AC2F-CCF7-6FC6-418B73DDB9E9}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{C2E222F7-AC2F-CCF7-6FC6-418B73DDB9E9}\InprocServer32@ C:\WINDOWS\system32\msi.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{C2E222F7-AC2F-CCF7-6FC6-418B73DDB9E9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{C2E222F7-AC2F-CCF7-6FC6-418B73DDB9E9}\ProgId@ WindowsInstaller.Installer
Reg HKLM\SOFTWARE\Classes\CLSID\{C2E222F7-AC2F-CCF7-6FC6-418B73DDB9E9}\TypeLib@ {000C1092-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\CLSID\{DFE957A2-B69B-F543-5A95-EA6A51E8BAC2}\AutoConvertTo@ {00020820-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\CLSID\{DFE957A2-B69B-F543-5A95-EA6A51E8BAC2}\DefaultIcon@ C:\PROGRA~1\MICROS~2\Office\EXCEL.EXE,1
Reg HKLM\SOFTWARE\Classes\CLSID\{DFE957A2-B69B-F543-5A95-EA6A51E8BAC2}\Insertable@
Reg HKLM\SOFTWARE\Classes\CLSID\{DFE957A2-B69B-F543-5A95-EA6A51E8BAC2}\NotInsertable@
Reg HKLM\SOFTWARE\Classes\CLSID\{DFE957A2-B69B-F543-5A95-EA6A51E8BAC2}\Ole1Class@ ExcelWorksheet
Reg HKLM\SOFTWARE\Classes\CLSID\{DFE957A2-B69B-F543-5A95-EA6A51E8BAC2}\ProgID@ ExcelWorksheet
Reg HKLM\SOFTWARE\Classes\CLSID\{DFE957A2-B69B-F543-5A95-EA6A51E8BAC2}\RTFClassName@ MSBiff
Reg HKLM\SOFTWARE\Classes\CLSID\{DFE957A2-B69B-F543-5A95-EA6A51E8BAC2}\TreatAs@ {00020820-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\CLSID\{EB9A3602-1A27-35A0-22AE-35C6E60CA4B0}\InprocServer32@ C:\Program Files\Microsoft Office\Office\1033\fvfxs.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{EB9A3602-1A27-35A0-22AE-35C6E60CA4B0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FBC056B4-1F31-6BD6-5062-8DE2F1119AF7}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Reg HKLM\SOFTWARE\Classes\CLSID\{FBC056B4-1F31-6BD6-5062-8DE2F1119AF7}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}@
Reg HKLM\SOFTWARE\Classes\CLSID\{FBC056B4-1F31-6BD6-5062-8DE2F1119AF7}\InprocServer32@ C:\WINDOWS\system32\scrobj.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{FBC056B4-1F31-6BD6-5062-8DE2F1119AF7}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FBC056B4-1F31-6BD6-5062-8DE2F1119AF7}\ProgID@ ScriptletHandler.Event
Reg HKLM\SOFTWARE\Classes\IrfanView@ IrfanView
Reg HKLM\SOFTWARE\Classes\IrfanView\shell
Reg HKLM\SOFTWARE\Classes\IrfanView\shell\open
Reg HKLM\SOFTWARE\Classes\IrfanView\shell\open\command
Reg HKLM\SOFTWARE\Classes\IrfanView\shell\open\command@ "C:\Documents and Settings\All Users\Documents\i_view32.exe" "%1"
---- EOF - GMER 1.0.14 ----
Hi,
We had already done the "protect my computer" thing on a previous post & it was still checked.
Gmer did not give me any errors & I have been leaving the infected computer "unplugged" from the interweb.
Good :)
I'm kinda stumped on what all those funny looking services are.
I would like to have a look at an export of that key.
Actually what might be easier...
Create a new erunt backup.
Go to this folder:
C:\windows\erdnt\{todays date}
Right click on file called "system"> send to> compressed (zipped) folder.
Upload "system.zip" to this site:
http://www.uploadmalware.com
Please leave a link in the space provided to this thread so I know whose file it is.
Once uploaded you can delete "system.zip"
Thanks :)
Fatboy_97
2008-11-18, 04:32
System.zip successfully uploaded to uploadmalware.com. :)
Got the file.
Thanks :)
It's going to take me a bit to go through it.
I want to make sure the legit services are not dependent on the funky ones before we remove 'em.
Man -- I would love to know what the heck you hit. :spider:
OK.. :spider:
Delete current version of ComboFix & grab a new one:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
Save to desktop.
Click start> run> type notepad and hit enter.
Click the "format" menu & ensure "wordwrap" is UNchecked.
Copy the following text to the open notepad:
driver::
AlerterRasAutoAticlr_optimization_v2.0.50727_32
AlerterRpcSs
AppMgmtCiSvc
AppMgmtCiSvcFastUserSwitchingCompatibility
AppMgmtFastUserSwitchingCompatibility
AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService
AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService PMSP Service
AppMgmtFastUserSwitchingCompatibilityTrkWksImapiServiceMessengerRSVP
AppMgmtFastUserSwitchingCompatibilityTrkWksImapiServiceNetman
aspnet_stateLmHosts
Aticlr_optimization_v2.0.50727_32
Aticlr_optimization_v2.0.50727_32AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService
AudioSrvRDSessMgr
BITSDcomLaunch
Browseraspnet_stateLmHosts
Browserwuauserv
BrowserwuauservALG
BrowserwuauservW32TimeSpoolerNVSvc
ClipSrvSSDPSRVEventSystemwuauservEventlogImapiServicegusvc
clr_optimization_v2.0.50727_32RasMan
COMSysAppFastUserSwitchingCompatibility
COMSysAppFastUserSwitchingCompatibilityWMPNetworkSvcWebClient
DhcpNetman
dmadminEventlog
Dnscachegusvc
EventSystemgusvc
EventSystemgusvcWMPNetworkSvc
gusvcstisvc
HidServaspnet_state
LmHostsNtLmSsp
MessengerRSVP
MSDTCWZCSVC
MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility
MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility Smart
MSIServerTrkWksALG
NetDDEclr_optimization_v2.0.50727_32
NetDDEdsdm Smart
NetDDEdsdmgusvcstisvc
NetmanSamSs
NetmanWMPNetworkSvcNtmsSvc
NlaSENS
NVSvchkmsvc
NVSvcRemoteAccess
NVSvcRemoteAccessDhcpNetman
PolicyAgentWebClient
PolicyAgentWebClientWmiApSrv
RasAutoAticlr_optimization_v2.0.50727_32
RemoteAccessNtLmSsp
RemoteAccessPolicyAgentWebClient
RpcLocatorRemoteAccessNtLmSsp
SCardSvrThemes
seclogonALG
SharedAccessWMPNetworkSvcNtmsSvc
ShellHWDetection Service for CDROM Access
ShellHWDetectionIDriverT
ShellHWDetectionIDriverTPlugPlay
ShellHWDetectionIDriverTPlugPlayNVSvcRemoteAccess
ShellHWDetectionIDriverTPlugPlayRpcLocatorRemoteAccessNtLmSsp
Spooler Smart
SpoolerAudioSrvRDSessMgr
SpoolerAudioSrvRDSessMgrTrkWksALGSSDPSRVEventSystemwuauservEventlogImapiServicegusvc
SpoolerNVSvc
SSDPSRVEventSystem
SSDPSRVEventSystemwuauservEventlogImapiServicegusvc
SwPrvSharedAccess
SysmonLogAppMgmtCiSvcFastUserSwitchingCompatibility
TrkWksALG
TrkWksALGSSDPSRVEventSystemwuauservEventlogImapiServicegusvc
TrkWksImapiService
TrkWkslanmanserver
TrkWksNetmanSamSs
UPSAudioSrvRDSessMgr
W32TimeSpoolerNVSvc
winmgmtWmdmPmSNaspnet_stateLmHosts
WmdmPmSNaspnet_stateLmHosts
WmiApSrvAppMgmtCiSvcFastUserSwitchingCompatibility
WmiApSrvRemoteAccessNtLmSsp
WMPNetworkSvcNtmsSvc
WMPNetworkSvcNtmsSvcTermService
WMPNetworkSvcWebClient
WMPNetworkSvcWebClientDhcp
wscsvcDhcp
wuauservDhcp
wuauservEventlog
wuauservEventlogImapiService
wuauservEventlogImapiServicegusvc
Save the file as cfscript.txt to the desktop.
Shut off any security apps you have running.
Drag CFscript.txt on top of Combofix & drop it.
Follow prompts from ComboFix.
Once done it will create a log. (c:\combofix.txt)
Please post contents of that log along with a new hijackthis log.
Let me know how machine is running at this point.
We will likely have more work to do.
Thanks :)
Before I forget -- we should restore those support.com files DrWeb removed.
Program was installed by the PC manufacturer & is OK.
Look in here:
C:\documents & settings\Denice\DoctorWeb\quarantaine
For:
sdcmon.dll
Copy that file to these folders:
C:\Program Files\Support.com\backup\sd
C:\Program Files\Support.com\bin
tgupdate.exe
Copy that file to these folders:
C:\Program Files\Support.com\backup\tg
C:\Program Files\Support.com\bin
No immediate need for reboot.
Let me know if that went OK.
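One way to triage a HijackThis O23 section for entries like the ones in the log above, as an added example that is not part of this thread, of HijackThis or of ComboFix: it parses O23 lines, flags services that have an unknown owner and no usable binary, checks whether the short name is several real Windows XP service names glued together, and renders the flagged names in the same `driver::` block layout the cfscript above uses. The sample lines are constructed copies in the shape of the log above, and the service-name vocabulary is a hand-picked subset (an assumption, not an authoritative list).

```python
import re

# Constructed sample in the shape HijackThis writes O23 lines (not the thread's full log).
SAMPLE_O23 = r"""
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alerter AlerterRpcSs (AlerterRpcSs) - Unknown owner - .exe (file missing)
O23 - Service: Application Management AppMgmtCiSvc (AppMgmtCiSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Computer Browser Browserwuauserv (Browserwuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: Remote Procedure Call (RPC) Locator RpcLocatorRemoteAccessNtLmSsp (RpcLocatorRemoteAccessNtLmSsp) - Unknown owner - C:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# display name, optional "(short name)", owner, binary path, separated by " - "
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)

# Hand-picked XP-era service short names (assumption: a subset, enough for this log).
KNOWN_SERVICES = [
    "Alerter", "ALG", "AppMgmt", "aspnet_state", "AudioSrv", "BITS", "Browser", "CiSvc",
    "ClipSrv", "COMSysApp", "DcomLaunch", "Dhcp", "dmadmin", "Dnscache", "Eventlog",
    "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "ImapiService",
    "lanmanserver", "LmHosts", "Messenger", "MSDTC", "MSIServer", "NetDDE", "NetDDEdsdm",
    "Netman", "Nla", "NtLmSsp", "NtmsSvc", "PlugPlay", "PolicyAgent", "RasAuto", "RasMan",
    "RDSessMgr", "RemoteAccess", "RpcLocator", "RpcSs", "RSVP", "SamSs", "SCardSvr",
    "seclogon", "SENS", "SharedAccess", "ShellHWDetection", "Spooler", "SSDPSRV", "stisvc",
    "SwPrv", "SysmonLog", "TermService", "Themes", "TrkWks", "UPS", "W32Time", "WebClient",
    "winmgmt", "WmdmPmSN", "WmiApSrv", "WMPNetworkSvc", "wscsvc", "wuauserv", "WZCSVC",
    "gusvc", "NVSvc", "IDriverT", "hkmsvc", "clr_optimization_v2.0.50727_32",
]


def segment(short_name, vocab=KNOWN_SERVICES):
    """Split a short name into known service names using the fewest pieces.
    Returns the list of pieces, or None if the name cannot be fully decomposed."""
    s = short_name.lower()
    toks = {v.lower(): v for v in vocab}
    best = [None] * (len(s) + 1)  # best[i] = fewest-piece split of s[:i]
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] is None or s[j:i] not in toks:
                continue
            cand = best[j] + [toks[s[j:i]]]
            if best[i] is None or len(cand) < len(best[i]):
                best[i] = cand
    return best[len(s)]


def parse_o23(line):
    """Return a dict (display, short, owner, path) for an O23 line, else None."""
    m = O23_RE.match(line.strip())
    return m.groupdict() if m else None


def assess(entry):
    """Return the reasons an O23 entry looks bogus; an empty list means nothing odd."""
    reasons = []
    path = entry["path"]
    # A real service points at a binary; the odd ones in the log point at a bare
    # directory or a missing ".exe" and HijackThis cannot attribute them to a vendor.
    if entry["owner"] == "Unknown owner" and (path.endswith("\\") or "(file missing)" in path):
        reasons.append("unknown owner and no usable binary path")
    # The odd short names are two or more real service names glued together.
    # On its own this is only a hint; combined with the missing binary it is strong.
    if entry["short"]:
        parts = segment(entry["short"])
        if parts and len(parts) >= 2:
            reasons.append("short name splices known services: " + " + ".join(parts))
    return reasons


def triage(log_text):
    """Parse every O23 line in a HijackThis log and return the flagged entries."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            entry["reasons"] = reasons
            flagged.append(entry)
    return flagged


def build_cfscript(entries):
    """Render the flagged short names in the 'driver::' block layout used above."""
    names = [e["short"] for e in entries if e["short"]]
    return "driver::\n" + "\n".join(names) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_O23)
    for h in hits:
        print(h["short"], "->", "; ".join(h["reasons"]))
    print(build_cfscript(hits))
```

The fewest-pieces rule in `segment` keeps a legitimate name such as `NetDDEdsdm` from being reported as a splice when it is itself in the vocabulary, which is why the vocabulary should contain whole legitimate names and not only fragments.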
Fatboy_97
2008-11-19, 09:32
Man -- I would love to know what the heck you hit. :spider:
You and me both! :mad:
Fatboy_97
2008-11-19, 09:33
Here's the Combofix log:
ComboFix 08-11-18.04 - Dennis 2008-11-18 23:13:25.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.657 [GMT -8:00]
Running from: c:\documents and settings\Dennis\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dennis\Desktop\cfscript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80 . . . . failed to delete
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67 . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ALERTERRASAUTOATICLR_OPTIMIZATION_V2.0.50727_32
-------\Legacy_ALERTERRPCSS
-------\Legacy_APPMGMTCISVC
-------\Legacy_APPMGMTCISVCFASTUSERSWITCHINGCOMPATIBILITY
-------\Legacy_APPMGMTFASTUSERSWITCHINGCOMPATIBILITY
-------\Legacy_APPMGMTFASTUSERSWITCHINGCOMPATIBILITYTRKWKSIMAPISERVICE
-------\Legacy_APPMGMTFASTUSERSWITCHINGCOMPATIBILITYTRKWKSIMAPISERVICEMESSENGERRSVP
-------\Legacy_APPMGMTFASTUSERSWITCHINGCOMPATIBILITYTRKWKSIMAPISERVICENETMAN
-------\Legacy_APPMGMTFASTUSERSWITCHINGCOMPATIBILITYTRKWKSIMAPISERVICE_PMSP_SERVICE
-------\Legacy_ASPNET_STATELMHOSTS
-------\Legacy_ATICLR_OPTIMIZATION_V2.0.50727_32
-------\Legacy_ATICLR_OPTIMIZATION_V2.0.50727_32APPMGMTFASTUSERSWITCHINGCOMPATIBILITYTRKWKSIMAPISERVICE
-------\Legacy_AUDIOSRVRDSESSMGR
-------\Legacy_BITSDCOMLAUNCH
-------\Legacy_BROWSERASPNET_STATELMHOSTS
-------\Legacy_BROWSERWUAUSERV
-------\Legacy_BROWSERWUAUSERVALG
-------\Legacy_BROWSERWUAUSERVW32TIMESPOOLERNVSVC
-------\Legacy_CLIPSRVSSDPSRVEVENTSYSTEMWUAUSERVEVENTLOGIMAPISERVICEGUSVC
-------\Legacy_CLR_OPTIMIZATION_V2.0.50727_32RASMAN
-------\Legacy_COMSYSAPPFASTUSERSWITCHINGCOMPATIBILITY
-------\Legacy_COMSYSAPPFASTUSERSWITCHINGCOMPATIBILITYWMPNETWORKSVCWEBCLIENT
-------\Legacy_DHCPNETMAN
-------\Legacy_DMADMINEVENTLOG
-------\Legacy_DNSCACHEGUSVC
-------\Legacy_EVENTSYSTEMGUSVC
-------\Legacy_EVENTSYSTEMGUSVCWMPNETWORKSVC
-------\Legacy_GUSVCSTISVC
-------\Legacy_HIDSERVASPNET_STATE
-------\Legacy_LMHOSTSNTLMSSP
-------\Legacy_MESSENGERRSVP
-------\Legacy_MSDTCWZCSVC
-------\Legacy_MSDTCWZCSVCAPPMGMTCISVCFASTUSERSWITCHINGCOMPATIBILITY
-------\Legacy_MSDTCWZCSVCAPPMGMTCISVCFASTUSERSWITCHINGCOMPATIBILITY_SMART
-------\Legacy_MSISERVERTRKWKSALG
-------\Legacy_NETDDECLR_OPTIMIZATION_V2.0.50727_32
-------\Legacy_NETDDEDSDMGUSVCSTISVC
-------\Legacy_NETDDEDSDM_SMART
-------\Legacy_NETMANSAMSS
-------\Legacy_NETMANWMPNETWORKSVCNTMSSVC
-------\Legacy_NLASENS
-------\Legacy_NVSVCHKMSVC
-------\Legacy_NVSVCREMOTEACCESS
-------\Legacy_NVSVCREMOTEACCESSDHCPNETMAN
-------\Legacy_POLICYAGENTWEBCLIENT
-------\Legacy_POLICYAGENTWEBCLIENTWMIAPSRV
-------\Legacy_RASAUTOATICLR_OPTIMIZATION_V2.0.50727_32
-------\Legacy_REMOTEACCESSNTLMSSP
-------\Legacy_REMOTEACCESSPOLICYAGENTWEBCLIENT
-------\Legacy_RPCLOCATORREMOTEACCESSNTLMSSP
-------\Legacy_SCARDSVRTHEMES
-------\Legacy_SECLOGONALG
-------\Legacy_SHAREDACCESSWMPNETWORKSVCNTMSSVC
-------\Legacy_SHELLHWDETECTIONIDRIVERT
-------\Legacy_SHELLHWDETECTIONIDRIVERTPLUGPLAY
-------\Legacy_SHELLHWDETECTIONIDRIVERTPLUGPLAYNVSVCREMOTEACCESS
-------\Legacy_SHELLHWDETECTIONIDRIVERTPLUGPLAYRPCLOCATORREMOTEACCESSNTLMSSP
-------\Legacy_SHELLHWDETECTION_SERVICE_FOR_CDROM_ACCESS
-------\Legacy_SPOOLERAUDIOSRVRDSESSMGR
-------\Legacy_SPOOLERAUDIOSRVRDSESSMGRTRKWKSALGSSDPSRVEVENTSYSTEMWUAUSERVEVENTLOGIMAPISERVICEGUSVC
-------\Legacy_SPOOLERNVSVC
-------\Legacy_SPOOLER_SMART
-------\Legacy_SSDPSRVEVENTSYSTEM
-------\Legacy_SSDPSRVEVENTSYSTEMWUAUSERVEVENTLOGIMAPISERVICEGUSVC
-------\Legacy_SWPRVSHAREDACCESS
-------\Legacy_SYSMONLOGAPPMGMTCISVCFASTUSERSWITCHINGCOMPATIBILITY
-------\Legacy_TRKWKSALG
-------\Legacy_TRKWKSALGSSDPSRVEVENTSYSTEMWUAUSERVEVENTLOGIMAPISERVICEGUSVC
-------\Legacy_TRKWKSIMAPISERVICE
-------\Legacy_TRKWKSLANMANSERVER
-------\Legacy_TRKWKSNETMANSAMSS
-------\Legacy_UPSAUDIOSRVRDSESSMGR
-------\Legacy_W32TIMESPOOLERNVSVC
-------\Legacy_WINMGMTWMDMPMSNASPNET_STATELMHOSTS
-------\Legacy_WMDMPMSNASPNET_STATELMHOSTS
-------\Legacy_WMIAPSRVAPPMGMTCISVCFASTUSERSWITCHINGCOMPATIBILITY
-------\Legacy_WMIAPSRVREMOTEACCESSNTLMSSP
-------\Legacy_WMPNETWORKSVCNTMSSVC
-------\Legacy_WMPNETWORKSVCNTMSSVCTERMSERVICE
-------\Legacy_WMPNETWORKSVCWEBCLIENT
-------\Legacy_WMPNETWORKSVCWEBCLIENTDHCP
-------\Legacy_WSCSVCDHCP
-------\Legacy_WUAUSERVDHCP
-------\Legacy_WUAUSERVEVENTLOG
-------\Legacy_WUAUSERVEVENTLOGIMAPISERVICE
-------\Legacy_WUAUSERVEVENTLOGIMAPISERVICEGUSVC
-------\Service_AlerterRasAutoAticlr_optimization_v2.0.50727_32
-------\Service_AlerterRpcSs
-------\Service_AppMgmtCiSvc
-------\Service_AppMgmtCiSvcFastUserSwitchingCompatibility
-------\Service_AppMgmtFastUserSwitchingCompatibility
-------\Service_AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService
-------\Service_AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService PMSP Service
-------\Service_AppMgmtFastUserSwitchingCompatibilityTrkWksImapiServiceMessengerRSVP
-------\Service_AppMgmtFastUserSwitchingCompatibilityTrkWksImapiServiceNetman
-------\Service_aspnet_stateLmHosts
-------\Service_Aticlr_optimization_v2.0.50727_32
-------\Service_Aticlr_optimization_v2.0.50727_32AppMgmtFastUserSwitchingCompatibilityTrkWksImapiService
-------\Service_AudioSrvRDSessMgr
-------\Service_BITSDcomLaunch
-------\Service_Browseraspnet_stateLmHosts
-------\Service_Browserwuauserv
-------\Service_BrowserwuauservALG
-------\Service_BrowserwuauservW32TimeSpoolerNVSvc
-------\Service_ClipSrvSSDPSRVEventSystemwuauservEventlogImapiServicegusvc
-------\Service_clr_optimization_v2.0.50727_32RasMan
-------\Service_COMSysAppFastUserSwitchingCompatibility
-------\Service_COMSysAppFastUserSwitchingCompatibilityWMPNetworkSvcWebClient
-------\Service_DhcpNetman
-------\Service_dmadminEventlog
-------\Service_Dnscachegusvc
-------\Service_EventSystemgusvc
-------\Service_EventSystemgusvcWMPNetworkSvc
-------\Service_gusvcstisvc
-------\Service_HidServaspnet_state
-------\Service_LmHostsNtLmSsp
-------\Service_MessengerRSVP
-------\Service_MSDTCWZCSVC
-------\Service_MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility
-------\Service_MSDTCWZCSVCAppMgmtCiSvcFastUserSwitchingCompatibility Smart
-------\Service_MSIServerTrkWksALG
-------\Service_NetDDEclr_optimization_v2.0.50727_32
-------\Service_NetDDEdsdm Smart
-------\Service_NetDDEdsdmgusvcstisvc
-------\Service_NetmanSamSs
-------\Service_NetmanWMPNetworkSvcNtmsSvc
-------\Service_NlaSENS
-------\Service_NVSvchkmsvc
-------\Service_NVSvcRemoteAccess
-------\Service_NVSvcRemoteAccessDhcpNetman
-------\Service_PolicyAgentWebClient
-------\Service_PolicyAgentWebClientWmiApSrv
-------\Service_RasAutoAticlr_optimization_v2.0.50727_32
-------\Service_RemoteAccessNtLmSsp
-------\Service_RemoteAccessPolicyAgentWebClient
-------\Service_RpcLocatorRemoteAccessNtLmSsp
-------\Service_SCardSvrThemes
-------\Service_seclogonALG
-------\Service_SharedAccessWMPNetworkSvcNtmsSvc
-------\Service_ShellHWDetection Service for CDROM Access
-------\Service_ShellHWDetectionIDriverT
-------\Service_ShellHWDetectionIDriverTPlugPlay
-------\Service_ShellHWDetectionIDriverTPlugPlayNVSvcRemoteAccess
-------\Service_ShellHWDetectionIDriverTPlugPlayRpcLocatorRemoteAccessNtLmSsp
-------\Service_Spooler Smart
-------\Service_SpoolerAudioSrvRDSessMgr
-------\Service_SpoolerAudioSrvRDSessMgrTrkWksALGSSDPSRVEventSystemwuauservEventlogImapiServicegusvc
-------\Service_SpoolerNVSvc
-------\Service_SSDPSRVEventSystem
-------\Service_SSDPSRVEventSystemwuauservEventlogImapiServicegusvc
-------\Service_SwPrvSharedAccess
-------\Service_SysmonLogAppMgmtCiSvcFastUserSwitchingCompatibility
-------\Service_TrkWksALG
-------\Service_TrkWksALGSSDPSRVEventSystemwuauservEventlogImapiServicegusvc
-------\Service_TrkWksImapiService
-------\Service_TrkWkslanmanserver
-------\Service_TrkWksNetmanSamSs
-------\Service_UPSAudioSrvRDSessMgr
-------\Service_W32TimeSpoolerNVSvc
-------\Service_winmgmtWmdmPmSNaspnet_stateLmHosts
-------\Service_WmdmPmSNaspnet_stateLmHosts
-------\Service_WmiApSrvAppMgmtCiSvcFastUserSwitchingCompatibility
-------\Service_WmiApSrvRemoteAccessNtLmSsp
-------\Service_WMPNetworkSvcNtmsSvc
-------\Service_WMPNetworkSvcNtmsSvcTermService
-------\Service_WMPNetworkSvcWebClient
-------\Service_WMPNetworkSvcWebClientDhcp
-------\Service_wscsvcDhcp
-------\Service_wuauservDhcp
-------\Service_wuauservEventlog
-------\Service_wuauservEventlogImapiService
-------\Service_wuauservEventlogImapiServicegusvc
((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))
.
2008-11-14 15:14 . 2008-11-14 15:14 250 --a------ c:\windows\gmer.ini
2008-11-10 20:00 . 2008-11-10 21:22 <DIR> d-------- c:\documents and settings\Dennis\DoctorWeb
2008-11-08 17:57 . 2008-11-08 17:57 801,610 --a------ C:\QDATA02.IDX
2008-11-08 16:12 . 2008-11-08 16:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\NVIDIA
2008-11-08 13:39 . 2002-12-04 20:01 820,864 -ra------ c:\windows\system32\drivers\nvmcp.sys
2008-11-08 13:39 . 2002-12-04 20:01 241,664 -ra------ c:\windows\system32\drivers\nvapu.sys
2008-11-08 13:39 . 2002-12-04 20:01 62,336 -ra------ c:\windows\system32\drivers\nvarm.sys
2008-11-08 13:39 . 2002-12-04 20:01 44,032 -ra------ c:\windows\system32\OpenAL32.dll
2008-11-08 13:39 . 2002-12-04 20:01 44,032 -ra------ c:\windows\system32\nvopenal.dll
2008-11-08 13:39 . 2002-12-04 20:01 30,720 -ra------ c:\windows\system32\nvasio.dll
2008-11-08 13:39 . 2002-12-04 20:01 13,056 -ra------ c:\windows\system32\drivers\nvax.sys
2008-11-08 13:39 . 2002-12-04 20:01 5,120 -ra------ c:\windows\system32\ALut.dll
2008-11-08 13:39 . 2002-12-04 20:01 4,096 -ra------ c:\windows\system32\nvack.dll
2008-11-08 13:37 . 2002-08-29 02:01 134,272 --a------ c:\windows\system32\drivers\portcls.sys
2008-11-08 13:37 . 2002-08-29 02:01 134,272 --a--c--- c:\windows\system32\dllcache\portcls.sys
2008-11-08 13:37 . 2002-08-29 01:32 57,856 --a------ c:\windows\system32\drivers\drmk.sys
2008-11-08 13:37 . 2002-08-29 01:32 57,856 --a--c--- c:\windows\system32\dllcache\drmk.sys
2008-11-08 13:37 . 2001-08-17 22:37 22,016 --a------ c:\windows\system32\wdmaud.drv
2008-11-08 13:02 . 2002-10-03 23:23 80,896 -ra------ c:\windows\system32\drivers\NVENET.sys
2008-11-08 13:02 . 2002-10-03 23:23 1,024 -ra------ c:\windows\system32\drivers\jedih2rx.bin
2008-11-08 13:02 . 2002-10-03 23:23 122 -ra------ c:\windows\system32\drivers\ramsed.bin
2008-11-08 13:02 . 2002-10-03 23:23 42 -ra------ c:\windows\system32\drivers\jedireg.pat
2008-11-08 12:55 . 2008-11-08 12:55 3,813 --a------ c:\windows\Ascd_tmp.ini
2008-11-08 12:23 . 2008-11-08 13:04 <DIR> d-------- c:\windows\LastGood.Tmp
2008-11-08 09:59 . 2008-11-08 09:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-08 09:35 . 2006-10-22 12:22 208,896 --a------ c:\windows\system32\nvudisp.exe
2008-11-08 09:35 . 2008-11-18 23:19 88,566 --a------ c:\windows\system32\nvapps.xml
2008-11-08 09:35 . 2006-10-22 12:22 17,056 --a------ c:\windows\system32\nvdisp.nvu
2008-11-08 09:33 . 2006-10-22 15:06 208,896 --a------ c:\windows\system32\NVUNINST.EXE
2008-11-06 14:28 . 2008-11-06 14:28 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-11-06 14:28 . 2008-11-06 14:28 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Leadertech
2008-11-04 20:56 . 2008-11-04 21:12 3,484 --a------ c:\windows\system32\PerfStringBackup.TMP
2008-11-04 20:38 . 2002-08-29 04:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2008-11-04 20:37 . 2001-08-17 22:36 2,134,528 --a--c--- c:\windows\system32\dllcache\EXCH_smtpsnap.dll
2008-11-04 20:36 . 2008-11-04 20:36 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-11-04 20:36 . 2008-11-04 20:36 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-11-04 20:34 . 2002-08-29 04:00 106,562 --a--c--- c:\windows\system32\dllcache\srchctls.dll
2008-11-04 20:34 . 2008-11-04 20:34 749 -rah----- c:\windows\WindowsShell.Manifest
2008-11-04 20:34 . 2008-11-04 20:34 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2008-11-04 20:34 . 2008-11-04 20:34 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2008-11-04 20:34 . 2008-11-04 20:34 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2008-11-04 20:34 . 2008-11-04 20:34 488 -rah----- c:\windows\system32\logonui.exe.manifest
2008-11-04 20:31 . 2002-08-29 04:00 1,267,712 --a--c--- c:\windows\system32\dllcache\cimwin32.dll
2008-11-04 20:26 . 2001-08-17 13:59 50,048 --a------ c:\windows\system32\drivers\DMusic.sys
2008-11-04 20:26 . 2002-08-29 01:32 5,888 --a------ c:\windows\system32\drivers\splitter.sys
2008-11-04 20:11 . 2002-08-29 04:00 24,661 --a------ c:\windows\system32\spxcoins.dll
2008-11-04 20:11 . 2002-08-29 04:00 24,661 --a--c--- c:\windows\system32\dllcache\spxcoins.dll
2008-11-04 20:11 . 2002-08-29 04:00 13,312 --a------ c:\windows\system32\irclass.dll
2008-11-04 20:11 . 2002-08-29 04:00 13,312 --a--c--- c:\windows\system32\dllcache\irclass.dll
2008-11-04 20:10 . 2002-08-29 04:00 1,086,182 -ra------ c:\windows\SET60.tmp
2008-11-04 20:10 . 2002-08-29 04:00 13,608 -ra------ c:\windows\SET75.tmp
2008-11-04 12:36 . 2002-08-29 01:27 56,576 --a------ c:\windows\system32\drivers\redbook.sys
2008-11-04 12:32 . 2002-08-29 03:46 38,024 --a------ c:\windows\system32\drivers\termdd.sys
2008-11-04 12:31 . 2002-08-29 04:00 696,320 --a--c--- c:\windows\system32\dllcache\sapi.dll
2008-11-04 12:31 . 2002-08-29 04:00 147,456 --a--c--- c:\windows\system32\dllcache\sapi.cpl
2008-11-04 12:31 . 2002-08-29 04:00 132,096 --a------ c:\windows\system\WINSPOOL.DRV
2008-11-04 12:31 . 2002-08-29 03:41 71,168 --a------ c:\windows\system32\storprop.dll
2008-11-04 12:31 . 2002-08-29 04:00 22,016 --a--c--- c:\windows\system32\dllcache\agt0408.dll
2008-11-04 12:31 . 2002-08-29 04:00 19,968 --a--c--- c:\windows\system32\dllcache\agt040e.dll
2008-11-04 12:31 . 2002-08-29 04:00 19,456 --a--c--- c:\windows\system32\dllcache\agt041f.dll
2008-11-04 12:31 . 2002-08-29 04:00 19,456 --a--c--- c:\windows\system32\dllcache\agt0419.dll
2008-11-04 12:31 . 2002-08-29 04:00 19,456 --a--c--- c:\windows\system32\dllcache\agt0415.dll
2008-11-04 12:31 . 2002-08-29 04:00 19,456 --a--c--- c:\windows\system32\dllcache\agt0405.dll
2008-11-04 12:31 . 2002-08-29 04:00 10,496 --a------ c:\windows\system32\drivers\irenum.sys
2008-11-04 12:31 . 2002-08-29 04:00 10,496 --a--c--- c:\windows\system32\dllcache\irenum.sys
2008-10-29 19:10 . 2008-10-29 19:10 20,992 --ahs---- c:\windows\system32\accwizh.dll
2008-10-28 19:41 . 2008-10-28 19:41 <DIR> d-------- c:\program files\ERUNT
2008-10-24 21:34 . 2008-10-24 21:34 <DIR> d-------- C:\New Folder
2008-10-24 21:28 . 2008-10-24 21:28 <DIR> d-------- C:\backups
2008-10-20 17:17 . 2008-10-20 17:17 <DIR> d-------- c:\documents and settings\Guest\Application Data\MX
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-09 18:39 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-09 18:02 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-09 18:02 --------- d-----w c:\program files\ThreatFire
2008-11-08 18:49 --------- d-----w c:\documents and settings\Dennis\Application Data\MSN6
2008-11-06 23:04 --------- d-----w c:\program files\MSN Messenger
2008-11-03 02:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-25 03:59 --------- d-----w c:\program files\Trend Micro
2008-10-19 17:37 --------- d-----w c:\program files\EA GAMES
2008-10-05 09:38 --------- d-----w c:\program files\Microsoft Silverlight
2008-09-30 04:45 --------- d-----w c:\program files\Palm
2008-09-30 04:44 --------- d-----w c:\program files\Common Files\Skyscape
2008-09-25 03:28 134,992 ----a-w C:\QDATA02OFXLOG.DAT
2008-09-19 21:20 --------- d-----w c:\program files\Lavasoft
2008-09-19 21:20 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-09-14 20:42 92,672 ----a-w c:\documents and settings\Administrator\KillBox.exe
2006-11-24 21:28 807,624 ----a-w c:\program files\DF_BHD_Pinger_5_0_BHD_TS_v1_5_0_5_-_Creator_Dstructr.zip
2006-07-11 23:00 5,632 --sha-w c:\program files\Thumbs.db
2005-02-10 07:01 79,068,001 ----a-w c:\program files\Blackopsv1.0.zip
2004-03-15 21:29 299,624 ----a-w c:\program files\dxwebsetup.exe
2003-10-16 00:07 2,245 ----a-w c:\program files\_FILES.PFF
2003-10-14 22:49 84 ----a-w c:\program files\UPDATE.WIZ
2003-10-13 22:31 403 ----a-w c:\program files\STARTUP.HTM
2003-10-06 20:29 4,244 ----a-w c:\program files\Gameerr.bin
2003-10-02 17:18 95,377 ----a-w c:\program files\dfvgame.LWF
2003-09-26 22:21 74,534 ----a-w c:\program files\MogSlm04.3di
2003-09-25 23:44 51,529 ----a-w c:\program files\Gametext.bin
2003-09-25 23:04 353,399 ----a-w c:\program files\FAH6b.3di
2003-09-25 23:03 399,366 ----a-w c:\program files\FAH6a.3di
2003-09-25 22:51 644,422 ----a-w c:\program files\fblkhawk.3di
2003-09-25 22:50 668,018 ----a-w c:\program files\fblkhawf.3di
2003-09-25 22:42 649,693 ----a-w c:\program files\fblkhawd.3di
2003-09-24 22:07 116,841 ----a-w c:\program files\ammo.def
2003-09-23 23:55 81,705 ----a-w c:\program files\weapon.def
2003-09-18 21:27 30,647 ----a-w c:\program files\menutxt.bin
2003-09-17 01:29 29,731 ----a-w c:\program files\EMOTE13.bad
2003-09-16 21:46 8,286 ----a-w c:\program files\DELTA01.ADM
2003-09-16 18:04 1,194,796 ----a-w c:\program files\RE_Bsmt.3di
2003-09-16 16:56 49,566 ----a-w c:\program files\MogSlm01.3di
2003-09-15 20:37 73,497 ----a-w c:\program files\dfvmenus.mnu
2003-07-10 21:35 10,538 ----a-w c:\program files\airexp2.ptl
2003-07-10 21:35 1,614 ----a-w c:\program files\bcasings.ptl
2003-07-10 21:35 1,573 ----a-w c:\program files\casings.ptl
2003-07-08 20:47 18,629 ----a-w c:\program files\bird1.pcx
2003-05-30 21:38 4,553 ----a-w c:\program files\ADP_11B.til
2003-05-30 21:38 4,553 ----a-w c:\program files\ADP_11A.til
2003-05-30 21:38 25,647 ----a-w c:\program files\ADP_11B.bms
2003-05-30 21:38 25,647 ----a-w c:\program files\ADP_11A.bms
2003-05-20 21:11 9,173 ----a-w c:\program files\KYLE.WAC
2003-05-07 17:28 225,045 ----a-w c:\program files\Btn_ign.tga
2003-04-17 23:47 185,371 ----a-w c:\program files\FHum50N.3di
2003-04-17 23:32 190,602 ----a-w c:\program files\FHum50X.3di
2003-04-17 23:18 167,321 ----a-w c:\program files\FHum50P.3di
2003-04-17 23:04 167,156 ----a-w c:\program files\FHum50.3di
2003-04-14 23:16 28,805 ----a-w c:\program files\FBK_03a.bms
2003-04-14 23:16 28,793 ----a-w c:\program files\FBK_03b.bms
2003-04-14 23:16 1,540 ----a-w c:\program files\FBK_03b.til
2003-04-14 23:16 1,540 ----a-w c:\program files\FBK_03a.til
2003-04-10 21:58 1,486,671 ----a-w c:\program files\BHD_ups2.tga
2003-04-09 20:47 64,693 ----a-w c:\program files\SPBHD_14.bms
2003-04-09 20:47 2,233 ----a-w c:\program files\SPBHD_14.til
2003-04-04 22:49 242,110 ----a-w c:\program files\Btn_gmdm.tga
2003-04-04 22:33 254,761 ----a-w c:\program files\Btn_zila.tga
2003-04-04 22:27 102,727 ----a-w c:\program files\Btn_lnk2.tga
2003-04-04 22:23 59,374 ----a-w c:\program files\Btn_ext2.tga
2003-03-26 18:43 28,122 ----a-w c:\program files\SDK_01b.bms
2003-03-26 18:43 10,401 ----a-w c:\program files\SDK_01b.til
2003-03-26 18:41 5,140 ----a-w c:\program files\ADK_02b.til
2003-03-26 18:41 30,835 ----a-w c:\program files\ADK_02b.bms
2003-03-26 18:40 30,101 ----a-w c:\program files\ADK_01b.bms
2003-03-26 18:40 10,429 ----a-w c:\program files\ADK_01b.til
2003-03-25 23:32 32,592 ----a-w c:\program files\CTFK_02b.bms
2003-03-25 23:32 10,455 ----a-w c:\program files\CTFK_02b.til
2003-03-25 23:28 30,106 ----a-w c:\program files\ADK_01a.bms
2003-03-25 23:28 10,429 ----a-w c:\program files\ADK_01a.til
2003-03-25 22:21 13,774 ----a-w c:\program files\dfvdbgov.mnu
2003-03-25 18:52 73,378 ----a-w c:\program files\MogBlk07.3DI
2003-03-25 18:16 31,569 ----a-w c:\program files\SDM_01b.bms
2003-03-25 18:15 31,551 ----a-w c:\program files\SDM_01a.bms
2003-03-25 18:09 6,396 ----a-w c:\program files\DMM_01h.til
2003-03-25 18:09 39,417 ----a-w c:\program files\DMM_01h.bms
2003-03-25 18:03 6,396 ----a-w c:\program files\CTFK_03a.til
2003-03-25 18:03 41,222 ----a-w c:\program files\CTFK_03a.bms
2003-03-25 17:59 6,396 ----a-w c:\program files\CTFK_03b.til
2003-03-25 17:59 41,225 ----a-w c:\program files\CTFK_03b.bms
2003-03-24 22:44 6,569 ----a-w c:\program files\zboard.key
2003-03-24 21:13 31,939 ----a-w c:\program files\SDM_02b.bms
2003-03-24 21:01 20,403 ----a-w c:\program files\SDP_01B.bms
2003-03-24 20:52 19,433 ----a-w c:\program files\SDM_01f.bms
2003-03-24 18:54 55,788 ----a-w c:\program files\CTFM_05B.bms
2003-03-24 18:50 55,998 ----a-w c:\program files\CTFM_05A.bms
2003-03-21 23:15 44,500 ----a-w c:\program files\SPBHD_13.bms
2003-03-21 23:15 10,567 ----a-w c:\program files\SPBHD_13.til
2003-03-21 17:18 31,450 ----a-w c:\program files\TKHM_02b.bms
2003-03-21 17:16 31,424 ----a-w c:\program files\TKHM_02a.bms
2003-03-21 17:15 31,537 ----a-w c:\program files\TDMM_02b.bms
2003-03-21 17:13 31,527 ----a-w c:\program files\TDMM_02a.bms
2003-03-21 17:12 3,025 ----a-w c:\program files\SDM_02b.til
2003-03-21 17:10 31,921 ----a-w c:\program files\SDM_02a.bms
2003-03-21 17:10 3,025 ----a-w c:\program files\SDM_02a.til
2003-03-21 17:09 31,625 ----a-w c:\program files\FBM_02b.bms
.
((((((((((((((((((((((((((((( snapshot@2008-11-09_10.03.26.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\11-10-2008\ERDNT.EXE
+ 2008-11-11 03:55:42 7,118,848 ----a-w c:\windows\ERDNT\11-10-2008\Users\00000001\ntuser.dat
+ 2008-11-11 03:55:42 184,320 ----a-w c:\windows\ERDNT\11-10-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\11-17-2008\ERDNT.EXE
+ 2008-11-18 02:20:50 7,118,848 ----a-w c:\windows\ERDNT\11-17-2008\Users\00000001\ntuser.dat
+ 2008-11-18 02:20:50 184,320 ----a-w c:\windows\ERDNT\11-17-2008\Users\00000002\UsrClass.dat
+ 2008-11-14 23:14:13 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 05:13:02 811,008 ----a-w c:\windows\gmer.exe
- 2008-11-09 17:44:14 233,472 ----a-w c:\windows\system32\config\systemprofile\ntuser.dat
+ 2008-11-19 07:13:17 233,472 ----a-w c:\windows\system32\config\systemprofile\ntuser.dat
+ 2008-11-14 23:14:13 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 401491]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-18 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneTouch Monitor"="c:\progra~1\VISION~1\ONETOU~2.EXE" [2001-10-16 86016]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-10-22 86016]
"nForce Tray Options"="sstray.exe" [2002-11-12 c:\windows\system32\sstray.exe]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-12 45056]
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2007-12-25 28672]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-06-09 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\system32\ctmp3.acm
"MSACM.CEGSM"= mobilev.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Dennis\\Local Settings\\Application Data\\Abacast\\Abaclient.exe"=
"c:\\Documents and Settings\\Dennis\\Local Settings\\Application Data\\Abacast\\Abaclient2.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\System32\DRIVERS\si3112r.sys [2003-05-08 102400]
S2 wscsvc Service for CDROM Access;Security Center wscsvc Service for CDROM Access;ð%€|x srv []
.
Contents of the 'Scheduled Tasks' folder
2008-11-19 c:\windows\Tasks\User_Feed_Synchronization-{41111FB6-E87B-4712-9635-90034B0CC9F3}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 23:18:55
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wscsvc Service for CDROM Access]
"ImagePath"="ð%€|x\01\09 srv"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\WgaTray.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-11-18 23:28:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-19 07:27:56
ComboFix2.txt 2008-11-11 03:48:42
ComboFix3.txt 2008-11-09 18:04:04
Pre-Run: 59,305,562,112 bytes free
Post-Run: 59,285,487,616 bytes free
464 --- E O F --- 2008-09-27 04:11:43
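The Drivers/Services section of the ComboFix log above is the telling part: every bogus entry it removed is a concatenation of real service names (TrkWks + ALG, wuauserv + Eventlog + ImapiService + gusvc, and so on). The script below, added here as an example and not code from the thread or from ComboFix, reads such Service_ lines and tries to split each name into known service names; the allowlist is an assumed small subset of XP and third-party names from this log, and the sample lines are copied from the log plus one constructed control entry.

```python
"""Flag Windows service names that are concatenations of legitimate names.

Added example for this thread (not ComboFix's own code).  A name that can
only be explained as two or more known service names glued together is
reported as 'concatenated'; a name equal to one known service is 'known';
anything else is 'unknown' and needs a manual look.
"""
import re

# Assumption: a small allowlist is enough for the demonstration.  On a real
# case, build it from `sc query` on a known-clean machine of the same build.
WINDOWS_XP_SERVICES = {
    "Alerter", "ALG", "AppMgmt", "aspnet_state", "AudioSrv", "BITS", "Browser",
    "CiSvc", "ClipSrv", "COMSysApp", "DcomLaunch", "Dhcp", "dmadmin", "Dnscache",
    "Eventlog", "EventSystem", "FastUserSwitchingCompatibility", "HidServ",
    "ImapiService", "lanmanserver", "LmHosts", "Messenger", "MSDTC", "MSIServer",
    "NetDDE", "NetDDEdsdm", "Netman", "Nla", "NtLmSsp", "NtmsSvc", "PlugPlay",
    "PolicyAgent", "RasAuto", "RasMan", "RDSessMgr", "RemoteAccess", "RpcLocator",
    "RpcSs", "RSVP", "SamSs", "SCardSvr", "seclogon", "SENS", "SharedAccess",
    "ShellHWDetection", "Spooler", "SSDPSRV", "stisvc", "SwPrv", "SysmonLog",
    "TermService", "Themes", "TrkWks", "UPS", "W32Time", "WebClient", "winmgmt",
    "WmdmPmSN", "WmiApSrv", "WMPNetworkSvc", "wscsvc", "wuauserv", "WZCSVC",
}
# Third-party service names that also show up inside the glued names above.
THIRD_PARTY_SERVICES = {
    "gusvc", "NVSvc", "IDriverT", "hkmsvc", "clr_optimization_v2.0.50727_32",
}
VOCAB = WINDOWS_XP_SERVICES | THIRD_PARTY_SERVICES

# Matches ComboFix deletion lines such as "-------\Service_TrkWksALG".
SERVICE_LINE = re.compile(r"^-+\\Service_(.+?)\s*$")


def decompose(name, vocab=VOCAB):
    """Split `name` into known service names (case-insensitive), using the
    fewest parts possible.  Returns the parts with their original case, or
    None when no split into known names exists."""
    lowered = {v.lower() for v in vocab}
    target = name.lower()
    n = len(target)
    best = [None] * (n + 1)      # best[i]: fewest-parts split of target[:i]
    best[0] = []
    for i in range(1, n + 1):
        for j in range(i):
            if best[j] is not None and target[j:i] in lowered:
                candidate = best[j] + [name[j:i]]
                if best[i] is None or len(candidate) < len(best[i]):
                    best[i] = candidate
    return best[n]


def classify(name, vocab=VOCAB):
    """Return (verdict, parts): 'known', 'concatenated' or 'unknown'."""
    parts = decompose(name, vocab)
    if parts is None:
        return "unknown", None
    if len(parts) == 1:
        return "known", parts
    return "concatenated", parts


def scan_combofix_services(log_text, vocab=VOCAB):
    """Classify every Service_ line of a ComboFix Drivers/Services section.
    Returns a list of (name, verdict, parts) in log order."""
    results = []
    for line in log_text.splitlines():
        match = SERVICE_LINE.match(line)
        if match:
            name = match.group(1)
            verdict, parts = classify(name, vocab)
            results.append((name, verdict, parts))
    return results


# Sample input: the first five lines are copied from the log in this thread;
# the last one is constructed to show a genuine service is not flagged.
SAMPLE_LOG = """\
-------\\Service_AlerterRpcSs
-------\\Service_TrkWksALG
-------\\Service_wuauservEventlogImapiServicegusvc
-------\\Service_NVSvcRemoteAccessDhcpNetman
-------\\Service_ShellHWDetection Service for CDROM Access
-------\\Service_wuauserv
"""

if __name__ == "__main__":
    for name, verdict, parts in scan_combofix_services(SAMPLE_LOG):
        detail = " + ".join(parts) if parts else "no split into known names"
        print(f"{verdict:12} {name:48} {detail}")
```

Names the allowlist cannot explain at all (here the one with "Service for CDROM Access" appended) are the ones to inspect by hand, since the log shows that entry carrying a garbage ImagePath.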
Fatboy_97
2008-11-19, 09:34
And the new HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:28 PM, on 11/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--584a3e87-b556-4d06-99f4-d3fef0181acd/online/Diner_Dash_3/en/ddfotg.1.0.0.37.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--b256506b-ac80-48e4-a440-84eccfa8b5f5/online/diner_dash/en/DinerDash.1.0.0.80.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Security Center wscsvc Service for CDROM Access (wscsvc Service for CDROM Access) - Unknown owner - C:\WINDOWS\
--
End of file - 7574 bytes
Fatboy_97
2008-11-19, 09:54
Restoring of the support.com files seemed to go well. Let's keep our fingers crossed. :)
Going well indeed.
That was I think 83 rogue services we nuked. :eek:
I don't wanna jinx it but I think we're on the road to recovery :)
I missed a service.
Click start> run> type cmd and hit enter.
Copy the following line:
sc delete "wscsvc Service for CDROM Access"
Right click in the open cmd window & hit "paste"
Hit enter.
Should get success message.
Exit the cmd window & reboot.
Make an ERUNT backup when done.
Post fresh hijackthis log please.
How is the system running now?
Let's do an online scan too please.
This one doesn't fix -- it only reports.
Whatever it finds we'll deal with.
If you already have used Kaspersky online scanner, please uninstall it via add/remove programs because this is a new version I need you to download.
Please do a scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.
Graphics tutorial available here if needed:
http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif
Logs I need:
New HJT log
KAV log
report on how system is performing.
Thanks :)
Fatboy_97
2008-11-21, 18:15
Sorry about the delay. :red:
In response to your questions the system seems to be running fine; it just takes forever to load. The "Windows is starting up" screen stays on for at least one and a half minutes. It also takes that long or longer to load Add or Remove Programs in Control Panel. And when trying to access the Windows Firewall in Control Panel I get the message "Due to an unidentified problem, Windows cannot display Windows Firewall Settings".
The delay in posting has to do with me following your directions; I did the cmd CD access thing; worked great. I made an ERUNT backup OK. I also made an HJT log. Then I started the Kaspersky scan and it was going just fine till I moved the cursor to the wrong window while surfing & shut it off. :oops:
Anyway I'll start again now. Here's the HJT log for a start; I'll post the KAW log when it finishes.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:49 AM, on 11/21/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--584a3e87-b556-4d06-99f4-d3fef0181acd/online/Diner_Dash_3/en/ddfotg.1.0.0.37.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--b256506b-ac80-48e4-a440-84eccfa8b5f5/online/diner_dash/en/DinerDash.1.0.0.80.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 6955 bytes
Fatboy_97
2008-11-21, 20:46
I hope this is the KAW scan:
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, November 21, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 1 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 21, 2008 12:18:28
Records in database: 1399297
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
Scan statistics
Files scanned 93279
Threat name 8
Infected objects 17
Suspicious objects 0
Duration of the scan 02:08:39
File name Threat name Threats count
C:\Documents and Settings\Dennis\DoctorWeb\Quarantine\107cd1bb-1e50329c Infected: Trojan-Downloader.Java.OpenConnection.ao 1
C:\Documents and Settings\Dennis\DoctorWeb\Quarantine\107cd1bb-1e50329c Infected: Trojan.Java.ClassLoader.au 1
C:\Documents and Settings\Dennis\DoctorWeb\Quarantine\107cd1bb-1e50329c Infected: Trojan-Downloader.Java.Agent.a 1
C:\Program Files\downloads\radmin22\RADMIN22.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 3
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\109.exe.vir Infected: Trojan.Win32.Obfuscated.gx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\312.exe.vir Infected: Trojan.Win32.Obfuscated.gx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\453.exe.vir Infected: Trojan.Win32.Obfuscated.gx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\703.exe.vir Infected: Trojan.Win32.Obfuscated.gx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\734.exe.vir Infected: Trojan.Win32.Obfuscated.gx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\765.exe.vir Infected: Trojan.Win32.Obfuscated.gx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\921.exe.vir Infected: Trojan.Win32.Obfuscated.gx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\953.exe.vir Infected: Trojan.Win32.Obfuscated.gx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_Windi26_.sys.zip Infected: Trojan-Downloader.Win32.Mutant.aim 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_brastk_.exe.zip Infected: Trojan-Downloader.Win32.Agent.amoo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir Infected: Trojan-Downloader.Win32.Obfuscated.dro 1
The selected area was scanned.
Thanks for the logs.
That was indeed the KAV log. :)
Looks like everything it detected is contained in quarantine.
We'll clean those up last. They are not a threat to you at the moment.
Only one file I question..
C:\Program Files\downloads\radmin22\RADMIN22.EXE
If you downloaded it on purpose -- fine. It is legit but can be used maliciously if not careful. (like any remote access app)
If you have no idea why it is there then you can delete the "radmin22" folder.
I think we can try installing Service Pack 2.
This should also restore firewall & security center and so on.
If that all goes well .. see about getting your antivirus re-installed.
We've made it this far -- I hate to see you get nabbed now!
Don't re-enable TeaTimer yet tho.
Post new Hijackthis log when done please.
Let me know how it is running.
Check that the windows firewall is running. SP2 access is a bit different.
Open control panel> d. click firewall icon> green = on.
Let me know if it is still slow on starting, etc.
Thanks :)
Fatboy_97
2008-11-23, 00:17
Deleted radmin22 file OK and installed SP2 up to the point of restarting. Now it seems the computer is not continuing to load & locking on a screen that shows a graphic for my motherboard; Asus A7N8X. At the bottom of the screen it says:
Press [Tab] to show POST screen; press [Alt]+[F2] to enter AWDFlash utility
This screen started to show up when the other problems showed up, but usually just comes on for awhile, then proceeds to the next screen & continues to load. It froze on this screen today before I loaded SP2, but I was able to just hit the "small" restart button on the front of the pc & it continued to load. As of right now I can't get past this screen. :mad:
Fatboy_97
2008-11-23, 18:59
So this morning I turn on the "big" computer & it loads to the mobo? screen & then right to the next screen and locks again. This is the screen that shows the main processor, memory testing, and access to the BIOS by pressing DEL. It also shows something new:
Trend ChipAwayVirus(R) On Guard Ver 1.65
What the heck is going on now? :sad:
Fatboy_97
2008-11-23, 21:20
Well, got it fired up; found out about the ChipAwayVirus(R) thing being a really old BIOS protection thing; still don't know what the ASUS splash page is all about? At any rate I got SpyBot SD reinstalled & ran it. It found 4 entries: 3 Cassova trojans & 1 Right Media browser & removed them. I also started up the Windows Firewall, but did not turn on automatic updates. Here's a new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:40 AM, on 11/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--584a3e87-b556-4d06-99f4-d3fef0181acd/online/Diner_Dash_3/en/ddfotg.1.0.0.37.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--b256506b-ac80-48e4-a440-84eccfa8b5f5/online/diner_dash/en/DinerDash.1.0.0.80.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 7011 bytes
I'll continue to surf & do some reboots then post again with results. Thanks again for your time & patience. :)
Hi,
I can't see SP2 doing anything with the BIOS... odd.
You have an ASUS motherboard which explains the splash screen you are seeing.
Sounds like the settings in BIOS were changed a bit to show the mobo splash screen & the old AV protection. (it's just BIOS protection btw)
Both these can be toggled on/off within the bios setup utility.
You can also toggle off the show POST info.
Be real careful what you change in BIOS when in there. Can screw up a lot. :p:
Make darn sure you write down any changes you make so you can go back & undo changes if you mess it up.
Let's get an antivirus installed before you get hit again.
Avast or Avira sound like good choices to me if you want free.
Avast:
http://www.avast.com/eng/avast_4_home.html
Avira:
http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
Install one of the above> update it> register it> run system scan & let it fix what it wants.
Let me know how system is after this.
Post new Hijackthis log too please.
Thanks :)
Fatboy_97
2008-11-25, 07:49
Installed the avast! scanner. System seems to be working well. Here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:37 PM, on 11/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Hardware\Mouse\POINT32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--584a3e87-b556-4d06-99f4-d3fef0181acd/online/Diner_Dash_3/en/ddfotg.1.0.0.37.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--b256506b-ac80-48e4-a440-84eccfa8b5f5/online/diner_dash/en/DinerDash.1.0.0.80.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 7828 bytes
Good to hear things are working well.
Start Hijackthis
Run system scan only & check the following: (none are bad -- just housecleaning leftovers)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
If you no longer have Spyware Doctor you can fix this one too:
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
Close all open windows except Hijackthis & hit "fix checked" then OK.
Exit HIjackthis & reboot.
Go ahead with the remaining windows updates except SP3 for now. (choose "custom" to get past the SP3 prompt)
IE7 and the other critical updates should be fine to go get. Likely several visits/reboots before you get them all.
Post new HJT log & let me know if its still running good.
Thanks :)
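The "housecleaning leftovers" the helper picks out above are entries whose target no longer exists: BHOs and toolbars marked "(no file)" or "(file missing)" and a Registry value that is empty. As an added example (not part of the thread, and not a HijackThis feature), here is a small Python triage pass over lines in the HijackThis v2 log format. The sample lines are a constructed subset shaped like entries from the logs posted here; the rules (orphaned entries, empty R0/R1 values, O4 Run values that name a bare executable with no drive path, O16 ActiveX downloads by host, and O23 services with "Unknown owner") are the reviewer's own choice of what to look at first, not a verdict on whether an entry is malicious.

```python
import re

# Constructed sample in HijackThis v2 log format (a subset, not the full log).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\\Program Files\\MSN Apps\\MSN Toolbar\\01.02.3000.1001\\en-us\\msntb.dll (file missing)
O4 - HKLM\\..\\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""

# An entry line starts with a section tag (R0, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_entries(text):
    """Yield (section, body) for each HijackThis entry line; skip headers and process lists."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def triage(text):
    """Return a list of (section, reason, body) for entries that merit a closer look."""
    findings = []
    for sec, body in parse_entries(text):
        if "(no file)" in body or "(file missing)" in body:
            # The registered component is gone; the entry is a leftover.
            findings.append((sec, "orphaned", body))
        elif sec in ("R0", "R1") and body.endswith("="):
            # Browser setting with an empty value (e.g. "Local Page =").
            findings.append((sec, "empty-value", body))
        elif sec == "O4":
            # Run value after the "[name]" tag. A bare executable name is resolved
            # through the search path at logon, so confirm which file actually runs.
            cmd = body.split("] ", 1)[-1].strip().strip('"')
            exe = cmd.split()[0] if cmd else ""
            if exe and not DRIVE_PATH_RE.match(exe):
                findings.append((sec, "unqualified-path", body))
        elif sec == "O16":
            # Downloaded ActiveX control: record the host it came from for review.
            url = body.rsplit(" - ", 1)[-1]
            host = re.sub(r"^https?://", "", url).split("/", 1)[0]
            findings.append((sec, "activex:" + host, body))
        elif sec == "O23" and "Unknown owner" in body:
            # Service binary carries no company name in its version info.
            findings.append((sec, "unknown-owner", body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE_LOG):
        print(f"{sec:<4} {reason:<32} {body}")
```

Nothing here decides what to "fix"; it only narrows a long log to the lines a human should read first, which is the same thing the helper did by hand above.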
Fatboy_97
2008-11-27, 07:55
Ok, did all the HJT checklist things; seemed to go well. As you pointed out it took quite a while to get all the Windows updates including IE7, but not SP3. All seems to be running quite well! Thanks so much for all your help! :)
Here's the latest HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:21 PM, on 11/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Hardware\Mouse\POINT32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--584a3e87-b556-4d06-99f4-d3fef0181acd/online/Diner_Dash_3/en/ddfotg.1.0.0.37.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--b256506b-ac80-48e4-a440-84eccfa8b5f5/online/diner_dash/en/DinerDash.1.0.0.80.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 7464 bytes
Good to hear it is going well :)
Wanna try SP3? I think its safe to try it.
Make a restore point> reboot then try SP3. (SP3 will make its own restore point but I want our own first lol)
When I installed it -- windows had to repair something in Office & my MSN.
Was Ok after that.
You should also update your Acrobat reader as well. (uninstall old version first)
Some people have trouble with Java 6 update 10.
I suggest installing the Java update & if it is working OK then uninstall Java 6 update 7.
If Java screws up -- then uninstall update 10 & leave 7.
Java install:
http://www.java.com/getjava/
Acrobat:
http://www.adobe.com/products/acrobat/readstep2.html
If you don't want toolbars offered by these products -- uncheck em before install.
Let me know how updates go & how SP3 went.
:)
Fatboy_97
2008-11-28, 21:53
SP3, Java, & Adobe installs went well; haven't tested the Java to know if it's gonna work well or not, but did save the old version just in case. The only problem (and it's a minor one) is that the mouse settings seem to need to be refreshed every time I log on. Some buttons don't function like they're supposed to. Still workin' on that. Other than that it seems to be working very well, thank you. :)
Hi,
Good to hear things went well.
May want to check manufacturer of the mouse to check for driver/software updates.
Let me know in a couple days if everything is still OK & we'll clean up our battle tools. :bigthumb:
How is it going Fatboy_97. :)
Fatboy_97
2008-12-05, 19:07
All seems to be going quite well, aside from some peripheral issues like the mouse drivers & such. Thanks for asking. :)
Hi,
See if you can uninstall the mouse & let windows re-install it at boot.
Right click "my computer" then "properties"
Click "hardware" tab.
Click "device manager"
Expand "mouse & other pointing devices"
Right click the entry for your mouse & choose "uninstall"
OK the prompt & reboot.
Windows should see the "new" device & re-install it.
If still running TeaTimer you will need to allow! (tell TT to remember)
Let me know if that helps.
Thanks :)
Fatboy_97
2008-12-06, 20:35
Thanks for checking up. :) I had already done the uninstall/install thing to the mouse & it's drivers to no avail.
On an unrelated issue, during boot up the screen has the option of starting in Windows Recovery Console or Windows XP Home & still shows the Trend ChipAwayVirus(R) On Guard. Also, after booting up & signing on it had a notice in the toolbar saying that the Windows Firewall wasn't turned on. I opened the control panel/windows firewall & it showed that it was in fact on. Also showing "new version of Avast!" is available for download; do you want to download now?
No major problems; just little annoyances. :red:
Hi,
I recommend you keep the recovery console installed.
ComboFix is what installed it and it only adds 2 seconds to your boot time.
If you want it gone -- let me know & we'll remove it.
If you want to disable the BIOS virus guard you can do so in the BIOS setup utility. Normally there are onscreen instructions at boot telling you what key to hit to get into "setup".
Once in BIOS there should be onscreen instructions how to move around in there.
Looking for Virus protection -- can toggle on or off.
Save changes & exit.
For the Avast -- there likely is a new software version. Go ahead & download it. That should stop that annoyance.
Firewall warnings...
Click start> run> type cmd and hit enter.
In the cmd window type the following commands exactly as you see them, giving each one time to finish:
net stop winmgmt
cd /d %windir%\system32\wbem
ren repository repository.old
net start winmgmt
exit
Reboot.
Let me know if you still get security center alerts.
---------------
Mouse...
Open Device manager. Any yellow ? or ! present?
To get to device manager...
Right click "my computer" then hit "properties"
Click "hardware" tab then "device manager"
In the mean-time leme go back & look to see if we busted something with the mouse along the way or if it too was victim of ThreatFire/TeaTimer wars.
Thanks :)
You still have the install CD for your motherboard?
hmmmm
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POINTER"="point32.exe"
Open Notepad & copy the above text inside the code box to it.
Click "file" menu then "save as.."
Save as file name fix.reg as file types: all files and save it to the desktop.
Right click it> choose merge then answer yes to the prompt.
Should get success message.
If asked by security programs about the change please allow & tell the app to remember decision.
Reboot> let me know if mouse works right.
Thanks :)
Fatboy_97
2008-12-08, 04:47
Thank you again! :)
The mouse is working fine again & only had the "firewall" issue one time, but did your fix anyway.
Leaving the Recovery Console in & the BIOS guard too.
HI,
Good to hear that worked well.
Keep in mind that if you ever update your BIOS (not something to do unless really needed & you know what you are doing) you will need to disable the BIOS virus guard otherwise the flash might not work properly. (flash utility likely will tell you this anyway)
Let's clean up our battle field now.
Please download OTCleanIT from HERE (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) to your desktop.
Double click to run it. It will clean up the assortment of tools used during malware removal. When it has finished, it will ask you to reboot in order to remove itself.
Once restarted, go ahead & make yourself a fresh ERUNT backup then you can clean out the old backups we made as we worked from here:
C:\Windows\ERDNT
Keep today's & empty the rest.
I recommend keeping ERUNT as it can be a very handy tool to get one out of trouble provided regular backups are made and a backup is made before doing anything "serious" to the system.
I let mine make backup every boot and there have been a couple times I was glad I had it & saved me a OS re-install.
After a few reboots and checking to see that all is well; it is highly recommended to reset your system restore to remove any possible backed up infected files there.
Right click "my computer"
Click "properties"
Click "system restore" tab
Checkmark "turn off system restore"
Hit apply> ok> ok.
Reboot
Go back and turn system restore back on by removing the check, hit apply, and OK.
A new restore point is created at this time.
here is some great information to help you stay clean and safe online:
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
If you want to help speed up your system Miekiemoes has some great information here:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Take care & surf safe!
Blender
Fatboy_97
2008-12-10, 10:10
Blender, I know it might be getting a little bit overused here but once again:
THANK YOU for all you have done & for your patience. It's been a very pleasant learning experience & I have thoroughly enjoyed it. (even the very frustrating times when I nOOb'd stuff up. LOL) :red: I'll check back once in awhile & give a progress report.
Here's hoping you have a very happy holiday season & thanks again. :santa:
Dennis.
You're very welcome.
Glad we could help.
It was a bit of a rough trip but hey, We made it. :eek:
Always a good thing when one can learn something good from a bad experience.
Happy Holidays to you & yours as well. :present:
Surf safely!
I'll move topic now to archives. If any new issues please start a new thread.
Thanks,
Tammy