Virtumonde, Smitfraud, Win32.Agent.amwr

[peku006]

Hi AgentPaper

If TeaTimer restores some entries, it doesn't mean that you get reinfected.
TeaTimer takes snapshots and restores things depending on user choice.

1. Right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
2. Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
3. Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
4. Click on Mode > Advanced Mode. When it prompts you, click Yes.
5. On the left hand side, click on Tools.
6. Check (tick) this box if it is not yet ticked: Resident.
7. You will notice that Resident is now added under Tools. Click on Resident.
8. Uncheck (untick) this box: Resident "TeaTimer" (Protection of over-all system settings) active.
9. Exit Spybot Search & Destroy.

Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat

Double click ResetTeaTimer.bat to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).

After that, Reboot

After that enable TeaTimer and let me know if spybot still finds something.

 

[AgentPaper]

Ah, still hope then. Unfortunately the link is just directing me to a page with text that seems to be the program, and not a program itself. Am I supposed to copy it into a .txt file and change the filetype to .exe? Or is the link broken?

 

[peku006]

Hi AgentPaper

http://downloads.subratam.org/ResetTeaTimer.bat

Copy the entire content of the page, open Notepad and paste the content in it,
save this as ResetTeatimer.bat Choose to save as "all files" and place it on your Desktop.
It should look like this:

Double click ResetTeaTimer.bat to remove all entries set by TeaTimer..

 

[AgentPaper]

Disabled, ran the program, restarted, and scanned:

Hint of the Day: Click the bar at the right of this to see more information! ()


Virtumonde.sci: [SBI $1BB1339D] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Win32.Agent.amwr: [SBI $539521BE] Autorun settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1414292645-561725439-1143596541-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom


--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-12-07 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2008-11-04 Includes\Adware.sbi (*)
2008-12-29 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2009-01-06 Includes\Dialer.sbi (*)
2009-01-06 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2009-01-05 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2008-12-22 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2009-01-06 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2009-01-06 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-12-29 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-12-10 Includes\Spyware.sbi (*)
2009-01-06 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2009-01-05 Includes\Trojans.sbi (*)
2009-01-06 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


My only hope is that this is a false positive...not much hope. :banghead:

 

[peku006]

Hi AgentPaper
Let us take a deeper look.

Please download OTScanIt2 from Geeks to Go or Bleeping Computer. Save it to your desktop.

1. Double click on OTScanIt2.exe to run it.
2. Click on Extract. Once done, you will be prompted. Click OK and click Close.
3. Double click on the OTScanIt2 folder. Double click on OTScanIt2.exe to run it.
4. Under Rookit Search, select Yes.
5. Click on Run Scan at the top left hand corner.
6. When done, Notepad will open. Please post this log in your next reply.

Thanks peku006

 

[AgentPaper]

Should mention that Avast! warned me of a trojan twice during the scan, and both times I selected the "move to chest" option. Not sure if this was a false positive on the OTScanIt2 scan, but it seemed prudent at least. The scan didn't seem like it was affected, at any rate:

OTScanIt2 logfile created on: 1/14/2009 6:46:23 AM - Run 1
OTScanIt2 by OldTimer - Version 1.0.6.2     Folder = C:\Documents and Settings\Bryan Johnson\Desktop\OTScanIt2
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 1.39 Gb Available Physical Memory | 69.74% Memory free
3.85 Gb Paging File | 3.32 Gb Available in Paging File | 86.39% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 186.31 Gb Total Space | 18.05 Gb Free Space | 9.69% Space Free | Partition Type: NTFS
Drive D: | 656.89 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 623.86 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
I: Drive not present or media not loaded
 
Computer Name: ALIENLAPTOP
Current User Name: Bryan Johnson
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days
 
[Processes - Safe List]
agrsmmsg.exe -> %SystemRoot%\AGRSMMSG.exe -> [2006/06/29 13:32:00 | 00,089,541 | ---- | M] (Agere Systems)
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> [2008/11/26 10:18:51 | 00,081,000 | ---- | M] (ALWIL Software)
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> [2008/11/26 10:18:32 | 00,254,040 | ---- | M] (ALWIL Software)
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> [2008/11/26 10:18:46 | 00,155,160 | ---- | M] (ALWIL Software)
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> [2008/11/26 10:16:23 | 00,352,920 | ---- | M] (ALWIL Software)
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> [2008/11/26 10:12:08 | 00,018,752 | ---- | M] (ALWIL Software)
bisontrayicon.exe -> %SystemRoot%\BisonCam\BisonTrayIcon.exe -> [2005/10/06 18:49:50 | 00,040,960 | ---- | M] ()
btwdins.exe -> %ProgramFiles%\WIDCOMM\Bluetooth Software\bin\btwdins.exe -> [2006/12/11 16:25:24 | 00,266,295 | ---- | M] (Broadcom Corporation.)
dot1xcfg.exe -> %ProgramFiles%\Intel\Wireless\Bin\Dot1XCfg.exe -> [2007/02/21 08:13:26 | 00,487,424 | ---- | M] (Intel Corporation)
evteng.exe -> %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe -> [2007/02/21 08:28:36 | 00,643,072 | ---- | M] (Intel Corporation)
firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe -> [2008/12/18 22:57:52 | 00,307,704 | ---- | M] (Mozilla Corporation)
googleupdaterservice.exe -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> [2008/12/06 19:55:24 | 00,168,432 | ---- | M] (Google)
ifrmewrk.exe -> %ProgramFiles%\Intel\Wireless\Bin\iFrmewrk.exe -> [2007/02/21 08:17:42 | 00,970,752 | ---- | M] (Intel Corporation)
ifrmewrk.exe -> %ProgramFiles%\Intel\Wireless\Bin\iFrmewrk.exe -> [2007/02/21 08:17:42 | 00,970,752 | ---- | M] (Intel Corporation)
jqs.exe -> %ProgramFiles%\Java\jre6\bin\jqs.exe -> [2009/01/12 07:57:40 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.)
jusched.exe -> %ProgramFiles%\Java\jre6\bin\jusched.exe -> [2009/01/12 07:57:40 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.)
nvsvc32.exe -> %SystemRoot%\system32\nvsvc32.exe -> [2008/07/02 21:33:00 | 00,159,812 | ---- | M] (NVIDIA Corporation)
otscanit2.exe -> %UserProfile%\Desktop\OTScanIt2\OTScanIt2.exe -> [2009/01/09 09:03:22 | 00,485,376 | ---- | M] (OldTimer Tools)
pctstray.exe -> %ProgramFiles%\Spyware Doctor\pctsTray.exe -> [2008/12/07 04:43:58 | 01,168,264 | ---- | M] (PC Tools)
pnkbstra.exe -> %SystemRoot%\system32\PnkBstrA.exe -> [2008/08/11 06:10:34 | 00,066,872 | ---- | M] ()
regsrvc.exe -> %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe -> [2007/02/21 08:10:00 | 00,327,680 | ---- | M] (Intel Corporation)
richvideo.exe -> %ProgramFiles%\CyberLink\Shared Files\RichVideo.exe -> [2007/01/20 05:22:05 | 00,167,936 | ---- | M] ()
rthdcpl.exe -> %SystemRoot%\RTHDCPL.exe -> [2007/01/30 18:54:36 | 16,116,224 | R--- | M] (Realtek Semiconductor Corp.)
rundll32.exe -> %SystemRoot%\system32\rundll32.exe -> [2008/04/13 17:12:33 | 00,033,280 | ---- | M] (Microsoft Corporation)
rundll32.exe -> %SystemRoot%\system32\rundll32.exe -> [2008/04/13 17:12:33 | 00,033,280 | ---- | M] (Microsoft Corporation)
s24evmon.exe -> %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe -> [2007/02/21 08:16:48 | 00,983,040 | ---- | M] (Intel Corporation )
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> [2006/08/11 18:56:38 | 00,794,714 | ---- | M] (Synaptics, Inc.)
teatimer.exe -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe -> [2008/09/16 12:16:08 | 01,833,296 | RHS- | M] (Safer Networking Limited)
zcfgsvc.exe -> %ProgramFiles%\Intel\Wireless\Bin\ZCfgSvc.exe -> [2007/02/21 08:19:58 | 00,819,200 | ---- | M] (Intel Corporation)
 
[Win32 Services - Safe List]
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -> [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation)
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> [2008/11/26 10:12:08 | 00,018,752 | ---- | M] (ALWIL Software)
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> [2008/11/26 10:18:46 | 00,155,160 | ---- | M] (ALWIL Software)
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> [2008/11/26 10:18:32 | 00,254,040 | ---- | M] (ALWIL Software)
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> [2008/11/26 10:16:23 | 00,352,920 | ---- | M] (ALWIL Software)
(btwdins) Bluetooth Service [Win32_Own | Auto | Running] -> %ProgramFiles%\WIDCOMM\Bluetooth Software\bin\btwdins.exe -> [2006/12/11 16:25:24 | 00,266,295 | ---- | M] (Broadcom Corporation.)
(clr_optimization_v2.0.50727_32) .NET Runtime Optimization Service v2.0.50727_X86 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -> [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation)
(EvtEng) Intel(R) PROSet/Wireless Event Log [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe -> [2007/02/21 08:28:36 | 00,643,072 | ---- | M] (Intel Corporation)
(FAH@C:+Documents and Settings+Bryan Johnson+Desktop+FAH504-Console.exe) FAH@C:+Documents and Settings+Bryan Johnson+Desktop+FAH504-Console.exe [Win32_Own | Auto | Stopped] ->  -> File not found
(FLEXnet Licensing Service) FLEXnet Licensing Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -> [2008/05/24 13:34:28 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.)
(FontCache3.0.0.0) Windows Presentation Foundation Font Cache 3.0.0.0 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -> [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation)
(gusvc) Google Updater Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> [2008/12/06 19:55:24 | 00,168,432 | ---- | M] (Google)
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\1150\Intel 32\IDriverT.exe -> [2005/11/14 00:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation)
(idsvc) Windows CardSpace [Win32_Shared | Unknown | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -> [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation)
(JavaQuickStarterService) Java Quick Starter [Win32_Own | Auto | Running] -> %ProgramFiles%\Java\jre6\bin\jqs.exe -> [2009/01/12 07:57:40 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.)
(NBService) NBService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBService.exe -> [2006/11/10 16:18:02 | 00,774,144 | ---- | M] (Nero AG)
(NetTcpPortSharing) Net.Tcp Port Sharing Service [Win32_Shared | Disabled | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -> [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation)
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\nvsvc32.exe -> [2008/07/02 21:33:00 | 00,159,812 | ---- | M] (NVIDIA Corporation)
(odserv) Microsoft Office Diagnostics Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Microsoft Shared\OFFICE12\ODSERV.EXE -> [2007/08/24 02:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation)
(ose) Office Source Engine [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Microsoft Shared\Source Engine\OSE.EXE -> [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation)
(PnkBstrA) PnkBstrA [Win32_Own | Auto | Running] -> %SystemRoot%\system32\PnkBstrA.exe -> [2008/08/11 06:10:34 | 00,066,872 | ---- | M] ()
(RegSrvc) Intel(R) PROSet/Wireless Registry Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe -> [2007/02/21 08:10:00 | 00,327,680 | ---- | M] (Intel Corporation)
(RichVideo) Cyberlink RichVideo Service(CRVS) [Win32_Own | Auto | Running] -> %ProgramFiles%\CyberLink\Shared Files\RichVideo.exe -> [2007/01/20 05:22:05 | 00,167,936 | ---- | M] ()
(S24EventMonitor) Intel(R) PROSet/Wireless Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe -> [2007/02/21 08:16:48 | 00,983,040 | ---- | M] (Intel Corporation )
(sdAuxService) PC Tools Auxiliary Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Spyware Doctor\pctsAuxs.exe -> [2008/06/13 15:29:14 | 00,356,920 | ---- | M] (PC Tools)
(sdCoreService) PC Tools Security Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Spyware Doctor\pctsSvc.exe -> [2008/12/07 04:43:40 | 01,079,176 | ---- | M] (PC Tools)
(WMPNetworkSvc) Windows Media Player Network Sharing Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Windows Media Player\wmpnetwk.exe -> [2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation)
 
[Driver Services - Safe List]
(Aavmker4) avast! Asynchronous Virus Monitor [Kernel | System | Running] -> %SystemRoot%\system32\drivers\aavmker4.sys -> [2008/11/26 10:15:35 | 00,026,944 | ---- | M] (ALWIL Software)
(AegisP) AEGIS Protocol (IEEE 802.1x) v3.6.0.0 [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\AegisP.sys -> [2008/03/10 07:57:55 | 00,021,425 | ---- | M] (Meetinghouse Data Communications)
(AgereSoftModem) Agere Systems Soft Modem [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\AGRSM.sys -> [2006/06/29 13:13:00 | 01,160,320 | ---- | M] (Agere Systems)
(aswFsBlk) aswFsBlk [File_System | Auto | Running] -> %SystemRoot%\system32\drivers\aswFsBlk.sys -> [2008/11/26 10:17:25 | 00,020,560 | ---- | M] (ALWIL Software)
(aswMon2) avast! Standard Shield Support [File_System | Auto | Running] -> %SystemRoot%\system32\drivers\aswmon2.sys -> [2008/11/26 10:18:18 | 00,094,032 | ---- | M] (ALWIL Software)
(aswRdr) aswRdr [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\aswRdr.sys -> [2008/11/26 10:16:29 | 00,023,152 | ---- | M] (ALWIL Software)
(aswSP) avast! Self Protection [Kernel | System | Running] -> %SystemRoot%\system32\drivers\aswSP.sys -> [2008/11/26 10:17:36 | 00,111,184 | ---- | M] (ALWIL Software)
(aswTdi) avast! Network Shield Support [Kernel | System | Running] -> %SystemRoot%\system32\drivers\aswTdi.sys -> [2008/11/26 10:16:38 | 00,050,864 | ---- | M] (ALWIL Software)
(btaudio) Bluetooth Audio Device [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\btaudio.sys -> [2006/10/15 11:02:18 | 00,329,901 | ---- | M] (Broadcom Corporation.)
(BTDriver) Bluetooth Virtual Communications Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\btport.sys -> [2006/10/09 19:00:24 | 00,030,459 | ---- | M] (Broadcom Corporation.)
(BTKRNL) Bluetooth Bus Enumerator [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\btkrnl.sys -> [2006/11/28 11:50:16 | 00,863,402 | ---- | M] (Broadcom Corporation.)
(BTWDNDIS) Bluetooth LAN Access Server [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\btwdndis.sys -> [2006/10/15 11:01:54 | 00,149,123 | ---- | M] (Broadcom Corporation.)
(btwhid) btwhid [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\btwhid.sys -> [2006/11/28 11:48:10 | 00,047,907 | ---- | M] (Broadcom Corporation.)
(BTWUSB) WIDCOMM USB Bluetooth Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\btwusb.sys -> [2006/10/15 10:59:32 | 00,067,672 | ---- | M] (Broadcom Corporation.)
(Cam5603D) BisonCam, NB Pro [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\BisonCam.sys -> [2006/07/11 20:25:10 | 00,750,720 | ---- | M] (Bison Electronics. Inc. )
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\hdaudbus.sys -> [2008/04/13 09:36:05 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider)
(IKFileSec) File Security Driver [File_System | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\ikfilesec.sys -> [2008/12/07 04:43:20 | 00,040,840 | ---- | M] (PCTools Research Pty Ltd.)
(IKSysFlt) System Filter Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\iksysflt.sys -> [2008/12/07 04:43:21 | 00,066,952 | ---- | M] (PCTools Research Pty Ltd.)
(IKSysSec) System Security Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\iksyssec.sys -> [2008/12/07 04:43:20 | 00,081,288 | ---- | M] (PCTools Research Pty Ltd.)
(IntcAzAudAddService) Service for Realtek HD Audio (WDM) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\RtkHDAud.sys -> [2007/01/30 18:57:50 | 04,474,368 | R--- | M] (Realtek Semiconductor Corp.)
(kbdhid) Keyboard HID Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\kbdhid.sys -> [2008/04/13 11:39:48 | 00,014,592 | ---- | M] (Microsoft Corporation)
(mcdbus) Driver for MagicISO SCSI Host Controller [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\mcdbus.sys -> [2008/07/28 16:19:28 | 00,116,736 | ---- | M] (MagicISO, Inc.)
(NETw4x32) Intel(R) Wireless WiFi Link Adapter Driver for Windows XP 32 Bit [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\NETw4x32.sys -> [2007/02/25 03:05:24 | 02,203,520 | ---- | M] (Intel Corporation)
(nv) nv [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\nv4_mini.sys -> [2008/07/02 21:33:00 | 06,554,976 | ---- | M] (NVIDIA Corporation)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> [2004/08/04 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\PxHelp20.sys -> [2008/02/20 19:05:38 | 00,043,528 | ---- | M] (Sonic Solutions)
(rimmptsk) rimmptsk [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\rimmptsk.sys -> [2005/11/16 20:28:32 | 00,028,928 | ---- | M] (REDC)
(rimsptsk) rimsptsk [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\rimsptsk.sys -> [2005/12/22 17:02:22 | 00,051,840 | ---- | M] (REDC)
(s24trans) WLAN Transport [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\s24trans.sys -> [2007/02/21 08:16:12 | 00,012,416 | ---- | M] (Intel Corporation)
(sdbus) sdbus [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\sdbus.sys -> [2008/04/13 11:36:44 | 00,079,232 | ---- | M] (Microsoft Corporation)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\secdrv.sys -> [2007/11/13 01:47:45 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(sfdrv01) StarForce Protection Environment Driver (version 1.x) [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\sfdrv01.sys -> [2005/08/10 05:44:04 | 00,050,688 | ---- | M] (Protection Technology)
(sfhlp02) StarForce Protection Helper Driver (version 2.x) [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\sfhlp02.sys -> [2005/05/16 06:20:39 | 00,006,656 | ---- | M] (Protection Technology)
(sfsync02) StarForce Protection Synchronization Driver (version 2.x) [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\sfsync02.sys -> [2005/08/10 07:06:28 | 00,019,968 | ---- | M] (Protection Technology)
(sptd) sptd [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\sptd.sys -> [2008/08/03 21:28:22 | 00,717,296 | ---- | M] ()
(SynTP) Synaptics TouchPad Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\SynTP.sys -> [2006/08/11 18:35:42 | 00,197,152 | ---- | M] (Synaptics, Inc.)
(vncdrv) vncdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\vncdrv.sys -> [2002/11/20 16:45:50 | 00,002,218 | ---- | M] (Microsoft Corporation)
(xnacc) Microsoft Common Controller For Windows Driver Service [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\xnacc.sys -> [2006/06/01 13:15:20 | 00,509,440 | ---- | M] (Microsoft Corporation)
(yukonwxp) NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\yk51x86.sys -> [2006/06/20 08:55:00 | 00,244,864 | ---- | M] (Marvell)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> %SystemRoot%\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home -> 
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_CURRENT_USER\: Main\\"StartPageCache" ->  -> 
HKEY_CURRENT_USER\: SearchURL\\"" -> http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR -> 
HKEY_CURRENT_USER\: SearchURL\\"provider" -> MSN -> 
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 -> 
< FireFox Settings [Default Profile] > -> C:\Documents and Settings\Bryan Johnson\Application Data\Mozilla\FireFox\Profiles\2v4ur0if.default\prefs.js -> 
browser.startup.homepage_override.mstone -> "rv:1.9.0.5" ->
extensions.enabledItems -> {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}:6.0.05 ->
extensions.enabledItems -> {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11 ->
extensions.enabledItems -> jqs@sun.com:1.0 ->
extensions.enabledItems -> {20a82645-c095-46ed-80e3-08825760534b}:1.0 ->
extensions.enabledItems -> {5872365e-67d1-4afd-9480-fd293bebd20d}:1.7.2 ->
extensions.enabledItems -> {B13721C7-F507-4982-B2E5-502A71474FED}:2.2.0.87 ->
extensions.enabledItems -> {2e17e2b2-b8d4-4a67-8d7b-fafa6cc9d1d0}:1.2.3 ->
extensions.enabledItems -> {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.5 ->
< HOSTS File > (624583 bytes and 16606 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 
First 25 entries...
127.0.0.1  localhost
127.0.0.1  ad.a8.net
127.0.0.1  asy.a8ww.net
127.0.0.1  a9rhiwa.cn #[Google.Warning]
127.0.0.1  www.a9rhiwa.cn
127.0.0.1  acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1  www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1  phpadsnew.abac.com
127.0.0.1  a.abnad.net
127.0.0.1  b.abnad.net
127.0.0.1  c.abnad.net #[eTrust.Tracking.Cookie]
127.0.0.1  d.abnad.net
127.0.0.1  e.abnad.net
127.0.0.1  t.abnad.net
127.0.0.1  z.abnad.net
127.0.0.1  banners.absolpublisher.com
127.0.0.1  tracking.absolstats.com
127.0.0.1  adv.abv.bg
127.0.0.1  bimg.abv.bg
127.0.0.1  www2.a-counter.kiev.ua
127.0.0.1  track.acclaimnetwork.com
127.0.0.1  accuserveadsystem.com
127.0.0.1  www.accuserveadsystem.com
127.0.0.1  gtb5.acecounter.com
127.0.0.1  gtb19.acecounter.com
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{45BE43EE-108C-4E1F-86C2-D762948A2968} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)
{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre6\bin\ssv.dll [Java(tm) Plug-In SSV Helper] -> [2009/01/12 07:57:41 | 00,320,920 | ---- | M] (Sun Microsystems, Inc.)
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> %ProgramFiles%\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [Google Toolbar Notifier BHO] -> [2008/12/06 19:55:35 | 00,657,904 | ---- | M] (Google Inc.)
{B875AD41-E1B8-4DFD-9A40-3F708FE28DD2} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} [HKLM] -> %ProgramFiles%\Windows Live Toolbar\msntb.dll [Windows Live Toolbar Helper] -> [2007/02/12 12:56:04 | 00,546,672 | ---- | M] (Microsoft Corporation)
{DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> %ProgramFiles%\Java\jre6\bin\jp2ssv.dll [Java(tm) Plug-In 2 SSV Helper] -> [2009/01/12 07:57:40 | 00,034,816 | ---- | M] (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} [HKLM] -> %ProgramFiles%\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [JQSIEStartDetectorImpl Class] -> [2009/01/12 07:57:42 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.)
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" [HKLM] -> %ProgramFiles%\Windows Live Toolbar\msntb.dll [Windows Live Toolbar] -> [2007/02/12 12:56:04 | 00,546,672 | ---- | M] (Microsoft Corporation)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
ShellBrowser\\"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" [HKLM] -> %ProgramFiles%\Windows Live Toolbar\msntb.dll [Windows Live Toolbar] -> [2007/02/12 12:56:04 | 00,546,672 | ---- | M] (Microsoft Corporation)
WebBrowser\\"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" [HKLM] -> %ProgramFiles%\Windows Live Toolbar\msntb.dll [Windows Live Toolbar] -> [2007/02/12 12:56:04 | 00,546,672 | ---- | M] (Microsoft Corporation)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"AGRSMMSG" -> %SystemRoot%\AGRSMMSG.exe [AGRSMMSG.exe] -> [2006/06/29 13:32:00 | 00,089,541 | ---- | M] (Agere Systems)
"avast!" -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe [C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe] -> [2008/11/26 10:18:51 | 00,081,000 | ---- | M] (ALWIL Software)
"BisonTrayIcon" -> %SystemRoot%\BisonCam\BisonTrayIcon.exe [C:\WINDOWS\BisonCam\BisonTrayIcon.exe] -> [2005/10/06 18:49:50 | 00,040,960 | ---- | M] ()
"IntelWireless" -> %ProgramFiles%\Intel\Wireless\Bin\iFrmewrk.exe ["C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless] -> [2007/02/21 08:17:42 | 00,970,752 | ---- | M] (Intel Corporation)
"IntelZeroConfig" -> %ProgramFiles%\Intel\Wireless\Bin\ZCfgSvc.exe ["C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"] -> [2007/02/21 08:19:58 | 00,819,200 | ---- | M] (Intel Corporation)
"ISTray" -> %ProgramFiles%\Spyware Doctor\pctsTray.exe ["C:\Program Files\Spyware Doctor\pctsTray.exe"] -> [2008/12/07 04:43:58 | 01,168,264 | ---- | M] (PC Tools)
"NeroFilterCheck" -> %CommonProgramFiles%\Ahead\Lib\NeroCheck.exe [C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe] -> [2006/01/12 12:40:44 | 00,155,648 | ---- | M] (Nero AG)
"NvCplDaemon" -> %SystemRoot%\system32\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> [2008/07/02 21:33:00 | 13,529,088 | ---- | M] (NVIDIA Corporation)
"NVHotkey" ->  [rundll32.exe nvHotkey.dll,Start] -> File not found
"NvMediaCenter" -> %SystemRoot%\system32\nvmctray.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit] -> [2008/07/02 20:33:00 | 00,086,016 | ---- | M] (NVIDIA Corporation)
"nwiz" -> %SystemRoot%\system32\nwiz.exe [nwiz.exe /installquiet] -> [2008/07/02 21:33:00 | 01,630,208 | ---- | M] ()
"RTHDCPL" -> %SystemRoot%\RTHDCPL.exe [RTHDCPL.EXE] -> [2007/01/30 18:54:36 | 16,116,224 | R--- | M] (Realtek Semiconductor Corp.)
"SkyTel" -> %SystemRoot%\SkyTel.exe [SkyTel.EXE] -> [2006/05/16 18:04:26 | 02,879,488 | R--- | M] (Realtek Semiconductor Corp.)
"SunJavaUpdateSched" -> %ProgramFiles%\Java\jre6\bin\jusched.exe ["C:\Program Files\Java\jre6\bin\jusched.exe"] -> [2009/01/12 07:57:40 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.)
"SynTPEnh" -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [C:\Program Files\Synaptics\SynTP\SynTPEnh.exe] -> [2006/08/11 18:56:38 | 00,794,714 | ---- | M] (Synaptics, Inc.)
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"gadcom" -> %AppData%\gadcom\gadcom.exe ["C:\Documents and Settings\Bryan Johnson\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A] -> File not found
"Smax4" -> %AppData%\Google\kjzna1562565.exe ["C:\Documents and Settings\Bryan Johnson\Application Data\Google\kjzna1562565.exe"] -> File not found
"SpybotSD TeaTimer" -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe [C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe] -> [2008/09/16 12:16:08 | 01,833,296 | RHS- | M] (Safer Networking Limited)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
 -> %AllUsersProfile%\Start Menu\Programs\Startup\Bluetooth.lnk.disabled -> [2007/05/08 16:00:56 | 00,000,637 | ---- | M] ()
 -> %AllUsersProfile%\Start Menu\Programs\Startup\EndWLAN.cmd -> [2007/08/31 07:03:40 | 00,000,209 | ---- | M] ()
%AllUsersProfile%\Start Menu\Programs\Startup\OSCust.lnk -> %SystemRoot%\system32\oem\OSCust.exe -> [2007/08/17 12:53:44 | 00,067,072 | ---- | M] ()
< Bryan Johnson Startup Folder > -> C:\Documents and Settings\Bryan Johnson\Start Menu\Programs\Startup -> 
 -> %UserProfile%\Start Menu\Programs\Startup\MagicDisc.lnk.disabled -> [2008/09/20 15:59:33 | 00,000,652 | ---- | M] ()
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" ->  [0] -> File not found
\\"legalnoticecaption" ->  [] -> File not found
\\"legalnoticetext" ->  [] -> File not found
\\"shutdownwithoutlogon" ->  [1] -> File not found
\\"undockwithoutlogon" ->  [1] -> File not found
\\"DisableRegistryTools" ->  [0] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"DisableRegistryTools" ->  [0] -> File not found
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 
&Windows Live Search -> %ProgramFiles%\Windows Live Toolbar\msntb.dll [res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm] -> [2007/02/12 12:56:04 | 00,546,672 | ---- | M] (Microsoft Corporation)
E&xport to Microsoft Excel -> %ProgramFiles%\Microsoft Office\Office12\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000] -> [2008/10/18 18:30:22 | 17,931,616 | ---- | M] (Microsoft Corporation)
Send to &Bluetooth Device... -> %ProgramFiles%\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm [C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm] -> [2006/08/16 07:16:32 | 00,002,773 | ---- | M] ()
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{2670000A-7350-4f3c-8081-5663EE0C6C49}:{48E73304-E1D6-4330-914C-F5F514E3486C} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\ONBttnIE.dll [Button: Send to OneNote] -> [2007/12/13 01:20:58 | 00,606,288 | ---- | M] (Microsoft Corporation)
{2670000A-7350-4f3c-8081-5663EE0C6C49}:{48E73304-E1D6-4330-914C-F5F514E3486C} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\ONBttnIE.dll [Menu: S&end to OneNote] -> [2007/12/13 01:20:58 | 00,606,288 | ---- | M] (Microsoft Corporation)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}:{FF059E31-CC5A-4E2E-BF3B-96E929D65503} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [Button: Research] -> [2006/10/26 19:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
{CCA281CA-C863-46ef-9331-5C8D4460577F}:C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm [HKLM] -> %ProgramFiles%\WIDCOMM\Bluetooth Software\btsendto_ie.htm [Button: @btrez.dll,-4015] -> [2006/08/16 07:16:32 | 00,005,589 | ---- | M] ()
{CCA281CA-C863-46ef-9331-5C8D4460577F}:C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm [HKLM] -> %ProgramFiles%\WIDCOMM\Bluetooth Software\btsendto_ie.htm [Menu: @btrez.dll,-12650] -> [2006/08/16 07:16:32 | 00,005,589 | ---- | M] ()
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Menu: Spybot - Search & Destroy Configuration] -> [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)
{e2e2dd38-d088-4134-82b7-f2ba38496583}:Exec [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [Menu: @xpsp3res.dll,-20001] -> [2008/04/13 11:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Button: Messenger] -> [2008/04/13 17:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Menu: Windows Messenger] -> [2008/04/13 17:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] ->  [Reg Error: Value  does not exist or could not be read.] -> File not found
CmdMapping\\"{2670000A-7350-4f3c-8081-5663EE0C6C49}" [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\ONBttnIE.dll [Send to OneNote] -> [2007/12/13 01:20:58 | 00,606,288 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [Research] -> [2006/10/26 19:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{CCA281CA-C863-46ef-9331-5C8D4460577F}" [HKLM] ->  [@btrez.dll,-4015] -> File not found
CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)
CmdMapping\\"{e2e2dd38-d088-4134-82b7-f2ba38496583}" [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 11:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 17:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://


*Broken into two posts due to length*

 

[AgentPaper]

*continued from previous post*


< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 5215 domain(s) found. ->
50 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 36 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 7372 domain(s) found. ->
56 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 36 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab [Java Plug-in 1.6.0_11] ->
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] ->
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab [Java Plug-in 1.6.0_11] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab [Java Plug-in 1.6.0_11] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{618C7316-3845-4DAD-98C1-BA1807C48274} -> (Intel(R) Wireless WiFi Link 4965AGN) ->
{98B0E1F3-8239-42BD-97B1-6FBB4F96F590} -> () ->
{A7589E95-A939-4C50-A70B-CC9A124F69B2} -> (1394 Net Adapter) ->
{B2E34871-7C72-405E-B5B4-614DD57B9F42} -> () ->
{D2B0BCE5-DED0-40E7-BEB9-9301593807FA} -> (Marvell Yukon 88E8055 PCI-E Gigabit Ethernet Controller) ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
efcCrqQJ -> -> File not found
hgGAQkli -> -> File not found
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages ->
*LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages ->
C:\WINDOWS\system32\opnmLeBU -> -> File not found
*MultiFile Done* -> ->
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List ->
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\network diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000] -> [2008/04/13 11:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019] -> [2008/04/13 17:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\MSN Messenger\livecall.exe" -> C:\Program Files\MSN Messenger\livecall.exe [C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)] -> File not found
"C:\Program Files\MSN Messenger\msnmsgr.exe" -> C:\Program Files\MSN Messenger\msnmsgr.exe [C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1] -> File not found
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ->
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\network diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000] -> [2008/04/13 11:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019] -> [2008/04/13 17:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Aspyr\Guitar Hero III\GH3.exe" -> C:\Program Files\Aspyr\Guitar Hero III\GH3.exe [C:\Program Files\Aspyr\Guitar Hero III\GH3.exe:*:Enabled:Guitar Hero III] -> [2007/10/12 23:09:14 | 11,816,448 | ---- | M] (Aspyr Media, Inc.)
"C:\Program Files\BitTorrent\bittorrent.exe" -> C:\Program Files\BitTorrent\bittorrent.exe [C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent] -> File not found
"C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe" -> C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe [C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:*:Enabled:Battlefield 2] -> [2008/05/21 12:33:10 | 08,419,956 | ---- | M] ()
"C:\Program Files\Electronic Arts\EADM\Core.exe" -> C:\Program Files\Electronic Arts\EADM\Core.exe [C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager] -> [2008/06/13 17:27:34 | 02,752,512 | ---- | M] (Electronic Arts)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe" -> C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe [C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword] -> [2007/09/27 13:48:40 | 14,105,000 | R--- | M] (Firaxis Games)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe" -> C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_Pitboss.exe [C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword Pitboss] -> [2007/09/27 13:48:42 | 11,650,360 | R--- | M] (Firaxis Games)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe" -> C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe [C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4] -> [2007/05/16 21:52:50 | 11,739,782 | ---- | M] (Firaxis Games)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe" -> C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe [C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4 Warlords] -> [2007/05/16 18:25:20 | 11,134,130 | ---- | M] (Firaxis Games)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe" -> C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe [C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Pitboss] -> [2007/05/16 18:57:52 | 08,581,120 | ---- | M] (Firaxis Games)
"C:\Program Files\Java\jre1.6.0_05\bin\javaw.exe" -> C:\Program Files\Java\jre1.6.0_05\bin\javaw.exe [C:\Program Files\Java\jre1.6.0_05\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary] -> [2008/02/22 00:23:39 | 00,135,168 | ---- | M] (Sun Microsystems, Inc.)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" -> C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE [C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote] -> [2008/05/21 04:54:40 | 01,022,496 | ---- | M] (Microsoft Corporation)
"C:\Program Files\SEGA\Medieval II Total War\medieval2.exe" -> C:\Program Files\SEGA\Medieval II Total War\medieval2.exe [C:\Program Files\SEGA\Medieval II Total War\medieval2.exe:*:Enabled:Medieval 2: Total War] -> [2007/08/04 18:58:38 | 21,165,576 | ---- | M] (The Creative Assembly Ltd)
"C:\Program Files\Skype\Phone\Skype.exe" -> C:\Program Files\Skype\Phone\Skype.exe [C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype] -> [2008/05/30 14:54:14 | 21,718,312 | R--- | M] (Skype Technologies S.A.)
"C:\Program Files\Steam\SteamApps\agent_paper\team fortress 2\hl2.exe" -> C:\Program Files\Steam\SteamApps\agent_paper\team fortress 2\hl2.exe [C:\Program Files\Steam\SteamApps\agent_paper\team fortress 2\hl2.exe:*:Enabled:hl2] -> [2009/01/07 18:55:39 | 00,098,304 | ---- | M] ()
"C:\Program Files\THQ\Dawn of War - Soulstorm\Soulstorm.exe" -> C:\Program Files\THQ\Dawn of War - Soulstorm\Soulstorm.exe [C:\Program Files\THQ\Dawn of War - Soulstorm\Soulstorm.exe:*:Enabled:Soulstorm] -> [2008/01/23 22:30:56 | 09,793,536 | ---- | M] (THQ Canada Inc.)
"C:\WINDOWS\system32\java.exe" -> C:\WINDOWS\system32\java.exe [C:\WINDOWS\system32\java.exe:*:Enabled:Java(TM) Platform SE binary] -> [2009/01/12 07:57:39 | 00,144,792 | ---- | M] (Sun Microsystems, Inc.)
"C:\WINDOWS\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [C:\WINDOWS\system32\sessmgr.exe:*isabledxpsp2res.dll,-22019] -> [2008/04/13 17:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->
"AlternateShell" -> cmd.exe ->
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 ->
"DisplayName" -> CD-ROM Driver ->
"ImagePath" -> %SystemRoot%\system32\drivers\cdrom.sys [system32\DRIVERS\cdrom.sys] -> [2008/04/13 11:40:46 | 00,062,976 | ---- | M] (Microsoft Corporation)
< Drives with AutoRun files > -> ->
C:\AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] -> [2007/05/08 14:19:13 | 00,000,000 | ---- | M] ()
D:\Autorun [] -> D:\Autorun.exe [ CDFS ] -> [2007/06/10 20:25:04 | 00,263,744 | R--- | M] (Firaxis Games)
D:\autorun.exe [MZ | ] -> D:\autorun.exe [ CDFS ] -> [2007/06/10 20:25:04 | 00,263,744 | R--- | M] (Firaxis Games)
D:\autorun.inf [[autorun] | OPEN=autorun.exe | ICON=Autorun\Civ4Installer.ico | LABEL=Sid Meier's Civilization 4 - Beyond the Sword | | [appdata] | Mutex=Civ4 21031 | InstallFile=setup.exe | PlayFile=Civ4BeyondSword.exe | RegKey=INSTALLDIR | | [0x09] | ;English | Background=Autorun\Civ4BeyondtheSwordAutoRunBG.bmp | LegalPos=74,244,500 | LegalColor=255,255,255 | LegalShadow=0,0,0 | LegalFont=MS Sans Serif,8 | LegalStyle=normal | LegalText=©2007 Take-Two Interactive Software and its subsidiaries. Developed by Firaxis Games. Sid Meier's Civilization IV: Warlords, Civ, Civilization, 2K Games, the 2K logo, Firaxis Games, the Firaxis Games logo and Take-Two Interactive Software are all trademarks and/or registered trademarks of Take-Two Interactive Software, Inc. in the USA and/or foreign countries. Unauthorized copying, reverse engineering, transmission, public performance, rental, pay for play, or circumvention of copy protection is strictly prohibited. All rights reserved. | ExecPos=117,171 | InstallImage=Autorun\BTN01-Install.bmp | InstallHilite=Autorun\BTN01-Install_OVER.bmp | PlayImage=Autorun\BTN01-Play.bmp | PlayHilite=Autorun\BTN01-Play_OVER.bmp | ReadmePos=267,171 | ReadmeImage=Autorun\BTN02-ReadMe.bmp | ReadmeHilite=Autorun\BTN02-ReadMe_OVER.bmp | ReadmeFile=Readme\English\Readme.htm | ExitPos=412,171 | ExitImage=Autorun\BTN03-Exit.bmp | ExitHilite=Autorun\BTN03-Exit_OVER.bmp | | [0x0c] | ;French | Background=Autorun\Civ4BeyondtheSwordAutoRunBG.bmp | LegalPos=85,272,480 | LegalColor=255,255,255 | LegalShadow=0,0,0 | LegalFont=MS Sans Serif,8 | LegalStyle=normal | LegalText=©2007 Take-Two Interactive Software et ses filiales. Développé par Firaxis Games. Sid Meier's Civilization IV: Warlords, Civ, Civilization, 2K Games, le logo 2K, Firaxis Games, le logo Firaxis Games et Take-Two Interactive Software sont toutes des marques commerciales et/ou des marques déposées de Take-Two Interactive Software, Inc. aux États-Unis et/ou dans d'autres pays. Toute reproduction non autorisée, rétro-ingénierie, transmission, représentation publique, location, jeu contre de l'argent, ou détournement de la protection de copie est strictement interdite. Tous droits réservés. | ExecPos=117,171 | InstallImage=Autorun\FR_BTN01-Install.bmp | InstallHilite=Autorun\FR_BTN01-Install_OVER.bmp | PlayImage=Autorun\FR_BTN01-Play.bmp | PlayHilite=Autorun\FR_BTN01-Play_OVER.bmp | ReadmePos=267,171 | ReadmeImage=Autorun\FR_BTN02-ReadMe.bmp | ReadmeHilite=Autorun\FR_BTN02-ReadMe_OVER.bmp | ReadmeFile=Readme\French\Readme.htm | ExitPos=412,171 | ExitImage=Autorun\FR_BTN03-Exit.bmp | ExitHilite=Autorun\FR_BTN03-Exit_OVER.bmp | | [0x10] | ;Italian | Background=Autorun\Civ4BeyondtheSwordAutoRunBG.bmp | LegalPos=85,272,480 | LegalColor=255,255,255 | LegalShadow=0,0,0 | LegalFont=MS Sans Serif,8 | LegalStyle=normal | LegalText=©2007 Take-Two Interactive Software e sue sussidiarie. Sviluppato da Firaxis Games. Sid Meier's Civilization IV: Warlords, Civ, Civilization, 2K Games, il logo 2K, Firaxis Games, il logo Firaxis Games e Take-Two Interactive Software sono tutti marchi e/o marchi registrati di Take-Two Interactive Software, Inc. negli Stati Uniti e/o in altri paesi. La copia non autorizzata, l'esecuzione di ingegneria inversa, la trasmissione, la riproduzione in pubblico, l'affitto, la modalità pay for play o l'aggiramento della protezione contro la copia illegale sono assolutamente vietati. Tutti i diritti riservati. | ExecPos=117,171 | InstallImage=Autorun\IT_BTN01-Install.bmp | InstallHilite=Autorun\IT_BTN01-Install_OVER.bmp | PlayImage=Autorun\IT_BTN01-Play.bmp | PlayHilite=Autorun\IT_BTN01-Play_OVER.bmp | ReadmePos=267,171 | ReadmeImage=Autorun\IT_BTN02-ReadMe.bmp | ReadmeHilite=Autorun\IT_BTN02-ReadMe_OVER.bmp | ReadmeFile=Readme\Italian\Readme.htm | ExitPos=412,171 | ExitImage=Autorun\IT_BTN03-Exit.bmp | ExitHilite=Autorun\IT_BTN03-Exit_OVER.bmp | | [0x07] | ;German | Background=Autorun\Civ4BeyondtheSwordAutoRunBG.bmp | LegalPos=85,272,480 | LegalColor=255,255,255 | LegalShadow=0,0,0 | LegalFont=MS Sans Serif,8 | LegalStyle=normal | LegalText=©2007 Take-Two Interactive Software und Tochtergesellschaften. Entwickelt von Firaxis Games. Sid Meier's Civilization IV: Warlords, Civ, Civilization, 2K Games, das 2K-Logo, Firaxis Games, das Firaxis Games-Logo und Take-Two Interactive Software sind Warenzeichen bzw. eingetragene Warenzeichen von Take-Two Interactive Software, Inc. in den USA und/oder anderen Ländern. Das unberechtigte Kopieren, die Zurückentwicklung (Reverse Engineering), Übertragung, öffentliche Aufführung, Vermietung, das Spielen gegen Zahlung eines Entgelts und die Umgehung von Urheberschutzmaßnahmen sind strengstens untersagt. Alle Rechte vorbehalten. | ExecPos=117,171 | InstallImage=Autorun\GE_BTN01-Install.bmp | InstallHilite=Autorun\GE_BTN01-Install_OVER.bmp | PlayImage=Autorun\GE_BTN01-Play.bmp | PlayHilite=Autorun\GE_BTN01-Play_OVER.bmp | ReadmePos=267,171 | ReadmeImage=Autorun\GE_BTN02-ReadMe.bmp | ReadmeHilite=Autorun\GE_BTN02-ReadMe_OVER.bmp | ReadmeFile=Readme\German\Readme.htm | ExitPos=412,171 | ExitImage=Autorun\GE_BTN03-Exit.bmp | ExitHilite=Autorun\GE_BTN03-Exit_OVER.bmp | | [0x0a] | ;Spanish | Background=Autorun\Civ4BeyondtheSwordAutoRunBG.bmp | LegalPos=85,272,480 | LegalColor=255,255,255 | LegalShadow=0,0,0 | LegalFont=MS Sans Serif,8 | LegalStyle=normal | LegalText=©2007 Take-Two Interactive Software y sus subsidiarias. Desarrollado por Firaxis Games. Sid Meier’s Civilization IV: Warlords, Civ, Civilization, 2K Games, el logotipo de 2K, Firaxis Games, el logotipo de Firaxis Games y Take-Two Interactive Software son marcas comerciales o marcas comerciales registradas de Take-Two Interactive Software, Inc. Queda estrictamente prohibida cualquiera de las siguientes acciones sin autorización previa: copia, ingeniería inversa, transmisión, demostración pública, alquiler, pago por uso del programa o intento de saltarse la protección anticopia. Todos los derechos reservados. | ExecPos=117,171 | InstallImage=Autorun\SP_BTN01-Install.bmp | InstallHilite=Autorun\SP_BTN01-Install_OVER.bmp | PlayImage=Autorun\SP_BTN01-Play.bmp | PlayHilite=Autorun\SP_BTN01-Play_OVER.bmp | ReadmePos=267,171 | ReadmeImage=Autorun\SP_BTN02-ReadMe.bmp | ReadmeHilite=Autorun\SP_BTN02-ReadMe_OVER.bmp | ReadmeFile=Readme\Spanish\Readme.htm | ExitPos=412,171 | ExitImage=Autorun\SP_BTN03-Exit.bmp | ExitHilite=Autorun\SP_BTN03-Exit_OVER.bmp | ] -> D:\autorun.inf [ CDFS ] -> [2007/05/25 13:16:04 | 00,006,299 | R--- | M] ()
H:\Autorun [] -> H:\Autorun.exe [ CDFS ] -> [1999/06/13 13:56:36 | 00,061,440 | R--- | M] ()
H:\Autorun.exe [MZ | ] -> H:\Autorun.exe [ CDFS ] -> [1999/06/13 13:56:36 | 00,061,440 | R--- | M] ()
H:\Autorun.ico [] -> H:\Autorun.ico [ CDFS ] -> [1999/05/30 13:08:48 | 00,011,478 | R--- | M] ()
H:\AUTORUN.INF [[autorun] | open=autorun.exe | icon=autorun.ico | name=Dungeon Keeper II | | ] -> H:\AUTORUN.INF [ CDFS ] -> [1999/05/03 10:12:46 | 00,000,073 | R--- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ->
\{e4e189f0-fdac-11db-a39b-aee61cdc95c2}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e4e189f0-fdac-11db-a39b-aee61cdc95c2}\Shell\AutoRun\command
\{e4e189f0-fdac-11db-a39b-aee61cdc95c2}\Shell\AutoRun\command\\"" -> E:\pstart.exe [E:\pstart.exe] -> File not found


[Files/Folders - Created Within 30 Days]
2 C:\*.tmp files -> C:\*.tmp ->
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
OTScanIt2 -> %UserProfile%\Desktop\OTScanIt2 -> [2009/01/14 06:45:59 | 00,000,000 | ---D | C]
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2009/01/14 06:45:40 | 00,656,730 | ---- | C] ()
ResetTeaTimer.bat -> %UserProfile%\Desktop\ResetTeaTimer.bat -> [2009/01/14 06:16:23 | 00,009,123 | ---- | C] ()
SystemRequirementsLab -> %ProgramFiles%\SystemRequirementsLab -> [2009/01/13 18:16:31 | 00,000,000 | ---D | C]
SystemRequirementsLab -> %AppData%\SystemRequirementsLab -> [2009/01/13 18:16:29 | 00,000,000 | ---D | C]
wmpns.dll -> %SystemRoot%\System32\wmpns.dll -> [2009/01/13 17:53:06 | 00,221,184 | ---- | C] (Microsoft Corporation)
Prefetch -> %SystemRoot%\Prefetch -> [2009/01/13 17:52:16 | 00,000,000 | ---D | C]
scripting -> %SystemRoot%\System32\scripting -> [2009/01/13 17:43:25 | 00,000,000 | ---D | C]
l2schemas -> %SystemRoot%\l2schemas -> [2009/01/13 17:43:23 | 00,000,000 | ---D | C]
en -> %SystemRoot%\System32\en -> [2009/01/13 17:43:22 | 00,000,000 | ---D | C]
bits -> %SystemRoot%\System32\bits -> [2009/01/13 17:43:22 | 00,000,000 | ---D | C]
ServicePackFiles -> %SystemRoot%\ServicePackFiles -> [2009/01/13 17:40:35 | 00,000,000 | ---D | C]
network diagnostic -> %SystemRoot%\network diagnostic -> [2009/01/13 17:38:03 | 00,000,000 | ---D | C]
$NtServicePackUninstall$ -> %SystemRoot%\$NtServicePackUninstall$ -> [2009/01/13 17:32:32 | 00,000,000 | -H-D | C]
Readme.htm -> %SystemRoot%\Readme.htm -> [2009/01/13 04:12:24 | 00,224,111 | R--- | C] ()
Warlords -> %SystemDrive%\Warlords -> [2009/01/13 04:12:24 | 00,000,000 | ---D | C]
Resource -> %SystemRoot%\Resource -> [2009/01/13 04:12:24 | 00,000,000 | ---D | C]
Assets -> %SystemDrive%\Assets -> [2009/01/13 04:12:24 | 00,000,000 | ---D | C]
Shaders -> %SystemRoot%\Shaders -> [2009/01/13 04:11:46 | 00,000,000 | ---D | C]
PublicMaps -> %SystemRoot%\PublicMaps -> [2009/01/13 04:11:46 | 00,000,000 | ---D | C]
msxml3.dll -> %SystemRoot%\msxml3.dll -> [2009/01/13 04:11:42 | 01,104,896 | ---- | C] (Microsoft Corporation)
Mods -> %SystemRoot%\Mods -> [2009/01/13 04:11:42 | 00,000,000 | ---D | C]
CvGameCoreDLL -> %SystemRoot%\CvGameCoreDLL -> [2009/01/13 04:11:42 | 00,000,000 | ---D | C]
Assets -> %SystemRoot%\Assets -> [2009/01/13 04:11:42 | 00,000,000 | ---D | C]
boost_python-vc71-mt-gd-1_32.dll -> %SystemRoot%\boost_python-vc71-mt-gd-1_32.dll -> [2009/01/13 04:11:40 | 00,294,912 | ---- | C] ()
InstallShield Installation Information -> %ProgramFiles%\InstallShield Installation Information -> [2009/01/13 03:49:45 | 00,000,000 | -H-D | C]
Fall from Heaven 2.lnk -> %UserProfile%\Desktop\Fall from Heaven 2.lnk -> [2009/01/13 02:41:24 | 00,002,007 | ---- | C] ()
SiteHound -> %AppData%\SiteHound -> [2009/01/13 02:05:43 | 00,000,000 | ---D | C]
FireTrust -> %ProgramFiles%\FireTrust -> [2009/01/13 02:05:40 | 00,000,000 | ---D | C]
WinPatrol -> %AppData%\WinPatrol -> [2009/01/13 02:04:50 | 00,000,000 | ---D | C]
BillP Studios -> %ProgramFiles%\BillP Studios -> [2009/01/13 02:04:45 | 00,000,000 | ---D | C]
SpywareBlaster.lnk -> %UserProfile%\Desktop\SpywareBlaster.lnk -> [2009/01/13 02:03:21 | 00,000,690 | ---- | C] ()
SpywareBlaster -> %ProgramFiles%\SpywareBlaster -> [2009/01/13 02:03:19 | 00,000,000 | ---D | C]
sitehound_ff_24072008.exe -> %UserProfile%\Desktop\sitehound_ff_24072008.exe -> [2009/01/13 02:02:21 | 01,190,552 | ---- | C] ()
ComboFix -> %SystemDrive%\ComboFix -> [2009/01/13 01:40:57 | 00,000,000 | ---D | C]
RECYCLER -> %SystemDrive%\RECYCLER -> [2009/01/12 07:59:09 | 00,000,000 | -HSD | C]
Malwarebytes -> %AppData%\Malwarebytes -> [2009/01/12 06:03:32 | 00,000,000 | ---D | C]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2009/01/12 06:03:30 | 00,015,504 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/01/12 06:03:30 | 00,000,696 | ---- | C] ()
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> [2009/01/12 06:03:27 | 00,038,496 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware -> %ProgramFiles%\Malwarebytes' Anti-Malware -> [2009/01/12 06:03:26 | 00,000,000 | ---D | C]
Malwarebytes -> %AllUsersProfile%\Application Data\Malwarebytes -> [2009/01/12 06:03:26 | 00,000,000 | ---D | C]
xmllite.dll -> %SystemRoot%\System32\xmllite.dll -> [2009/01/12 05:17:23 | 00,121,856 | ---- | C] (Microsoft Corporation)
wlanapi.dll -> %SystemRoot%\System32\wlanapi.dll -> [2009/01/12 05:17:21 | 00,069,120 | ---- | C] (Microsoft Corporation)
viaagp.sys -> %SystemRoot%\System32\drivers\viaagp.sys -> [2009/01/12 05:17:19 | 00,042,240 | ---- | C] (Microsoft Corporation)
wacompen.sys -> %SystemRoot%\System32\drivers\wacompen.sys -> [2009/01/12 05:17:19 | 00,014,208 | ---- | C] (Microsoft Corporation)
usbvideo.sys -> %SystemRoot%\System32\drivers\usbvideo.sys -> [2009/01/12 05:17:18 | 00,121,984 | ---- | C] (Microsoft Corporation)
usb8023x.sys -> %SystemRoot%\System32\drivers\usb8023x.sys -> [2009/01/12 05:17:18 | 00,012,800 | ---- | C] (Microsoft Corporation)
tsgqec.dll -> %SystemRoot%\System32\tsgqec.dll -> [2009/01/12 05:17:17 | 00,053,248 | ---- | C] (Microsoft Corporation)
tspkg.dll -> %SystemRoot%\System32\tspkg.dll -> [2009/01/12 05:17:17 | 00,050,688 | ---- | C] (Microsoft Corporation)
uagp35.sys -> %SystemRoot%\System32\drivers\uagp35.sys -> [2009/01/12 05:17:17 | 00,044,672 | ---- | C] (Microsoft Corporation)
spupdwxp.exe -> %SystemRoot%\System32\spupdwxp.exe -> [2009/01/12 05:17:13 | 00,020,992 | ---- | C] (Microsoft Corporation)
smbali.sys -> %SystemRoot%\System32\drivers\smbali.sys -> [2009/01/12 05:17:12 | 00,005,888 | ---- | C] (Microsoft Corporation)
setupn.exe -> %SystemRoot%\System32\setupn.exe -> [2009/01/12 05:17:10 | 00,032,768 | ---- | C] (Microsoft Corporation)
sffp_mmc.sys -> %SystemRoot%\System32\drivers\sffp_mmc.sys -> [2009/01/12 05:17:10 | 00,010,240 | ---- | C] (Microsoft Corporation)
rhttpaa.dll -> %SystemRoot%\System32\rhttpaa.dll -> [2009/01/12 05:17:09 | 00,290,304 | ---- | C] (Microsoft Corporation)
rfcomm.sys -> %SystemRoot%\System32\drivers\rfcomm.sys -> [2009/01/12 05:17:09 | 00,059,136 | ---- | C] (Microsoft Corporation)
rndismpx.sys -> %SystemRoot%\System32\drivers\rndismpx.sys -> [2009/01/12 05:17:09 | 00,030,592 | ---- | C] (Microsoft Corporation)
qagentrt.dll -> %SystemRoot%\System32\qagentrt.dll -> [2009/01/12 05:17:08 | 00,291,328 | ---- | C] (Microsoft Corporation)
qagent.dll -> %SystemRoot%\System32\qagent.dll -> [2009/01/12 05:17:08 | 00,150,528 | ---- | C] (Microsoft Corporation)
qutil.dll -> %SystemRoot%\System32\qutil.dll -> [2009/01/12 05:17:08 | 00,076,800 | ---- | C] (Microsoft Corporation)
qcliprov.dll -> %SystemRoot%\System32\qcliprov.dll -> [2009/01/12 05:17:08 | 00,062,464 | ---- | C] (Microsoft Corporation)
rasqec.dll -> %SystemRoot%\System32\rasqec.dll -> [2009/01/12 05:17:08 | 00,061,952 | ---- | C] (Microsoft Corporation)
onex.dll -> %SystemRoot%\System32\onex.dll -> [2009/01/12 05:17:06 | 00,144,384 | ---- | C] (Microsoft Corporation)
napmontr.dll -> %SystemRoot%\System32\napmontr.dll -> [2009/01/12 05:17:03 | 00,193,024 | ---- | C] (Microsoft Corporation)
napstat.exe -> %SystemRoot%\System32\napstat.exe -> [2009/01/12 05:17:03 | 00,176,640 | ---- | C] (Microsoft Corporation)
netwlan5.img -> %SystemRoot%\System32\drivers\netwlan5.img -> [2009/01/12 05:17:03 | 00,067,866 | ---- | C] ()
napipsec.dll -> %SystemRoot%\System32\napipsec.dll -> [2009/01/12 05:17:03 | 00,030,208 | ---- | C] (Microsoft Corporation)
mutohpen.sys -> %SystemRoot%\System32\drivers\mutohpen.sys -> [2009/01/12 05:17:03 | 00,012,672 | ---- | C] (Microsoft Corporation)
msxml6.dll -> %SystemRoot%\System32\dllcache\msxml6.dll -> [2009/01/12 05:17:02 | 01,307,648 | ---- | C] (Microsoft Corporation)
mssha.dll -> %SystemRoot%\System32\mssha.dll -> [2009/01/12 05:17:02 | 00,155,136 | ---- | C] (Microsoft Corporation)
msxml6r.dll -> %SystemRoot%\System32\dllcache\msxml6r.dll -> [2009/01/12 05:17:02 | 00,079,872 | ---- | C] (Microsoft Corporation)
msshavmsg.dll -> %SystemRoot%\System32\msshavmsg.dll -> [2009/01/12 05:17:02 | 00,076,800 | ---- | C] (Microsoft Corporation)
mmcex.dll -> %SystemRoot%\System32\mmcex.dll -> [2009/01/12 05:16:55 | 00,397,312 | ---- | C] (Microsoft Corporation)
microsoft.managementconsole.dll -> %SystemRoot%\System32\microsoft.managementconsole.dll -> [2009/01/12 05:16:55 | 00,184,320 | ---- | C] (Microsoft Corporation)
mmcfxcommon.dll -> %SystemRoot%\System32\mmcfxcommon.dll -> [2009/01/12 05:16:55 | 00,106,496 | ---- | C] (Microsoft Corporation)
mmcperf.exe -> %SystemRoot%\System32\mmcperf.exe -> [2009/01/12 05:16:55 | 00,033,792 | ---- | C] (Microsoft Corporation)
kmsvc.dll -> %SystemRoot%\System32\kmsvc.dll -> [2009/01/12 05:16:49 | 00,061,440 | ---- | C] (Microsoft Corporation)
l2gpstore.dll -> %SystemRoot%\System32\l2gpstore.dll -> [2009/01/12 05:16:49 | 00,037,376 | ---- | C] (Microsoft Corporation)
kbdpash.dll -> %SystemRoot%\System32\kbdpash.dll -> [2009/01/12 05:16:49 | 00,006,144 | ---- | C] (Microsoft Corporation)
kbdnepr.dll -> %SystemRoot%\System32\kbdnepr.dll -> [2009/01/12 05:16:49 | 00,006,144 | ---- | C] (Microsoft Corporation)
kbdiultn.dll -> %SystemRoot%\System32\kbdiultn.dll -> [2009/01/12 05:16:49 | 00,006,144 | ---- | C] (Microsoft Corporation)
kbdbhc.dll -> %SystemRoot%\System32\kbdbhc.dll -> [2009/01/12 05:16:49 | 00,006,144 | ---- | C] (Microsoft Corporation)
smtpapi.dll -> %SystemRoot%\System32\smtpapi.dll -> [2009/01/12 05:16:45 | 00,010,752 | ---- | C] (Microsoft Corporation)
rwnh.dll -> %SystemRoot%\System32\rwnh.dll -> [2009/01/12 05:16:44 | 00,009,728 | ---- | C] (Microsoft Corporation)
pid.inf -> %SystemRoot%\System32\pid.inf -> [2009/01/12 05:16:44 | 00,000,974 | ---- | C] ()
irbus.sys -> %SystemRoot%\System32\drivers\irbus.sys -> [2009/01/12 05:16:43 | 00,046,592 | ---- | C] (Microsoft Corporation)
comsdupd.exe -> %SystemRoot%\System32\comsdupd.exe -> [2009/01/12 05:16:43 | 00,009,728 | ---- | C] (Microsoft Corporation)
hidbth.sys -> %SystemRoot%\System32\drivers\hidbth.sys -> [2009/01/12 05:16:41 | 00,025,600 | ---- | C] (Microsoft Corporation)
hidir.sys -> %SystemRoot%\System32\drivers\hidir.sys -> [2009/01/12 05:16:41 | 00,019,200 | ---- | C] (Microsoft Corporation)
gagp30kx.sys -> %SystemRoot%\System32\drivers\gagp30kx.sys -> [2009/01/12 05:16:40 | 00,046,464 | ---- | C] (Microsoft Corporation)
faxpatch.exe -> %SystemRoot%\System32\faxpatch.exe -> [2009/01/12 05:16:39 | 00,020,992 | ---- | C] (Microsoft Corporation)
eapp3hst.dll -> %SystemRoot%\System32\eapp3hst.dll -> [2009/01/12 05:16:38 | 00,184,832 | ---- | C] (Microsoft Corporation)
eapphost.dll -> %SystemRoot%\System32\eapphost.dll -> [2009/01/12 05:16:38 | 00,180,224 | ---- | C] (Microsoft Corporation)
eappcfg.dll -> %SystemRoot%\System32\eappcfg.dll -> [2009/01/12 05:16:38 | 00,126,976 | ---- | C] (Microsoft Corporation)
eappgnui.dll -> %SystemRoot%\System32\eappgnui.dll -> [2009/01/12 05:16:38 | 00,094,208 | ---- | C] (Microsoft Corporation)
eapqec.dll -> %SystemRoot%\System32\eapqec.dll -> [2009/01/12 05:16:38 | 00,059,392 | ---- | C] (Microsoft Corporation)
eappprxy.dll -> %SystemRoot%\System32\eappprxy.dll -> [2009/01/12 05:16:38 | 00,040,960 | ---- | C] (Microsoft Corporation)
eapsvc.dll -> %SystemRoot%\System32\eapsvc.dll -> [2009/01/12 05:16:38 | 00,033,792 | ---- | C] (Microsoft Corporation)
eapolqec.dll -> %SystemRoot%\System32\eapolqec.dll -> [2009/01/12 05:16:38 | 00,030,720 | ---- | C] (Microsoft Corporation)
dot3ui.dll -> %SystemRoot%\System32\dot3ui.dll -> [2009/01/12 05:16:37 | 00,650,752 | ---- | C] (Microsoft Corporation)
dot3svc.dll -> %SystemRoot%\System32\dot3svc.dll -> [2009/01/12 05:16:37 | 00,132,096 | ---- | C] (Microsoft Corporation)
dot3cfg.dll -> %SystemRoot%\System32\dot3cfg.dll -> [2009/01/12 05:16:37 | 00,057,856 | ---- | C] (Microsoft Corporation)
dot3msm.dll -> %SystemRoot%\System32\dot3msm.dll -> [2009/01/12 05:16:37 | 00,056,320 | ---- | C] (Microsoft Corporation)
dhcpqec.dll -> %SystemRoot%\System32\dhcpqec.dll -> [2009/01/12 05:16:37 | 00,048,640 | ---- | C] (Microsoft Corporation)
dot3gpclnt.dll -> %SystemRoot%\System32\dot3gpclnt.dll -> [2009/01/12 05:16:37 | 00,039,936 | ---- | C] (Microsoft Corporation)
dimsroam.dll -> %SystemRoot%\System32\dimsroam.dll -> [2009/01/12 05:16:37 | 00,039,936 | ---- | C] (Microsoft Corporation)
dot3api.dll -> %SystemRoot%\System32\dot3api.dll -> [2009/01/12 05:16:37 | 00,026,112 | ---- | C] (Microsoft Corporation)
dimsntfy.dll -> %SystemRoot%\System32\dimsntfy.dll -> [2009/01/12 05:16:37 | 00,019,456 | ---- | C] (Microsoft Corporation)
dot3dlg.dll -> %SystemRoot%\System32\dot3dlg.dll -> [2009/01/12 05:16:37 | 00,009,216 | ---- | C] (Microsoft Corporation)
cxthsfs2.cty -> %SystemRoot%\System32\drivers\cxthsfs2.cty -> [2009/01/12 05:16:36 | 00,129,045 | ---- | C] ()
credssp.dll -> %SystemRoot%\System32\credssp.dll -> [2009/01/12 05:16:35 | 00,012,800 | ---- | C] (Microsoft Corporation)
azroles.dll -> %SystemRoot%\System32\azroles.dll -> [2009/01/12 05:16:32 | 00,233,472 | ---- | C] (Microsoft Corporation)
bthpan.sys -> %SystemRoot%\System32\drivers\bthpan.sys -> [2009/01/12 05:16:32 | 00,101,120 | ---- | C] (Microsoft Corporation)
ativmc20.cod -> %SystemRoot%\System32\drivers\ativmc20.cod -> [2009/01/12 05:16:32 | 00,064,352 | ---- | C] ()
bthmodem.sys -> %SystemRoot%\System32\drivers\bthmodem.sys -> [2009/01/12 05:16:32 | 00,037,888 | ---- | C] (Microsoft Corporation)
bthprint.sys -> %SystemRoot%\System32\drivers\bthprint.sys -> [2009/01/12 05:16:32 | 00,036,480 | ---- | C] (Microsoft Corporation)
bthusb.sys -> %SystemRoot%\System32\drivers\bthusb.sys -> [2009/01/12 05:16:32 | 00,018,944 | ---- | C] (Microsoft Corporation)
bthenum.sys -> %SystemRoot%\System32\drivers\bthenum.sys -> [2009/01/12 05:16:32 | 00,017,024 | ---- | C] (Microsoft Corporation)
bitsprx4.dll -> %SystemRoot%\System32\bitsprx4.dll -> [2009/01/12 05:16:32 | 00,007,168 | ---- | C] (Microsoft Corporation)
aaclient.dll -> %SystemRoot%\System32\aaclient.dll -> [2009/01/12 05:16:30 | 00,136,192 | ---- | C] (Microsoft Corporation)
agpcpq.sys -> %SystemRoot%\System32\drivers\agpcpq.sys -> [2009/01/12 05:16:30 | 00,044,928 | ---- | C] (Microsoft Corporation)
alim1541.sys -> %SystemRoot%\System32\drivers\alim1541.sys -> [2009/01/12 05:16:30 | 00,042,752 | ---- | C] (Microsoft Corporation)
agp440.sys -> %SystemRoot%\System32\drivers\agp440.sys -> [2009/01/12 05:16:30 | 00,042,368 | ---- | C] (Microsoft Corporation)
Boot.bak -> %SystemDrive%\Boot.bak -> [2009/01/12 04:54:33 | 00,000,211 | ---- | C] ()
cmldr -> %SystemDrive%\cmldr -> [2009/01/12 04:54:26 | 00,260,272 | ---- | C] ()
cmdcons -> %SystemDrive%\cmdcons -> [2009/01/12 04:54:22 | 00,000,000 | RHSD | C]
ERDNT -> %SystemRoot%\ERDNT -> [2009/01/12 04:51:30 | 00,000,000 | ---D | C]
BalanceModv116TechChart.pdf -> %UserProfile%\Desktop\BalanceModv116TechChart.pdf -> [2009/01/10 06:10:05 | 00,198,631 | ---- | C] ()
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk -> [2009/01/08 17:36:28 | 00,001,734 | ---- | C] ()
Trend Micro -> %ProgramFiles%\Trend Micro -> [2009/01/08 17:36:28 | 00,000,000 | ---D | C]
Spybot - Search & Destroy - Scheduled Task.job -> %SystemRoot%\tasks\Spybot - Search & Destroy - Scheduled Task.job -> [2009/01/08 14:26:23 | 00,000,296 | ---- | C] ()
GroupPolicy -> %SystemRoot%\System32\GroupPolicy -> [2009/01/08 13:50:26 | 00,000,000 | -H-D | C]
Internet.lnk -> %UserProfile%\Desktop\Internet.lnk -> [2009/01/05 13:35:25 | 00,000,104 | ---- | C] ()
Dwarf Fortress -> %UserProfile%\Desktop\Dwarf Fortress -> [2009/01/04 17:31:26 | 00,000,000 | ---D | C]
Google -> %AllUsersProfile%\Application Data\Google -> [2009/01/01 14:19:06 | 00,000,000 | ---D | C]
Space Empires IV Deluxe.lnk -> %UserProfile%\Desktop\Space Empires IV Deluxe.lnk -> [2008/12/30 23:58:55 | 00,001,584 | ---- | C] ()
Space Empires V.lnk -> %UserProfile%\Desktop\Space Empires V.lnk -> [2008/12/30 23:56:14 | 00,001,568 | ---- | C] ()
FallfromHeaven2.exe -> %UserProfile%\Desktop\FallfromHeaven2.exe -> [2008/12/30 17:40:32 | 40,563,1672 | ---- | C] ()
Google -> %UserProfile%\Local Settings\Application Data\Google -> [2008/12/30 12:33:29 | 00,000,000 | ---D | C]
Mount and Blade.lnk -> %UserProfile%\Desktop\Mount and Blade.lnk -> [2008/12/29 06:10:58 | 00,001,570 | ---- | C] ()
Mount&Blade Savegames -> %UserProfile%\My Documents\Mount&Blade Savegames -> [2008/12/28 13:09:19 | 00,000,000 | ---D | C]
Mount&Blade -> %AppData%\Mount&Blade -> [2008/12/28 13:07:56 | 00,000,000 | ---D | C]
World of Warcraft.lnk -> %AllUsersProfile%\Desktop\World of Warcraft.lnk -> [2008/12/22 01:26:38 | 00,000,823 | ---- | C] ()
World of Warcraft -> %ProgramFiles%\World of Warcraft -> [2008/12/22 01:26:38 | 00,000,000 | ---D | C]
Blizzard -> %AllUsersProfile%\Application Data\Blizzard -> [2008/12/21 20:48:38 | 00,000,000 | ---D | C]
CohTest -> %ProgramFiles%\CohTest -> [2008/12/17 07:32:15 | 00,000,000 | ---D | C]

[Files/Folders - Modified Within 30 Days]
2 C:\*.tmp files -> C:\*.tmp ->
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
5 C:\Documents and Settings\Bryan Johnson\Local Settings\temp\*.tmp files -> C:\Documents and Settings\Bryan Johnson\Local Settings\temp\*.tmp ->
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2009/01/14 06:45:46 | 00,656,730 | ---- | M] ()
CONFIG.NT -> %SystemRoot%\System32\CONFIG.NT -> [2009/01/14 06:35:42 | 00,002,626 | ---- | M] ()
Check Updates for Windows Live Toolbar.job -> %SystemRoot%\tasks\Check Updates for Windows Live Toolbar.job -> [2009/01/14 06:33:00 | 00,000,270 | ---- | M] ()
nvapps.xml -> %SystemRoot%\System32\nvapps.xml -> [2009/01/14 06:19:09 | 00,181,371 | ---- | M] ()
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [2009/01/14 06:19:00 | 00,001,158 | ---- | M] ()
Perflib_Perfdata_704.dat -> %SystemRoot%\Temp\Perflib_Perfdata_704.dat -> [2009/01/14 06:18:27 | 00,016,384 | ---- | M] ()
Perflib_Perfdata_208.dat -> %SystemRoot%\Temp\Perflib_Perfdata_208.dat -> [2009/01/14 06:18:26 | 00,000,000 | ---- | M] ()
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [2009/01/14 06:18:25 | 00,000,006 | -H-- | M] ()
bootstat.dat -> %SystemRoot%\bootstat.dat -> [2009/01/14 06:18:21 | 00,002,048 | --S- | M] ()
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [2009/01/14 06:18:17 | 21,468,16000 | -HS- | M] ()
NTUSER.DAT -> %UserProfile%\NTUSER.DAT -> [2009/01/14 06:17:01 | 11,796,480 | -H-- | M] ()
ntuser.ini -> %UserProfile%\ntuser.ini -> [2009/01/14 06:17:01 | 00,000,178 | -HS- | M] ()
ResetTeaTimer.bat -> %UserProfile%\Desktop\ResetTeaTimer.bat -> [2009/01/14 06:16:23 | 00,009,123 | ---- | M] ()
imsins.BAK -> %SystemRoot%\imsins.BAK -> [2009/01/14 03:02:37 | 00,001,374 | ---- | M] ()
qmgr0.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [2009/01/13 23:03:08 | 00,004,646 | ---- | M] ()
qmgr1.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [2009/01/13 23:03:08 | 00,004,232 | ---- | M] ()
Perflib_Perfdata_7d8.dat -> %SystemRoot%\Temp\Perflib_Perfdata_7d8.dat -> [2009/01/13 20:55:20 | 00,016,384 | ---- | M] ()
Perflib_Perfdata_6f4.dat -> %SystemRoot%\Temp\Perflib_Perfdata_6f4.dat -> [2009/01/13 19:06:18 | 00,016,384 | ---- | M] ()
Perflib_Perfdata_190.dat -> %SystemRoot%\Temp\Perflib_Perfdata_190.dat -> [2009/01/13 19:06:18 | 00,016,384 | ---- | M] ()
perfh009.dat -> %SystemRoot%\System32\perfh009.dat -> [2009/01/13 17:54:58 | 00,441,252 | ---- | M] ()
perfc009.dat -> %SystemRoot%\System32\perfc009.dat -> [2009/01/13 17:54:57 | 00,071,404 | ---- | M] ()
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI -> [2009/01/13 17:54:56 | 00,521,268 | ---- | M] ()
desktop.ini -> %UserProfile%\My Documents\desktop.ini -> [2009/01/13 17:53:05 | 00,000,084 | -HS- | M] ()
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT -> [2009/01/13 17:51:41 | 00,157,952 | ---- | M] ()
ntldr -> %SystemDrive%\ntldr -> [2009/01/13 17:37:32 | 00,250,048 | RHS- | M] ()
Perflib_Perfdata_760.dat -> %SystemRoot%\Temp\Perflib_Perfdata_760.dat -> [2009/01/13 17:24:08 | 00,016,384 | ---- | M] ()
Fall from Heaven 2.lnk -> %UserProfile%\Desktop\Fall from Heaven 2.lnk -> [2009/01/13 02:41:24 | 00,002,007 | ---- | M] ()
SpywareBlaster.lnk -> %UserProfile%\Desktop\SpywareBlaster.lnk -> [2009/01/13 02:03:21 | 00,000,690 | ---- | M] ()
sitehound_ff_24072008.exe -> %UserProfile%\Desktop\sitehound_ff_24072008.exe -> [2009/01/13 02:02:27 | 01,190,552 | ---- | M] ()
CF25815.exe -> %UserProfile%\Local Settings\temp\CF25815.exe -> [2009/01/13 01:40:52 | 00,388,608 | ---- | M] (Microsoft Corporation)
kosglue-7.0.25.0.dll -> %UserProfile%\Local Settings\temp\jkos-Bryan Johnson\binaries\kosglue-7.0.25.0.dll -> [2009/01/12 08:02:02 | 00,729,152 | ---- | M] (Kaspersky Lab)
kave.dll -> %UserProfile%\Local Settings\temp\jkos-Bryan Johnson\binaries\kave.dll -> [2009/01/12 08:02:02 | 00,282,624 | ---- | M] (Kaspersky Lab.)
prLoader.dll -> %UserProfile%\Local Settings\temp\jkos-Bryan Johnson\binaries\prLoader.dll -> [2009/01/12 08:02:02 | 00,184,320 | ---- | M] (Kaspersky Lab)
ScanningProcess.exe -> %UserProfile%\Local Settings\temp\jkos-Bryan Johnson\binaries\ScanningProcess.exe -> [2009/01/12 08:02:01 | 00,139,264 | ---- | M] (Kaspersky Lab.)
FSSync.dll -> %UserProfile%\Local Settings\temp\jkos-Bryan Johnson\binaries\FSSync.dll -> [2009/01/12 08:02:01 | 00,038,400 | ---- | M] (Kaspersky Lab)
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/01/12 06:03:30 | 00,000,696 | ---- | M] ()
system.ini -> %SystemRoot%\system.ini -> [2009/01/12 05:04:07 | 00,000,227 | ---- | M] ()
boot.ini -> %SystemDrive%\boot.ini -> [2009/01/12 04:54:33 | 00,000,281 | RHS- | M] ()
Microsoft Office Excel 2007.lnk -> %UserProfile%\Desktop\Microsoft Office Excel 2007.lnk -> [2009/01/11 14:46:35 | 00,002,473 | ---- | M] ()
Steam.lnk -> %AllUsersProfile%\Desktop\Steam.lnk -> [2009/01/10 19:57:41 | 00,002,193 | ---- | M] ()
MRT.exe -> %SystemRoot%\System32\MRT.exe -> [2009/01/09 18:35:28 | 20,853,704 | ---- | M] (Microsoft Corporation)
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk -> [2009/01/08 17:36:28 | 00,001,734 | ---- | M] ()
Spybot - Search & Destroy.lnk -> %UserProfile%\Desktop\Spybot - Search & Destroy.lnk -> [2009/01/08 14:38:45 | 00,000,963 | ---- | M] ()
Spybot - Search & Destroy - Scheduled Task.job -> %SystemRoot%\tasks\Spybot - Search & Destroy - Scheduled Task.job -> [2009/01/08 14:26:29 | 00,000,296 | ---- | M] ()
HOSTS.MVP -> %SystemRoot%\System32\drivers\etc\HOSTS.MVP -> [2009/01/08 04:25:22 | 00,624,583 | ---- | M] ()
HOSTS -> %SystemRoot%\System32\drivers\etc\HOSTS -> [2009/01/08 04:25:22 | 00,624,583 | ---- | M] ()
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [2009/01/06 13:25:07 | 00,000,069 | ---- | M] ()
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> %UserProfile%\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2009/01/06 13:24:58 | 00,095,744 | ---- | M] ()
Internet.lnk -> %UserProfile%\Desktop\Internet.lnk -> [2009/01/05 13:35:25 | 00,000,104 | ---- | M] ()
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [2009/01/05 09:41:47 | 00,054,156 | -H-- | M] ()
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> [2009/01/04 18:38:22 | 00,038,496 | ---- | M] (Malwarebytes Corporation)
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2009/01/04 18:38:18 | 00,015,504 | ---- | M] (Malwarebytes Corporation)
Space Empires IV Deluxe.lnk -> %UserProfile%\Desktop\Space Empires IV Deluxe.lnk -> [2008/12/30 23:58:55 | 00,001,584 | ---- | M] ()
Space Empires V.lnk -> %UserProfile%\Desktop\Space Empires V.lnk -> [2008/12/30 23:56:14 | 00,001,568 | ---- | M] ()
FallfromHeaven2.exe -> %UserProfile%\Desktop\FallfromHeaven2.exe -> [2008/12/30 18:26:52 | 40,563,1672 | ---- | M] ()
Mount and Blade.lnk -> %UserProfile%\Desktop\Mount and Blade.lnk -> [2008/12/29 06:10:58 | 00,001,570 | ---- | M] ()
World of Warcraft.lnk -> %AllUsersProfile%\Desktop\World of Warcraft.lnk -> [2008/12/22 05:26:59 | 00,000,823 | ---- | M] ()
City of Heroes.lnk -> %UserProfile%\Desktop\City of Heroes.lnk -> [2008/12/17 07:32:15 | 00,001,405 | ---- | M] ()
VCExpress000223.dat -> %AllUsersProfile%\Application Data\Microsoft\VCExpress\9.0\VCExpress000223.dat -> [2008/09/23 11:13:51 | 00,677,178 | -H-- | M] ()
opa12.dat -> %AllUsersProfile%\Application Data\Microsoft\OFFICE\DATA\opa12.dat -> [2008/07/30 21:01:52 | 00,008,504 | ---- | M] ()

[Alternate Data Streams]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\alienware logo_slvr.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
@Alternate Data Stream - 0 bytes -> %SystemRoot%\alienware_logo_slvr.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
@Alternate Data Stream - 0 bytes -> %UserProfile%\Desktop\Thumbs.db:encryptable
@Alternate Data Stream - 108 bytes -> %AllUsersProfile%\Application Data\TEMPFC5A2B2
@Alternate Data Stream - 3552 bytes -> %SystemRoot%\alienware logo_slvr.jpg:Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 3552 bytes -> %SystemRoot%\alienware_logo_slvr.jpg:Q30lsldxJoudresxAaaqpcawXc
[CatchMe Rootkit Scan by GMER]
< Windows folder & sub-folders >
scanning hidden processes ...
IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"u0"=hex:b8,96,90,02,04,00,00,00,00,00,00,00,35,65,65,61,39,39,39,38,62,..
"p0"="C:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000000
"hdf12"=hex:1b,00,a6,e9,ed,ad,c5,8b,f5,5a,6d,2c,6f,c3,2e,5a,a9,44,06,2e,34,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,cf,d5,4e,fb,ae,23,0c,ba,6b,fa,24,1a,31,93,fa,cd,11,..
"hdf12"=hex:ac,0a,3c,db,e3,49,59,28,a5,51,80,26,47,0f,45,db,e4,36,8f,d8,72,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:e9,22,ed,a9,5b,fa,ac,68,0e,f6,55,0d,7d,4c,fc,6e,79,3c,02,b4,a5,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000001
"khjeh"=hex:90,b2,6f,2e,1d,d6,cf,8c,e2,56,93,a3,9f,18,5d,5c,dd,a5,04,81,00,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,2b,30,da,d7,41,ba,7b,85,af,70,df,21,2d,8e,6d,6b,7d,..
"khjeh"=hex:0b,7e,da,77,a5,fa,2f,6d,99,83,82,a6,72,f8,0e,4f,6e,44,e2,4a,48,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:33,c8,8b,c7,63,f3,a8,b1,fd,56,aa,ab,eb,c1,82,0e,c3,8a,ef,31,6e,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"u0"=hex:b8,96,90,02,04,00,00,00,00,00,00,00,35,65,65,61,39,39,39,38,62,..
"p0"="C:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000000
"hdf12"=hex:1b,00,a6,e9,ed,ad,c5,8b,f5,5a,6d,2c,6f,c3,2e,5a,a9,44,06,2e,34,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,cf,d5,4e,fb,ae,23,0c,ba,6b,fa,24,1a,31,93,fa,cd,11,..
"hdf12"=hex:ac,0a,3c,db,e3,49,59,28,a5,51,80,26,47,0f,45,db,e4,36,8f,d8,72,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:e9,22,ed,a9,5b,fa,ac,68,0e,f6,55,0d,7d,4c,fc,6e,79,3c,02,b4,a5,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000001
"khjeh"=hex:90,b2,6f,2e,1d,d6,cf,8c,e2,56,93,a3,9f,18,5d,5c,dd,a5,04,81,00,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,2b,30,da,d7,41,ba,7b,85,af,70,df,21,2d,8e,6d,6b,7d,..
"khjeh"=hex:0b,7e,da,77,a5,fa,2f,6d,99,83,82,a6,72,f8,0e,4f,6e,44,e2,4a,48,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:33,c8,8b,c7,63,f3,a8,b1,fd,56,aa,ab,eb,c1,82,0e,c3,8a,ef,31,6e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"u0"=hex:b8,96,90,02,04,00,00,00,00,00,00,00,35,65,65,61,39,39,39,38,62,..
"p0"="C:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000000
"hdf12"=hex:1b,00,a6,e9,ed,ad,c5,8b,f5,5a,6d,2c,6f,c3,2e,5a,a9,44,06,2e,34,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,cf,d5,4e,fb,ae,23,0c,ba,6b,fa,24,1a,31,93,fa,cd,11,..
"hdf12"=hex:ac,0a,3c,db,e3,49,59,28,a5,51,80,26,47,0f,45,db,e4,36,8f,d8,72,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:e9,22,ed,a9,5b,fa,ac,68,0e,f6,55,0d,7d,4c,fc,6e,79,3c,02,b4,a5,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000001
"khjeh"=hex:90,b2,6f,2e,1d,d6,cf,8c,e2,56,93,a3,9f,18,5d,5c,dd,a5,04,81,00,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,2b,30,da,d7,41,ba,7b,85,af,70,df,21,2d,8e,6d,6b,7d,..
"khjeh"=hex:0b,7e,da,77,a5,fa,2f,6d,99,83,82,a6,72,f8,0e,4f,6e,44,e2,4a,48,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:33,c8,8b,c7,63,f3,a8,b1,fd,56,aa,ab,eb,c1,82,0e,c3,8a,ef,31,6e,..
scanning hidden registry entries ...
scanning hidden files ...
C:\WINDOWS\alienware_logo_slvr.jpg:Q30lsldxJoudresxAaaqpcawXc 3552 bytes
C:\WINDOWS\alienware_logo_slvr.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\WINDOWS\alienware logo_slvr.jpg:Q30lsldxJoudresxAaaqpcawXc 3552 bytes
C:\WINDOWS\alienware logo_slvr.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 6
< Document and Settings folder & sub folders >
scanning hidden files ...
IPC error: 2 The system cannot find the file specified.
C:\Documents and Settings\All Users\Application Data\TEMPFC5A2B2 108 bytes
scan completed successfully
hidden files: 39

< End of report >
[/code]

 

[peku006]

Hi

delete the ResetTeaTimer.bat from your desktop

1. Right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
2. Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
3. Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
4. Click on Mode > Advanced Mode. When it prompts you, click Yes.
5. On the left hand side, click on Tools.
6. Check (tick) this box if it is not yet ticked: Resident.
7. You will notice that Resident is now added under Tools. Click on Resident.
8. Uncheck (untick) this box: Resident "TeaTimer" (Protection of over-all system settings) active.
9. Exit Spybot Search & Destroy.

Download and Unzip to your Desktop: ResetTeaTimer.bat.zip >
Double click ResetTeaTimer.bat

After that, Reboot

Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "gadcom" -> %AppData%\gadcom\gadcom.exe ["C:\Documents and Settings\Bryan Johnson\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A]

After that, Reboot

After that enable TeaTimer and let me know if spybot still finds something.

Thanks peku006

 

[AgentPaper]

Squeaky clean! huzzay!

Now that that's done, a few quick questions that might be nothing. First, teatimer is alerting me a lot of registry changes. This is nice and all, but I have no idea what I should allow and what I should deny. Should I just deny everything? Allow everything? Are there certain times I should expect these changes? Certain things to look out for? Right now it's useless to me, the thing might as well not even tell me, because I have no idea what's going on.

Second, every time I turn my computer on, I get an error message "Failed to locate Hotkey.dll", and a black DOS type window shows up a bit after, runs 3 lines that say something about a framework, and closes. It doesn't seem to matter if I close the window before the lines show up, and I have no idea what it's doing.

Last, and most importantly: Thank you! :yahoo: I can't say how glad I am that I can start browsing more normally now, not afraid that every second I'm on the internet virtumonde is downloading more and more viruses.

 

[peku006]

Hi AgentPaper

With Spybot's TeaTimer, whenever there is a registry change to the system, it pops up a notification to allow or deny. If you selected deny change but keep getting the alert, then something is attempting to alter the registry and the pop-up notifications will continue.

Please Read This Tea Timer popups

you should download the "Hotkey.dll", and copy it into the system32 folder.....but
I am not an expert at this type of problem. I would suggest that you go to one of the forums below that specialize in more general computer problems. They have people that know more about this sort of problem because it does not seem to be a malware problem.

Good Hardware and Software Help Forums
Computer Trouble here: http://forum.computertrouble.co.uk/index.php
or
TechSupportGuy here : http://forums.techguy.org/21-windows-nt-2000-xp/
or
VirtualDr here: http://discussions.virtualdr.com/forumdisplay.php?f=48
or
PCPitStop here : http://forums.pcpitstop.com/index.php?showforum=3

All may require you to register free before posting for help.

 

[peku006]

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.