08-04-2008, 11:32 AM   #1
j_sollars
Registered User
 
Join Date: Jul 2008
Posts: 14
OS: XP


XP Infected with malware ProgDav and AntiVir XP 2008 fake program

I have a client who opened a fake email attachment from UPS, which caused quite some havoc with her PC. Popups claiming that the PC had 12 00 spyware infections and a fake security center would come up with spyware information. Also an ad saying to buy AntiVirus XP 2008, and then, after letting the PC idle for a good bit of time, a screensaver with a BSOD followed by a "Windows is restarting" screen.
I have run a number of malware scans, including Hitman Pro, and Spyware Doctor found numerous problems but could not fix them. Spy Sweeper found Trojan-Progdav and said it fixed it, but the PC still has AntiVir XP 2008 in Add/Remove Programs and still gets the screensaver coming up. I have tried to remove AntiVir XP 2008 from Add/Remove Programs, but it doesn't remove. I have followed the 5 steps in the HijackThis Help forum and have run ActiveScan followed by DSS, and have attached the logs for someone's viewing pleasure. Thanks!

Here is the main log:

Deckard's System Scanner v20071014.68
Run by bthrasher on 2008-08-04 06:47:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-08-04 11:47:20 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as bthrasher.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:14 AM, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
C:\Program Files\Sharp\Sharpdesk\Indexer.exe
C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Sharp\Sharpdesk\FtpServer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Timeslips\TSTimer.exe
C:\Program Files\Sharp\Sharpdesk\nsapp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Documents and Settings\bthrasher\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\bthrasher.exe
C:\WINDOWS\system32\HPBPRO.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.111.*
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe"
O4 - HKLM\..\Run: [Indexer] "C:\Program Files\Sharp\Sharpdesk\Indexer.exe"
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [TypeRegChecker] "C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe"
O4 - HKLM\..\Run: [FtpServer.exe] "C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" -usedefault
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [SymLnch] "C:\DOCUME~1\ADMINI~1.SWL\APPLIC~1\Symantec\Layouts\NORTON~1\1500~1.60\SYMALL~1\NIS_RE~1\90100\Support\SymLnch\SymLnch.exe" "C:\DOCUME~1\ADMINI~1.SWL\APPLIC~1\Symantec\Layouts\NORTON~1\1500~1.60\SYMALL~1\NIS_RE~1\90100\Setup.exe" "/SCANUPREBOOT /temp /patched"
O4 - HKCU\..\Run: [TSTimer] "C:\Program Files\Timeslips\TSTimer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Lookup on CD - c:\AHD4withThesaurus\ahd.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Lookup on CD - {CB9CDC2D-0AB4-4031-A1F7-E9B4070CE521} - c:\AHD4withThesaurus\ahd.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://mail1/ConnectComputer/nshelp.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1121454892203
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SWLAW.local
O17 - HKLM\Software\..\Telephony: DomainName = SWLAW.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6BCB16E-816D-4A01-9073-9B0132D8B32F}: NameServer = 192.168.111.10,12.166.24.72,12.166.24.73
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SWLAW.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: cru629.dat??h?5.1,avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 9084 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 COH_Mon - c:\windows\system32\drivers\coh_mon.sys (file missing)
S3 SymIM (Symantec Network Security Intermediate Filter Service) - c:\windows\system32\drivers\symim.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BAsfIpM (Broadcom ASF IP monitoring service v6.0.4) - c:\windows\system32\basfipm.exe <Not Verified; Broadcom Corp.; Broadcom ASF IP monitoring service>
R2 winvnc (VNC Server) - "c:\program files\ultravnc\winvnc.exe" -service <Not Verified; UltraVNC; UltraVNC>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-08-03 17:47:46 0 d-------- C:\Program Files\SpywareBlaster
2008-08-03 16:18:34 0 d-------- C:\Program Files\Panda Security
2008-08-03 16:00:07 0 d-------- C:\Program Files\Trend Micro
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\proberts\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\kwalls\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\bthrasher\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\bthrasher.BETH\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\All Users\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\Administrator\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\administrator.SWLAW\Recent
2008-07-30 08:12:49 0 d-------- C:\Documents and Settings\__sbs_netsetup__\Recent
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\proberts\Cookies
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\kwalls\Cookies
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\bthrasher.BETH\Cookies
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\All Users\Cookies
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\Administrator\Cookies
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\administrator.SWLAW\Cookies
2008-07-30 08:11:29 0 d-------- C:\Documents and Settings\__sbs_netsetup__\Cookies
2008-07-29 19:00:11 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\Lavasoft
2008-07-29 18:52:07 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-29 18:48:54 164 --a------ C:\install.dat
2008-07-29 18:48:24 0 d-------- C:\Program Files\Lavasoft
2008-07-29 18:35:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-07-29 18:35:16 0 d-------- C:\Temp
2008-07-29 18:11:40 0 d-------- C:\WINDOWS\system32\GroupPolicy
2008-07-29 18:11:18 0 d-------- C:\Program Files\Hitman Pro
2008-07-25 09:34:22 0 d--h----- C:\$AVG8.VAULT$
2008-07-25 08:58:38 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-25 08:58:24 0 d-------- C:\Program Files\AVG
2008-07-25 08:58:24 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-25 08:07:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-25 08:04:50 0 d-------- C:\WINDOWS\pss
2008-07-25 08:03:27 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\U3
2008-07-24 19:48:58 0 d-------- C:\WINDOWS\system32\appmgmt
2008-07-24 18:31:28 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\Macromedia
2008-07-24 18:13:39 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\rhc5scj0e96j
2008-07-24 16:51:31 0 d-------- C:\Program Files\rhc5scj0e96j
2008-07-24 16:49:09 60928 --a------ C:\WINDOWS\system32\blphc1scj0e96j.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-24 11:05:24 14772 --a------ C:\WINDOWS\otedody.sys
2008-07-24 11:05:24 18165 --a------ C:\WINDOWS\hazupexory.dat
2008-07-24 11:05:24 17564 --a------ C:\Program Files\Common Files\lupynuhum.scr
2008-07-24 11:05:24 19041 --a------ C:\Program Files\Common Files\juhufema.dll
2008-07-24 11:05:24 17878 --a------ C:\Documents and Settings\bthrasher\Application Data\synedere.dat
2008-07-24 11:05:24 10767 --a------ C:\Documents and Settings\bthrasher\Application Data\otisunehe.reg
2008-07-24 11:05:24 10643 --a------ C:\Documents and Settings\bthrasher\Application Data\okypuga.sys
2008-07-24 11:05:24 18494 --a------ C:\Documents and Settings\bthrasher\Application Data\kuwy.com
2008-07-24 11:05:24 19041 --a------ C:\Documents and Settings\All Users\Application Data\yvunezas.sys
2008-07-24 11:05:24 12451 --a------ C:\Documents and Settings\All Users\Application Data\yrovekyq.reg
2008-07-24 11:05:24 12813 --a------ C:\Documents and Settings\All Users\Application Data\yhik.exe
2008-07-24 11:05:24 17374 --a------ C:\Documents and Settings\All Users\Application Data\witicuz.scr
2008-07-24 11:05:24 14175 --a------ C:\Documents and Settings\All Users\Application Data\lovo.com
2008-07-24 11:05:24 14872 --a------ C:\Documents and Settings\All Users\Application Data\kicysuqa.scr
2008-07-15 15:09:21 0 d-------- C:\Program Files\Sun
2008-07-09 17:54:39 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\Adobe
2008-07-09 17:49:19 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\Windows Desktop Search
2008-07-09 17:48:08 0 d--h----- C:\Documents and Settings\administrator.SWLAW\Templates
2008-07-09 17:48:08 0 dr------- C:\Documents and Settings\administrator.SWLAW\Start Menu
2008-07-09 17:48:08 0 dr-h----- C:\Documents and Settings\administrator.SWLAW\SendTo
2008-07-09 17:48:08 0 d--h----- C:\Documents and Settings\administrator.SWLAW\PrintHood
2008-07-09 17:48:08 4718592 --ah----- C:\Documents and Settings\administrator.SWLAW\NTUSER.DAT
2008-07-09 17:48:08 0 d--h----- C:\Documents and Settings\administrator.SWLAW\NetHood
2008-07-09 17:48:08 0 dr------- C:\Documents and Settings\administrator.SWLAW\My Documents
2008-07-09 17:48:08 0 d--h----- C:\Documents and Settings\administrator.SWLAW\Local Settings
2008-07-09 17:48:08 0 dr------- C:\Documents and Settings\administrator.SWLAW\Favorites
2008-07-09 17:48:08 0 d-------- C:\Documents and Settings\administrator.SWLAW\Desktop
2008-07-09 17:48:08 0 dr-h----- C:\Documents and Settings\administrator.SWLAW\Application Data
2008-07-09 17:48:08 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\Symantec
2008-07-09 17:48:08 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\Sun
2008-07-09 17:48:08 0 d---s---- C:\Documents and Settings\administrator.SWLAW\Application Data\Microsoft
2008-07-09 17:48:08 0 d-------- C:\Documents and Settings\administrator.SWLAW\Application Data\Identities


-- Find3M Report ---------------------------------------------------------------

2008-07-29 18:48:13 0 d-------- C:\Program Files\Common Files
2008-07-28 11:45:40 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-07-25 08:09:08 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-24 11:05:24 10923 --a------ C:\Documents and Settings\bthrasher\Application Data\yneco.ban
2008-07-24 11:05:24 15559 --a------ C:\Documents and Settings\bthrasher\Application Data\rymibyd.dl
2008-07-24 11:05:24 11243 --a------ C:\Documents and Settings\bthrasher\Application Data\javofojix.ban
2008-07-23 13:15:08 0 d-------- C:\Documents and Settings\bthrasher\Application Data\Wal-Mart Digital Photo Manager
2008-07-15 15:08:25 0 d-------- C:\Program Files\Java
2008-06-05 13:37:21 2528 --a------ C:\Documents and Settings\bthrasher\Application Data\$_hpcst$.hpc
2008-06-05 13:34:05 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-05-15 12:09:57 501438 --a------ C:\Documents and Settings\bthrasher\Application Data\fontlst2.opf


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [04/26/2004 09:04 AM]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [02/27/2004 12:29 PM]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [05/20/2004 11:40 AM]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [01/07/2004 02:02 PM]
"IndexTray"="C:\Program Files\Sharp\Sharpdesk\IndexTray.exe" [09/14/2004 03:53 PM]
"Indexer"="C:\Program Files\Sharp\Sharpdesk\Indexer.exe" [09/14/2004 03:54 PM]
"SharpTray"="C:\Program Files\Sharp\Sharpdesk\SharpTray.exe" [09/14/2004 04:02 PM]
"TypeRegChecker"="C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe" [09/14/2004 03:55 PM]
"FtpServer.exe"="C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" [09/13/2004 06:07 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/17/2005 08:31 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 03:49 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 03:46 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 03:50 PM]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [06/18/2006 02:56 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [08/04/2004 06:00 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/25/2008 08:58 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TSTimer"="C:\Program Files\Timeslips\TSTimer.exe" [11/01/2004 04:55 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/18/2007 09:44 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 01:39 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SymLnch"="C:\DOCUME~1\ADMINI~1.SWL\APPLIC~1\Symantec\Layouts\NORTON~1\1500~1.60\SYMALL~1\NIS_RE~1\90100\Support\SymLnch\SymLnch.exe" "C:\DOCUME~1\ADMINI~1.SWL\APPLIC~1\Symantec\Layouts\NORTON~1\1500~1.60\SYMALL~1\NIS_RE~1\90100\Setup.exe" "/SCANUPREBOOT /temp /patched"

C:\Documents and Settings\bthrasher\Start Menu\Programs\Startup\
DESKTOP.INI [8/11/2004 6:15:06 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/11/2004 6:15:06 PM]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2/5/2007 3:40:46 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [02/05/2007 03:39 PM 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=cru629.dat??h?5.1,avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rxd38.sys]
@="Driver"

*Newly Created Service* - PAVBOOT



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8910 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-04 06:49:56 ------------
Attached Files
File Type: txt ActiveScan.txt (5.6 KB, 2 views)
File Type: txt extra.txt (21.8 KB, 2 views)