Trojan, Worm and Other Virus Problems

jchilderssalas · 11-20-2008, 09:59 PM

I'm so thankful to have found this free forum. I work from home on my PC and use it every single day. About two months ago, I started experiencing numerous pop-ups from IE, even when i was using the Firefox browser (I have both on my system). My system was also very slow and would often freeze-up while online. In addition, it wouldn't allow me to watch certain videos or freely use certain sites. At that time I downloaded a new Anti-virus software--ParetoLogic Anti-Spyware. It immediately picked up several viruses, which I cleaned, but a few kept returning.

Because I could use my computer again (even though the software showed there were still viruses that would not be removed), I just kind of ignored the viruses. I scanned the computer each day for new ones and "cleaned" the system with the Anti-Spyware, but there would still be these three viruses that wouldn't go away.

Up until this week, my computer was running somewhat smoothly. However, all of the sudden, I started experiencing the numerous pop-ups from IE again and everything was slow, making my life and my job very difficult! When I did a scan today through ParetoLogic, I saw numerous new viruses, including a Trojan and a Worm. Not cool.

Below I'm pasting the DDS text as requested. I'm attaching one of the other files needed: Attach.txt. I have the Gmer.text saved to my desktop, but when I try to upload it here, I get a message reading: "file invalid," so I'm not sure what to do about that. Thank you in advance for any help or suggestions you can offer. I can provide more info if needed.

Jessica

DDS (Version 1.0) - NTFSx86
Run by Jason Salas at 22:16:39.90 on 11/20/2008

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.cnn.com
uSearch Page = yahoo.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mWinlogon: Shell=Explorer.exe c:\windows\Nail.exe
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {31BB8CCE-E675-4647-8265-3975443B8F7E} - c:\windows\system32\yayaBSIX.dll
BHO: {418141f6-f4f2-417b-9480-deaa98afad55} - c:\windows\system32\jzcxhe.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - c:\windows\system32\M5s20cRu.dll
BHO: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\byXOhGvu.dll
TB: {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [slide.exe] c:\program files\slide\slide.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Creative Live! Cam Manager] "c:\program files\creative\creative live! cam\live! cam manager\CTLCMgr.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ParetoLogic Anti-Spyware] "c:\program files\paretologic\anti-spyware\Pareto_AS.exe" -NM -hidesplash
uRun: [gadcom] "c:\documents and settings\jason salas\application data\gadcom\gadcom.exe"

61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
uRun: [SpeedRunner] c:\documents and settings\jason salas\application data\speedrunner\SpeedRunner.exe
uRun: [SfKg6wIP] c:\documents and settings\jason salas\application data\microsoft\windows\ojeiyoa.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [HostManager] c:\program files\common files\aol\1135805068\ee\AOLSoftware.exe
mRun: [RegistryMechanic]
mRun: [EPSON Stylus CX7800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series"

/O6 "USB001" /M "Stylus CX7800"
mRun: [x3watchpro] c:\program files\x3watchpro\x3watchpro.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [V0410Mon.exe] c:\windows\V0410Mon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [iesvcmon] "c:\windows\system32\iesvcmon.exe"
mPolicies-explorer: <NO NAME> =
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} -

c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
LSP: CESpy.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: byXOhGvu - byXOhGvu.dll
AppInit_DLLs: jzcxhe.dll
SEH: {51C55F9E-C308-4c95-89AB-8858D8AFD819} - c:\program files\paretologic\anti-spyware\PASShlExt.dll
SEH: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\byXOhGvu.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\yayaBSIX

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2008-11-20 20:16 687,592 a------- c:\windows\system32\atmtd.dll._
2008-11-20 20:16 687,592 a------- c:\windows\system32\atmtd.dll
2008-11-20 20:15 1,989 a------- c:\windows\uninstall_nmon.vbs
2008-11-20 20:15 <DIR> --dsh--- c:\windows\SmFzb24gU2FsYXM
2008-11-20 20:15 <DIR> --d----- c:\program files\Network Monitor
2008-11-20 20:15 <DIR> --d----- c:\program files\InetGet2
2008-11-20 20:04 129,024 a------- c:\windows\system32\jzcxhe.dll
2008-11-20 20:04 129,024 a------- c:\windows\system32\wciursxt.dll
2008-11-20 19:58 1,632,503 ---sh--- c:\windows\system32\xwfismka.ini
2008-11-20 19:58 72,704 a------- c:\windows\system32\akmsifwx.dll
2008-11-20 19:31 250 a------- c:\windows\gmer.ini
2008-11-20 18:19 <DIR> --d----- c:\program files\Webtools
2008-11-20 18:14 <DIR> --d----- c:\program files\Mjcore
2008-11-20 00:33 37,027 a------- c:\windows\atmoUn.exe
2008-11-19 23:40 25,600 a------- c:\windows\system32\hgGyxWQK.dll
2008-11-19 23:40 25,600 a------- c:\windows\system32\ddcCVonk.dll
2008-11-19 23:17 53,938 a------- c:\windows\system32\cont_adsoftinc-remove.exe
2008-11-19 23:16 77,897 a------- c:\windows\system32\texpzbixgvrydzo.exe
2008-11-19 23:16 465,920 a------- c:\windows\system32\iesvcmon.exe
2008-11-19 20:01 129,024 a------- c:\windows\system32\ldhnpg.dll
2008-11-19 20:01 129,024 a------- c:\windows\system32\thsncwlb.dll
2008-11-19 19:58 1,496,340 ---sh--- c:\windows\system32\vtbtmyki.ini
2008-11-19 19:58 72,704 -------- c:\windows\system32\ikymtbtv.dll
2008-11-18 23:21 245,248 a------- c:\windows\svchost.exe
2008-11-18 23:16 <DIR> --d----- c:\program files\iCheck
2008-11-18 23:16 <DIR> --d----- c:\program files\GetPack
2008-11-18 19:55 124,928 a------- c:\windows\system32\gpvntx.dll
2008-11-18 19:55 124,928 a------- c:\windows\system32\kdstmnfc.dll
2008-11-17 22:35 <DIR> --d----- c:\program files\XoftSpySE
2008-11-17 20:09 <DIR> --d----- c:\docume~1\jasons~1\applic~1\SpeedRunner
2008-11-17 20:04 <DIR> --d----- c:\docume~1\jasons~1\applic~1\Twain
2008-11-17 19:58 1,574,259 ---sh--- c:\windows\system32\iotuhsdh.ini
2008-11-17 19:58 68,096 a------- c:\windows\system32\hdshutoi.dll
2008-11-17 19:55 124,928 a------- c:\windows\system32\lvyqzp.dll
2008-11-17 19:55 124,928 a------- c:\windows\system32\epgxpxxv.dll
2008-11-16 19:56 1,574,259 ---sh--- c:\windows\system32\ekpdequs.ini
2008-11-16 19:54 124,928 a------- c:\windows\system32\ptsmhk.dll
2008-11-16 19:54 124,928 a------- c:\windows\system32\rgvlalld.dll
2008-11-16 19:53 889,518 a--sh--- c:\windows\system32\XISBayay.ini2
2008-11-16 19:53 889,518 a--sh--- c:\windows\system32\XISBayay.ini
2008-11-16 19:53 313,856 a------- c:\windows\system32\yayaBSIX.dll
2008-11-16 19:48 <DIR> --d----- c:\docume~1\jasons~1\applic~1\gadcom
2008-11-16 19:48 25,600 a------- c:\windows\system32\yayxwVpp.dll
2008-11-16 19:48 25,600 a------- c:\windows\system32\byXOhGvu.dll
2008-11-16 19:47 26,624 a------- c:\windows\system32\msansspc.dll
2008-11-11 23:49 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 23:47 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2008-10-30 10:23 190,976 a------- c:\windows\system32\hnfittqtgdk.dll
2008-10-28 08:21 554,496 a------- c:\windows\system32\nsq3EA.dll
2008-10-23 16:14 337,408 -------- c:\windows\system32\dllcache\netapi32.dll

==================== Find3M ====================

2008-11-20 00:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2008-11-18 11:57 <DIR> --d-h--- c:\docume~1\jasons~1\applic~1\x3watchpro
2008-11-14 10:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\WholeSecurity
2008-10-21 09:47 <DIR> --d----- c:\program files\Microsoft ActiveSync
2008-10-17 19:52 <DIR> --d----- c:\docume~1\jasons~1\applic~1\Reallusion
2008-10-17 19:52 <DIR> --d----- c:\docume~1\jasons~1\applic~1\tmp
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-12 17:53 <DIR> --d----- c:\program files\Messenger
2008-10-12 17:49 80,375 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-03 11:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-26 10:13 <DIR> --d----- c:\program files\iTunes
2008-09-26 10:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-26 10:12 <DIR> --d----- c:\program files\iPod
2008-09-26 10:07 <DIR> --d----- c:\program files\Bonjour
2008-09-15 06:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-15 06:12 1,846,400 -------- c:\windows\system32\dllcache\win32k.sys
2008-09-09 19:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-09 19:14 1,307,648 -------- c:\windows\system32\dllcache\msxml6.dll
2008-09-08 04:41 333,824 -------- c:\windows\system32\dllcache\srv.sys
2008-09-04 11:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-08-29 10:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-08-29 09:53 61,440 a------- c:\windows\system32\dnssd.dll
2008-08-27 02:24 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-08-25 02:38 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 02:37 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 03:27 29,184 a------- c:\windows\system32\M5s20cRu.dll
2008-08-23 03:27 81,922 a------- c:\windows\system32\mM5EA3r3.exe
2008-08-22 23:56 635,848 -------- c:\windows\system32\dllcache\iexplore.exe
2008-08-22 23:54 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-08-21 17:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-08-19 09:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic Anti-Spyware
2008-04-30 13:13 <DIR> --d----- c:\docume~1\jasons~1\applic~1\Move Networks
2008-02-12 20:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Creative
2008-02-12 12:39 <DIR> --d----- c:\docume~1\jasons~1\applic~1\Slide
2007-10-11 21:30 <DIR> --d----- c:\docume~1\jasons~1\applic~1\MSN6
2007-09-16 13:46 <DIR> --d----- c:\docume~1\jasons~1\applic~1\TechSmith
2006-12-11 13:41 <DIR> --d----- c:\docume~1\jasons~1\applic~1\Snapfish
2006-09-20 16:27 <DIR> --d----- c:\docume~1\jasons~1\applic~1\Walgreens
2006-06-08 15:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DIGStream
2006-02-02 17:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Tools
2006-02-02 17:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Bin
2005-12-28 15:29 <DIR> --d----- c:\docume~1\jasons~1\applic~1\AOL
2005-12-28 15:27 <DIR> --d----- c:\docume~1\jasons~1\applic~1\You've Got Pictures Screensaver
2005-12-28 15:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Pure Networks
2005-10-27 10:34 <DIR> --d----- c:\docume~1\jasons~1\applic~1\School Zone Preferences
2005-09-05 20:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MSN6
2005-06-07 12:29 <DIR> --d----- c:\docume~1\jasons~1\applic~1\Netscape
2005-05-29 20:40 <DIR> --d----- c:\docume~1\jasons~1\applic~1\Musicmatch
2005-05-05 19:22 <DIR> --d----- c:\docume~1\jasons~1\applic~1\Digital Album Organizer
2004-11-23 09:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kodak
2004-11-04 16:44 <DIR> --d----- c:\docume~1\jasons~1\applic~1\SpamExtract
2004-03-01 20:31 <DIR> --d----- c:\docume~1\jasons~1\applic~1\Inspiration Software
2004-02-09 11:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Napster
2003-08-14 09:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee.com
2003-07-27 16:43 <DIR> --d----- c:\docume~1\jasons~1\applic~1\Kazaa Lite
2003-06-11 20:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBT
2003-06-05 12:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BVRP Software
2003-06-05 12:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Dell
2003-06-05 12:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI
2008-02-12 19:32 75 ---shr-- c:\windows\CT4CET.bin
2005-08-02 16:46 187,904 a--shr-- c:\windows\smfzb24gu2fsyxm\asappsrv.dll
2005-08-02 16:58 293,888 a--shr-- c:\windows\smfzb24gu2fsyxm\command.exe
2005-07-29 16:24 472 a--shr-- c:\windows\smfzb24gu2fsyxm\mAIWvZb0oZIPsrg.vbs

============= FINISH: 22:20:16.23 ===============

Gary R · 11-21-2008, 01:48 AM

Looking over your log, back as soon as possible.

Gary R · 11-21-2008, 01:59 AM

Quote:

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.

Hi jchilderssalas

I'm Gary R, I'll be glad to help you with your computer problems.

Please observe these rules while we work:

Perform all actions in the order given.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Stick with it till you're given the all clear.
Remember, absence of symptoms does not mean the infection is all gone.
Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.

If you can do these things, everything should go smoothly.

If you're using XP, you'll need Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
If you're using Vista, it will be necessary to right click all tools we use and select ----> Run as Admistrator

Quote:

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

OK, I need to run a further scan on your computer The tool we use will not fix anything on the first pass, but will give me the information I need to create a fix. The second time we run this tool, it will remove the files and registry items that I designate in the next set of instructions I give you.

Before running the new scan let's clean out your Temporary Files folders, this will give us less to scan and should shorten the scan time a little.

Click Start > Run and type cleanmgr then click OK.
This will bring up the Disk Cleanup window.
Check the following entries.
- Temporary Internet Files.
- Recycle Bin.
- Temporary Files.
Click OK.
When a prompt pops up click Yes.

Now download OTScanIt.exe by OldTimer to your Desktop.

Double-click on it to extract the files.
It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

Close ALL OTHER PROGRAMS.
Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
Next check the following.
- Scan all users
- In the Drivers section click on Non-Microsoft.
- In the Rootkit Search section click on Yes
- Under Additional Scans click the checkboxes in front of the following items to select them:
  - File - Additional Folder Scans
Do not change any other settings.
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

After posting, if the last line is not End of Report then the log is too big to fit into a single post and you will need to split it into multiple posts and post each separately.

Download HJTInstall.exe to your Desktop.

Doubleclick HJTInstall.exe to install it.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Summary of the logs I need from you in your next post:
OTScanIt log (this will probably take several posts to ensure you post it all)

HijackThis (HJT) log

Please post each log separately to prevent them being cut off by the forum post size limiter.

jchilderssalas · 11-21-2008, 09:01 AM

Gary, thank you so much for your help. Unfortunately, my computer has gone from bad to worse between last night and this morning. I can't even get myself logged in to this help forum without Firefox freezing up and shutting down. I borrowed my friend's laptop so I could at least get online for more than 10 seconds at a time. I am having to ask for extensions for my job, which is a major pain.

The pop-ups are no longer from IE--strangely enough--they are now Firefox pop-ups, and I'm not having any IE pop-ups. I'm going to keep trying to get on the forum through my home computer, because I know you said I need to be logged in to run the OTScanIT.exe. So far, I have only managed to complete the Disk Clean-up step.

Just thought I would update you. If you have any suggestions, I'll keep checking in using this laptop for now.

Thanks.

Gary R · 11-21-2008, 09:41 AM

When I say you need to be logged on, I meant logged on to your computer, NOT logged in to this forum.

There are two types of account on an XP install, user accounts and admin accounts, OTScanIt needs an admin account to run properly, most XP accounts are admin by default.

If you log on to your computer in your usual account, it's highly likely that it will be an admin account.

Just run OTScanIt, if there's any problems we'll deal with them as they arise

jchilderssalas · 11-21-2008, 10:04 AM

Okay, thanks for the clarification. I am running the scan now.

jchilderssalas · 11-21-2008, 10:15 AM

Gary--I couldn't send the entire Notepad text, because I received a message saying it was too long to post in one message. I'll send a second one with the remainder of the code. Thanks.

[code]
OTScanIt logfile created on: 11/21/2008 11:13:21 AM
OTScanIt by OldTimer - Version 1.0.19.0 Folder = C:\Documents and Settings\Jason Salas\Desktop\OTScanIt
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy

767.00 Mb Total Physical Memory | 275.67 Mb Available Physical Memory | 35.94% Memory free
1.08 Gb Paging File | 0.68 Gb Available in Paging File | 62.49% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 31.89 Gb Free Space | 57.11% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELLIMITRI
Current User Name: Jason Salas
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On

[Processes - Non-Microsoft Only]
kodakccs.exe -> %SystemRoot%\SYSTEM32\DRIVERS\KodakCCS.exe -> Eastman Kodak Company [Ver = 1.1.5100.0 | Size = 301624 bytes | Modified Date = 02/19/2004 10:01:48 AM | Attr = ]
mcdetect.exe -> %ProgramFiles%\McAfee.com\Agent\Mcdetect.exe -> McAfee, Inc [Ver = 6, 0, 0, 19 | Size = 126976 bytes | Modified Date = 10/13/2005 7:56:16 PM | Attr = ]
mctskshd.exe -> %ProgramFiles%\McAfee.com\Agent\McTskshd.exe -> McAfee, Inc [Ver = 6, 0, 0, 13 | Size = 122368 bytes | Modified Date = 08/24/2005 3:01:04 PM | Attr = ]
scsiaccess.exe -> %SystemRoot%\SYSTEM32\ScsiAccess.EXE -> [Ver = | Size = 181312 bytes | Modified Date = 02/04/2003 8:22:30 AM | Attr = ]
mcagent.exe -> %ProgramFiles%\McAfee.com\Agent\mcagent.exe -> McAfee, Inc [Ver = 6, 0, 0, 16 | Size = 303104 bytes | Modified Date = 09/22/2005 6:29:08 PM | Attr = ]
e_fatiafa.exe -> %SystemRoot%\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_FATIAFA.EXE -> SEIKO EPSON CORPORATION [Ver = 4.00 | Size = 98304 bytes | Modified Date = 04/06/2005 10:00:00 PM | Attr = ]
x3watchpro.exe -> %ProgramFiles%\X3watchpro\x3watchpro.exe -> Tiger Green Productions LLC [Ver = 2.00.0008 | Size = 442368 bytes | Modified Date = 05/07/2007 2:50:34 PM | Attr = ]
searchprotection.exe -> %ProgramFiles%\Yahoo!\Search Protection\SearchProtection.exe -> Yahoo! Inc [Ver = 2008, 8, 8, 1 | Size = 111856 bytes | Modified Date = 10/07/2008 9:23:46 AM | Attr = ]
iesvcmon.exe -> %SystemRoot%\SYSTEM32\iesvcmon.exe -> System Service [Ver = 1.02.0004 | Size = 465920 bytes | Modified Date = 11/19/2008 11:16:31 PM | Attr = ]
pareto_as.exe -> %ProgramFiles%\ParetoLogic\Anti-Spyware\Pareto_AS.exe -> ParetoLogic Inc. [Ver = 5, 7, 5728, 10 | Size = 2643312 bytes | Modified Date = 08/13/2008 11:30:20 AM | Attr = ]
gadcom.exe -> %AppData%\gadcom\gadcom.exe -> [Ver = | Size = 56320 bytes | Modified Date = 11/21/2008 12:39:33 AM | Attr = ]
ojeiyoa.exe -> %AppData%\Microsoft\Windows\ojeiyoa.exe -> [Ver = | Size = 35328 bytes | Modified Date = 11/20/2008 6:59:21 PM | Attr = ]
sonytray.exe -> %ProgramFiles%\Sony Corporation\Image Transfer\SonyTray.exe -> [Ver = | Size = 73728 bytes | Modified Date = 10/16/2002 7:20:20 PM | Attr = ]
kodak software updater.exe -> %ProgramFiles%\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe -> [Ver = | Size = 16423 bytes | Modified Date = 02/11/2004 4:58:16 PM | Attr = ]
firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe -> Mozilla Corporation [Ver = 1.8.1.18: 2008102918 | Size = 7676528 bytes | Modified Date = 11/13/2008 7:58:29 AM | Attr = ]
speedrunner.exe -> %AppData%\SpeedRunner\SpeedRunner.exe -> [Ver = 1, 0, 0, 2 | Size = 218112 bytes | Modified Date = 11/21/2008 10:22:20 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(AOLService) AOL Spyware Protection Service [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\aol\AOL Spyware Protection\aolserv.exe -> [Ver = | Size = 184373 bytes | Modified Date = 06/29/2004 9:29:30 AM | Attr = ]
(KodakCCS) Kodak Camera Connection Software [Win32_Own | Auto | Running] -> %SystemRoot%\SYSTEM32\DRIVERS\KodakCCS.exe -> Eastman Kodak Company [Ver = 1.1.5100.0 | Size = 301624 bytes | Modified Date = 02/19/2004 10:01:48 AM | Attr = ]
(McDetect.exe) McAfee WSC Integration [Win32_Own | Auto | Running] -> %ProgramFiles%\McAfee.com\Agent\Mcdetect.exe -> McAfee, Inc [Ver = 6, 0, 0, 19 | Size = 126976 bytes | Modified Date = 10/13/2005 7:56:16 PM | Attr = ]
(McTskshd.exe) McAfee Task Scheduler [Win32_Own | Auto | Running] -> %ProgramFiles%\McAfee.com\Agent\McTskshd.exe -> McAfee, Inc [Ver = 6, 0, 0, 13 | Size = 122368 bytes | Modified Date = 08/24/2005 3:01:04 PM | Attr = ]
(mcupdmgr.exe) McAfee SecurityCenter Update Manager [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\McAfee.com\Agent\mcupdmgr.exe -> McAfee, Inc [Ver = 6, 0, 0, 4 | Size = 245760 bytes | Modified Date = 07/01/2005 6:22:50 PM | Attr = ]
(ScsiAccess) ScsiAccess [Win32_Own | Auto | Running] -> %SystemRoot%\SYSTEM32\ScsiAccess.EXE -> [Ver = | Size = 181312 bytes | Modified Date = 02/04/2003 8:22:30 AM | Attr = ]

[Driver Services - Non-Microsoft Only]
(cdudf_xp) cdudf_xp [File_System | System | Running] -> %SystemRoot%\System32\drivers\cdudf_xp.sys -> Roxio [Ver = 5.3.4.21 built by: WinDDK | Size = 241152 bytes | Modified Date = 12/17/2002 11:27:32 AM | Attr = ]
(DcCam) Kodak Camera Proxy [Kernel | System | Running] -> %SystemRoot%\SYSTEM32\DRIVERS\DcCam.sys -> Eastman Kodak Company [Ver = 1.5.0500.8 | Size = 36918 bytes | Modified Date = 12/05/2003 9:40:20 AM | Attr = ]
(DcFpoint) DcFpoint [Kernel | On_Demand | Stopped] -> %SystemRoot%\SYSTEM32\DRIVERS\DcFpoint.sys -> Eastman Kodak Company [Ver = 1.5.0500.1 | Size = 61564 bytes | Modified Date = 09/30/2003 6:00:08 PM | Attr = ]
(DCFS2K) Kodak DCFS2K Driver [Kernel | Auto | Running] -> %SystemRoot%\SYSTEM32\DRIVERS\DCFS2k.sys -> Eastman Kodak Company [Ver = 1.0.4100.2 | Size = 38737 bytes | Modified Date = 11/16/2003 7:50:06 PM | Attr = ]
(DcLps) Legacy Polling Service [Kernel | On_Demand | Stopped] -> %SystemRoot%\SYSTEM32\DRIVERS\DcLps.sys -> Eastman Kodak Company [Ver = 1.5.0500.1 | Size = 8022 bytes | Modified Date = 09/30/2003 5:59:14 PM | Attr = ]
(DcPTP) DcPTP [Kernel | On_Demand | Stopped] -> %SystemRoot%\SYSTEM32\DRIVERS\DcPtp.sys -> Eastman Kodak Company [Ver = 1.5.0500.8 | Size = 68182 bytes | Modified Date = 12/05/2003 9:48:34 AM | Attr = ]
(dvd_2K) dvd_2K [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\drivers\Dvd_2k.sys -> Roxio [Ver = 5.3.4.59 | Size = 25898 bytes | Modified Date = 06/05/2003 12:34:28 PM | Attr = ]
(Exportit) Exportit [Kernel | System | Stopped] -> %SystemRoot%\SYSTEM32\DRIVERS\ExportIt.sys -> Eastman Kodak Company [Ver = 1.0.8900.0 | Size = 148529 bytes | Modified Date = 02/19/2004 8:23:46 AM | Attr = ]
(gmer) gmer [Kernel | On_Demand | Stopped] -> %SystemRoot%\SYSTEM32\DRIVERS\gmer.sys -> GMER [Ver = 1, 0, 14, 4401 | Size = 85969 bytes | Modified Date = 11/20/2008 7:31:29 PM | Attr = ]
(iAimTV2) iAimTV2 [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\DRIVERS\wATV03nt.sys -> File not found
(mmc_2K) mmc_2K [Kernel | On_Demand | Running] -> %SystemRoot%\System32\drivers\Mmc_2k.sys -> Roxio [Ver = 5.3.4.59 | Size = 30630 bytes | Modified Date = 06/05/2003 12:34:28 PM | Attr = ]
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> %SystemRoot%\SYSTEM32\DRIVERS\MRAID35X.SYS -> American Megatrends Inc. [Ver = 6.19 (XPClient.010817-1148) | Size = 17280 bytes | Modified Date = 08/17/2001 12:52:12 PM | Attr = ]
(pwd_2k) pwd_2k [Kernel | System | Running] -> %SystemRoot%\System32\drivers\pwd_2K.sys -> Roxio [Ver = 5.3.4.59 | Size = 143834 bytes | Modified Date = 06/05/2003 12:34:28 PM | Attr = ]
(RLDesignVirtualAudioCableWdm) Live! Cam Virtual [Kernel | On_Demand | Running] -> %SystemRoot%\SYSTEM32\DRIVERS\livecamv.sys -> [Ver = | Size = 31616 bytes | Modified Date = 01/15/2007 5:57:08 PM | Attr = ]
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> %SystemRoot%\SYSTEM32\DRIVERS\SPARROW.SYS -> Adaptec, Inc. [Ver = v2.0a (ReleaseBinaries.001205-1804) | Size = 19072 bytes | Modified Date = 08/17/2001 1:07:44 PM | Attr = ]
(UdfReadr_xp) UdfReadr_xp [File_System | System | Running] -> %SystemRoot%\System32\drivers\udfreadr_xp.sys -> Roxio [Ver = 5.3.4.60 built by: WinDDK | Size = 206464 bytes | Modified Date = 06/05/2003 12:34:28 PM | Attr = ]
(V0410Vfx) Creative Camera VF0410 Video VFX Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\SYSTEM32\DRIVERS\V0410Vfx.sys -> EyePower Games Pte. Ltd. [Ver = 1.50.10.00 | Size = 7168 bytes | Modified Date = 12/04/2006 11:37:46 PM | Attr = R ]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
EPSON Stylus CX7800 Series -> %SystemRoot%\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_FATIAFA.EXE [C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"] -> SEIKO EPSON CORPORATION [Ver = 4.00 | Size = 98304 bytes | Modified Date = 04/06/2005 10:00:00 PM | Attr = ]
HostManager -> %CommonProgramFiles%\aol\1135805068\EE\aolsoftware.exe [C:\Program Files\Common Files\AOL\1135805068\ee\AOLSoftware.exe] -> America Online, Inc. [Ver = 1.5.6.1 | Size = 50736 bytes | Modified Date = 09/25/2006 6:52:48 PM | Attr = ]
iesvcmon -> %SystemRoot%\SYSTEM32\iesvcmon.exe ["C:\WINDOWS\system32\iesvcmon.exe"] -> System Service [Ver = 1.02.0004 | Size = 465920 bytes | Modified Date = 11/19/2008 11:16:31 PM | Attr = ]
iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe ["C:\Program Files\iTunes\iTunesHelper.exe"] -> Apple Inc. [Ver = 8.0.0.35 | Size = 289576 bytes | Modified Date = 09/10/2008 5:40:06 PM | Attr = ]
MCAgentExe -> %ProgramFiles%\McAfee.com\Agent\mcagent.exe [c:\PROGRA~1\mcafee.com\agent\mcagent.exe] -> McAfee, Inc [Ver = 6, 0, 0, 16 | Size = 303104 bytes | Modified Date = 09/22/2005 6:29:08 PM | Attr = ]
MCUpdateExe -> %ProgramFiles%\McAfee.com\Agent\mcupdate.exe [C:\PROGRA~1\mcafee.com\agent\mcupdate.exe] -> McAfee, Inc [Ver = 6, 0, 0, 21 | Size = 212992 bytes | Modified Date = 01/11/2006 12:05:42 PM | Attr = ]
NvCplDaemon -> %SystemRoot%\SYSTEM32\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 6.14.10.5216 | Size = 5058560 bytes | Modified Date = 10/06/2003 2:16:00 PM | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\QTTask.exe ["C:\Program Files\QuickTime\QTTask.exe" -atboottime] -> Apple Inc. [Ver = 7.5.5 (990.7) | Size = 413696 bytes | Modified Date = 09/06/2008 3:09:14 PM | Attr = ]
RegistryMechanic -> [] -> File not found
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe ["C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 144784 bytes | Modified Date = 06/10/2008 4:27:04 AM | Attr = ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe ["C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot] -> RealNetworks, Inc. [Ver = 0.1.1.45 | Size = 185896 bytes | Modified Date = 03/28/2008 6:36:55 PM | Attr = ]
UserFaultCheck -> [%systemroot%\system32\dumprep 0 -u] -> File not found
V0410Mon.exe -> %SystemRoot%\V0410Mon.exe [C:\WINDOWS\V0410Mon.exe] -> Creative Technology Ltd. [Ver = 1.00.04.00 | Size = 32768 bytes | Modified Date = 06/06/2007 7:00:00 PM | Attr = R ]
x3watchpro -> %ProgramFiles%\X3watchpro\x3watchpro.exe [C:\Program Files\X3watchpro\x3watchpro.exe] -> Tiger Green Productions LLC [Ver = 2.00.0008 | Size = 442368 bytes | Modified Date = 05/07/2007 2:50:34 PM | Attr = ]
YSearchProtection -> %ProgramFiles%\Yahoo!\Search Protection\SearchProtection.exe ["C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"] -> Yahoo! Inc [Ver = 2008, 8, 8, 1 | Size = 111856 bytes | Modified Date = 10/07/2008 9:23:46 AM | Attr = ]
< RunOnceEx [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx ->
-> [] -> File not found
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Creative Live! Cam Manager -> %ProgramFiles%\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe ["C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"] -> Creative Technology Ltd. [Ver = 1.52.2.0 | Size = 155648 bytes | Modified Date = 06/07/2007 2:01:38 PM | Attr = ]
gadcom -> %AppData%\gadcom\gadcom.exe ["C:\Documents and Settings\Jason Salas\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A] -> [Ver = | Size = 56320 bytes | Modified Date = 11/21/2008 12:39:33 AM | Attr = ]
ParetoLogic Anti-Spyware -> %ProgramFiles%\ParetoLogic\Anti-Spyware\Pareto_AS.exe ["C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash] -> ParetoLogic Inc. [Ver = 5, 7, 5728, 10 | Size = 2643312 bytes | Modified Date = 08/13/2008 11:30:20 AM | Attr = ]
SfKg6wIP -> %AppData%\Microsoft\Windows\ojeiyoa.exe [C:\Documents and Settings\Jason Salas\Application Data\Microsoft\Windows\ojeiyoa.exe] -> [Ver = | Size = 35328 bytes | Modified Date = 11/20/2008 6:59:21 PM | Attr = ]
Skype -> %ProgramFiles%\Skype\Phone\Skype.exe ["C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized] -> Skype Technologies S.A. [Ver = 3.6.0.248 | Size = 21898024 bytes | Modified Date = 02/06/2008 6:37:52 PM | Attr = R ]
slide.exe -> %ProgramFiles%\Slide\Slide.exe [c:\program files\slide\slide.exe] -> Slide, Inc. [Ver = 0.1.47.45787 | Size = 32128 bytes | Modified Date = 04/26/2007 1:30:04 PM | Attr = ]
SpeedRunner -> %AppData%\SpeedRunner\SpeedRunner.exe [C:\Documents and Settings\Jason Salas\Application Data\SpeedRunner\SpeedRunner.exe] -> [Ver = 1, 0, 0, 2 | Size = 218112 bytes | Modified Date = 11/21/2008 10:22:20 AM | Attr = ]
Yahoo! Pager -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe ["C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet] -> Yahoo! Inc. [Ver = 8,1,0,421 | Size = 4670704 bytes | Modified Date = 08/30/2007 5:43:18 PM | Attr = ]
YSearchProtection -> %ProgramFiles%\Yahoo!\Search Protection\SearchProtection.exe [C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe] -> Yahoo! Inc [Ver = 2008, 8, 8, 1 | Size = 111856 bytes | Modified Date = 10/07/2008 9:23:46 AM | Attr = ]
< Run [HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\] > -> HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Creative Live! Cam Manager -> %ProgramFiles%\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe ["C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"] -> Creative Technology Ltd. [Ver = 1.52.2.0 | Size = 155648 bytes | Modified Date = 06/07/2007 2:01:38 PM | Attr = ]
gadcom -> %AppData%\gadcom\gadcom.exe ["C:\Documents and Settings\Jason Salas\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A] -> [Ver = | Size = 56320 bytes | Modified Date = 11/21/2008 12:39:33 AM | Attr = ]
ParetoLogic Anti-Spyware -> %ProgramFiles%\ParetoLogic\Anti-Spyware\Pareto_AS.exe ["C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash] -> ParetoLogic Inc. [Ver = 5, 7, 5728, 10 | Size = 2643312 bytes | Modified Date = 08/13/2008 11:30:20 AM | Attr = ]
SfKg6wIP -> %AppData%\Microsoft\Windows\ojeiyoa.exe [C:\Documents and Settings\Jason Salas\Application Data\Microsoft\Windows\ojeiyoa.exe] -> [Ver = | Size = 35328 bytes | Modified Date = 11/20/2008 6:59:21 PM | Attr = ]
Skype -> %ProgramFiles%\Skype\Phone\Skype.exe ["C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized] -> Skype Technologies S.A. [Ver = 3.6.0.248 | Size = 21898024 bytes | Modified Date = 02/06/2008 6:37:52 PM | Attr = R ]
slide.exe -> %ProgramFiles%\Slide\Slide.exe [c:\program files\slide\slide.exe] -> Slide, Inc. [Ver = 0.1.47.45787 | Size = 32128 bytes | Modified Date = 04/26/2007 1:30:04 PM | Attr = ]
SpeedRunner -> %AppData%\SpeedRunner\SpeedRunner.exe [C:\Documents and Settings\Jason Salas\Application Data\SpeedRunner\SpeedRunner.exe] -> [Ver = 1, 0, 0, 2 | Size = 218112 bytes | Modified Date = 11/21/2008 10:22:20 AM | Attr = ]
Yahoo! Pager -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe ["C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet] -> Yahoo! Inc. [Ver = 8,1,0,421 | Size = 4670704 bytes | Modified Date = 08/30/2007 5:43:18 PM | Attr = ]
YSearchProtection -> %ProgramFiles%\Yahoo!\Search Protection\SearchProtection.exe [C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe] -> Yahoo! Inc [Ver = 2008, 8, 8, 1 | Size = 111856 bytes | Modified Date = 10/07/2008 9:23:46 AM | Attr = ]
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersProfile%\Start Menu\Programs\Startup\Image Transfer.lnk -> %ProgramFiles%\Sony Corporation\Image Transfer\SonyTray.exe -> [Ver = | Size = 73728 bytes | Modified Date = 10/16/2002 7:20:20 PM | Attr = ]
%AllUsersProfile%\Start Menu\Programs\Startup\Kodak EasyShare software.lnk -> %ProgramFiles%\Kodak\Kodak EasyShare software\bin\EasyShare.exe -> Eastman Kodak Company [Ver = 2, 0, 21, 57 | Size = 635019 bytes | Modified Date = 04/27/2004 2:04:44 AM | Attr = ]
%AllUsersProfile%\Start Menu\Programs\Startup\Kodak software updater.lnk -> %ProgramFiles%\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe -> [Ver = | Size = 16423 bytes | Modified Date = 02/11/2004 4:58:16 PM | Attr = ]
< Default User Startup Folder > -> C:\Documents and Settings\Default User\Start Menu\Programs\Startup ->
< Jason Salas Startup Folder > -> C:\Documents and Settings\Jason Salas\Start Menu\Programs\Startup ->
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs ->
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls ->
jzcxhe.dll -> %SystemRoot%\SYSTEM32\jzcxhe.dll -> [Ver = | Size = 129024 bytes | Modified Date = 11/20/2008 8:04:14 PM | Attr = ]
*MultiFile Done* -> ->
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{51C55F9E-C308-4c95-89AB-8858D8AFD819} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\ParetoLogic\Anti-Spyware\PASShlExt.dll [ParetoLogic Anti-Spyware] -> ParetoLogic Inc. [Ver = 1, 0, 3333, 23 | Size = 98304 bytes | Modified Date = 08/13/2008 11:30:20 AM | Attr = ]
{A63E645F-13BD-45ED-B15F-6E8C1BD57279} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\SYSTEM32\byXOhGvu.dll [] -> [Ver = | Size = 25600 bytes | Modified Date = 11/16/2008 7:48:01 PM | Attr = ]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
*SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
msansspc.dll -> %SystemRoot%\SYSTEM32\msansspc.dll -> [Ver = | Size = 26624 bytes | Modified Date = 11/16/2008 7:47:59 PM | Attr = ]
*MultiFile Done* -> ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> %SystemRoot%\explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 1033728 bytes | Modified Date = 04/13/2008 6:12:19 PM | Attr = ]
C:\WINDOWS\Nail.exe -> %SystemRoot%\Nail.exe -> File not found
*MultiFile Done* -> ->
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit ->
C:\WINDOWS\system32\userinit.exe -> %SystemRoot%\SYSTEM32\userinit.exe -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 26112 bytes | Modified Date = 04/13/2008 6:12:38 PM | Attr = ]
*MultiFile Done* -> ->
*UIHost* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost ->
logonui.exe -> %SystemRoot%\SYSTEM32\logonui.exe -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 514560 bytes | Modified Date = 04/13/2008 6:12:24 PM | Attr = ]
*MultiFile Done* -> ->
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet ->
rundll32 shell32 -> %SystemRoot%\SYSTEM32\shell32.dll -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 8461312 bytes | Modified Date = 04/13/2008 6:12:05 PM | Attr = ]
Control_RunDLL "sysdm.cpl" -> %SystemRoot%\SYSTEM32\sysdm.cpl -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2105) | Size = 300544 bytes | Modified Date = 04/13/2008 6:12:41 PM | Attr = ]
*MultiFile Done* -> ->
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006] > -> HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
byXOhGvu -> %SystemRoot%\SYSTEM32\byXOhGvu.dll -> [Ver = | Size = 25600 bytes | Modified Date = 11/16/2008 7:48:01 PM | Attr = ]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> _ [binary data] ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoCDBurning -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\undockwithoutlogon -> 1 ->
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\_NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\CDRAutoRun -> 0 ->
Reg Error: Key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ not found. -> ->
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\CDRAutoRun -> 0 ->
Reg Error: Key HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ not found. -> ->
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
Reg Error: Key HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ not found. -> ->
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
Reg Error: Key HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ not found. -> ->
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006] > -> HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\_NoDriveTypeAutoRun -> 145 ->
HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
< CDROM Autorun Setting > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->
*DependOnGroup* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DependOnGroup ->
SCSI miniport -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> %SystemRoot%\SYSTEM32\DRIVERS\cdrom.sys [System32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2108) | Size = 62976 bytes | Modified Date = 04/13/2008 12:40:46 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun -> 1 ->
*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable ->
NEC MBR-7 -> -> File not found
NEC MBR-7.4 -> -> File not found
PIONEER CHANGR DRM-1804X -> -> File not found
PIONEER CD-ROM DRM-6324X -> -> File not found
PIONEER CD-ROM DRM-624X -> -> File not found
TORiSAN CD-ROM CDR_C36 -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> ->
< HOSTS File > (737 bytes and 20 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\Search Bar -> http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html ->
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\Search Bar -> http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html ->
HKEY_CURRENT_USER\: Main\\Search Page -> yahoo.com ->
HKEY_CURRENT_USER\: Main\\Start Page -> http://www.cnn.com ->
HKEY_CURRENT_USER\: SearchURL\\ -> http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com[Reg Error: Value provider does not exist or could not be read.] ->
HKEY_CURRENT_USER\: ProxyEnable -> 0 ->
HKEY_CURRENT_USER\: ProxyOverride -> *.local ->
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> ->
HKEY_USERS\.DEFAULT\: Main\\Default_Page_URL -> http://www.dellnet.com ->
HKEY_USERS\.DEFAULT\: Main\\Start Page -> http://yahoo.sbc.com/dsl ->
HKEY_USERS\.DEFAULT\: ProxyEnable -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> ->
HKEY_USERS\S-1-5-18\: Main\\Default_Page_URL -> http://www.dellnet.com ->
HKEY_USERS\S-1-5-18\: Main\\Start Page -> http://yahoo.sbc.com/dsl ->
HKEY_USERS\S-1-5-18\: ProxyEnable -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> ->
HKEY_USERS\S-1-5-19\: ProxyEnable -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> ->
HKEY_USERS\S-1-5-20\: ProxyEnable -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\] > -> ->
HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm ->
HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\: Main\\Search Bar -> http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html ->
HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\: Main\\Search Page -> yahoo.com ->
HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\: Main\\Start Page -> http://www.cnn.com ->
HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\: SearchURL\\ -> http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com[Reg Error: Value provider does not exist or could not be read.] ->
HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\: ProxyEnable -> 0 ->
HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\: ProxyOverride -> *.local ->
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1993 domain(s) found. ->
.[msn] -> My Computer ->
objects_aol.com[*] -> Out of zone range - ( 5 ) ->
www_paypal.com [https] -> Trusted sites ->
24 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 18 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\] > -> HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1993 domain(s) found. ->
.[msn] -> My Computer ->
objects_aol.com[*] -> Out of zone range - ( 5 ) ->
www_paypal.com [https] -> Trusted sites ->
24 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\] > -> HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 18 range(s) found. ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{02478D38-C3F9-4EFB-9B51-7695ECA05670} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
{3049C3E9-B461-4BC5-8870-4C09146192CA} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Real\RealPlayer\rpbrowserrecordplugin.dll [RealPlayer Download and Record Plugin for Internet Explorer] -> RealPlayer [Ver = 1.0.1.57 | Size = 308856 bytes | Modified Date = 03/28/2008 6:38:50 PM | Attr = ]
{418141f6-f4f2-417b-9480-deaa98afad55} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\SYSTEM32\jzcxhe.dll [Reg Error: Value does not exist or could not be read.] -> [Ver = | Size = 129024 bytes | Modified Date = 11/20/2008 8:04:14 PM | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 509328 bytes | Modified Date = 06/10/2008 4:27:02 AM | Attr = ]
{8D6A2B83-6ADB-4B5C-AAD3-DC6D49E8935F} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\SYSTEM32\yayaBSIX.dll [Reg Error: Value does not exist or could not be read.] -> [Ver = | Size = 313856 bytes | Modified Date = 11/16/2008 7:53:11 PM | Attr = ]
{99C6D1BB-7555-474C-91DA-D8FB62A9CC75} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\SYSTEM32\M5s20cRu.dll [solution Class] -> TODO: <Company name> [Ver = 1.0.0.1 | Size = 29184 bytes | Modified Date = 08/23/2008 3:27:37 AM | Attr = ]
{A63E645F-13BD-45ED-B15F-6E8C1BD57279} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\SYSTEM32\byXOhGvu.dll [Reg Error: Value does not exist or could not be read.] -> [Ver = | Size = 25600 bytes | Modified Date = 11/16/2008 7:48:01 PM | Attr = ]
< Internet Explorer Bars [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Messenger\yhexbmes.dll [&Yahoo! Messenger] -> Yahoo! Inc. [Ver = 2003, 6, 23, 1 | Size = 274503 bytes | Modified Date = 06/23/2003 11:30:02 AM | Attr = ]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Messenger\yhexbmes.dll [&Yahoo! Messenger] -> Yahoo! Inc. [Ver = 2003, 6, 23, 1 | Size = 274503 bytes | Modified Date = 06/23/2003 11:30:02 AM | Attr = ]
< Internet Explorer Bars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Bars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Bars [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Bars [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Bars [HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\] > -> HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Messenger\yhexbmes.dll [&Yahoo! Messenger] -> Yahoo! Inc. [Ver = 2003, 6, 23, 1 | Size = 274503 bytes | Modified Date = 06/23/2003 11:30:02 AM | Attr = ]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
{DC0F2F93-27FA-4f84-ACAA-9416F90B9511} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\PayPal\PayPal Plug-In\OToolbar.dll [PayPal Plug-In] -> [Ver = 2, 2, 15, 0 | Size = 3146240 bytes | Modified Date = 09/29/2008 12:57:12 PM | Attr = ]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\{804DB5C7-31E6-4885-850A-F1941B58A4C7} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\] > -> HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\{804DB5C7-31E6-4885-850A-F1941B58A4C7} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [] -> File not found
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{E023F504-0C5A-4750-A1E7-A9046DEA8A21} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{E023F504-0C5A-4750-A1E7-A9046DEA8A21} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< User Agent Post Platform [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform ->
{4099DE68-CBCD-4C99-AB3D-9766B37FEF56} -> ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{24B71ACE-9FCE-48DB-B753-BA27E426E1C1} -> () ->
{3C437856-9E8E-4970-AA7B-FF1F15944C6A} -> (1394 Net Adapter) ->
{D413DEA1-163E-40E1-9640-D9F5CC2B97A4} -> (Intel(R) PRO/100 VE Network Connection) ->
< Winsock2 Catalogs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\ ->
NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] -> %ProgramFiles%\Bonjour\mdnsNSP.dll -> Apple Inc. [Ver = 1,0,5,11 | Size = 147456 bytes | Modified Date = 08/29/2008 9:53:50 AM | Attr = ]
< Default Protocols [HKEY_USERS\S-1-5-19\] - Select to Repair > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults ->
shell -> shell protocol not assigned ->
< Default Protocols [HKEY_USERS\S-1-5-20\] - Select to Repair > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults ->
shell -> shell protocol not assigned ->
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
skype4com:{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Skype\Skype4COM.dll[IEProtocolHandler Class] -> Skype Technologies [Ver = 1, 0, 28, 2 | Size = 1934672 bytes | Modified Date = 02/06/2008 6:37:52 PM | Attr = R ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{01113300-3E00-11D2-8470-0060089874ED}[HKEY_LOCAL_MACHINE] -> http://www.activation.rr.com/install/download/tgctlcm.cab[Support.com Configuration Class] ->
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}[HKEY_LOCAL_MACHINE] -> http://www.apple.com/qtactivex/qtplugin.cab[QuickTime Object] ->
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}[HKEY_LOCAL_MACHINE] -> C:\Program Files\Yahoo!\Common\Yinsthelper.dll[Installation Support] ->
{33564D57-0000-0010-8000-00AA00389B71}[HKEY_LOCAL_MACHINE] -> http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB[Reg Error: Key does not exist or could not be opened.] ->
{33564D57-9980-0010-8000-00AA00389B71}[HKEY_LOCAL_MACHINE] -> http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab[Reg Error: Key does not exist or could not be opened.] ->
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}[HKEY_LOCAL_MACHINE] -> http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab[McAfee.com Operating System Class] ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}[HKEY_LOCAL_MACHINE] -> http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219367284921[MUWebControl Class] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] ->
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}[HKEY_LOCAL_MACHINE] -> http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab[Reg Error: Key does not exist or could not be opened.] ->

jchilderssalas · 11-21-2008, 10:16 AM

{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jin...ndows-i586.cab[Java Plug-in 1.5.0_01] ->
{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jin...ndows-i586.cab[Java Plug-in 1.5.0_02] ->
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jin...ndows-i586.cab[Java Plug-in 1.5.0_06] ->
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jin...ndows-i586.cab[Java Plug-in 1.6.0_03] ->
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jin...ndows-i586.cab[Java Plug-in 1.6.0_05] ->
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jin...ndows-i586.cab[Java Plug-in 1.6.0_07] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jin...ndows-i586.cab[Java Plug-in 1.6.0_07] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://fpdownload.macromedia.com/get...nt/swflash.cab[Shockwave Flash Object] ->
{EF791A6B-FC12-4C68-99EF-FB9E207A39E6}[HKEY_LOCAL_MACHINE] -> http://download.mcafee.com/molbin/is...87/mcfscan.cab[McFreeScan Class] ->
{FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0}[HKEY_LOCAL_MACHINE] -> http://download.spyspotter.com/spysp...terInstall.cab[Reg Error: Key does not exist or could not be opened.] ->
DirectAnimation Java Classes[HKEY_LOCAL_MACHINE] -> file://C:\WINDOWS\Java\classes\dajava.cab[Reg Error: Key does not exist or could not be opened.] ->
Microsoft XML Parser for Java[HKEY_LOCAL_MACHINE] -> file://C:\WINDOWS\Java\classes\xmldso.cab[Reg Error: Key does not exist or could not be opened.] ->
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DS3.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DS3.dll\\.Owner -> {DDFFA75A-E81D-4454-89FC-B9FD0631E726} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DS3.dll\\{DDFFA75A-E81D-4454-89FC-B9FD0631E726} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1018.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1018.dll\\.Owner -> {DBAE7000-01EC-4162-8FEB-8A27AC937CA0} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1018.dll\\{DBAE7000-01EC-4162-8FEB-8A27AC937CA0} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1100.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1100.dll\\.Owner -> {DBAE7000-01EC-4162-8FEB-8A27AC937CA0} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1100.dll\\{DBAE7000-01EC-4162-8FEB-8A27AC937CA0} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ipixx.ocx\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ipixx.ocx\\.Owner -> {11260943-421B-11D0-8EAC-0000C07D88CF} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ipixx.ocx\\{11260943-421B-11D0-8EAC-0000C07D88CF} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/iSetup.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/iSetup.dll\\.Owner -> {90C9629E-CD32-11D3-BBFB-00105A1F0D68} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/iSetup.dll\\{90C9629E-CD32-11D3-BBFB-00105A1F0D68} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/iSetup.exe\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/iSetup.exe\\.Owner -> {90C9629E-CD32-11D3-BBFB-00105A1F0D68} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/iSetup.exe\\{90C9629E-CD32-11D3-BBFB-00105A1F0D68} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ITDetector.ocx\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ITDetector.ocx\\.Owner -> {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ITDetector.ocx\\{D719897A-B07A-4C0C-AEA9-9B663A28DFCB} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MsnPUpld.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MsnPUpld.dll\\.Owner -> {4F1E5B1A-2A80-42CA-8532-2D05CB959537} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MsnPUpld.dll\\{4F1E5B1A-2A80-42CA-8532-2D05CB959537} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/PURen-us.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/PURen-us.dll\\.Owner -> {4F1E5B1A-2A80-42CA-8532-2D05CB959537} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/PURen-us.dll\\{4F1E5B1A-2A80-42CA-8532-2D05CB959537} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SSCHECK.DLL\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SSCHECK.DLL\\.Owner -> {421A63BA-4632-43E0-A942-3B4AB645BE51} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SSCHECK.DLL\\{421A63BA-4632-43E0-A942-3B4AB645BE51} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SyncroAdX.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SyncroAdX.dll\\.Owner -> {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SyncroAdX.dll\\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/tgctlcm.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/tgctlcm.dll\\.Owner -> {01113300-3E00-11D2-8470-0060089874ED} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/tgctlcm.dll\\{01113300-3E00-11D2-8470-0060089874ED} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/IPX32d56.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/IPX32d56.dll\\.Owner -> {11260943-421B-11D0-8EAC-0000C07D88CF} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/IPX32d56.dll\\{11260943-421B-11D0-8EAC-0000C07D88CF} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/mm32DCMP.DLL\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/mm32DCMP.DLL\\.Owner -> {11260943-421B-11D0-8EAC-0000C07D88CF} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/mm32DCMP.DLL\\{11260943-421B-11D0-8EAC-0000C07D88CF} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/SYSTEM32/muweb.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/SYSTEM32/muweb.dll\\.Owner -> {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/SYSTEM32/muweb.dll\\{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> ->

[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission -> [Binary data over 100 bytes] ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\EnableDCOM -> Y ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineLaunchRestriction -> [Binary data over 100 bytes] ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineAccessRestriction -> [Binary data over 100 bytes] ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{A50398B8-9075-4FBF-A7A1-456BF21937AD} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{AD65A69D-3831-40D7-9629-9B0B50A93843} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{0040D221-54A1-11D1-9DE0-006097042D69} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\\System.EnterpriseServices.Thunk.dll -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ -> ->
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ not found. -> ->
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ not found. -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ -> ->
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages ->
msv1_0 -> %SystemRoot%\SYSTEM32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 132608 bytes | Modified Date = 04/13/2008 6:12:00 PM | Attr = ]
C:\WINDOWS\system32\yayaBSIX -> %SystemRoot%\SYSTEM32\yayaBSIX.dll -> [Ver = | Size = 313856 bytes | Modified Date = 11/16/2008 7:53:11 PM | Attr = ]
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds -> 0 [binary data] ->
*Security Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages ->
kerberos -> %SystemRoot%\SYSTEM32\kerberos.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 299520 bytes | Modified Date = 04/13/2008 6:11:56 PM | Attr = ]
msv1_0 -> %SystemRoot%\SYSTEM32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 132608 bytes | Modified Date = 04/13/2008 6:12:00 PM | Attr = ]
schannel -> %SystemRoot%\SYSTEM32\schannel.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 144384 bytes | Modified Date = 04/13/2008 6:12:05 PM | Attr = ]
wdigest -> %SystemRoot%\SYSTEM32\wdigest.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 49152 bytes | Modified Date = 04/13/2008 6:12:08 PM | Attr = ]
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid -> 748 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\auditbaseobjects -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\crashonauditfail -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\disabledomaincreds -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\everyoneincludesanonymous -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fipsalgorithmpolicy -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\forceguest -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fullprivilegeauditing -> [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\limitblankpassworduse -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nodefaultadminowner -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nolmhash -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymous -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymoussam -> 1 ->
*Notification Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages ->
scecli -> %SystemRoot%\SYSTEM32\scecli.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 181248 bytes | Modified Date = 04/13/2008 6:12:05 PM | Attr = ]
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\ImpersonatePrivilegeUpgradeToolHasRun -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ -> ->
*ProviderOrder* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\\ProviderOrder ->
Windows NT Access Provider -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\\ProviderPath -> %SystemRoot%\SYSTEM32\ntmarta.dll [%SystemRoot%\system32\ntmarta.dll] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 118784 bytes | Modified Date = 04/13/2008 6:12:02 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\\Pattern -> CA D4 18 DB 51 C2 31 EB 4C 73 4F BC 92 18 35 D7 37 64 65 36 32 62 66 63 00 00 00 00 01 00 00 00 B4 01 00 00 B8 01 00 00 34 CA 06 00 45 9D BF 71 04 00 00 00 10 00 00 00 00 00 00 00 80 6B 0D 14 [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\\GrafBlumGroup -> 81 B0 25 B0 4D D9 8D 53 05 [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\\Lookup -> 59 D5 59 4F F4 F1 [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0\\ntlmminclientsec -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0\\ntlmminserversec -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\\SkewMatrix -> 62 82 37 51 04 30 3D BD AF EF 67 E4 69 3A 29 60 [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\\SSOURL -> http://www.passport.com ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\\Time -> E6 4F A4 7C 3A 49 C9 01 [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Name -> Digest ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Comment -> Digest SSPI Authentication Package ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Capabilities -> 16464 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\RpcId -> 65535 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Version -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\TokenSize -> 65535 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Time -> 00 54 CF 23 C4 9D C8 01 [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Type -> 49 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Name -> DPA ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Comment -> DPA Security Package ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Capabilities -> 55 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\RpcId -> 17 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Version -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\TokenSize -> 768 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Time -> 00 DB 62 27 C4 9D C8 01 [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Type -> 49 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Name -> MSN ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Comment -> MSN Security Package ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Capabilities -> 55 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\RpcId -> 18 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Version -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\TokenSize -> 768 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Time -> 00 08 94 28 C4 9D C8 01 [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Type -> 49 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> %SystemRoot%\SYSTEM32\svchost.exe [%SystemRoot%\System32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2111) | Size = 14336 bytes | Modified Date = 04/13/2008 6:12:36 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Windows Firewall/Internet Connection Sharing (ICS) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> Netman;WinMgmt; ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\\Epoch -> 131772 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> %SystemRoot%\SYSTEM32\ipnathlp.dll [%SystemRoot%\System32\ipnathlp.dll] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-0852) | Size = 331264 bytes | Modified Date = 04/13/2008 6:11:55 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe -> %SystemRoot%\SYSTEM32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2111) | Size = 141312 bytes | Modified Date = 04/13/2008 6:12:34 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\Network Diagnostic\xpnetdiag.exe -> %SystemRoot%\network diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-0852) | Size = 558080 bytes | Modified Date = 04/13/2008 12:53:32 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msnmsgr.exe -> %ProgramFiles%\MSN Messenger\msnmsgr.exe [C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0] -> Microsoft Corporation [Ver = 7.0.0813 | Size = 6856704 bytes | Modified Date = 04/27/2005 12:04:08 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DoNotAllowExceptions -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DisableNotifications -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE -> %SystemDrive%\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE [C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE:*:Enabled:Yahoo! Messenger] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\PROGRA~1\Yahoo!\MESSEN~1\yserver.exe -> %ProgramFiles%\Yahoo!\Messenger\YServer.exe [C:\PROGRA~1\Yahoo!\MESSEN~1\yserver.exe:*:Enabled:Yahoo! FT Server] -> Yahoo! Inc. [Ver = 3, 0, 0, 1 | Size = 91376 bytes | Modified Date = 08/30/2007 5:43:18 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe -> %SystemRoot%\SYSTEM32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2111) | Size = 141312 bytes | Modified Date = 04/13/2008 6:12:34 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe -> %ProgramFiles%\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater] -> [Ver = | Size = 16423 bytes | Modified Date = 02/11/2004 4:58:16 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Real\RealPlayer\realplay.exe -> %ProgramFiles%\Real\RealPlayer\realplay.exe [C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealOne Player] -> RealNetworks, Inc. [Ver = 11.0.0.442 | Size = 214560 bytes | Modified Date = 03/28/2008 6:37:55 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Messenger\msmsgs.exe -> %ProgramFiles%\Messenger\msmsgs.exe [C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger] -> Microsoft Corporation [Ver = 4.7.3001 | Size = 1695232 bytes | Modified Date = 04/13/2008 6:12:28 PM | Attr = HS]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Mozilla Firefox\firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe [C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox] -> Mozilla Corporation [Ver = 1.8.1.18: 2008102918 | Size = 7676528 bytes | Modified Date = 11/13/2008 7:58:29 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\aol\Loader\aolload.exe -> %CommonProgramFiles%\aol\Loader\aolload.exe [C:\Program Files\Common Files\aol\Loader\aolload.exe:*:Enabled:AOL Application Loader] -> America Online, Inc. [Ver = 9.2.0.1 | Size = 11352 bytes | Modified Date = 07/11/2005 3:35:18 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\aol\ACS\AOLDial.exe -> %CommonProgramFiles%\aol\ACS\AOLDial.exe [C:\Program Files\Common Files\aol\ACS\AOLDial.exe:*:Enabled:AOL] -> AOL LLC [Ver = 4.6.1.2 | Size = 71216 bytes | Modified Date = 10/23/2006 6:50:37 AM | Attr = R ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\aol\ACS\AOLacsd.exe -> %CommonProgramFiles%\aol\ACS\AOLacsd.exe [C:\Program Files\Common Files\aol\ACS\AOLacsd.exe:*:Enabled:AOL] -> AOL LLC [Ver = 4.6.1.2 | Size = 46640 bytes | Modified Date = 10/23/2006 6:50:35 AM | Attr = R ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\America Online 9.0\waol.exe -> %ProgramFiles%\America Online 9.0\waol.exe [C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL] -> America Online, Inc. [Ver = 9.02.000 | Size = 37464 bytes | Modified Date = 07/11/2005 11:17:51 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\aol\TopSpeed\2.0\aoltsmon.exe -> %CommonProgramFiles%\aol\TopSpeed\2.0\aoltsmon.exe [C:\Program Files\Common Files\aol\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon] -> America Online, Inc [Ver = 2, 0, 0, 0 | Size = 100016 bytes | Modified Date = 10/15/2004 2:54:14 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\aol\TopSpeed\2.0\aoltpspd.exe -> %CommonProgramFiles%\aol\TopSpeed\2.0\aoltpspd.exe [C:\Program Files\Common Files\aol\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed] -> America Online Inc [Ver = 2, 0, 0, 0 | Size = 46768 bytes | Modified Date = 10/15/2004 2:54:12 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\aol\1135805068\EE\AOLServiceHost.exe -> %CommonProgramFiles%\aol\1135805068\EE\AOLServiceHost.exe [C:\Program Files\Common Files\aol\1135805068\EE\AOLServiceHost.exe:*:Enabled:AOL] -> America Online, Inc. [Ver = 1.0.0.6 | Size = 110680 bytes | Modified Date = 11/03/2004 3:03:00 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\aol\System Information\sinf.exe -> %CommonProgramFiles%\aol\System Information\sinf.exe [C:\Program Files\Common Files\aol\System Information\sinf.exe:*:Enabled:AOL] -> America Online Inc. [Ver = 1, 0, 0, 1 | Size = 140888 bytes | Modified Date = 04/05/2005 6

43 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\aol\AOL Spyware Protection\AOLSP Scheduler.exe -> %CommonProgramFiles%\aol\AOL Spyware Protection\AOLSP Scheduler.exe [C:\Program Files\Common Files\aol\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL] -> [Ver = 1, 0, 0, 74 | Size = 79448 bytes | Modified Date = 10/18/2004 5:42:18 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\aol\AOL Spyware Protection\asp.exe -> %CommonProgramFiles%\aol\AOL Spyware Protection\asp.exe [C:\Program Files\Common Files\aol\AOL Spyware Protection\asp.exe:*:Enabled:AOL] -> AOL Spyware Protection [Ver = 1.00.0076 | Size = 3040856 bytes | Modified Date = 10/15/2004 12:16:06 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe -> %CommonProgramFiles%\AolCoach\en_en\player\AOLNySEV.exe [C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\Network Diagnostic\xpnetdiag.exe -> %SystemRoot%\network diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-0852) | Size = 558080 bytes | Modified Date = 04/13/2008 12:53:32 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe [C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger] -> Yahoo! Inc. [Ver = 8,1,0,421 | Size = 4670704 bytes | Modified Date = 08/30/2007 5:43:18 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\aol\1135805068\EE\aolsoftware.exe -> %CommonProgramFiles%\aol\1135805068\EE\aolsoftware.exe [C:\Program Files\Common Files\aol\1135805068\EE\aolsoftware.exe:*:Enabled:AOL Shared Components] -> America Online, Inc. [Ver = 1.5.6.1 | Size = 50736 bytes | Modified Date = 09/25/2006 6:52:48 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Internet Explorer\iexplore.exe -> %ProgramFiles%\Internet Explorer\iexplore.exe [C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer] -> Microsoft Corporation [Ver = 7.00.6000.16735 (vista_gdr.080820-1506) | Size = 635848 bytes | Modified Date = 08/22/2008 11:56:15 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Yahoo!\browser\ybrowser.exe -> %ProgramFiles%\Yahoo!\browser\ybrowser.exe [C:\Program Files\Yahoo!\browser\ybrowser.exe:*:Enabled:Yahoo! Browser] -> Yahoo!, Inc. [Ver = 2003, 10, 22, 2 | Size = 443824 bytes | Modified Date = 10/22/2003 2:48:02 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Pando Networks\Pando\pando.exe -> %ProgramFiles%\Pando Networks\Pando\pando.exe [C:\Program Files\Pando Networks\Pando\pando.exe:*:Enabled:pando] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Bonjour\mDNSResponder.exe -> %ProgramFiles%\Bonjour\mDNSResponder.exe [C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour] -> Apple Inc. [Ver = 1,0,5,11 | Size = 238888 bytes | Modified Date = 08/29/2008 10:18:44 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\iTunes\iTunes.exe -> %ProgramFiles%\iTunes\iTunes.exe [C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes] -> Apple Inc. [Ver = 8.0.0.35 | Size = 14228264 bytes | Modified Date = 09/10/2008 5:39:54 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msnmsgr.exe -> %ProgramFiles%\MSN Messenger\msnmsgr.exe [C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0] -> Microsoft Corporation [Ver = 7.0.0813 | Size = 6856704 bytes | Modified Date = 04/27/2005 12:04:08 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Skype\Phone\Skype.exe -> %ProgramFiles%\Skype\Phone\Skype.exe [C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype] -> Skype Technologies S.A. [Ver = 3.6.0.248 | Size = 21898024 bytes | Modified Date = 02/06/2008 6:37:52 PM | Attr = R ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\\Security -> [Binary data over 100 bytes] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\\ServiceUpgrade -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\0 -> Root\LEGACY_SHAREDACCESS\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\NextInstance -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 4 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> %SystemRoot%\SYSTEM32\svchost.exe [%systemroot%\system32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2111) | Size = 14336 bytes | Modified Date = 04/13/2008 6:12:36 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site. ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> %SystemRoot%\SYSTEM32\wuauserv.dll [C:\WINDOWS\system32\wuauserv.dll] -> Microsoft Corporation [Ver = 5.4.3790.5512 (xpsp.080413-0852) | Size = 6656 bytes | Modified Date = 04/13/2008 6:12:11 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> [Binary data over 100 bytes] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 ->
Reg Error: Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ not found. -> ->
Reg Error: Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\ not found. -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable -> 0 ->

[Files/Folders - Created Within 30 days]
gmer.sys -> %SystemRoot%\System32\drivers\gmer.sys -> GMER [Ver = 1, 0, 14, 4401 | Size = 85969 bytes | Created Date = 11/20/2008 7:31:29 PM | Attr = ]
akmsifwx.dll -> %SystemRoot%\System32\akmsifwx.dll -> [Ver = | Size = 72704 bytes | Created Date = 11/20/2008 7:58:08 PM | Attr = ]
byXOhGvu.dll -> %SystemRoot%\System32\byXOhGvu.dll -> [Ver = | Size = 25600 bytes | Created Date = 11/16/2008 7:48:01 PM | Attr = ]
cont_adsoftinc-remove.exe -> %SystemRoot%\System32\cont_adsoftinc-remove.exe -> [Ver = | Size = 53938 bytes | Created Date = 11/19/2008 11:17:14 PM | Attr = ]
ddcCVonk.dll -> %SystemRoot%\System32\ddcCVonk.dll -> [Ver = | Size = 25600 bytes | Created Date = 11/19/2008 11:40:57 PM | Attr = ]
ekpdequs.ini -> %SystemRoot%\System32\ekpdequs.ini -> [Ver = | Size = 1574259 bytes | Created Date = 11/16/2008 7:56:18 PM | Attr = HS]
epgxpxxv.dll -> %SystemRoot%\System32\epgxpxxv.dll -> [Ver = | Size = 124928 bytes | Created Date = 11/17/2008 7:55:45 PM | Attr = ]
gpvntx.dll -> %SystemRoot%\System32\gpvntx.dll -> [Ver = | Size = 124928 bytes | Created Date = 11/18/2008 7:55:17 PM | Attr = ]
hdshutoi.dll -> %SystemRoot%\System32\hdshutoi.dll -> [Ver = | Size = 68096 bytes | Created Date = 11/17/2008 7:58:48 PM | Attr = ]
hgGyxWQK.dll -> %SystemRoot%\System32\hgGyxWQK.dll -> [Ver = | Size = 25600 bytes | Created Date = 11/19/2008 11:40:58 PM | Attr = ]
hnfittqtgdk.dll -> %SystemRoot%\System32\hnfittqtgdk.dll -> [Ver = 2, 5, 0, 0 | Size = 190976 bytes | Created Date = 10/30/2008 10:23:04 AM | Attr = ]
iesvcmon.exe -> %SystemRoot%\System32\iesvcmon.exe -> System Service [Ver = 1.02.0004 | Size = 465920 bytes | Created Date = 11/19/2008 11:16:31 PM | Attr = ]
iotuhsdh.ini -> %SystemRoot%\System32\iotuhsdh.ini -> [Ver = | Size = 1574259 bytes | Created Date = 11/17/2008 7:58:49 PM | Attr = HS]
jzcxhe.dll -> %SystemRoot%\System32\jzcxhe.dll -> [Ver = | Size = 129024 bytes | Created Date = 11/20/2008 8:04:15 PM | Attr = ]
kdstmnfc.dll -> %SystemRoot%\System32\kdstmnfc.dll -> [Ver = | Size = 124928 bytes | Created Date = 11/18/2008 7:55:15 PM | Attr = ]
ldhnpg.dll -> %SystemRoot%\System32\ldhnpg.dll -> [Ver = | Size = 129024 bytes | Created Date = 11/19/2008 8:01:12 PM | Attr = ]
lvyqzp.dll -> %SystemRoot%\System32\lvyqzp.dll -> [Ver = | Size = 124928 bytes | Created Date = 11/17/2008 7:55:46 PM | Attr = ]
msansspc.dll -> %SystemRoot%\System32\msansspc.dll -> [Ver = | Size = 26624 bytes | Created Date = 11/16/2008 7:47:59 PM | Attr = ]
nsq3EA.dll -> %SystemRoot%\System32\nsq3EA.dll -> [Ver = 4, 6, 3, 5 | Size = 554496 bytes | Created Date = 10/28/2008 8:21:50 AM | Attr = ]
ptsmhk.dll -> %SystemRoot%\System32\ptsmhk.dll -> [Ver = | Size = 124928 bytes | Created Date = 11/16/2008 7:54:10 PM | Attr = ]
qoMccCsS.dll -> %SystemRoot%\System32\qoMccCsS.dll -> [Ver = | Size = 25600 bytes | Created Date = 11/21/2008 12:36:38 AM | Attr = ]
rgvlalld.dll -> %SystemRoot%\System32\rgvlalld.dll -> [Ver = | Size = 124928 bytes | Created Date = 11/16/2008 7:54:09 PM | Attr = ]
texpzbixgvrydzo.exe -> %SystemRoot%\System32\texpzbixgvrydzo.exe -> [Ver = | Size = 77897 bytes | Created Date = 11/19/2008 11:16:56 PM | Attr = ]
thsncwlb.dll -> %SystemRoot%\System32\thsncwlb.dll -> [Ver = | Size = 129024 bytes | Created Date = 11/19/2008 8:01:08 PM | Attr = ]
vtbtmyki.ini -> %SystemRoot%\System32\vtbtmyki.ini -> [Ver = | Size = 1496340 bytes | Created Date = 11/19/2008 7:58:19 PM | Attr = HS]
vtUomnOF.dll -> %SystemRoot%\System32\vtUomnOF.dll -> [Ver = | Size = 25600 bytes | Created Date = 11/21/2008 12:36:37 AM | Attr = ]
wciursxt.dll -> %SystemRoot%\System32\wciursxt.dll -> [Ver = | Size = 129024 bytes | Created Date = 11/20/2008 8:04:08 PM | Attr = ]
XISBayay.ini -> %SystemRoot%\System32\XISBayay.ini -> [Ver = | Size = 917089 bytes | Created Date = 11/16/2008 7:53:12 PM | Attr = HS]
XISBayay.ini2 -> %SystemRoot%\System32\XISBayay.ini2 -> [Ver = | Size = 917089 bytes | Created Date = 11/16/2008 7:53:12 PM | Attr = HS]
xwfismka.ini -> %SystemRoot%\System32\xwfismka.ini -> [Ver = | Size = 1632503 bytes | Created Date = 11/20/2008 7:58:23 PM | Attr = HS]
yayaBSIX.dll -> %SystemRoot%\System32\yayaBSIX.dll -> [Ver = | Size = 313856 bytes | Created Date = 11/16/2008 7:53:04 PM | Attr = ]
yayxwVpp.dll -> %SystemRoot%\System32\yayxwVpp.dll -> [Ver = | Size = 25600 bytes | Created Date = 11/16/2008 7:48:02 PM | Attr = ]
atmoUn.exe -> %SystemRoot%\atmoUn.exe -> [Ver = | Size = 37027 bytes | Created Date = 11/20/2008 12:33:52 AM | Attr = ]
gmer.dll -> %SystemRoot%\gmer.dll -> [Ver = 1, 0, 14, 14536 | Size = 884736 bytes | Created Date = 11/20/2008 7:31:28 PM | Attr = ]
gmer.exe -> %SystemRoot%\gmer.exe -> [Ver = 1, 0, 14, 14536 | Size = 811008 bytes | Created Date = 11/20/2008 7:31:27 PM | Attr = ]
gmer.ini -> %SystemRoot%\gmer.ini -> [Ver = | Size = 250 bytes | Created Date = 11/20/2008 7:31:58 PM | Attr = ]
gmer_uninstall.cmd -> %SystemRoot%\gmer_uninstall.cmd -> [Ver = | Size = 80 bytes | Created Date = 11/20/2008 7:31:29 PM | Attr = ]
SmFzb24gU2FsYXM -> %SystemRoot%\SmFzb24gU2FsYXM -> [Folder | Created Date = 11/20/2008 8:15:39 PM | Attr = HS]
3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
XoftSpySE 2.job -> %SystemRoot%\tasks\XoftSpySE 2.job -> [Ver = | Size = 460 bytes | Created Date = 11/17/2008 10:35:20 PM | Attr = ]
XoftSpySE.job -> %SystemRoot%\tasks\XoftSpySE.job -> [Ver = | Size = 374 bytes | Created Date = 11/17/2008 10:35:18 PM | Attr = ]
[Files Created - Additional Folder Scans - Non-Microsoft Only]
gadcom -> %AppData%\gadcom -> [Folder | Created Date = 11/21/2008 9:44:55 AM | Attr = ]
SpeedRunner -> %AppData%\SpeedRunner -> [Folder | Created Date = 11/17/2008 8:09:32 PM | Attr = ]
Twain -> %AppData%\Twain -> [Folder | Created Date = 11/17/2008 8:04:31 PM | Attr = ]
dds.scr -> %UserProfile%\Desktop\dds.scr -> [Ver = | Size = 356463 bytes | Created Date = 11/20/2008 7:28:03 PM | Attr = ]
gmer.text -> %UserProfile%\Desktop\gmer.text -> [Ver = | Size = 950724 bytes | Created Date = 11/20/2008 10:00:17 PM | Attr = ]
ingredients list for the week.doc -> %UserProfile%\Desktop\ingredients list for the week.doc -> [Ver = | Size = 31232 bytes | Created Date = 11/02/2008 11:50:39 PM | Attr = ]
OTScanIt -> %UserProfile%\Desktop\OTScanIt -> [Folder | Created Date = 11/21/2008 11:09:18 AM | Attr = ]
1 C:\Documents and Settings\Jason Salas\Desktop\*.tmp files -> C:\Documents and Settings\Jason Salas\Desktop\*.tmp ->
OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe -> [Ver = | Size = 576581 bytes | Created Date = 11/21/2008 11:08:27 AM | Attr = ]
XoftSpySE.lnk -> %UserProfile%\Desktop\XoftSpySE.lnk -> [Ver = | Size = 682 bytes | Created Date = 11/17/2008 10:35:12 PM | Attr = ]
XoftSpySE_Setup.exe -> %UserProfile%\Desktop\XoftSpySE_Setup.exe -> ParetoLogic Inc. [Ver = 4.31.0.10 | Size = 3472016 bytes | Created Date = 11/17/2008 10:34:01 PM | Attr = ]
GetPack -> %ProgramFiles%\GetPack -> [Folder | Created Date = 11/18/2008 11:16:15 PM | Attr = ]
iCheck -> %ProgramFiles%\iCheck -> [Folder | Created Date = 11/18/2008 11:16:15 PM | Attr = ]
InetGet2 -> %ProgramFiles%\InetGet2 -> [Folder | Created Date = 11/20/2008 8:15:15 PM | Attr = ]
Mjcore -> %ProgramFiles%\Mjcore -> [Folder | Created Date = 11/20/2008 6:14:11 PM | Attr = ]
Network Monitor -> %ProgramFiles%\Network Monitor -> [Folder | Created Date = 11/20/2008 8:15:39 PM | Attr = ]
Webtools -> %ProgramFiles%\Webtools -> [Folder | Created Date = 11/20/2008 6:19:09 PM | Attr = ]
XoftSpySE -> %ProgramFiles%\XoftSpySE -> [Folder | Created Date = 11/17/2008 10:35:12 PM | Attr = ]

[Files/Folders - Modified Within 30 days]
4 C:\*.tmp files -> C:\*.tmp ->
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 804331520 bytes | Modified Date = 11/21/2008 10:12:59 AM | Attr = HS]
gmer.sys -> %SystemRoot%\System32\drivers\gmer.sys -> GMER [Ver = 1, 0, 14, 4401 | Size = 85969 bytes | Modified Date = 11/20/2008 7:31:29 PM | Attr = ]
akmsifwx.dll -> %SystemRoot%\System32\akmsifwx.dll -> [Ver = | Size = 72704 bytes | Modified Date = 11/20/2008 7:58:09 PM | Attr = ]
byXOhGvu.dll -> %SystemRoot%\System32\byXOhGvu.dll -> [Ver = | Size = 25600 bytes | Modified Date = 11/16/2008 7:48:01 PM | Attr = ]
3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
cont_adsoftinc-remove.exe -> %SystemRoot%\System32\cont_adsoftinc-remove.exe -> [Ver = | Size = 53938 bytes | Modified Date = 11/19/2008 11:19:14 PM | Attr = ]
ddcCVonk.dll -> %SystemRoot%\System32\ddcCVonk.dll -> [Ver = | Size = 25600 bytes | Modified Date = 11/19/2008 11:40:57 PM | Attr = ]
ekpdequs.ini -> %SystemRoot%\System32\ekpdequs.ini -> [Ver = | Size = 1574259 bytes | Modified Date = 11/17/2008 7:56:59 PM | Attr = HS]
epgxpxxv.dll -> %SystemRoot%\System32\epgxpxxv.dll -> [Ver = | Size = 124928 bytes | Modified Date = 11/17/2008 7:55:46 PM | Attr = ]
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT -> [Ver = | Size = 332280 bytes | Modified Date = 11/07/2008 1:15:37 AM | Attr = ]
gpvntx.dll -> %SystemRoot%\System32\gpvntx.dll -> [Ver = | Size = 124928 bytes | Modified Date = 11/18/2008 7:55:17 PM | Attr = ]
hdshutoi.dll -> %SystemRoot%\System32\hdshutoi.dll -> [Ver = | Size = 68096 bytes | Modified Date = 11/17/2008 7:58:49 PM | Attr = ]
hgGyxWQK.dll -> %SystemRoot%\System32\hgGyxWQK.dll -> [Ver = | Size = 25600 bytes | Modified Date = 11/19/2008 11:40:57 PM | Attr = ]
hnfittqtgdk.dll -> %SystemRoot%\System32\hnfittqtgdk.dll -> [Ver = 2, 5, 0, 0 | Size = 190976 bytes | Modified Date = 10/30/2008 10:23:04 AM | Attr = ]
iesvcmon.exe -> %SystemRoot%\System32\iesvcmon.exe -> System Service [Ver = 1.02.0004 | Size = 465920 bytes | Modified Date = 11/19/2008 11:16:31 PM | Attr = ]
iotuhsdh.ini -> %SystemRoot%\System32\iotuhsdh.ini -> [Ver = | Size = 1574259 bytes | Modified Date = 11/17/2008 7:59:02 PM | Attr = HS]
jzcxhe.dll -> %SystemRoot%\System32\jzcxhe.dll -> [Ver = | Size = 129024 bytes | Modified Date = 11/20/2008 8:04:14 PM | Attr = ]
kdstmnfc.dll -> %SystemRoot%\System32\kdstmnfc.dll -> [Ver = | Size = 124928 bytes | Modified Date = 11/18/2008 7:55:17 PM | Attr = ]
ldhnpg.dll -> %SystemRoot%\System32\ldhnpg.dll -> [Ver = | Size = 129024 bytes | Modified Date = 11/19/2008 8:01:11 PM | Attr = ]
lvyqzp.dll -> %SystemRoot%\System32\lvyqzp.dll -> [Ver = | Size = 124928 bytes | Modified Date = 11/17/2008 7:55:46 PM | Attr = ]
msansspc.dll -> %SystemRoot%\System32\msansspc.dll -> [Ver = | Size = 26624 bytes | Modified Date = 11/16/2008 7:47:59 PM | Attr = ]
nsq3EA.dll -> %SystemRoot%\System32\nsq3EA.dll -> [Ver = 4, 6, 3, 5 | Size = 554496 bytes | Modified Date = 10/28/2008 8:21:50 AM | Attr = ]
ptsmhk.dll -> %SystemRoot%\System32\ptsmhk.dll -> [Ver = | Size = 124928 bytes | Modified Date = 11/16/2008 7:54:10 PM | Attr = ]
qoMccCsS.dll -> %SystemRoot%\System32\qoMccCsS.dll -> [Ver = | Size = 25600 bytes | Modified Date = 11/21/2008 12:36:37 AM | Attr = ]
rgvlalld.dll -> %SystemRoot%\System32\rgvlalld.dll -> [Ver = | Size = 124928 bytes | Modified Date = 11/16/2008 7:54:10 PM | Attr = ]
texpzbixgvrydzo.exe -> %SystemRoot%\System32\texpzbixgvrydzo.exe -> [Ver = | Size = 77897 bytes | Modified Date = 11/19/2008 11:18:50 PM | Attr = ]
thsncwlb.dll -> %SystemRoot%\System32\thsncwlb.dll -> [Ver = | Size = 129024 bytes | Modified Date = 11/19/2008 8:01:11 PM | Attr = ]
vtbtmyki.ini -> %SystemRoot%\System32\vtbtmyki.ini -> [Ver = | Size = 1496340 bytes | Modified Date = 11/20/2008 7:04:40 PM | Attr = HS]
vtUomnOF.dll -> %SystemRoot%\System32\vtUomnOF.dll -> [Ver = | Size = 25600 bytes | Modified Date = 11/21/2008 12:36:37 AM | Attr = ]
wciursxt.dll -> %SystemRoot%\System32\wciursxt.dll -> [Ver = | Size = 129024 bytes | Modified Date = 11/20/2008 8:04:14 PM | Attr = ]
WPA.DBL -> %SystemRoot%\System32\WPA.DBL -> [Ver = | Size = 1170 bytes | Modified Date = 11/21/2008 10:16:31 AM | Attr = ]
XISBayay.ini -> %SystemRoot%\System32\XISBayay.ini -> [Ver = | Size = 917089 bytes | Modified Date = 11/21/2008 11:14:18 AM | Attr = HS]
XISBayay.ini2 -> %SystemRoot%\System32\XISBayay.ini2 -> [Ver = | Size = 917089 bytes | Modified Date = 11/21/2008 11:12:07 AM | Attr = HS]
xwfismka.ini -> %SystemRoot%\System32\xwfismka.ini -> [Ver = | Size = 1632503 bytes | Modified Date = 11/20/2008 7:58:47 PM | Attr = HS]
yayaBSIX.dll -> %SystemRoot%\System32\yayaBSIX.dll -> [Ver = | Size = 313856 bytes | Modified Date = 11/16/2008 7:53:11 PM | Attr = ]
yayxwVpp.dll -> %SystemRoot%\System32\yayxwVpp.dll -> [Ver = | Size = 25600 bytes | Modified Date = 11/16/2008 7:48:01 PM | Attr = ]
3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
atmoUn.exe -> %SystemRoot%\atmoUn.exe -> [Ver = | Size = 37027 bytes | Modified Date = 11/20/2008 12:33:52 AM | Attr = ]
BOOTSTAT.DAT -> %SystemRoot%\BOOTSTAT.DAT -> [Ver = | Size = 2048 bytes | Modified Date = 11/21/2008 10:13:05 AM | Attr = S]
gmer.dll -> %SystemRoot%\gmer.dll -> [Ver = 1, 0, 14, 14536 | Size = 884736 bytes | Modified Date = 11/20/2008 7:31:29 PM | Attr = ]
gmer.ini -> %SystemRoot%\gmer.ini -> [Ver = | Size = 250 bytes | Modified Date = 11/20/2008 7:34:14 PM | Attr = ]
gmer_uninstall.cmd -> %SystemRoot%\gmer_uninstall.cmd -> [Ver = | Size = 80 bytes | Modified Date = 11/20/2008 7:31:29 PM | Attr = ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1393 bytes | Modified Date = 11/13/2008 9:11:11 PM | Attr = ]
WIN.INI -> %SystemRoot%\WIN.INI -> [Ver = | Size = 699 bytes | Modified Date = 11/13/2008 9:19:17 PM | Attr = ]
AppleSoftwareUpdate.job -> %SystemRoot%\tasks\AppleSoftwareUpdate.job -> [Ver = | Size = 284 bytes | Modified Date = 11/21/2008 10:58:33 AM | Attr = ]
At1.job -> %SystemRoot%\tasks\At1.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 12:50:00 AM | Attr = ]
At10.job -> %SystemRoot%\tasks\At10.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 9:00:00 AM | Attr = ]
At11.job -> %SystemRoot%\tasks\At11.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 10:00:13 AM | Attr = ]
At12.job -> %SystemRoot%\tasks\At12.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 11:00:00 AM | Attr = ]
At13.job -> %SystemRoot%\tasks\At13.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 12:00:00 PM | Attr = ]
At14.job -> %SystemRoot%\tasks\At14.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 1:00:00 PM | Attr = ]
At15.job -> %SystemRoot%\tasks\At15.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 2:00:00 PM | Attr = ]
At16.job -> %SystemRoot%\tasks\At16.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 3:00:00 PM | Attr = ]
At17.job -> %SystemRoot%\tasks\At17.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 4:00:00 PM | Attr = ]
At18.job -> %SystemRoot%\tasks\At18.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 5:00:00 PM | Attr = ]
At19.job -> %SystemRoot%\tasks\At19.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 6:00:00 PM | Attr = ]
At2.job -> %SystemRoot%\tasks\At2.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 1:00:00 AM | Attr = ]
At20.job -> %SystemRoot%\tasks\At20.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 7:00:02 PM | Attr = ]
At21.job -> %SystemRoot%\tasks\At21.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 8:00:02 PM | Attr = ]
At22.job -> %SystemRoot%\tasks\At22.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 9:00:00 PM | Attr = ]
At23.job -> %SystemRoot%\tasks\At23.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 10:00:00 PM | Attr = ]
At24.job -> %SystemRoot%\tasks\At24.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 11:00:00 PM | Attr = ]
At25.job -> %SystemRoot%\tasks\At25.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 12:16:00 AM | Attr = ]
At26.job -> %SystemRoot%\tasks\At26.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 1:00:00 AM | Attr = ]
At27.job -> %SystemRoot%\tasks\At27.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 2:00:00 AM | Attr = ]
At28.job -> %SystemRoot%\tasks\At28.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 3:00:00 AM | Attr = ]
At29.job -> %SystemRoot%\tasks\At29.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 4:00:00 AM | Attr = ]
At3.job -> %SystemRoot%\tasks\At3.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 2:00:00 AM | Attr = ]
At30.job -> %SystemRoot%\tasks\At30.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 5:00:00 AM | Attr = ]
At31.job -> %SystemRoot%\tasks\At31.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 6:00:00 AM | Attr = ]
At32.job -> %SystemRoot%\tasks\At32.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 7:00:00 AM | Attr = ]
At33.job -> %SystemRoot%\tasks\At33.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 8:00:00 AM | Attr = ]
At34.job -> %SystemRoot%\tasks\At34.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 9:00:00 AM | Attr = ]
At35.job -> %SystemRoot%\tasks\At35.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 10:00:14 AM | Attr = ]
At36.job -> %SystemRoot%\tasks\At36.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 11:00:01 AM | Attr = ]
At37.job -> %SystemRoot%\tasks\At37.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 12:00:00 PM | Attr = ]
At38.job -> %SystemRoot%\tasks\At38.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 1:00:00 PM | Attr = ]
At39.job -> %SystemRoot%\tasks\At39.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 2:00:00 PM | Attr = ]
At4.job -> %SystemRoot%\tasks\At4.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 3:00:00 AM | Attr = ]
At40.job -> %SystemRoot%\tasks\At40.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 3:00:00 PM | Attr = ]
At41.job -> %SystemRoot%\tasks\At41.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 4:00:00 PM | Attr = ]
At42.job -> %SystemRoot%\tasks\At42.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 5:00:00 PM | Attr = ]
At43.job -> %SystemRoot%\tasks\At43.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 6:00:00 PM | Attr = ]
At44.job -> %SystemRoot%\tasks\At44.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 7:00:03 PM | Attr = ]
At45.job -> %SystemRoot%\tasks\At45.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 8:00:02 PM | Attr = ]
At46.job -> %SystemRoot%\tasks\At46.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 9:00:00 PM | Attr = ]
At47.job -> %SystemRoot%\tasks\At47.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 10:00:00 PM | Attr = ]
At48.job -> %SystemRoot%\tasks\At48.job -> [Ver = | Size = 350 bytes | Modified Date = 11/20/2008 11:00:00 PM | Attr = ]
At5.job -> %SystemRoot%\tasks\At5.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 4:00:00 AM | Attr = ]
At6.job -> %SystemRoot%\tasks\At6.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 5:00:00 AM | Attr = ]
At7.job -> %SystemRoot%\tasks\At7.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 6:00:00 AM | Attr = ]
At8.job -> %SystemRoot%\tasks\At8.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 7:00:00 AM | Attr = ]
At9.job -> %SystemRoot%\tasks\At9.job -> [Ver = | Size = 350 bytes | Modified Date = 11/21/2008 8:00:00 AM | Attr = ]
Pareto UNS.job -> %SystemRoot%\tasks\Pareto UNS.job -> [Ver = | Size = 418 bytes | Modified Date = 11/18/2008 6:00:00 PM | Attr = ]
ParetoLogic Anti-Spyware.job -> %SystemRoot%\tasks\ParetoLogic Anti-Spyware.job -> [Ver = | Size = 436 bytes | Modified Date = 11/21/2008 3:00:00 AM | Attr = ]
ParetoLogic Update.job -> %SystemRoot%\tasks\ParetoLogic Update.job -> [Ver = | Size = 424 bytes | Modified Date = 11/20/2008 12:33:00 AM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 11/21/2008 10:13:39 AM | Attr = H ]
XoftSpySE 2.job -> %SystemRoot%\tasks\XoftSpySE 2.job -> [Ver = | Size = 460 bytes | Modified Date = 11/21/2008 10:13:48 AM | Attr = ]
XoftSpySE.job -> %SystemRoot%\tasks\XoftSpySE.job -> [Ver = | Size = 374 bytes | Modified Date = 11/18/2008 6:04:06 AM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Microsoft\Money\11.0\Webcache\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Money\11.0\Webcache -> [Folder | Modified Date = 06/05/2003 12:29:46 PM | Attr = ]
about.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Money\11.0\Webcache\about.dat -> [Ver = | Size = 1528 bytes | Modified Date = 07/17/2002 10:00:00 AM | Attr = ]
college.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Money\11.0\Webcache\college.dat -> [Ver = | Size = 327746 bytes | Modified Date = 07/17/2002 10:00:00 AM | Attr = ]
ylpgscat.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Money\11.0\Webcache\ylpgscat.dat -> [Ver = | Size = 12283223 bytes | Modified Date = 07/17/2002 10:00:00 AM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Microsoft\MSDAIPP\Offline\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\MSDAIPP\Offline -> [Folder | Modified Date = 09/30/2003 4:53:20 PM | Attr = ]
HashFile.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\MSDAIPP\Offline\HashFile.dat -> [Ver = | Size = 102412 bytes | Modified Date = 09/30/2003 4:53:20 PM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader -> [Folder | Modified Date = 06/05/2003 12:37:31 PM | Attr = ]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [Ver = | Size = 4232 bytes | Modified Date = 11/11/2008 11:49:54 PM | Attr = ]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [Ver = | Size = 4646 bytes | Modified Date = 11/11/2008 11:49:54 PM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data -> [Folder | Modified Date = 10/21/2008 9:54:02 AM | Attr = ]
data.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data\data.dat -> [Ver = | Size = 1388 bytes | Modified Date = 08/09/2005 9

14 PM | Attr = ]
opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data\opa11.dat -> [Ver = | Size = 11068 bytes | Modified Date = 10/21/2008 9:54:36 AM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Microsoft\Works\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works -> [Folder | Modified Date = 03/17/2008 3:12:08 PM | Attr = ]
wkcalcat.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works\wkcalcat.dat -> [Ver = | Size = 16384 bytes | Modified Date = 10/20/2003 4:48:28 PM | Attr = ]
wklntnts.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works\wklntnts.dat -> [Ver = | Size = 1424304 bytes | Modified Date = 11/21/2008 12:09:25 AM | Attr = ]
wklntsk.dat -> C:\Documents and Settings\All Users\Application
Data\Microsoft\Works\wklntsk.dat -> [Ver = | Size = 1424304 bytes | Modified Date = 11/21/2008 12:09:25 AM | Attr = ]
C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0 -> [Folder | Modified Date = 11/20/2008 10:08:42 PM | Attr = ]
notifykeysB.com -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\notifykeysB.com -> [Ver = | Size = 148 bytes | Modified Date = 11/11/2008 1:16:40 PM | Attr = ]
C:\Documents and Settings\Jason Salas\Local Settings\Temp\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp -> [Folder | Modified Date = 11/21/2008 11:14:22 AM | Attr = ]
79.exe -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\79.exe -> [Ver = | Size = 605643 bytes | Modified Date = 11/19/2008 11:16:36 PM | Attr = ]
cmdinst.exe -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\cmdinst.exe -> [Ver = 1.0.1 | Size = 852566 bytes | Modified Date = 11/20/2008 8:15:32 PM | Attr = ]
CTPBSEQ.EXE -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\CTPBSEQ.EXE -> Creative Technology Ltd. [Ver = 1, 0, 0, 5 | Size = 65536 bytes | Modified Date = 03/11/2007 7:05:00 PM | Attr = R ]
mondrver_1110_nathan_old.exe -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\mondrver_1110_nathan_old.exe -> [Ver = 1.00 | Size = 495616 bytes | Modified Date = 11/19/2008 11:16:28 PM | Attr = ]
orz.exe -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\orz.exe -> [Ver = 1.0.0.18 | Size = 62464 bytes | Modified Date = 11/18/2008 11:20:54 PM | Attr = ]
wJQs.exe -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\wJQs.exe -> [Ver = | Size = 26624 bytes | Modified Date = 11/19/2008 11:40:50 PM | Attr = ]
44 C:\Documents and Settings\Jason Salas\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\*.tmp ->
C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0 -> [Folder | Modified Date = 11/20/2008 10:08:42 PM | Attr = ]
FI.exe -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\FI.exe -> [Ver = | Size = 110592 bytes | Modified Date = 11/12/2002 5:38:32 AM | Attr = ]
MSClsid.exe -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\MSClsid.exe -> [Ver = | Size = 1720 bytes | Modified Date = 11/14/2008 1:23:17 PM | Attr = ]
Policies.exe -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\Policies.exe -> [Ver = | Size = 1720 bytes | Modified Date = 11/14/2008 11:21:49 AM | Attr = ]
WREGS.exe -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\WREGS.exe -> SteelWerX [Ver = 3.0.0.0 | Size = 518144 bytes | Modified Date = 08/31/2000 8:00:00 AM | Attr = ]
C:\Documents and Settings\Jason Salas\Local Settings\Temp\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp -> [Folder | Modified Date = 11/21/2008 11:14:22 AM | Attr = ]
IadHide5.dll -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\IadHide5.dll -> BackWeb [Ver = Version 6.3.2 (Build 62R) | Size = 24613 bytes | Modified Date = 02/11/2004 4:58:16 PM | Attr = ]
44 C:\Documents and Settings\Jason Salas\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\*.tmp ->
C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0 -> [Folder | Modified Date = 11/20/2008 10:08:42 PM | Attr = ]
SvcWhtDDS.dll -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\SvcWhtDDS.dll -> [Ver = | Size = 54628 bytes | Modified Date = 11/11/2008 6:21:44 PM | Attr = ]
SvcWhtDDSVista.dll -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\SvcWhtDDSVista.dll -> [Ver = | Size = 16308 bytes | Modified Date = 11/11/2008 4:15:56 PM | Attr = ]
C:\Documents and Settings\Jason Salas\Local Settings\Temp\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp -> [Folder | Modified Date = 11/21/2008 11:14:22 AM | Attr = ]
8hNyuW5P.dat -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\8hNyuW5P.dat -> [Ver = | Size = 4227 bytes | Modified Date = 11/21/2008 9:08:45 AM | Attr = ]
44 C:\Documents and Settings\Jason Salas\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\*.tmp ->
C:\Documents and Settings\Jason Salas\Local Settings\Temp\Cookies\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Cookies -> [Folder | Modified Date = 08/21/2008 5

51 AM | Attr = HS]
index.dat -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Cookies\index.dat -> [Ver = | Size = 16384 bytes | Modified Date = 08/21/2008 5

48 AM | Attr = HS]
C:\Documents and Settings\Jason Salas\Local Settings\Temp\History\History.IE5\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\History\History.IE5\ -> [Folder | Modified Date = 11/21/2008 10:43:36 AM | Attr = HS]
index.dat -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\History\History.IE5\index.dat -> [Ver = | Size = 16384 bytes | Modified Date = 08/21/2008 5

48 AM | Attr = HS]
C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\ -> [Folder | Modified Date = 08/21/2008 5

48 AM | Attr = HS]
index.dat -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat -> [Ver = | Size = 32768 bytes | Modified Date = 08/21/2008 5

48 AM | Attr = HS]
C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\ -> [Folder | Modified Date = 08/21/2008 5

48 AM | Attr = HS]
desktop.ini -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini -> [Ver = | Size = 0 bytes | Modified Date = 08/21/2008 5

48 AM | Attr = HS]
C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\2IQENZWG\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\2IQENZWG -> [Folder | Modified Date = 11/21/2008 10:43:35 AM | Attr = HS]
desktop.ini -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\2IQENZWG\desktop.ini -> [Ver = | Size = 67 bytes | Modified Date = 08/21/2008 5

54 AM | Attr = HS]
C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\8X8KR62E\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\8X8KR62E -> [Folder | Modified Date = 11/21/2008 10:43:35 AM | Attr = HS]
desktop.ini -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\8X8KR62E\desktop.ini -> [Ver = | Size = 67 bytes | Modified Date = 08/21/2008 5

54 AM | Attr = HS]
C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\CP0LZTQT\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\CP0LZTQT -> [Folder | Modified Date = 11/21/2008 10:43:35 AM | Attr = HS]
desktop.ini -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\CP0LZTQT\desktop.ini -> [Ver = | Size = 67 bytes | Modified Date = 08/21/2008 5

54 AM | Attr = HS]
C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\RX6G6G29\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\RX6G6G29 -> [Folder | Modified Date = 11/21/2008 10:43:35 AM | Attr = HS]
desktop.ini -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\RX6G6G29\desktop.ini -> [Ver = | Size = 67 bytes | Modified Date = 08/21/2008 5

54 AM | Attr = HS]
C:\WINDOWS\Temp\ -> C:\WINDOWS\Temp -> [Folder | Modified Date = 11/21/2008 10:15:14 AM | Attr = ]
8hNyuW5P.dat -> C:\WINDOWS\Temp\8hNyuW5P.dat -> [Ver = | Size = 15543 bytes | Modified Date = 08/22/2008 11:00:04 PM | Attr = ]
N5t20dSv.dat -> C:\WINDOWS\Temp\N5t20dSv.dat -> [Ver = | Size = 8669 bytes | Modified Date = 08/19/2008 3:07:43 PM | Attr = ]
Perflib_Perfdata_588.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_588.dat -> [Ver = | Size = 16384 bytes | Modified Date = 08/19/2008 7:21:41 PM | Attr = ]
pP2HD0u0.dat -> C:\WINDOWS\Temp\pP2HD0u0.dat -> [Ver = | Size = 10599 bytes | Modified Date = 08/21/2008 7:01:18 PM | Attr = ]
sS5KG3x3.dat -> C:\WINDOWS\Temp\sS5KG3x3.dat -> [Ver = | Size = 10155 bytes | Modified Date = 08/22/2008 11:00:01 PM | Attr = ]
110 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp ->
C:\WINDOWS\Temp\Cookies\ -> C:\WINDOWS\Temp\Cookies -> [Folder | Modified Date = 11/20/2008 6:15:53 PM | Attr = HS]
index.dat -> C:\WINDOWS\Temp\Cookies\index.dat -> [Ver = | Size = 32768 bytes | Modified Date = 11/21/2008 7:48:37 AM | Attr = HS]
C:\WINDOWS\Temp\History\History.IE5\ -> C:\WINDOWS\Temp\History\History.IE5\ -> [Folder | Modified Date = 10/02/2007 11:17:56 PM | Attr = HS]
index.dat -> C:\WINDOWS\Temp\History\History.IE5\index.dat -> [Ver = | Size = 16384 bytes | Modified Date = 11/21/2008 7:48:37 AM | Attr = HS]
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\ -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\ -> [Folder | Modified Date = 10/02/2007 11:17:56 PM | Attr = HS]
index.dat -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat -> [Ver = | Size = 49152 bytes | Modified Date = 11/21/2008 7:48:37 AM | Attr = HS]
C:\WINDOWS\Temp\History\History.IE5\ -> C:\WINDOWS\Temp\History\History.IE5\ -> [Folder | Modified Date = 10/02/2007 11:17:56 PM | Attr = HS]
desktop.ini -> C:\WINDOWS\Temp\History\History.IE5\desktop.ini -> [Ver = | Size = 145 bytes | Modified Date = 10/02/2007 11:17:56 PM | Attr = HS]
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\ -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\ -> [Folder | Modified Date = 10/02/2007 11:17:56 PM | Attr = HS]
desktop.ini -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini -> [Ver = | Size = 67 bytes | Modified Date = 10/02/2007 11:17:56 PM | Attr = HS]
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CG8I0X7H\ -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CG8I0X7H -> [Folder | Modified Date = 11/21/2008 7:48:41 AM | Attr = HS]
desktop.ini -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CG8I0X7H\desktop.ini -> [Ver = | Size = 67 bytes | Modified Date = 10/02/2007 11:17:56 PM | Attr = HS]
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G50LZR5N\ -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G50LZR5N -> [Folder | Modified Date = 08/15/2008 3:28:28 PM | Attr = HS]
desktop.ini -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G50LZR5N\desktop.ini -> [Ver = | Size = 67 bytes | Modified Date = 10/02/2007 11:17:56 PM | Attr = HS]
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GIZOJ1P5\ -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GIZOJ1P5 -> [Folder | Modified Date = 08/15/2008 3:28:29 PM | Attr = HS]
desktop.ini -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GIZOJ1P5\desktop.ini -> [Ver = | Size = 67 bytes | Modified Date = 10/02/2007 11:17:56 PM | Attr = HS]
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\XQSH2LUA\ -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\XQSH2LUA -> [Folder | Modified Date = 08/15/2008 3:28:28 PM | Attr = HS]
desktop.ini -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\XQSH2LUA\desktop.ini -> [Ver = | Size = 67 bytes | Modified Date = 10/02/2007 11:17:56 PM | Attr = HS]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
GDIPFONTCACHEV1.DAT -> %UserProfile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT -> [Ver = | Size = 100288 bytes | Modified Date = 11/07/2008 8:07:48 AM | Attr = ]
70 C:\Documents and Settings\Jason Salas\My Documents\*.tmp files -> C:\Documents and Settings\Jason Salas\My Documents\*.tmp ->
dds.scr -> %UserProfile%\Desktop\dds.scr -> [Ver = | Size = 356463 bytes | Modified Date = 11/20/2008 7:26:55 PM | Attr = ]
gmer.text -> %UserProfile%\Desktop\gmer.text -> [Ver = | Size = 950724 bytes | Modified Date = 11/20/2008 10:00:17 PM | Attr = ]
ingredients list for the week.doc -> %UserProfile%\Desktop\ingredients list for the week.doc -> [Ver = | Size = 31232 bytes | Modified Date = 11/02/2008 11:50:39 PM | Attr = ]
1 C:\Documents and Settings\Jason Salas\Desktop\*.tmp files -> C:\Documents and Settings\Jason Salas\Desktop\*.tmp ->
OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe -> [Ver = | Size = 576581 bytes | Modified Date = 11/21/2008 11:08:05 AM | Attr = ]
XoftSpySE.lnk -> %UserProfile%\Desktop\XoftSpySE.lnk -> [Ver = | Size = 682 bytes | Modified Date = 11/17/2008 10:35:12 PM | Attr = ]
XoftSpySE_Setup.exe -> %UserProfile%\Desktop\XoftSpySE_Setup.exe -> ParetoLogic Inc. [Ver = 4.31.0.10 | Size = 3472016 bytes | Modified Date = 11/17/2008 10:34:41 PM | Attr = ]

[CatchMe Rootkit Scan by GMER]
< Windows folder & sub-folders >
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
< Document and Settings folder & sub folders >
scanning hidden files ...
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\All Users\Documents\My Music\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\Desktop\My Pictures\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\Desktop\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\Favorites\dcmountainbikeclub Desperation Church Mountain Bike Club.url:favicon 1406 bytes
C:\Documents and Settings\Jason Salas\Favorites\Heartland Racing - Home.url:favicon 1150 bytes
C:\Documents and Settings\Jason Salas\My Documents\DESPERATE\LCC Site Work\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\DESPERATE\LCC Site Work\Zip Photos\DC_web_pix_vol2\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\DESPERATE\LCC Site Work\Zip Photos\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\DESPERATE\PROM\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\Copy of My Pictures\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\Jason's UMKC work\Might be able to use for portfolio\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\thrift store listing_files\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Music\mb\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Music\Musicmatch downloads\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\100_FUJI\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Arie's Web Page\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Mia's ice cream\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\FAll 2008\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\FISH\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\calendar\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Calendar 2007\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\calendar pictures\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2004-11-23\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2004-12-07\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2004-12-10\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2004-12-20\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2004-12-21\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-01-10\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-01-20\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-02-15\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-03-08\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-03-18\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-04-21\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-06-08\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-06-10\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-06-13\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-06-16\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-06-21\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-06-25\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-06-26\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-07-08\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-07-22\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-08-02\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-09-02\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-09-14\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-09-17\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-09-22\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-10-02\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-11-02\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-11-09\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-12-10\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-12-12\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-01-12\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-01-18\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-01-28\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-02-12\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-02-16\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-02-21\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-03-01\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-03-02\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-03-06\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-03-08\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-03-20\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-05-20\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2005-10-22\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-03-22\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-05-12\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-03-23\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-04-08\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-04-10\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-04-11\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-04-19\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-05-10\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-05-11\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-06-03\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-06-07\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-06-16\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-06-23\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-06-26\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-07-13\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-07-18\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-07-21\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2006-07-22\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-01-17\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-01-27\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-01-31\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-02-03\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-02-10\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-02-11\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-02-19\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-02-25\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-02-27\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-03-03\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-03-09\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-03-13\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-03-18\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-03-25\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-04-10\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-04-11\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-04-20\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-05-05\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-05-15\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-05-16\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-05-21\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-06-02\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-06-08\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-06-24\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-07-05\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-07-26\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-07-30\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-07-31\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-08-06\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-08-18\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-09-08\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\2007-11-13\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\grandma's pictures\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Kodak Pictures\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Luisas photos\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\new baby xander\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Spring 2008\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Spring 2008\2008-04-06\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Spring 2008\May 2008\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Spring 2008\June 2008\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Summer 2008\July August 2008\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Summer 2008\Thumbs.db:encryptable 0 bytes
C:\Documents and Settings\Jason Salas\My Documents\My Pictures\Thumbs.db:encryptable 0 bytes
scan completed successfully
hidden files: 156

< End of report >
[/code]

jchilderssalas · 11-21-2008, 10:25 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:15 PM, on 11/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\AOL\1135805068\ee\AOLSoftware.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
C:\Program Files\X3watchpro\x3watchpro.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\V0410Mon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\iesvcmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
C:\Documents and Settings\Jason Salas\Application Data\gadcom\gadcom.exe
C:\Documents and Settings\Jason Salas\Application Data\Microsoft\Windows\ojeiyoa.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jason Salas\Desktop\OTScanIt\OTScanIt.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Jason Salas\Application Data\SpeedRunner\SpeedRunner.exe
C:\hi jack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135805068\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"
O4 - HKLM\..\Run: [x3watchpro] C:\Program Files\X3watchpro\x3watchpro.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [V0410Mon.exe] C:\WINDOWS\V0410Mon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iesvcmon] "C:\WINDOWS\system32\iesvcmon.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [slide.exe] c:\program files\slide\slide.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Jason Salas\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Jason Salas\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Jason Salas\Application Data\Microsoft\Windows\ojeiyoa.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: cespy.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activation.rr.com/install...ad/tgctlcm.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1219367284921
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...87/mcfscan.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spysp...terInstall.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: jzcxhe.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\\aolserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 10172 bytes

Gary R · 11-21-2008, 12:12 PM

OK, that's one seriously infected machine. We have a lot to remove and it may take us a while to get rid of everything.

Before we progress, you would be well advised to back up your personal files. With a machine as badly infected as this, there is always a possibility of us having problems. Text files and pictures are unlikely to be infected, though there is always some element of risk in backing up files from an infected machine.

Once you've done that.

First

Please download Malwarebytes' Anti-Malware to your Desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Click on the Malwarebytes' Anti-Malware icon to launch the programme.
- Click the Updates tab.
  - Click Check for Updates and allow the programme to download the latest definitions.
Close MBAM (Do not run a scan with it yet).

Next

Disconnect from the Internet, by which I mean remove your line connection (this is important)

Once disconnected

Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you're running Vista then right-click the program and choose Run as Administrator).
Copy/Paste the information in the codebox below into the pane where it says Paste fix here, then click the Run Fix button.

Code:

[Processes - Non-Microsoft Only]
YY -> iesvcmon.exe -> %SystemRoot%\SYSTEM32\iesvcmon.exe
YY -> gadcom.exe -> %AppData%\gadcom\gadcom.exe
YY -> ojeiyoa.exe -> %AppData%\Microsoft\Windows\ojeiyoa.exe
YY -> speedrunner.exe -> %AppData%\SpeedRunner\SpeedRunner.exe
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> iesvcmon -> %SystemRoot%\SYSTEM32\iesvcmon.exe ["C:\WINDOWS\system32\iesvcmon.exe"] 
YN -> UserFaultCheck -> [%systemroot%\system32\dumprep 0 -u]
< RunOnceEx [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
YN -> ~EmptyValue -> []
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> gadcom -> %AppData%\gadcom\gadcom.exe ["C:\Documents and Settings\Jason Salas\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A]
YY -> SfKg6wIP -> %AppData%\Microsoft\Windows\ojeiyoa.exe [C:\Documents and Settings\Jason Salas\Application Data\Microsoft\Windows\ojeiyoa.exe]
YY -> SpeedRunner -> %AppData%\SpeedRunner\SpeedRunner.exe [C:\Documents and Settings\Jason Salas\Application Data\SpeedRunner\SpeedRunner.exe]
< Run [HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\] > -> HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> gadcom -> %AppData%\gadcom\gadcom.exe ["C:\Documents and Settings\Jason Salas\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A]
YY -> SfKg6wIP -> %AppData%\Microsoft\Windows\ojeiyoa.exe [C:\Documents and Settings\Jason Salas\Application Data\Microsoft\Windows\ojeiyoa.exe]
YY -> SpeedRunner -> %AppData%\SpeedRunner\SpeedRunner.exe [C:\Documents and Settings\Jason Salas\Application Data\SpeedRunner\SpeedRunner.exe]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> jzcxhe.dll -> %SystemRoot%\SYSTEM32\jzcxhe.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> {A63E645F-13BD-45ED-B15F-6E8C1BD57279} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\SYSTEM32\byXOhGvu.dll []
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
YY -> C:\WINDOWS\Nail.exe -> %SystemRoot%\Nail.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> 
YN -> HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> 
YN -> HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\] > -> 
YN -> HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {418141f6-f4f2-417b-9480-deaa98afad55} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\SYSTEM32\jzcxhe.dll [Reg Error: Value does not exist or could not be read.]
YY -> {8D6A2B83-6ADB-4B5C-AAD3-DC6D49E8935F} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\SYSTEM32\yayaBSIX.dll [Reg Error: Value does not exist or could not be read.]
YY -> {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\SYSTEM32\M5s20cRu.dll [solution Class]
YY -> {A63E645F-13BD-45ED-B15F-6E8C1BD57279} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\SYSTEM32\byXOhGvu.dll [Reg Error: Value does not exist or could not be read.]
< Internet Explorer Bars [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YY -> {4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Yahoo!\Messenger\yhexbmes.dll [&Yahoo! Messenger]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{804DB5C7-31E6-4885-850A-F1941B58A4C7} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\] > -> HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{804DB5C7-31E6-4885-850A-F1941B58A4C7} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{E023F504-0C5A-4750-A1E7-A9046DEA8A21} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{E023F504-0C5A-4750-A1E7-A9046DEA8A21} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {33564D57-9980-0010-8000-00AA00389B71}[HKEY_LOCAL_MACHINE] -> http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab[Reg Error: Key does not exist or could not be opened.]
YN -> {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jin...ndows-i586.cab[Java Plug-in 1.5.0_02]
YN -> {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jin...ndows-i586.cab[Java Plug-in 1.5.0_06]
YN -> {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0}[HKEY_LOCAL_MACHINE] -> http://download.spyspotter.com/spysp...terInstall.cab[Reg Error: Key does not exist or could not be opened.]
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DS3.dll\\.Owner -> {DDFFA75A-E81D-4454-89FC-B9FD0631E726}
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1018.dll\\.Owner -> {DBAE7000-01EC-4162-8FEB-8A27AC937CA0}
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1100.dll\\.Owner -> {DBAE7000-01EC-4162-8FEB-8A27AC937CA0}
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/iSetup.dll\\.Owner -> {90C9629E-CD32-11D3-BBFB-00105A1F0D68}
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/iSetup.exe\\.Owner -> {90C9629E-CD32-11D3-BBFB-00105A1F0D68}
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SSCHECK.DLL\\.Owner -> {421A63BA-4632-43E0-A942-3B4AB645BE51}
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SyncroAdX.dll\\.Owner -> {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\WINDOWS\system32\yayaBSIX -> %SystemRoot%\SYSTEM32\yayaBSIX.dll
< BotCheck > -> 
[Files/Folders - Created Within 30 days]
NY -> akmsifwx.dll -> %SystemRoot%\System32\akmsifwx.dll
NY -> byXOhGvu.dll -> %SystemRoot%\System32\byXOhGvu.dll
NY -> cont_adsoftinc-remove.exe -> %SystemRoot%\System32\cont_adsoftinc-remove.exe
NY -> ddcCVonk.dll -> %SystemRoot%\System32\ddcCVonk.dll
NY -> ekpdequs.ini -> %SystemRoot%\System32\ekpdequs.ini
NY -> epgxpxxv.dll -> %SystemRoot%\System32\epgxpxxv.dll
NY -> hdshutoi.dll -> %SystemRoot%\System32\hdshutoi.dll
NY -> hgGyxWQK.dll -> %SystemRoot%\System32\hgGyxWQK.dll
NY -> hnfittqtgdk.dll -> %SystemRoot%\System32\hnfittqtgdk.dll
NY -> iesvcmon.exe -> %SystemRoot%\System32\iesvcmon.exe
NY -> jzcxhe.dll -> %SystemRoot%\System32\jzcxhe.dll
NY -> kdstmnfc.dll -> %SystemRoot%\System32\kdstmnfc.dll
NY -> ldhnpg.dll -> %SystemRoot%\System32\ldhnpg.dll
NY -> lvyqzp.dll -> %SystemRoot%\System32\lvyqzp.dll
NY -> msansspc.dll -> %SystemRoot%\System32\msansspc.dll
NY -> nsq3EA.dll -> %SystemRoot%\System32\nsq3EA.dll
NY -> ptsmhk.dll -> %SystemRoot%\System32\ptsmhk.dll
NY -> qoMccCsS.dll -> %SystemRoot%\System32\qoMccCsS.dll
NY -> rgvlalld.dll -> %SystemRoot%\System32\rgvlalld.dll
NY -> texpzbixgvrydzo.exe -> %SystemRoot%\System32\texpzbixgvrydzo.exe
NY -> thsncwlb.dll -> %SystemRoot%\System32\thsncwlb.dll
NY -> vtbtmyki.ini -> %SystemRoot%\System32\vtbtmyki.ini
NY -> vtUomnOF.dll -> %SystemRoot%\System32\vtUomnOF.dll
NY -> wciursxt.dll -> %SystemRoot%\System32\wciursxt.dll
NY -> XISBayay.ini -> %SystemRoot%\System32\XISBayay.ini
NY -> XISBayay.ini2 -> %SystemRoot%\System32\XISBayay.ini2
NY -> xwfismka.ini -> %SystemRoot%\System32\xwfismka.ini
NY -> yayaBSIX.dll -> %SystemRoot%\System32\yayaBSIX.dll
NY -> yayxwVpp.dll -> %SystemRoot%\System32\yayxwVpp.dll
NY -> SmFzb24gU2FsYXM -> %SystemRoot%\SmFzb24gU2FsYXM
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> gadcom -> %AppData%\gadcom
NY -> SpeedRunner -> %AppData%\SpeedRunner
NY -> Mjcore -> %ProgramFiles%\Mjcore
[Files/Folders - Modified Within 30 days]
NY -> akmsifwx.dll -> %SystemRoot%\System32\akmsifwx.dll
NY -> byXOhGvu.dll -> %SystemRoot%\System32\byXOhGvu.dll
NY -> cont_adsoftinc-remove.exe -> %SystemRoot%\System32\cont_adsoftinc-remove.exe
NY -> ddcCVonk.dll -> %SystemRoot%\System32\ddcCVonk.dll
NY -> ekpdequs.ini -> %SystemRoot%\System32\ekpdequs.ini
NY -> epgxpxxv.dll -> %SystemRoot%\System32\epgxpxxv.dll
NY -> gpvntx.dll -> %SystemRoot%\System32\gpvntx.dll
NY -> hdshutoi.dll -> %SystemRoot%\System32\hdshutoi.dll
NY -> hgGyxWQK.dll -> %SystemRoot%\System32\hgGyxWQK.dll
NY -> hnfittqtgdk.dll -> %SystemRoot%\System32\hnfittqtgdk.dll
NY -> iesvcmon.exe -> %SystemRoot%\System32\iesvcmon.exe
NY -> iotuhsdh.ini -> %SystemRoot%\System32\iotuhsdh.ini
NY -> jzcxhe.dll -> %SystemRoot%\System32\jzcxhe.dll
NY -> kdstmnfc.dll -> %SystemRoot%\System32\kdstmnfc.dll
NY -> ldhnpg.dll -> %SystemRoot%\System32\ldhnpg.dll
NY -> lvyqzp.dll -> %SystemRoot%\System32\lvyqzp.dll
NY -> msansspc.dll -> %SystemRoot%\System32\msansspc.dll
NY -> nsq3EA.dll -> %SystemRoot%\System32\nsq3EA.dll
NY -> ptsmhk.dll -> %SystemRoot%\System32\ptsmhk.dll
NY -> qoMccCsS.dll -> %SystemRoot%\System32\qoMccCsS.dll
NY -> rgvlalld.dll -> %SystemRoot%\System32\rgvlalld.dll
NY -> texpzbixgvrydzo.exe -> %SystemRoot%\System32\texpzbixgvrydzo.exe
NY -> thsncwlb.dll -> %SystemRoot%\System32\thsncwlb.dll
NY -> vtbtmyki.ini -> %SystemRoot%\System32\vtbtmyki.ini
NY -> vtUomnOF.dll -> %SystemRoot%\System32\vtUomnOF.dll
NY -> wciursxt.dll -> %SystemRoot%\System32\wciursxt.dll
NY -> XISBayay.ini -> %SystemRoot%\System32\XISBayay.ini
NY -> XISBayay.ini2 -> %SystemRoot%\System32\XISBayay.ini2
NY -> xwfismka.ini -> %SystemRoot%\System32\xwfismka.ini
NY -> yayaBSIX.dll -> %SystemRoot%\System32\yayaBSIX.dll
NY -> yayxwVpp.dll -> %SystemRoot%\System32\yayxwVpp.dll
NY -> At1.job -> %SystemRoot%\tasks\At1.job
NY -> At10.job -> %SystemRoot%\tasks\At10.job
NY -> At11.job -> %SystemRoot%\tasks\At11.job
NY -> At12.job -> %SystemRoot%\tasks\At12.job
NY -> At13.job -> %SystemRoot%\tasks\At13.job
NY -> At14.job -> %SystemRoot%\tasks\At14.job
NY -> At15.job -> %SystemRoot%\tasks\At15.job
NY -> At16.job -> %SystemRoot%\tasks\At16.job
NY -> At17.job -> %SystemRoot%\tasks\At17.job
NY -> At18.job -> %SystemRoot%\tasks\At18.job
NY -> At19.job -> %SystemRoot%\tasks\At19.job
NY -> At2.job -> %SystemRoot%\tasks\At2.job
NY -> At20.job -> %SystemRoot%\tasks\At20.job
NY -> At21.job -> %SystemRoot%\tasks\At21.job
NY -> At22.job -> %SystemRoot%\tasks\At22.job
NY -> At23.job -> %SystemRoot%\tasks\At23.job
NY -> At24.job -> %SystemRoot%\tasks\At24.job
NY -> At25.job -> %SystemRoot%\tasks\At25.job
NY -> At26.job -> %SystemRoot%\tasks\At26.job
NY -> At27.job -> %SystemRoot%\tasks\At27.job
NY -> At28.job -> %SystemRoot%\tasks\At28.job
NY -> At29.job -> %SystemRoot%\tasks\At29.job
NY -> At3.job -> %SystemRoot%\tasks\At3.job
NY -> At30.job -> %SystemRoot%\tasks\At30.job
NY -> At31.job -> %SystemRoot%\tasks\At31.job
NY -> At32.job -> %SystemRoot%\tasks\At32.job
NY -> At33.job -> %SystemRoot%\tasks\At33.job
NY -> At34.job -> %SystemRoot%\tasks\At34.job
NY -> At35.job -> %SystemRoot%\tasks\At35.job
NY -> At36.job -> %SystemRoot%\tasks\At36.job
NY -> At37.job -> %SystemRoot%\tasks\At37.job
NY -> At38.job -> %SystemRoot%\tasks\At38.job
NY -> At39.job -> %SystemRoot%\tasks\At39.job
NY -> At4.job -> %SystemRoot%\tasks\At4.job
NY -> At40.job -> %SystemRoot%\tasks\At40.job
NY -> At41.job -> %SystemRoot%\tasks\At41.job
NY -> At42.job -> %SystemRoot%\tasks\At42.job
NY -> At43.job -> %SystemRoot%\tasks\At43.job
NY -> At44.job -> %SystemRoot%\tasks\At44.job
NY -> At45.job -> %SystemRoot%\tasks\At45.job
NY -> At46.job -> %SystemRoot%\tasks\At46.job
NY -> At47.job -> %SystemRoot%\tasks\At47.job
NY -> At48.job -> %SystemRoot%\tasks\At48.job
NY -> At5.job -> %SystemRoot%\tasks\At5.job
NY -> At6.job -> %SystemRoot%\tasks\At6.job
NY -> At7.job -> %SystemRoot%\tasks\At7.job
NY -> At8.job -> %SystemRoot%\tasks\At8.job
NY -> At9.job -> %SystemRoot%\tasks\At9.job
NY -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0
NY -> notifykeysB.com -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\notifykeysB.com
NY -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp
NY -> 79.exe -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\79.exe
NY -> cmdinst.exe -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\cmdinst.exe
NY -> CTPBSEQ.EXE -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\CTPBSEQ.EXE
NY -> mondrver_1110_nathan_old.exe -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\mondrver_1110_nathan_old.exe
NY -> orz.exe -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\orz.exe
NY -> wJQs.exe -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\wJQs.exe
NY -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0
NY -> FI.exe -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\FI.exe
NY -> MSClsid.exe -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\MSClsid.exe
NY -> Policies.exe -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\Policies.exe
NY -> WREGS.exe -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\WREGS.exe
NY -> IadHide5.dll -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\IadHide5.dll
NY -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0
NY -> SvcWhtDDS.dll -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\SvcWhtDDS.dll
NY -> SvcWhtDDSVista.dll -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\SvcWhtDDSVista.dll
NY -> 8hNyuW5P.dat -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\8hNyuW5P.dat
NY -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\2IQENZWG\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\2IQENZWG
NY -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\8X8KR62E\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\8X8KR62E
NY -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\CP0LZTQT\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\CP0LZTQT
NY -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\RX6G6G29\ -> C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\RX6G6G29
NY -> 8hNyuW5P.dat -> C:\WINDOWS\Temp\8hNyuW5P.dat
NY -> N5t20dSv.dat -> C:\WINDOWS\Temp\N5t20dSv.dat
NY -> Perflib_Perfdata_588.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_588.dat
NY -> pP2HD0u0.dat -> C:\WINDOWS\Temp\pP2HD0u0.dat
NY -> sS5KG3x3.dat -> C:\WINDOWS\Temp\sS5KG3x3.dat
NY -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CG8I0X7H\ -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CG8I0X7H
NY -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G50LZR5N\ -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G50LZR5N
NY -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GIZOJ1P5\ -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GIZOJ1P5
NY -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\XQSH2LUA\ -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\XQSH2LUA
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> 1 C:\Documents and Settings\Jason Salas\Desktop\*.tmp files -> C:\Documents and Settings\Jason Salas\Desktop\*.tmp
[Extra Files]
%SystemRoot%\tasks\*.job
Purity
[Empty Temp Folders]

Make sure you copy all the fix, you'll have to scan down inside the box above to get it all.

I've attached a copy of it as an attachment at the bottom Fix.txt

The fix should only take a very short time.
When it's completed either a message box will popup telling you that it's finished or you'll be asked to reboot to finish the fix.
- If it's finished :-
  - Click the Ok button and Notepad will open with a log.
  - Post that information back here please.
- If a reboot is required :-
  - Click the Yes button to reboot the machine.
  - After the reboot, OTScanIt will finish moving any files that could'nt be moved during the fix and NotePad will open with the final results.
  - Post that information back here please.

Next

- Click on the Malwarebytes' Anti-Malware icon to launch the programme.
- Click the Scanner tab.
  - Check Perform Full Scan.
  - Click Scan and wait for the scan to complete.
  - When the scan is complete, click OK, then Show Results.
  - Ensure all items are checked then click Remove Selected.
    - A box will pop-up telling you that files have been quarantined.
    - A log will pop-up.
  - Post the log in your next reply please.

You can also access the log by doing the following

Click on the Logs tab.
- Click on the log at the bottom of those listed to highlight it.
- Click Open

Finally

Run a new scan with HijackThis and post the log please.

Summary of the logs I need from you in your next post:
OTScanIt log

MBAM log

New HJT log

Please post each log separately to prevent them being cut off by the forum post size limiter.

jchilderssalas · 11-21-2008, 04:03 PM

Gary--thanks. Here's the info.

[Processes - Non-Microsoft Only]
Process iesvcmon.exe killed successfully.
C:\WINDOWS\SYSTEM32\iesvcmon.exe moved successfully.
Process gadcom.exe killed successfully.
C:\Documents and Settings\Jason Salas\Application Data\gadcom\gadcom.exe moved successfully.
Unable to kill process ojeiyoa.exe .
C:\Documents and Settings\Jason Salas\Application Data\Microsoft\Windows\ojeiyoa.exe moved successfully.
Unable to kill process speedrunner.exe .
C:\Documents and Settings\Jason Salas\Application Data\SpeedRunner\SpeedRunner.exe moved successfully.
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\iesvcmon deleted successfully.
File C:\WINDOWS\SYSTEM32\iesvcmon.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\\~EmptyValue deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\gadcom deleted successfully.
File C:\Documents and Settings\Jason Salas\Application Data\gadcom\gadcom.exe not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SfKg6wIP deleted successfully.
File C:\Documents and Settings\Jason Salas\Application Data\Microsoft\Windows\ojeiyoa.exe not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SpeedRunner deleted successfully.
File C:\Documents and Settings\Jason Salas\Application Data\SpeedRunner\SpeedRunner.exe not found.
Registry value HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\gadcom not found.
File C:\Documents and Settings\Jason Salas\Application Data\gadcom\gadcom.exe not found.
Registry value HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SfKg6wIP not found.
File C:\Documents and Settings\Jason Salas\Application Data\Microsoft\Windows\ojeiyoa.exe not found.
Registry value HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SpeedRunner not found.
File C:\Documents and Settings\Jason Salas\Application Data\SpeedRunner\SpeedRunner.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:jzcxhe.dll deleted successfully.
C:\WINDOWS\SYSTEM32\jzcxhe.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{A63E645F-13BD-45ED-B15F-6E8C1BD57279} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A63E645F-13BD-45ED-B15F-6E8C1BD57279}\ deleted successfully.
File move failed. C:\WINDOWS\SYSTEM32\byXOhGvu.dll scheduled to be moved on reboot.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\WINDOWS\Nail.exe deleted successfully.
File C:\WINDOWS\Nail.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\\Local Page deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\\Local Page deleted successfully.
Registry key HKEY_USERS\1-5-21-1544435123-3516180548-2941355249-1006\SOFTWARE\Microsoft\Internet Explorer\Main not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{418141f6-f4f2-417b-9480-deaa98afad55}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{418141f6-f4f2-417b-9480-deaa98afad55}\ deleted successfully.
File C:\WINDOWS\SYSTEM32\jzcxhe.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8D6A2B83-6ADB-4B5C-AAD3-DC6D49E8935F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D6A2B83-6ADB-4B5C-AAD3-DC6D49E8935F}\ deleted successfully.
C:\WINDOWS\SYSTEM32\yayaBSIX.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}\ deleted successfully.
C:\WINDOWS\SYSTEM32\M5s20cRu.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A63E645F-13BD-45ED-B15F-6E8C1BD57279}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A63E645F-13BD-45ED-B15F-6E8C1BD57279}\ not found.
File move failed. C:\WINDOWS\SYSTEM32\byXOhGvu.dll scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ deleted successfully.
C:\Program Files\Yahoo!\Messenger\yhexbmes.dll moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{804DB5C7-31E6-4885-850A-F1941B58A4C7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{804DB5C7-31E6-4885-850A-F1941B58A4C7}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}\ not found.
Registry value HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{804DB5C7-31E6-4885-850A-F1941B58A4C7} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{804DB5C7-31E6-4885-850A-F1941B58A4C7}\ not found.
Registry value HKEY_USERS\S-1-5-21-1544435123-3516180548-2941355249-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{E023F504-0C5A-4750-A1E7-A9046DEA8A21} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{E023F504-0C5A-4750-A1E7-A9046DEA8A21} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ not found.
Starting removal of ActiveX control {33564D57-9980-0010-8000-00AA00389B71}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33564D57-9980-0010-8000-00AA00389B71}\Contains\Files\ not found.
C:\WINDOWS\Downloaded Program Files\wmv9dmo.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-9980-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}\Contains\Files\ not found.
not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\Contains\Files\ not found.
not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Starting removal of ActiveX control {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0}\Contains\Files\ not found.
C:\WINDOWS\Downloaded Program Files\SETUP.INF not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DS3.dll\\.Owner deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1018.dll\\.Owner deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1100.dll\\.Owner deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/iSetup.dll\\.Owner deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/iSetup.exe\\.Owner deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SSCHECK.DLL\\.Owner deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SyncroAdX.dll\\.Owner deleted successfully.
[Registry - Additional Scans - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\WINDOWS\system32\yayaBSIX deleted successfully.
File C:\WINDOWS\SYSTEM32\yayaBSIX.dll not found.
[Files/Folders - Created Within 30 days]
C:\WINDOWS\System32\akmsifwx.dll moved successfully.
File move failed. C:\WINDOWS\System32\byXOhGvu.dll scheduled to be moved on reboot.
C:\WINDOWS\System32\cont_adsoftinc-remove.exe moved successfully.
C:\WINDOWS\System32\ddcCVonk.dll moved successfully.
C:\WINDOWS\System32\ekpdequs.ini moved successfully.
C:\WINDOWS\System32\epgxpxxv.dll moved successfully.
C:\WINDOWS\System32\hdshutoi.dll moved successfully.
C:\WINDOWS\System32\hgGyxWQK.dll moved successfully.
C:\WINDOWS\System32\hnfittqtgdk.dll moved successfully.
File C:\WINDOWS\System32\iesvcmon.exe not found!
File C:\WINDOWS\System32\jzcxhe.dll not found!
C:\WINDOWS\System32\kdstmnfc.dll moved successfully.
C:\WINDOWS\System32\ldhnpg.dll moved successfully.
C:\WINDOWS\System32\lvyqzp.dll moved successfully.
C:\WINDOWS\System32\msansspc.dll moved successfully.
C:\WINDOWS\System32\nsq3EA.dll moved successfully.
C:\WINDOWS\System32\ptsmhk.dll moved successfully.
C:\WINDOWS\System32\qoMccCsS.dll moved successfully.
C:\WINDOWS\System32\rgvlalld.dll moved successfully.
C:\WINDOWS\System32\texpzbixgvrydzo.exe moved successfully.
C:\WINDOWS\System32\thsncwlb.dll moved successfully.
C:\WINDOWS\System32\vtbtmyki.ini moved successfully.
C:\WINDOWS\System32\vtUomnOF.dll moved successfully.
C:\WINDOWS\System32\wciursxt.dll moved successfully.
File move failed. C:\WINDOWS\System32\XISBayay.ini scheduled to be moved on reboot.
C:\WINDOWS\System32\XISBayay.ini2 moved successfully.
C:\WINDOWS\System32\xwfismka.ini moved successfully.
File C:\WINDOWS\System32\yayaBSIX.dll not found!
C:\WINDOWS\System32\yayxwVpp.dll moved successfully.
C:\WINDOWS\SmFzb24gU2FsYXM folder moved successfully.
[Files Created - Additional Folder Scans - Non-Microsoft Only]
C:\Documents and Settings\Jason Salas\Application Data\gadcom folder moved successfully.
C:\Documents and Settings\Jason Salas\Application Data\SpeedRunner folder moved successfully.
C:\Program Files\Mjcore folder moved successfully.
[Files/Folders - Modified Within 30 days]
File C:\WINDOWS\System32\akmsifwx.dll not found!
File move failed. C:\WINDOWS\System32\byXOhGvu.dll scheduled to be moved on reboot.
File C:\WINDOWS\System32\cont_adsoftinc-remove.exe not found!
File C:\WINDOWS\System32\ddcCVonk.dll not found!
File C:\WINDOWS\System32\ekpdequs.ini not found!
File C:\WINDOWS\System32\epgxpxxv.dll not found!
C:\WINDOWS\System32\gpvntx.dll moved successfully.
File C:\WINDOWS\System32\hdshutoi.dll not found!
File C:\WINDOWS\System32\hgGyxWQK.dll not found!
File C:\WINDOWS\System32\hnfittqtgdk.dll not found!
File C:\WINDOWS\System32\iesvcmon.exe not found!
C:\WINDOWS\System32\iotuhsdh.ini moved successfully.
File C:\WINDOWS\System32\jzcxhe.dll not found!
File C:\WINDOWS\System32\kdstmnfc.dll not found!
File C:\WINDOWS\System32\ldhnpg.dll not found!
File C:\WINDOWS\System32\lvyqzp.dll not found!
File C:\WINDOWS\System32\msansspc.dll not found!
File C:\WINDOWS\System32\nsq3EA.dll not found!
File C:\WINDOWS\System32\ptsmhk.dll not found!
File C:\WINDOWS\System32\qoMccCsS.dll not found!
File C:\WINDOWS\System32\rgvlalld.dll not found!
File C:\WINDOWS\System32\texpzbixgvrydzo.exe not found!
File C:\WINDOWS\System32\thsncwlb.dll not found!
File C:\WINDOWS\System32\vtbtmyki.ini not found!
File C:\WINDOWS\System32\vtUomnOF.dll not found!
File C:\WINDOWS\System32\wciursxt.dll not found!
C:\WINDOWS\System32\XISBayay.ini moved successfully.
File C:\WINDOWS\System32\XISBayay.ini2 not found!
File C:\WINDOWS\System32\xwfismka.ini not found!
File C:\WINDOWS\System32\yayaBSIX.dll not found!
File C:\WINDOWS\System32\yayxwVpp.dll not found!
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At25.job moved successfully.
C:\WINDOWS\tasks\At26.job moved successfully.
C:\WINDOWS\tasks\At27.job moved successfully.
C:\WINDOWS\tasks\At28.job moved successfully.
C:\WINDOWS\tasks\At29.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At30.job moved successfully.
C:\WINDOWS\tasks\At31.job moved successfully.
C:\WINDOWS\tasks\At32.job moved successfully.
C:\WINDOWS\tasks\At33.job moved successfully.
C:\WINDOWS\tasks\At34.job moved successfully.
C:\WINDOWS\tasks\At35.job moved successfully.
C:\WINDOWS\tasks\At36.job moved successfully.
C:\WINDOWS\tasks\At37.job moved successfully.
C:\WINDOWS\tasks\At38.job moved successfully.
C:\WINDOWS\tasks\At39.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At40.job moved successfully.
C:\WINDOWS\tasks\At41.job moved successfully.
C:\WINDOWS\tasks\At42.job moved successfully.
C:\WINDOWS\tasks\At43.job moved successfully.
C:\WINDOWS\tasks\At44.job moved successfully.
C:\WINDOWS\tasks\At45.job moved successfully.
C:\WINDOWS\tasks\At46.job moved successfully.
C:\WINDOWS\tasks\At47.job moved successfully.
C:\WINDOWS\tasks\At48.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0 folder moved successfully.
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\notifykeysB.com not found!
C:\Documents and Settings\Jason Salas\Local Settings\Temp\vwpt\acropro folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\vwpt folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\VBE folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\RX6G6G29 folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\CP0LZTQT folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\8X8KR62E folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\2IQENZWG folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5 folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Directory 1 for singalong.zip folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Directory 1 for frustrated_Print.zip folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Directory 1 for contentchef.zip\contentchef folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Directory 1 for contentchef.zip folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\plugtmp-128 folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\plugtmp-127 folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\plugtmp-126 folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\plugtmp folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\msohtml1\01 folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\msohtml1 folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\msohtml folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\History\History.IE5 folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\History folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\Cookies folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\CabGeneric\DirOne\water folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\CabGeneric\DirOne\earth folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\CabGeneric\DirOne folder moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp\CabGeneric folder moved successfully.
Folder move failed. C:\Documents and Settings\Jason Salas\Local Settings\Temp scheduled to be moved on reboot.
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\79.exe not found!
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\cmdinst.exe not found!
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\CTPBSEQ.EXE not found!
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\mondrver_1110_nathan_old.exe not found!
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\orz.exe not found!
C:\Documents and Settings\Jason Salas\Local Settings\Temp\wJQs.exe moved successfully.
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0 not found!
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\FI.exe not found!
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\MSClsid.exe not found!
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\Policies.exe not found!
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\WREGS.exe not found!
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\IadHide5.dll not found!
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0 not found!
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\SvcWhtDDS.dll not found!
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\RarSFX0\SvcWhtDDSVista.dll not found!
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\8hNyuW5P.dat not found!
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\2IQENZWG not found!
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\8X8KR62E not found!
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\CP0LZTQT not found!
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\Temporary Internet Files\Content.IE5\RX6G6G29 not found!
C:\WINDOWS\Temp\8hNyuW5P.dat moved successfully.
C:\WINDOWS\Temp\N5t20dSv.dat moved successfully.
C:\WINDOWS\Temp\Perflib_Perfdata_588.dat moved successfully.
C:\WINDOWS\Temp\pP2HD0u0.dat moved successfully.
C:\WINDOWS\Temp\sS5KG3x3.dat moved successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CG8I0X7H folder moved successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G50LZR5N folder moved successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GIZOJ1P5 folder moved successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\XQSH2LUA folder moved successfully.
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
[Extra Files]
< %SystemRoot%\tasks\*.job >
C:\WINDOWS\tasks\AppleSoftwareUpdate.job moved successfully.
C:\WINDOWS\tasks\Pareto UNS.job moved successfully.
C:\WINDOWS\tasks\ParetoLogic Anti-Spyware.job moved successfully.
C:\WINDOWS\tasks\ParetoLogic Update.job moved successfully.
C:\WINDOWS\tasks\XoftSpySE 2.job moved successfully.
C:\WINDOWS\tasks\XoftSpySE.job moved successfully.
< Purity >
C:\Program Files\InetGet2 folder moved successfully.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Jason Salas\Local Settings\Temp\sqlite_baF0JpdHtAIrtOj scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jason Salas\Local Settings\Temp\~DFDF10.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Jason Salas\Local Settings\Application Data\Mozilla\Firefox\Profiles\nme8com7.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jason Salas\Local Settings\Application Data\Mozilla\Firefox\Profiles\nme8com7.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jason Salas\Local Settings\Application Data\Mozilla\Firefox\Profiles\nme8com7.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jason Salas\Local Settings\Application Data\Mozilla\Firefox\Profiles\nme8com7.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jason Salas\Local Settings\Application Data\Mozilla\Firefox\Profiles\nme8com7.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.19.0 fix logfile created on 11212008_150020

Files moved on Reboot...
File move failed. C:\WINDOWS\SYSTEM32\byXOhGvu.dll scheduled to be moved on reboot.
C:\WINDOWS\System32\XISBayay.ini moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Temp folder moved successfully.
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\sqlite_baF0JpdHtAIrtOj not found!
File C:\Documents and Settings\Jason Salas\Local Settings\Temp\~DFDF10.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be moved on reboot.
C:\Documents and Settings\Jason Salas\Local Settings\Application Data\Mozilla\Firefox\Profiles\nme8com7.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Application Data\Mozilla\Firefox\Profiles\nme8com7.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Application Data\Mozilla\Firefox\Profiles\nme8com7.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Application Data\Mozilla\Firefox\Profiles\nme8com7.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Jason Salas\Local Settings\Application Data\Mozilla\Firefox\Profiles\nme8com7.default\XUL.mfl moved successfully.

jchilderssalas · 11-21-2008, 04:20 PM

Malwarebytes' Anti-Malware 1.30
Database version: 1414
Windows 5.1.2600 Service Pack 3

11/21/2008 5:39:34 PM
mbam-log-2008-11-21 (17-39-34).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|G:\|)
Objects scanned: 137455
Time elapsed: 2 hour(s), 20 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 35
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 9
Files Infected: 62

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\byXOhGvu.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxohgvu (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{e81cf86b-f683-422a-b742-3f2427ea9d6a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpeedRunner (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpeedRunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\404Search (Adware.404Search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\Network Monitor (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetPack (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\byXOhGvu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Jason Salas\Application Data\Twain\Twain.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\srff.dll (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1957\A0160225.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1957\A0160236.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1957\A0160255.dll (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1958\A0160295.exe () -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1959\A0160309.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1959\A0160312.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1959\A0160400.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1960\A0160450.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1960\A0160451.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1960\A0160452.exe (Adware.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1960\A0160466.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1871\A0150799.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\11212008_150020\C_Documents and Settings\Jason Salas\Application Data\Microsoft\Windows\ojeiyoa.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\11212008_150020\C_Documents and Settings\Jason Salas\Application Data\SpeedRunner\SpeedRunner.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\11212008_150020\C_Documents and Settings\Jason Salas\Local Settings\Temp\cmdinst.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\11212008_150020\C_WINDOWS\SmFzb24gU2FsYXM\asappsrv.dll (Adware.CommAd) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\11212008_150020\C_WINDOWS\SYSTEM32\ddcCVonk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\11212008_150020\C_WINDOWS\SYSTEM32\epgxpxxv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\11212008_150020\C_WINDOWS\SYSTEM32\gpvntx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\11212008_150020\C_WINDOWS\SYSTEM32\hdshutoi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\11212008_150020\C_WINDOWS\SYSTEM32\hgGyxWQK.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\11212008_150020\C_WINDOWS\SYSTEM32\kdstmnfc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\11212008_150020\C_WINDOWS\SYSTEM32\lvyqzp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\11212008_150020\C_WINDOWS\SYSTEM32\M5s20cRu.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\11212008_150020\C_WINDOWS\SYSTEM32\ptsmhk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\11212008_150020\C_WINDOWS\SYSTEM32\qoMccCsS.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\11212008_150020\C_WINDOWS\SYSTEM32\rgvlalld.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\11212008_150020\C_WINDOWS\SYSTEM32\vtUomnOF.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\11212008_150020\C_WINDOWS\SYSTEM32\yayaBSIX.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTScanIt\MovedFiles\11212008_150020\C_WINDOWS\SYSTEM32\yayxwVpp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\404Search\s.dat (Adware.404Search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\bubble.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\bubble16.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\celebs.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\ebay.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\ebaysm.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\ErrorLog.txt (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\games.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\gotb.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\highlight.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\hotstuff.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\hotstuffsm.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\movies.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\music.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\news.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\ngames.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\radio.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\REALBARTB0115.cfg (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\sports.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\GetPack\dictame.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetPack\GetPack24.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetPack\trgtame.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\Btg270h1.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mM5EA3r3.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

jchilderssalas · 11-21-2008, 04:21 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:13 PM, on 11/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\AOL\1135805068\ee\AOLSoftware.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
C:\Program Files\X3watchpro\x3watchpro.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\V0410Mon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\slide\slide.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\hi jack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {8D6A2B83-6ADB-4B5C-AAD3-DC6D49E8935F} - C:\WINDOWS\system32\yayaBSIX.dll (file missing)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135805068\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"
O4 - HKLM\..\Run: [x3watchpro] C:\Program Files\X3watchpro\x3watchpro.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [V0410Mon.exe] C:\WINDOWS\V0410Mon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [slide.exe] c:\program files\slide\slide.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: cespy.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activation.rr.com/install...ad/tgctlcm.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1219367284921
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...87/mcfscan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\\aolserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 9808 bytes

Gary R · 11-22-2008, 01:12 AM

OK, looking a whole lot better, still some work to do.

First

If you haven't already done it, re-start your computer. This is necessary to remove some files which are locked into running processes and have been scheduled to be removed when you re-boot your computer.

Next

Run a scan with HJT and when finished check the following items (if found).

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {8D6A2B83-6ADB-4B5C-AAD3-DC6D49E8935F} - C:\WINDOWS\system32\yayaBSIX.dll (file missing)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)

Now close all open windows and click Fix Checked to remove them.

Next

There's an indication on your computer that you have

Quote:

CovenantEyes "internet accountability" software. Surveillance software that tracks all activities, logs keystrokes, etc.

http://www.covenanteyes.com/about.php

Did you install this, or do you know why it's on your computer?

Next

I'd like you to check a file for Viruses.

Go to VirusTotal or Jotti's

Quote:

C:\WINDOWS\V0410Mon.exe

Copy/Paste the filepath in the quote box above into the white Upload a file box.
Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
After a while, a window will open, with details of what the scans found.
Note details of any viruses found.
Post me the details please.

Next

Update Malwarebytes' Anti-Malware, then run a new scan, please post me the log.

Next

I need you to run an online scan for me

Please go to Kaspersky Online Scanner.
Read through the requirements and privacy statement and click on the Accept button.
It will start downloading and installing the scanner and virus definitions.
- You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they're not, please tick them and click on the Save button:
- Spyware, Adware, Dialers and other potentially dangerous programs.
- Mail databases.
Under Scan, click on My Computer.
Once the scan is complete, it will display the results.
- Click on View Scan Report.
You will see a list of infected items.
- Click the Save Report As... button (see red arrow below)
- In the Save as... prompt, select Desktop
- In the File name box, name the file KAVScan
- In the Save as type prompt, select Text file (see below)
- Copy and paste that information in your next post please.

Finally

Run a new HJT scan and post me the log please.

Summary of the logs I need from you in your next post:
Virus Total or Jotti's results.

New MBAM log

Kaspersky log

New HJT log

Please post each log separately to prevent them being cut off by the forum post size limiter.

How's your computer running now?

jchilderssalas · 11-22-2008, 12:13 PM

Gary,

When I followed directions for the VirusTotal I received this message:

File has already been analysed:
MD5: 9d294186f5246f0a207e57533b31e919
First received: 02.05.2008 16:58:30 (CET)
Date: 11.21.2008 16:58:43 (CET) [+1D]
Results: 0/37
Permalink: analisis/026c81644b938996963a8573fff3094

Then, when I clicked on the "permalink," I got this:

File V0410Mon.exe received on 11.21.2008 16:55:44 (CET)
Current status: finished
Result: 0/37 (0.00%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.11.21.0 2008.11.21 -
AntiVir 7.9.0.35 2008.11.21 -
Authentium 5.1.0.4 2008.11.20 -
Avast 4.8.1281.0 2008.11.20 -
AVG 8.0.0.199 2008.11.21 -
BitDefender 7.2 2008.11.21 -
CAT-QuickHeal 10.00 2008.11.21 -
ClamAV 0.94.1 2008.11.21 -
DrWeb 4.44.0.09170 2008.11.21 -
eSafe 7.0.17.0 2008.11.19 -
eTrust-Vet 31.6.6221 2008.11.21 -
Ewido 4.0 2008.11.21 -
F-Prot 4.4.4.56 2008.11.21 -
F-Secure 8.0.14332.0 2008.11.21 -
Fortinet 3.117.0.0 2008.11.21 -
GData 19 2008.11.21 -
Ikarus T3.1.1.45.0 2008.11.21 -
K7AntiVirus 7.10.530 2008.11.21 -
Kaspersky 7.0.0.125 2008.11.21 -
McAfee 5440 2008.11.20 -
McAfee+Artemis 5440 2008.11.20 -
Microsoft 1.4104 2008.11.21 -
NOD32 3631 2008.11.21 -
Norman 5.80.02 2008.11.20 -
Panda 9.0.0.4 2008.11.20 -
PCTools 4.4.2.0 2008.11.21 -
Prevx1 V2 2008.11.21 -
Rising 21.04.42.00 2008.11.21 -
SecureWeb-Gateway 6.7.6 2008.11.21 -
Sophos 4.35.0 2008.11.21 -
Sunbelt 3.1.1823.2 2008.11.21 -
Symantec 10 2008.11.21 -
TheHacker 6.3.1.1.159 2008.11.19 -
TrendMicro 8.700.0.1004 2008.11.21 -
VBA32 3.12.8.9 2008.11.20 -
ViRobot 2008.11.18.1474 2008.11.18 -
VirusBuster 4.5.11.0 2008.11.21 -
Additional information
File size: 32768 bytes
MD5...: 9d294186f5246f0a207e57533b31e919
SHA1..: f9545c3a55610c8e5df366f13ddc3502effe78fd
SHA256: 733e8b5152280db48988ccdfe4e4fcd68c9d9ffdc77f66150a17b90183a002d2
SHA512: 6187ac6e278fb15c0405b1d86fb3275bf5362108612ffe580cfcdbd572be9df5
cf618ac804a7ee023179c78db79d8fcc6f0341b009d093cf2d02ecf004fe17ca
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x402d5e
timedatestamp.....: 0x4667b8a1 (Thu Jun 07 07:49:53 2007)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1fc4 0x2000 6.13 107ea2cb273c2954cd88b4fedfd53214
.rdata 0x3000 0x95a 0x1000 3.48 ff2c686df4ab8c73ed5e4fc0aeeb5473
.data 0x4000 0x1d4 0x1000 0.94 803736bb576fac5d034bcb25d5113041
.sxdata 0x5000 0x4 0x1000 0.00 e0f6821e0906d569a9a3e873c22c4d70
PAGECONS 0x6000 0x10 0x1000 0.05 b108dd9efebe4d7ac76987fad2d0aa36
.rsrc 0x7000 0x3b8 0x1000 0.95 9cbe73aa80a77746d976154b494d5d41

( 7 imports )
> KERNEL32.dll: Sleep, HeapFree, CreateFileA, DuplicateHandle, GetCurrentThread, GetCurrentProcess, lstrcatA, HeapAlloc, GetProcessHeap, GetTickCount, lstrcmpiA, lstrcpyA, lstrlenA, IsBadReadPtr, WaitForSingleObject, Process32Next, Process32First, CreateToolhelp32Snapshot, WaitForMultipleObjects, CreateMutexA, GetWindowsDirectoryA, GetFullPathNameA, GetModuleFileNameA, GetVersionExA, GetExitCodeProcess, CreateProcessA, ResetEvent, SetEvent, CreateEventA, GetLastError, OpenProcess, CloseHandle, GetStartupInfoA
> msvcrt.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, exit, _initterm, _cexit, _XcptFilter, _exit, _c_exit, _beginthread, _endthread, __getmainargs, _acmdln, __setusermatherr
> SHLWAPI.dll: StrStrIA
> SETUPAPI.dll: SetupDiEnumDeviceInterfaces, SetupDiGetDeviceRegistryPropertyA, SetupDiGetClassDevsExA, SetupDiEnumDeviceInfo, SetupDiGetClassDevsA, SetupDiDestroyDeviceInfoList, SetupDiGetDeviceInterfaceDetailA, SetupDiOpenDevRegKey
> USER32.dll: PostQuitMessage, GetWindowLongA, DispatchMessageA, TranslateMessage, IsDialogMessageA, IsWindow, GetMessageA, CreateDialogParamA, BroadcastSystemMessageA, RegisterWindowMessageA, DestroyWindow, PostMessageA, SetWindowLongA
> ADVAPI32.dll: RegCloseKey, RegSetValueExA, RegDeleteValueA, RegOpenKeyExA, RegQueryValueExA
> ksproxy.ax: KsSynchronousDeviceControl

( 0 exports )

Are these the details you needed for this scan?

jchilderssalas · 11-22-2008, 12:15 PM

As for Covenant Eyes, that was something we downloaded a long time ago, but we no longer use it....I didn't think it was still on the computer. When I attempted to remove the program a moment ago, a message came up saying I could permanently damage or injure something with the system if I attempted to remove it without the proper "Uninstall code." I am not sure what that is, so I just left it there. Is it important for me to remove this program?

Gary R · 11-22-2008, 12:43 PM

OK, no worries about V0410Mon.exe nothing bad showing there.

As for Covenant Eyes, because of its keylogging properties I just wanted to make sure it was something you'd installed yourself, and not something that your attacker had put on your machine.

No need to remove it I don't think.

Now if you can send me the other 3 logs I asked for in my last post, we'll see if there's anything else needs attention.

jchilderssalas · 11-22-2008, 02:04 PM

Malwarebytes' Anti-Malware 1.30
Database version: 1416
Windows 5.1.2600 Service Pack 3

11/22/2008 4:04:36 PM
mbam-log-2008-11-22 (16-04-36).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|G:\|)
Objects scanned: 138496
Time elapsed: 1 hour(s), 23 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1960\A0160535.sys (Trojan.Downloader) -> Quarantined and deleted successfully.

jchilderssalas · 11-22-2008, 02:35 PM

Gary, When I try to run the Kaspersky scan online, I keep getting an error message during the dowload process--before I get to the step when I can run the program.

It says: "Starting Java Applet has failed! Please go online to use this program."

I'm confused by this because I AM online. Any suggestions? Thanks.

Also, you asked how my computer is running....MUCH better! It is a lot faster and I've only had one pop-up all day.

I'll wait for directions before I move forward with the other scans. Thanks.

Gary R · 11-23-2008, 12:27 AM

OK, since you're having problems with Kaspersky, try the following.

Please do a scan with ESET Online Scanner
Note: The scan will only work with Internet Explorer

Check the box "Yes, I accept the Terms of Use" and click Start
Accept the ActiveX by clicking the yellow bar at the top.
Install the software when prompted.
Read the Welcome notice and then click Start to download the necessary components.
When download is complete, make sure Remove found threats stays Unchecked.
Click Start to begin the scan.
After the scan completes, the Details tab in the Results window will display what was found.
A file will also be saved at: C:/program files/esetonlinescanner/log.txt
Please post me the content of that file.