#1
Registered User
Join Date: Mar 2007
Posts: 10
OS: Windows XP
Help With Removal of Amaena
I think I'm infected with the Amaena virus worm. I keep getting pop-ups from WinPro Antivirus 2007, so I downloaded HijackThis and used it. Here's my log. If anyone could help me it would be appreciated very much.
Logfile of HijackThis v1.99.1
Scan saved at 4:59:04 PM, on 3/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bm...hoo&bm=yh_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {aea2e1cb-803e-4ab1-8380-405e85de1d0c} - C:\WINDOWS\system32\ipsC71.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\tmp3F.tmp.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\nnomkh.dll",setvm
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sd...SL/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1170972936624
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1170972923725
O17 - HKLM\System\CCS\Services\Tcpip\..\{C087977D-B0D0-4AAB-83CC-2364E68885C7}: NameServer = 192.168.2.1,192.168.2.3
O20 - Winlogon Notify: ipsC71 - C:\WINDOWS\SYSTEM32\ipsC71.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
#2
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,734
OS: 2000 Pro; XP Pro; XP Home
Re: Help With Removal of Amaena
Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.
---------------------------------------------------------------------------------------------
If you would be so kind as to do this: Please go to: VirusTotal
---------------------------------------------------------------------------------------------
Next, please do this: Download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.
What DSS will do:
---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
#3
Registered User
Join Date: Mar 2007
Posts: 10
OS: Windows XP
Re: Help With Removal of Amaena
Thank you very much for replying quickly. I have done what you told me to, and here are the results:
Antivirus Version Update Result
AhnLab-V3 2007.3.20.0 03.19.2007 no virus found
AntiVir 7.3.1.43 03.19.2007 no virus found
Authentium 4.93.8 03.20.2007 no virus found
Avast 4.7.936.0 03.19.2007 no virus found
AVG 7.5.0.447 03.19.2007 no virus found
BitDefender 7.2 03.20.2007 no virus found
CAT-QuickHeal 9.00 03.15.2007 no virus found
ClamAV devel-20070312 03.20.2007 no virus found
DrWeb 4.33 03.19.2007 no virus found
eSafe 7.0.14.0 03.19.2007 no virus found
eTrust-Vet 30.6.3491 03.19.2007 no virus found
Ewido 4.0 03.19.2007 no virus found
FileAdvisor 1 03.20.2007 no virus found
Fortinet 2.85.0.0 03.19.2007 suspicious
F-Prot 4.3.1.45 03.19.2007 no virus found
F-Secure 6.70.13030.0 03.19.2007 no virus found
Ikarus T3.1.1.3 03.19.2007 no virus found
Kaspersky 4.0.2.24 03.20.2007 no virus found
McAfee 4987 03.19.2007 no virus found
Microsoft 1.2306 03.20.2007 no virus found
NOD32v2 2128 03.19.2007 no virus found
Norman 5.80.02 03.19.2007 no virus found
Panda 9.0.0.4 03.19.2007 Suspicious file
Prevx1 V2 03.20.2007 Polynomial.Code.Exploit
Sophos 4.15.0 03.13.2007 no virus found
Sunbelt 2.2.907.0 03.16.2007 VIPRE.Suspicious
Symantec 10 03.20.2007 no virus found
TheHacker 6.1.6.077 03.19.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.2 03.19.2007 no virus found
VirusBuster 4.3.7:9 03.19.2007 Packed/Upack

Aditional Information
File size: 19691 bytes
MD5: 8bfa882e7879e77f2e59a759767d4bd2
SHA1: 2219bd0f552e20cb135194b85df1bb3eaddab8e5
packers: UPack
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=cf7083439737
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

Deckard's System Scanner v20070318.32
Run by Phil on 2007-03-19 at 21:43:29

Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
59: 2007-03-20 02:43:43 UTC - RP75 - Deckard's System Scanner Restore Point
58: 2007-03-19 05:40:56 UTC - RP74 - System Checkpoint
57: 2007-03-18 04:59:06 UTC - RP73 - ComboScan Restore Point
56: 2007-03-18 04:49:22 UTC - RP72 - Software Distribution Service 2.0
55: 2007-03-17 23:17:00 UTC - RP71 - Installed Ad-Aware SE Personal

-- First Restore Point --
1: 2007-02-03 00:54:02 UTC - RP17 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Phil.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:44:28 PM, on 3/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Phil\Desktop\dss.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\PROGRA~1\HIJACK~1\Phil.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bm...hoo&bm=yh_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {aea2e1cb-803e-4ab1-8380-405e85de1d0c} - C:\WINDOWS\system32\ipsC71.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IESet] "IExplorer.dll .dbt"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [IESet] "IExplorer.dll .dbt"
O4 - HKCU\..\Run: [IESet] "IExplorer.dll .dbt"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemydsl.verizon.net/sd...SL/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1170972936624
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1170972923725
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C087977D-B0D0-4AAB-83CC-2364E68885C7}: NameServer = 192.168.2.1,192.168.2.3
O20 - Winlogon Notify: ipsC71 - C:\WINDOWS\SYSTEM32\ipsC71.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

-- File Associations -----------------------------------------------------------

.ini - inifile - NOTEDAD.EXE %1
.txt - txtfile - NOTEDAD.EXE %1

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 SSFS0509 (Spy Sweeper File System Filer Driver: 0509) - c:\windows\system32\drivers\ssfs0509.sys
R0 SSHRMD (Spy Sweeper Hookrack MiniDriver) - c:\windows\system32\drivers\sshrmd.sys
R0 SSIDRV (Spy Sweeper Interdiction Driver) - c:\windows\system32\drivers\ssidrv.sys
R1 nod32drv - c:\windows\system32\drivers\nod32drv.sys
R1 OMCI - c:\windows\system32\drivers\omci.sys
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys
R2 AMON - c:\windows\system32\drivers\amon.sys
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys
R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys
R3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys
R3 HSFHWICH - c:\windows\system32\drivers\hsfhwich.sys
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys
R3 SSKBFD (Webroot Spy Sweeper Keylogger Shield Keyboard Filter) - c:\windows\system32\drivers\sskbfd.sys
R3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys
S3 ac97intc (Intel(r) 82801 Audio Driver Install Service (WDM)) - c:\windows\system32\drivers\ac97intc.sys
S3 AnyDVD - c:\windows\system32\drivers\anydvd.sys
S3 hamachi_oem (PlayLinc Adapter) - c:\windows\system32\drivers\gan_adapter.sys
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe

-- Scheduled Tasks -------------------------------------------------------------

2007-03-19 07 04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>

-- Files created between 2007-02-19 and 2007-03-19 -----------------------------

2007-03-18 14:03:19 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\Webroot
2007-03-18 14:03:06 21056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-03-18 14:03:06 128064 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-03-18 14:03:06 21568 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-03-18 14:03:06 20544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-03-18 14:03:00 0 d-------- C:\Program Files\Webroot
2007-03-18 14:03:00 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Webroot
2007-03-18 12:48:14 0 d-------- C:\Documents and Settings\Phil\Application Data\Webroot
2007-03-18 11:07:41 299392 --a------ C:\WINDOWS\system32\imon.dll
2007-03-18 11:07:40 15424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-03-18 11:07:40 512096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-03-18 10:54:36 155648 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-03-18 10:54:36 684032 --a------ C:\WINDOWS\system32\libeay32.dll
2007-03-17 23:51:28 0 d-------- C:\WINDOWS\system32\PreInstall<PREINS~1>
2007-03-17 23:51:23 0 d--h----- C:\WINDOWS\$hf_mig$
2007-03-17 23:31:18 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~3>
2007-03-17 23:30:49 2062665 --a------ C:\spywareguardsetup.exe<SPYWAR~2.EXE>
2007-03-17 23:26:55 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~2>
2007-03-17 23:26:21 2566736 --a------ C:\spywareblastersetup351.exe<SPYWAR~1.EXE>
2007-03-17 22:02:23 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-03-17 21:29:51 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-03-17 21:21:40 0 d-------- C:\Documents and Settings\Phil\Application Data\Motive
2007-03-17 18:17:08 0 d-------- C:\Documents and Settings\Phil\Application Data\Lavasoft
2007-03-17 18:16:35 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-03-17 18 16 0 --a------ C:\WINDOWS\nsreg.dat
2007-03-17 17:24:22 116952 --a------ C:\sysbqdg.exe
2007-03-17 17:18:45 36864 --a------ C:\WINDOWS\system32\Explorer.exe
2007-03-17 16:53:34 488144 --a------ C:\HJTsetup.exe
2007-03-16 17:40:47 19691 --a------ C:\WINDOWS\system32\ipsC71.dll
2007-03-16 17:40:46 27188 --a------ C:\WINDOWS\system32\geedb.exe
2007-03-16 17:35:45 8535 --a------ C:\WINDOWS\system32\awtrpop.dll
2007-03-15 16:51:03 0 d-------- C:\Program Files\Smart Projects<SMARTP~1>
2007-03-07 20:20:35 0 d-------- C:\Program Files\Apple Software Update<APPLES~1>
2007-03-02 19:24:56 0 d-------- C:\Documents and Settings\Phil\Application Data\Google
2007-03-02 19:15:41 0 d-------- C:\Documents and Settings\Phil\Application Data\Adobe
2007-03-02 19:12:54 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Adobe
2007-03-02 19:11:16 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google
2007-03-02 16:16:19 0 d-------- C:\Documents and Settings\Phil\Application Data\Intuit
2007-03-02 16:15:42 0 d-------- C:\Program Files\ItsDeductible2006<ITSDED~2>
2007-03-02 16:14:20 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Intuit
2007-03-02 16:13:36 1716297 -----n--- C:\WINDOWS\system32\InetClnt.dll
2007-03-02 16:12:18 0 d-------- C:\Documents and Settings\Phil\Application Data\InstallShield<INSTAL~1>

-- Find3M Report ---------------------------------------------------------------

2007-03-19 21:44:02 0 d-------- C:\Documents and Settings\Phil\Application Data\uTorrent
2007-03-19 16:30:56 0 d-------- C:\Program Files\iTunes
2007-03-19 16:30:30 0 d-------- C:\Program Files\iPod
2007-03-19 16:28:18 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-18 12:46:19 0 d-------- C:\Program Files\Common Files\M?crosoft
2007-03-18 12:21:33 0 d-------- C:\Program Files\Common Files\?ppPatch
2007-03-18 12:21:23 0 d-------- C:\Program Files\Common Files\{28392580-095F-1033-0423-030210040001}<{28392~1>
2007-03-18 12:21:15 0 d-------- C:\Program Files\Common Files\{38392580-095F-1033-0423-030210040001}<{38392~1>
2007-03-18 11:04:53 12038580 --a------ C:\Program Files\NOD32[1].Antivirus.System.v2.70.16_-_FINAL.rar<NOD32_~1.RAR>
2007-03-18 10:53:31 13410729 --a------ C:\Program Files\WRSS4Flz.rar
2007-03-18 00:30:01 0 d-------- C:\Program Files\GamePark
2007-03-17 22:25:50 0 d-------- C:\Program Files\Google
2007-03-17 18 09 0 d-------- C:\Documents and Settings\Phil\Application Data\Mozilla
2007-03-16 13:36:08 0 d-------- C:\Documents and Settings\Phil\Application Data\Vso
2007-03-15 15:32:01 0 d-------- C:\Documents and Settings\Phil\Application Data\Ahead
2007-03-05 20:19:10 0 d-------- C:\Program Files\Verizon
2007-03-02 19:14:12 0 d-------- C:\Program Files\Common Files\Adobe
2007-03-02 16:05:16 0 d-------- C:\Program Files\TurboTax
2007-02-15 20:44:24 0 d-------- C:\Program Files\XAimer
2007-02-11 02:02:41 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-02-11 01:49:46 0 d-------- C:\Program Files\CCleaner
2007-02-09 16:18:50 0 d---s---- C:\Documents and Settings\Phil\Application Data\Microsoft<MICROS~1>
2007-02-09 16:18:44 0 d-------- C:\Program Files\Bamboo Technology<BAMBOO~1>
2007-02-09 15:41:46 34 --a------ C:\Documents and Settings\Phil\Application Data\pcouffin.log
2007-02-09 15:41:27 47360 --a------ C:\Documents and Settings\Phil\Application Data\pcouffin.sys
2007-02-09 15:41:27 7176 --a------ C:\Documents and Settings\Phil\Application Data\pcouffin.cat
2007-02-09 15:41:27 81920 --a------ C:\Documents and Settings\Phil\Application Data\ezpinst.exe
2007-02-09 15:41:26 1144 --a------ C:\Documents and Settings\Phil\Application Data\pcouffin.inf
2007-02-08 21:02:56 0 d-------- C:\Documents and Settings\Phil\Application Data\Pinnacle Systems<PINNAC~1>
2007-02-08 20:52:26 0 d-------- C:\Program Files\PlayLinc
2007-02-08 19:46:37 95 --a------ C:\AUTOEXEC.BAT
2007-02-08 19:35:41 2683984 --a------ C:\Program Files\ccsetup137.exe<CCSETU~1.EXE>
2007-02-08 19:09:42 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-02-08 19:04:02 0 d-------- C:\Program Files\Movie Maker<MOVIEM~1>
2007-02-08 19:03:41 0 d-------- C:\Program Files\Windows NT<WINDOW~1>
2007-02-08 18:58:32 250032 -rahs---- C:\ntldr
2007-02-08 17:16:22 0 d--h----- C:\Program Files\WindowsUpdate<WINDOW~3>
2007-02-05 08:31:10 0 d-------- C:\Program Files\PokerRoom.com<POKERR~1.COM>
2007-02-04 20:49:41 0 d-------- C:\Program Files\SupportSoft<SUPPOR~1>
2007-01-27 13 33 0 d-------- C:\Documents and Settings\Phil\Application Data\Nero
2007-01-27 13:02:59 0 d-------- C:\Documents and Settings\Phil\Application Data\SlySoft
2007-01-27 12:59:09 0 d-------- C:\Program Files\SlySoft
2007-01-27 12:58:32 0 d-------- C:\Program Files\AnyDVD 6[1].1.1.0 Beta<ANYDVD~1.0BE>
2007-01-27 12:58:08 1284302 --a------ C:\Program Files\AnyDVD 6[1].1.1.0 Beta.rar<ANYDVD~1.RAR>
2007-01-27 12:50:50 0 d-------- C:\Program Files\Common Files\Ahead
2007-01-26 19:33:31 0 d-------- C:\Program Files\uTorrent
2007-01-26 19:33:17 645670 --a------ C:\Program Files\uTorrent-1.6-install.exe<UTORRE~1.EXE>
2007-01-26 19:10:13 0 d-------- C:\Documents and Settings\Phil\Application Data\Apple Computer<APPLEC~1>
2007-01-26 19 55 0 d-------- C:\Documents and Settings\Phil\Application Data\BitTorrent<BITTOR~1>
2007-01-26 18 11 0 d-------- C:\Documents and Settings\Phil\Application Data\dvdcss
2007-01-26 18:00:51 0 d-------- C:\Program Files\Common Files\Download Manager<DOWNLO~1>
2007-01-25 21:30:34 0 d-------- C:\Program Files\IGZ Messenger<IGZMES~1>
2007-01-12 21:15:51 1314816 --a------ C:\pbsetup.exe
2007-01-11 11:34:19 81920 --a------ C:\WINDOWS\system32\ElbyCDIO.dll
2007-01-04 20 10 36808256 --a------ C:\iTunesSetup.exe<ITUNES~1.EXE>
2007-01-02 10:32:14 3044944 --a------ C:\Program Files\LimeWireWin.exe<LIMEWI~1.EXE>
2006-12-19 21:21:58 1497680 --a------ C:\ccsetup136.exe<CCSETU~1.EXE>

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"IESet"="\"IExplorer.dll .dbt\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"IESet"="\"IExplorer.dll .dbt\""
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"IESet"="\"IExplorer.dll .dbt\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"IESet"="IExplorer.dll .dbt"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipsC71

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

-- End of Deckard's System Scanner: finished at 2007-03-19 at 21:45:00 ---------
#4
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,734
OS: 2000 Pro; XP Pro; XP Home
Re: Help With Removal of Amaena
Thanks for providing that information.
We'll get to fixing your machine shortly. I'm subscribed to this thread and will watch for your reply. Can you please upload the following files to VirusTotal and report the findings:
C:\sysbqdg.exe
C:\WINDOWS\system32\Explorer.exe
#5
Registered User
Join Date: Mar 2007
Posts: 10
OS: Windows XP
Re: Help With Removal of Amaena
I couldn't find C:\sysbqdg.exe, but here are the results for the other one.
Antivirus Version Update Result
AhnLab-V3 2007.3.21.0 03.20.2007 no virus found
AntiVir 7.3.1.44 03.20.2007 no virus found
Authentium 4.93.8 03.20.2007 no virus found
Avast 4.7.936.0 03.20.2007 no virus found
AVG 7.5.0.447 03.20.2007 no virus found
BitDefender 7.2 03.21.2007 no virus found
CAT-QuickHeal 9.00 03.20.2007 no virus found
ClamAV devel-20070312 03.21.2007 no virus found
DrWeb 4.33 03.20.2007 no virus found
eSafe 7.0.14.0 03.20.2007 no virus found
eTrust-Vet 30.6.3496 03.20.2007 no virus found
Ewido 4.0 03.20.2007 no virus found
FileAdvisor 1 03.21.2007 no virus found
Fortinet 2.85.0.0 03.20.2007 no virus found
F-Prot 4.3.1.45 03.20.2007 no virus found
F-Secure 6.70.13030.0 03.21.2007 no virus found
Ikarus T3.1.1.3 03.20.2007 no virus found
Kaspersky 4.0.2.24 03.21.2007 no virus found
McAfee 4988 03.20.2007 no virus found
Microsoft 1.2306 03.21.2007 no virus found
NOD32v2 2129 03.20.2007 no virus found
Norman 5.80.02 03.20.2007 no virus found
Panda 9.0.0.4 03.20.2007 no virus found
Prevx1 V2 03.21.2007 Trojan.SystemPoser
Sophos 4.15.0 03.13.2007 no virus found
Sunbelt 2.2.907.0 03.16.2007 no virus found
Symantec 10 03.21.2007 no virus found
TheHacker 6.1.6.078 03.20.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.2 03.19.2007 no virus found
VirusBuster 4.3.7:9 03.20.2007 no virus found
Webwasher-Gateway 6.0.1 03.20.2007 no virus found

Aditional Information
File size: 36864 bytes
MD5: 80e03902afc4e9266726bce0068af339
SHA1: b578b8dcdcd92eb4e5f44acc16fbd69eaf7491da
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=65d283211254
#6
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,734
OS: 2000 Pro; XP Pro; XP Home
Re: Help With Removal of Amaena
OK, let's get to work.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix. It is IMPORTANT that you don't miss a step and perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

I have attached a file to this post - KiLLTaCuLaR.zip. Download this file to your desktop. Double-click on the zip folder, then double-click on the reg file within. Click Yes to allow it to merge into your registry.

---------------------------------------------------------------------------------------------

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked:

O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - (no file)
O4 - HKLM\..\Run: [IESet] "IExplorer.dll .dbt"
O4 - HKLM\..\RunServices: [IESet] "IExplorer.dll .dbt"
O4 - HKCU\..\Run: [IESet] "IExplorer.dll .dbt"

Close HijackThis now.

---------------------------------------------------------------------------------------------

Go to My Computer -> Tools -> Folder Options -> View tab:

* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types.
* Click Yes to confirm and then click OK.

Delete the following if they exist:

IExplorer.dll .dbt <<< This is likely located in C:\Windows\System32. If you cannot find it there, perform a search using Start > Search > All Files and Folders.
C:\sysbqdg.exe <<< DSS reports this file in its log, though you said you could not find it. Please look again, or use the search function.
C:\WINDOWS\system32\Explorer.exe <<< From this location only!!
C:\WINDOWS\system32\geedb.exe

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan.

* Turn off the real time scanner of any existing antivirus program while performing the online scan.

---------------------------------------------------------------------------------------------

Run Deckard's System Scanner again, and post the resulting log.

---------------------------------------------------------------------------------------------

So, please return with results from:

C:\ComboFix.txt
Panda online scan
C:\Deckard\System Scan\main.txt

__________________
Practice Safe Surfing. Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.

Last edited by tetonbob : 03-27-2007 at 08:59 PM.
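The IESet entries tetonbob has the user fix share traits a log reader looks for before anything else: a Run value whose command carries no drive-qualified path, a file name with a space before a second extension, a value under the Windows 9x RunServices key, and (from the deletion list) a system binary's name sitting in the wrong folder. The Python below, an added example that is not from the forum post or from HijackThis, parses O4 lines and flags those traits; the sample lines are constructed from the log in this thread plus one made-up Explorer.exe entry to exercise the location check.

```python
"""Triage HijackThis O4 (autostart) lines for the traits acted on in this thread.
Added example, not code from the forum post or from HijackThis. Sample lines are
constructed: IESet and vendor lines follow the log above; Explorer.exe is made up."""
import re
from pathlib import PureWindowsPath

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
ABS_RE = re.compile(r"^[A-Za-z]:\\")
# Extensions a Run value can launch directly.
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}
# Well-known binaries and the (lower-cased) folder name they belong in.
CANONICAL_DIR = {"explorer.exe": "windows", "iexplore.exe": "internet explorer"}

SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IESet] "IExplorer.dll .dbt"
O4 - HKLM\..\RunServices: [IESet] "IExplorer.dll .dbt"
O4 - HKCU\..\Run: [IESet] "IExplorer.dll .dbt"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\Explorer.exe
""".strip().splitlines()

def target_of(cmd):
    """Program a Run value launches: the quoted part if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def analyze_o4(line):
    """Parse one O4 line; return {'location', 'target', 'flags'} or None if not O4."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    target = target_of(m["cmd"])
    fname = PureWindowsPath(target).name
    exts = [e.lower() for e in re.findall(r"\.[^.\s\\]+", fname)]
    flags = []
    if not ABS_RE.match(target):
        # No drive-qualified path: the name is resolved through the search
        # path, so the value does not say where the file really lives.
        flags.append("relative-path")
    if m["key"].lower() == "runservices":
        # RunServices is a Windows 9x/ME key that XP does not process; normal
        # XP software has no reason to write it.
        flags.append("legacy-runservices-key")
    if " ." in fname or len(exts) > 1:
        # "IExplorer.dll .dbt": a space before the real extension and a second
        # extension, so the name reads as a DLL at a glance.
        flags.append("double-extension")
    if not exts or exts[-1] not in EXEC_EXTS:
        flags.append("non-executable-extension")
    canonical = CANONICAL_DIR.get(fname.lower())
    if canonical and ABS_RE.match(target) and \
            PureWindowsPath(target).parent.name.lower() != canonical:
        # A system binary's name in the wrong folder, the post's
        # "From this location only!!" case for system32\Explorer.exe.
        flags.append("wrong-directory")
    location = "{}\\{}\\{}".format(m["hive"], m["key"], m["name"])
    return {"location": location, "target": target, "flags": flags}

def triage(lines):
    """Return the analysis of every O4 line that raised at least one flag, in order."""
    results = (analyze_o4(line) for line in lines)
    return [r for r in results if r and r["flags"]]

if __name__ == "__main__":
    for hit in triage(SAMPLE_O4_LINES):
        print("{:<24} {:<36} {}".format(
            hit["location"], hit["target"], ", ".join(hit["flags"])))
```

The checks work on the O4 line alone, so files the helper found another way (geedb.exe via its creation date in the ComboFix file list) are out of scope here.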
#7
Registered User
Join Date: Mar 2007
Posts: 10
OS: Windows XP
Re: Help With Removal of Amaena
"Phil" - 07-03-22 19:36:33 Service Pack 2 ComboFix 07-03-22.2 - Running from: "C:\Documents and Settings\Phil\desktop" Command switches used :: /v ipsC71 awtrpop (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Folders Quarantined: C:\qoobox\purity\Program Files\Common Files\MCROSO~1 ((((((((((((((((((((((((((((((( Files Created from 2007-02-22 to 2007-03-22 )))))))))))))))))))))))))))))))))) 2007-03-19 22:07 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-03-19 21:43 <DIR> d-------- C:\Deckard 2007-03-18 14:03 21,568 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys 2007-03-18 14:03 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys 2007-03-18 14:03 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys 2007-03-18 14:03 128,064 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys 2007-03-18 14:03 <DIR> d-------- C:\Program Files\Webroot 2007-03-18 14:03 <DIR> d-------- C:\DOCUME~1\LOCALS~1.000\APPLIC~1\Webroot 2007-03-18 14:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Webroot 2007-03-18 12:48 <DIR> d-------- C:\DOCUME~1\Phil\APPLIC~1\Webroot 2007-03-18 11:07 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2007-03-18 11:07 299,392 --a------ C:\WINDOWS\system32\imon.dll 2007-03-18 11:07 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2007-03-18 10:54 684,032 --a------ C:\WINDOWS\system32\libeay32.dll 2007-03-18 10:54 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll 2007-03-17 23:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$ 2007-03-17 23:51 <DIR> d-------- C:\WINDOWS\system32\PreInstall 2007-03-17 23:31 <DIR> d-------- C:\Program Files\SpywareGuard 2007-03-17 23:30 2,062,665 --a------ C:\spywareguardsetup.exe 2007-03-17 23:26 2,566,736 --a------ C:\spywareblastersetup351.exe 2007-03-17 23:26 <DIR> d-------- C:\Program Files\SpywareBlaster 2007-03-17 22:02 <DIR> d-------- 
C:\WINDOWS\system32\ActiveScan 2007-03-17 21:29 <DIR> d-------- C:\VundoFix Backups 2007-03-17 21:21 <DIR> d-------- C:\DOCUME~1\Phil\APPLIC~1\Motive 2007-03-17 18:17 <DIR> d-------- C:\DOCUME~1\Phil\APPLIC~1\Lavasoft 2007-03-17 18:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-03-17 18:06 0 --a------ C:\WINDOWS\nsreg.dat 2007-03-17 16:53 488,144 --a------ C:\HJTsetup.exe 2007-03-16 17:40 27,188 --a------ C:\WINDOWS\system32\geedb.exe 2007-03-15 16:51 <DIR> d-------- C:\Program Files\Smart Projects 2007-03-07 20:20 <DIR> d-------- C:\Program Files\Apple Software Update 2007-03-02 19:24 <DIR> d-------- C:\DOCUME~1\Phil\APPLIC~1\Google 2007-03-02 19:15 <DIR> d-------- C:\DOCUME~1\Phil\APPLIC~1\Adobe 2007-03-02 19:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Adobe 2007-03-02 19:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Google 2007-03-02 16:16 <DIR> d-------- C:\DOCUME~1\Phil\APPLIC~1\Intuit 2007-03-02 16:15 <DIR> d-------- C:\Program Files\ItsDeductible2006 2007-03-02 16:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Intuit 2007-03-02 16:13 1,716,297 --------- C:\WINDOWS\system32\InetClnt.dll 2007-03-02 16:12 <DIR> d-------- C:\DOCUME~1\Phil\APPLIC~1\InstallShield (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-03-22 05:34 -------- d-------- C:\DOCUME~1\Phil\APPLIC~1\utorrent 2007-03-20 16:25 -------- d-------- C:\Program Files\winrar_v3[1].61_final___crack 2007-03-20 06:33 -------- d-------- C:\Program Files\pokerroom.com 2007-03-20 06:33 -------- d-------- C:\Program Files\Common Files\motive 2007-03-19 16:30 -------- d-------- C:\Program Files\itunes 2007-03-19 16:30 -------- d-------- C:\Program Files\ipod 2007-03-19 16:28 -------- d-------- C:\Program Files\quicktime 2007-03-18 12:21 -------- d-------- C:\Program Files\Common Files\ąpppatch 2007-03-18 11:04 12038580 --a------ C:\Program 
Files\nod32[1].antivirus.system.v2.70.16_-_final.rar 2007-03-18 10:53 13410729 --a------ C:\Program Files\wrss4flz.rar 2007-03-18 00:30 -------- d-------- C:\Program Files\gamepark 2007-03-17 22:25 -------- d-------- C:\Program Files\google 2007-03-16 13:36 -------- d-------- C:\DOCUME~1\Phil\APPLIC~1\vso 2007-03-05 20:19 -------- d-------- C:\Program Files\verizon 2007-03-02 16:05 -------- d-------- C:\Program Files\turbotax 2007-02-15 20:44 -------- d-------- C:\Program Files\xaimer 2007-02-14 12:35 359040 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS 2007-02-11 02:02 -------- d--h----- C:\Program Files\installshield installation information 2007-02-11 01:49 -------- d-------- C:\Program Files\ccleaner 2007-02-09 16:18 -------- d-------- C:\Program Files\bamboo technology 2007-02-09 15:41 81920 --a------ C:\DOCUME~1\Phil\APPLIC~1\ezpinst.exe 2007-02-09 15:41 7176 --a------ C:\DOCUME~1\Phil\APPLIC~1\pcouffin.cat 2007-02-09 15:41 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys 2007-02-09 15:41 47360 --a------ C:\DOCUME~1\Phil\APPLIC~1\pcouffin.sys 2007-02-09 15:41 34 --a------ C:\DOCUME~1\Phil\APPLIC~1\pcouffin.log 2007-02-09 15:41 1144 --a------ C:\DOCUME~1\Phil\APPLIC~1\pcouffin.inf 2007-02-08 21:02 -------- d-------- C:\DOCUME~1\Phil\APPLIC~1\pinnacle systems 2007-02-08 20:52 -------- d-------- C:\Program Files\playlinc 2007-02-08 19:46 95 --a------ C:\AUTOEXEC.BAT 2007-02-08 19:35 2683984 --a------ C:\Program Files\ccsetup137.exe 2007-02-08 19:09 -------- d-------- C:\Program Files\messenger 2007-02-08 19:04 -------- d-------- C:\Program Files\movie maker 2007-02-08 19:03 -------- d-------- C:\Program Files\windows nt 2007-02-08 17:16 -------- d--h----- C:\Program Files\windowsupdate 2007-02-04 20:49 -------- d-------- C:\Program Files\supportsoft 2007-01-27 13:06 -------- d-------- C:\DOCUME~1\Phil\APPLIC~1\nero 2007-01-27 13:02 -------- d-------- C:\DOCUME~1\Phil\APPLIC~1\slysoft 2007-01-27 12:59 -------- d-------- C:\Program Files\slysoft 
2007-01-27 12:58 1284302 --a------ C:\Program Files\anydvd 6[1].1.1.0 beta.rar 2007-01-26 19:33 645670 --a------ C:\Program Files\utorrent-1.6-install.exe 2007-01-26 19:33 -------- d-------- C:\Program Files\utorrent 2007-01-26 19:10 -------- d-------- C:\DOCUME~1\Phil\APPLIC~1\apple computer 2007-01-26 19:06 -------- d-------- C:\DOCUME~1\Phil\APPLIC~1\bittorrent 2007-01-26 18:06 -------- d-------- C:\DOCUME~1\Phil\APPLIC~1\dvdcss 2007-01-26 18:00 -------- d-------- C:\Program Files\Common Files\download manager 2007-01-25 21:30 -------- d-------- C:\Program Files\igz messenger 2007-01-12 21:15 1314816 --a------ C:\pbsetup.exe 2007-01-11 11:34 81920 --a------ C:\WINDOWS\system32\elbycdio.dll 2007-01-04 20:06 36808256 --a------ C:\iTunesSetup.exe 2007-01-02 10:32 3044944 --a------ C:\Program Files\limewirewin.exe 2006-12-13 00:28 1035271 --a------ C:\Program Files\wrar362.exe 2006-12-12 16:10 62 --ahs---- C:\DOCUME~1\Phil\APPLIC~1\desktop.ini 2006-12-02 20:15 3101332 --a------ C:\Program Files\modem_booster_5[1].0_www.warezrips.com.rar (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "IESet"="\"IExplorer.dll .dbt\"" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE" "IESet"="\"IExplorer.dll .dbt\"" "SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices] "IESet"="\"IExplorer.dll .dbt\"" 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{81559C35-8464-49F7-BB0E-07A383BEF910}"="" "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 Contents of the 'Scheduled Tasks' folder C:\WINDOWS\tasks\AppleSoftwareUpdate.job ******************************************************************** catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 07-03-22 19:38:28 Incident Status Location Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Phil\Cookies\phil@com[1].txt Adware:Adware/Mytoolbar Not disinfected C:\System Volume Information\_restore{235D2866-9D13-4581-9AD2-3B0E8A0B53E8}\RP121\A0147370.exe Deckard's System Scanner v20070318.32 Run by Phil on 2007-03-23 at 05:38:04 Computer is in Normal Mode. 
-------------------------------------------------------------------------------- -- HijackThis (run as Phil.exe) ------------------------------------------------ Logfile of HijackThis v1.99.1 Scan saved at 5:38:18 AM, on 3/23/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\WINDOWS\System32\Ati2evxx.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Eset\nod32krn.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Webroot\Spy Sweeper\SSU.EXE C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Phil\Desktop\dss.exe C:\DOCUME~1\Phil\Desktop\Phil.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bm...hoo&bm=yh_home R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = 
http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: Yahoo! 
Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemydsl.verizon.net/sd...SL/tgctlcm.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1170972936624 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1170972923725 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - 
http://acs.pandasoftware.com/actives...ree/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{C087977D-B0D0-4AAB-83CC-2364E68885C7}: NameServer = 192.168.2.1,192.168.2.3 O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- Files created between 2007-02-23 and 2007-03-23 ----------------------------- 2007-03-19 22:07:41 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-03-18 14:03:19 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\Webroot 2007-03-18 14:03:06 21056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys 2007-03-18 14:03:06 128064 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys 2007-03-18 14:03:06 21568 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys 2007-03-18 14:03:06 20544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys 2007-03-18 14:03:00 0 d-------- C:\Program Files\Webroot 2007-03-18 14:03:00 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Webroot 2007-03-18 12:48:14 0 d-------- C:\Documents and Settings\Phil\Application Data\Webroot 2007-03-18 11:07:41 299392 --a------ C:\WINDOWS\system32\imon.dll 2007-03-18 11:07:40 15424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2007-03-18 11:07:40 512096 --a------ 
C:\WINDOWS\system32\drivers\amon.sys 2007-03-18 10:54:36 155648 --a------ C:\WINDOWS\system32\ssleay32.dll 2007-03-18 10:54:36 684032 --a------ C:\WINDOWS\system32\libeay32.dll 2007-03-17 23:51:28 0 d-------- C:\WINDOWS\system32\PreInstall<PREINS~1> 2007-03-17 23:51:23 0 d--h----- C:\WINDOWS\$hf_mig$ 2007-03-17 23:31:18 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~3> 2007-03-17 23:30:49 2062665 --a------ C:\spywareguardsetup.exe<SPYWAR~2.EXE> 2007-03-17 23:26:55 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~2> 2007-03-17 23:26:21 2566736 --a------ C:\spywareblastersetup351.exe<SPYWAR~1.EXE> 2007-03-17 22:02:23 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1> 2007-03-17 21:29:51 0 d-------- C:\VundoFix Backups<VUNDOF~1> 2007-03-17 21:21:40 0 d-------- C:\Documents and Settings\Phil\Application Data\Motive 2007-03-17 18:17:08 0 d-------- C:\Documents and Settings\Phil\Application Data\Lavasoft 2007-03-17 18:16:35 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1> 2007-03-17 18 16 0 --a------ C:\WINDOWS\nsreg.dat2007-03-17 16:53:34 488144 --a------ C:\HJTsetup.exe 2007-03-15 16:51:03 0 d-------- C:\Program Files\Smart Projects<SMARTP~1> 2007-03-07 20:20:35 0 d-------- C:\Program Files\Apple Software Update<APPLES~1> 2007-03-02 19:24:56 0 d-------- C:\Documents and Settings\Phil\Application Data\Google 2007-03-02 19:15:41 0 d-------- C:\Documents and Settings\Phil\Application Data\Adobe 2007-03-02 19:12:54 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Adobe 2007-03-02 19:11:16 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google 2007-03-02 16:16:19 0 d-------- C:\Documents and Settings\Phil\Application Data\Intuit 2007-03-02 16:15:42 0 d-------- C:\Program Files\ItsDeductible2006<ITSDED~2> 2007-03-02 16:14:20 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Intuit 2007-03-02 16:13:36 1716297 -----n--- C:\WINDOWS\system32\InetClnt.dll 2007-03-02 16:12:18 
0 d-------- C:\Documents and Settings\Phil\Application Data\InstallShield<INSTAL~1> -- Find3M Report --------------------------------------------------------------- 2007-03-23 05:32:38 0 d-------- C:\Documents and Settings\Phil\Application Data\uTorrent 2007-03-22 20:40:35 0 d-------- C:\Program Files\iTunes 2007-03-22 20:36:57 0 d-------- C:\Program Files\Google 2007-03-20 16:25:23 0 d-------- C:\Program Files\WinRAR_v3[1].61_Final___CRACK<WINRAR~1.61_> 2007-03-20 06:33:45 0 d-------- C:\Program Files\Common Files\Motive 2007-03-20 06:33:44 0 d-------- C:\Program Files\PokerRoom.com<POKERR~1.CO |