Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
Resolved HJT Threads Resolved spyware and popup issues.

 
 
Old 10-24-2007, 06:48 AM   #1 (permalink)
Registered User
 
Join Date: Oct 2007
Location: Pittsburgh, PA, USA
Posts: 9
OS: XP Media Edition


Another "whataboutadog" victim

I am running Windows XP Media Center and IE 7.0. My computer has been infected by whataboutadog and doginhispen. I believe the infection happened about two weeks ago when I started getting crashes when running PCcillin, adware, spybot etc scans. I found a file at the time in i396 called pwrnmw that was causing the crashes and was able to replace the file with a copy from an identical computer. Since then, I have been able to get most everything else working by restoring original settings (IE) or downloading and replacing the program (adware, spybot). At this point, the only things obviously not working are media center and my Linksys music bridge, though I am suspicious that PCcillin and the adware programs are scanning, but not finding the problem. Also, when I try to report spam to TrendMicro, the email is not sent but rather sent to the delete file in Outlook.

I have been trying to run scans with system restore off while in safe mode, but nothing seems to be able to get rid of this thing and it keeps coming back. Can you help?

I have provided a copy of my hijackthis log and the find.awf log below.

Thank you.

Ryly


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:05 AM, on 10/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OL\TMAS_OL.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Documents and Settings\Philip Troy\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1185403290671
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/...l/gtdownde.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 6691 bytes






Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Wed 10/24/2007
The current time is: 8:00:37.15


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/11/2000 02:00 AM 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\DELLSU~1\BAK

03/15/2007 11:09 AM 460,784 DSAgnt.exe
1 File(s) 460,784 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

10/13/2004 12:24 PM 1,694,208 msmsgs.exe
1 File(s) 1,694,208 bytes

Directory of C:\PROGRA~1\PDF-XC~1\BAK

02/21/2003 02:16 PM 61,440 PDFSaver.exe
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

04/18/2007 04:17 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\SPYBOT~1\BAK

08/31/2007 04:46 PM 1,460,560 TeaTimer.exe
1 File(s) 1,460,560 bytes

Directory of C:\PROGRA~1\WIRELE~1\BAK

02/20/2006 04:47 AM 1,171,456 WMB54G.exe
1 File(s) 1,171,456 bytes

Directory of C:\WINDOWS\EHOME\BAK

09/29/2005 03:01 PM 67,584 ehtray.exe
1 File(s) 67,584 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

10/05/2005 01:38 PM 32,768 CmFlywav.exe
10/22/2007 02:50 PM 89 Flywave.dll
2 File(s) 32,857 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/10/2004 06:00 AM 15,360 ctfmon.exe
01/13/2006 02:46 AM 311,296 hphmon03.exe
2 File(s) 326,656 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

08/05/2005 10:05 PM 344,064 atiptaxx.exe
1 File(s) 344,064 bytes

Directory of C:\PROGRA~1\COREL\CORELP~1\BAK

02/09/2006 06:34 PM 106,496 MediaDetect.exe
1 File(s) 106,496 bytes

Directory of C:\PROGRA~1\CREATIVE\VOICEC~1\BAK

09/19/2005 08:42 AM 1,159,168 AndreaVC.exe
1 File(s) 1,159,168 bytes

Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

05/03/2006 03:12 AM 98,304 DMXLauncher.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

08/15/2007 04:19 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\GRISOFT\AVG7\BAK

09/30/2007 10:57 AM 421,888 avgcc.exe
1 File(s) 421,888 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGANT~1.5\BAK

06/11/2007 05:25 AM 6,731,312 avgas.exe
1 File(s) 6,731,312 bytes

Directory of C:\PROGRA~1\HP\HPSHAR~1\BAK

04/17/2002 11:42 AM 69,632 hpgs2wnd.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/19/2006 03:41 AM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\INTEL\INTELM~1\BAK

06/17/2005 08:56 AM 139,264 iaanotif.exe
1 File(s) 139,264 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~3\BAK

09/08/2005 08:20 PM 8,192 mimboot.exe
1 File(s) 8,192 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\BAK

08/30/2005 05:42 PM 823,362 pccguide.exe
1 File(s) 823,362 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

09/08/2005 06:20 AM 122,940 DLACTRLW.EXE
1 File(s) 122,940 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

06/10/2005 11:44 AM 81,920 issch.exe
06/10/2005 11:44 AM 249,856 isuspm.exe
2 File(s) 331,776 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

10/09/2006 05:28 PM 185,784 realsched.exe
1 File(s) 185,784 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\DETECTOR\BAK

12/02/2004 07:23 PM 102,400 CTDetect.exe
1 File(s) 102,400 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDIGY\SURROU~1\BAK

09/15/2005 10:47 AM 57,344 CTSysVol.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\TMAS_OE\BAK

04/11/2006 07:39 PM 176,201 TMAS_OEMon.exe
1 File(s) 176,201 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

01/13/2006 02:46 AM 196,608 hpztsb04.exe
1 File(s) 196,608 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

28172 Oct 4 2007 "C:\WINDOWS\UpdReg.EXE"
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
28172 Oct 4 2007 "C:\Program Files\DellSupport\DSAgnt.exe"
460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
28172 Oct 4 2007 "C:\Program Files\Messenger\msmsgs.exe"
1694208 Oct 13 2004 "C:\Program Files\Messenger\bak\msmsgs.exe"
1694208 Oct 13 2004 "C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe"
28172 Oct 4 2007 "C:\Program Files\PDF-XChangeSDKEU\PDFSaver.exe"
61440 Feb 21 2003 "C:\Program Files\PDF-XChangeSDKEU\bak\PDFSaver.exe"
28172 Oct 4 2007 "C:\Program Files\QuickTime\qttask.exe"
155648 Apr 18 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
28172 Oct 4 2007 "C:\Program Files\Wireless-G Music Bridge\WMB54G.exe"
1077327 Dec 1 2006 "C:\Linksys Driver\WMB54G_20061207\Utility\WMB54G.exe"
1171456 Feb 20 2006 "C:\Program Files\Wireless-G Music Bridge\bak\WMB54G.exe"
59392 Aug 10 2004 "C:\WINDOWS\$NtUninstallKB900325$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
28172 Oct 4 2007 "C:\WINDOWS\ehome\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
28172 Oct 4 2007 "C:\WINDOWS\system\CmFlywav.exe"
32768 Oct 5 2005 "C:\Program Files\Wireless-G Music Bridge\Driver\Cmflywav.exe"
32768 Oct 5 2005 "C:\WINDOWS\system\bak\CmFlywav.exe"
89 Oct 3 2007 "C:\WINDOWS\system\Flywave.dll"
89 Oct 22 2007 "C:\WINDOWS\system\bak\Flywave.dll"
15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
28172 Oct 4 2007 "C:\WINDOWS\system32\hphmon03.exe"
311296 Jan 13 2006 "C:\WINDOWS\system32\bak\hphmon03.exe"
311296 Jan 13 2006 "C:\temp\photosmart\enu\drivers\win2k_xp\HPHmon03.exe"
311296 Jan 13 2006 "C:\Program Files\hp photosmart\hphinstall\enu\drivers\win2k_xp\HPHmon03.exe"
344064 Feb 9 2006 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
344064 Aug 5 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
28172 Oct 4 2007 "C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe"
106496 Feb 9 2006 "C:\Program Files\Corel\Corel Photo Album 6\bak\MediaDetect.exe"
106496 Aug 31 2005 "C:\WINDOWS\Installer\$PatchCache$\Managed\8418B9A87DDDF844DBC65338683D3245\6.0.0\mediadetect.exe"
28172 Oct 4 2007 "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe"
1159168 Sep 19 2005 "C:\Program Files\Creative\VoiceCenter\bak\AndreaVC.exe"
28172 Oct 4 2007 "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
98304 May 3 2006 "C:\Program Files\Dell\Media Experience\bak\DMXLauncher.exe"
40960 Aug 14 2007 "C:\Program Files\Google\googletoolbar1user.exe"
69632 May 24 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
583696 Oct 9 2006 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Aug 14 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 Aug 15 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
26694 Jul 13 2007 "C:\Documents and Settings\Philip Troy\Application Data\Microsoft\Installer\{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"
1146880 Apr 11 2007 "F:\wd_windows_tools\Google\GoogleInstaller.exe"
1854264 Mar 26 2007 "F:\wd_windows_tools\Google\Desktop\GoogleDesktopSetup_de.exe"
1240104 Jan 29 2007 "F:\wd_windows_tools\Google\Toolbar\W2KXP\GoogleToolbarInstaller_WDIB_de_signed.exe"
421888 Sep 30 2007 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
6731312 Jun 11 2007 "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe"
28172 Oct 4 2007 "C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe"
69632 Apr 17 2002 "C:\Program Files\HP\HP Share-to-Web\bak\hpgs2wnd.exe"
28172 Oct 4 2007 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 19 2006 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
28172 Oct 4 2007 "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
139264 Jun 17 2005 "C:\Program Files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe"
28172 Oct 4 2007 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot.exe"
8192 Sep 8 2005 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mimboot.exe"
8192 Sep 8 2005 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe"
823362 Aug 22 2005 "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
823362 Aug 30 2005 "C:\Program Files\Trend Micro\Internet Security 12\bak\pccguide.exe"
823362 Aug 22 2005 "C:\Documents and Settings\Philip Troy\Local Settings\Temp\Temporary Directory 1 for GM_1017_20050825.zip\Setup\Programs\PCC\pccguide.exe"
28172 Oct 4 2007 "C:\WINDOWS\system32\DLA\DLACTRLW.EXE"
122940 Sep 8 2005 "C:\Program Files\Roxio\DLA\install\dlactrlw.exe"
122940 Sep 8 2005 "C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"
28172 Oct 4 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
28172 Oct 4 2007 "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
81920 Jun 10 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
28172 Oct 4 2007 "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe"
249856 Jun 10 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"
28172 Oct 4 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185784 Oct 9 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
28172 Oct 4 2007 "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe"
102400 Dec 2 2004 "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"
28172 Oct 4 2007 "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe"
57344 Sep 15 2005 "C:\Program Files\Creative\SBAudigy\Surround Mixer\bak\CTSysVol.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
28172 Oct 4 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
356425 Apr 11 2006 "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEImp.exe"
86089 Apr 11 2006 "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OL\TMAS_OLImp.exe"
176201 Apr 11 2006 "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\bak\TMAS_OEMon.exe"
356425 Apr 11 2006 "C:\Program Files\Trend Micro\Internet Security 12\Temp\aupcc\product\TMAS_OE\TMAS_OEImp.exe"
86089 Apr 11 2006 "C:\Program Files\Trend Micro\Internet Security 12\Temp\aupcc\product\TMAS_OL\TMAS_OLImp.exe"
28172 Oct 4 2007 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe"
196608 Jan 13 2006 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb04.exe"


end of report
Old 10-25-2007, 07:58 PM   #2 (permalink)
Registered User
 
Join Date: Oct 2007
Location: Pittsburgh, PA, USA
Posts: 9
OS: XP Media Edition


Confused What should I do to get a response?

Did I do something wrong? The only reply I have gotten for two days was a hello kiss for submitting a question on whataboutadog. Is there something I need to do?
Old 10-25-2007, 09:15 PM   #3 (permalink)
dai
Manager, Hardware Forums
 
Join Date: Jul 2004
Location: west australia
Posts: 44,939
OS: vista 32x ultimate retail


Re: What should I do to get a response?

patiently wait
Old 10-25-2007, 11:22 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: Another "whataboutadog" victim

Please take a moment to read our sticky topic (Updated!) IMPORTANT - Read This Before Posting A Log

**Please note this section of the forum is very busy, so please familiarize yourself with the Bumping Rules also found in Step 5 of our sticky topic mentioned above.

One of our Analysts will review your log as soon as possible.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 10-26-2007, 05:45 AM   #5 (permalink)
Registered User
 
Join Date: Oct 2007
Location: Pittsburgh, PA, USA
Posts: 9
OS: XP Media Edition


Re: Another "whataboutadog" victim

Thanks for the reply. Since these were my first posts, I was concerned that I had done something incorrectly and that was why there was no reply. I will certainly wait patiently for a reply now that I know the system works.
Old 10-26-2007, 07:09 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: Another "whataboutadog" victim

Hello Ryly,

I'll pick this one up since you've already provided the essentials of what we need to begin.
Quote:
At this point, the only things obviously not working are media center and my Linksys music bridge...
The AWF infection impersonates and takes over legit programs that run at startup. In your case, quite a few have been taken over, even though you may not have noticed the others involved. We're going to move the legit files to these programs, back where they belong.

This will take a few rounds to clean properly, so please stay with me until I give you the 'all clear'.


Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's important to carry out the instructions in the sequence listed below.

***************************************************

Download: ResetProtocolDefaults.reg and save it to your desktop.

--------------------------------------------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Double-click FindAWF.exe to start the tool.
  • Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
  • A text file will open up. Please copy/paste the following bolded text into the text file: ( be sure to include the quote marks around those file paths)


    "C:\WINDOWS\bak\UpdReg.EXE"
    "C:\Program Files\DellSupport\bak\DSAgnt.exe"
    "C:\Program Files\Messenger\bak\msmsgs.exe"
    "C:\Program Files\PDF-XChangeSDKEU\bak\PDFSaver.exe"
    "C:\Program Files\QuickTime\bak\qttask.exe"
    "C:\Program Files\Wireless-G Music Bridge\bak\WMB54G.exe"
    "C:\WINDOWS\ehome\bak\ehtray.exe"
    "C:\WINDOWS\system\bak\CmFlywav.exe"
    "C:\WINDOWS\system32\bak\hphmon03.exe"
    "C:\Program Files\Corel\Corel Photo Album 6\bak\MediaDetect.exe"
    "C:\Program Files\Creative\VoiceCenter\bak\AndreaVC.exe"
    "C:\Program Files\Dell\Media Experience\bak\DMXLauncher.exe"
    "C:\Program Files\HP\HP Share-to-Web\bak\hpgs2wnd.exe"
    "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
    "C:\Program Files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe"
    "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe"
    "C:\Program Files\Roxio\DLA\install\dlactrlw.exe"
    "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
    "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
    "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"
    "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
    "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"
    "C:\Program Files\Creative\SBAudigy\Surround Mixer\bak\CTSysVol.exe"
    "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
    "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb04.exe"
    "C:\Program Files\Trend Micro\Internet Security 12\bak\pccguide.exe"

  • Close the .txt file and click 'Yes' to save the changes.
  • When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply.
--------------------------------------------------------------

Double-click FindAWF.exe to start the tool once again.
  • Select option #4 - Reset Domain Zones by typing 4 and press 'Enter'
  • You will be prompted to answer "Reset the domain zones?" Type 1 and press Enter.
  • After completion, then type E and press 'Enter'
Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

-------------------------------------------------------------------------------------

Locate "ResetProtocolDefaults.reg" on your desktop. Right-click and select Merge (Ok the prompt)

-------------------------------------------------------------------------------------

Reboot back into Normal Mode.

-------------------------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------------

Download Deckard's System Scanner (DSS) to your Desktop.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review.
  • DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.
--------------------------------------------------------------------

Please include the following in your next reply:

awf.txt
Panda results
main.txt
extra.txt
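The reply above describes the AWF behaviour that the restore list is built from: the infection parks the legitimate startup executable in a `bak` subfolder and puts its own file in the original location, so every `bak` copy whose live counterpart now has a different size marks a swapped program. The following Python script is an added example (not code from the thread, and not part of noahdfear's FindAWF tool) that applies that check to the "Duplicate files of bak directory contents" section of a FindAWF report. The line format (`<size> <Mon> <day> <year> "<path>"`) is assumed from the listing shown in the thread, the sample lines are copied from the first report in the thread, and the function names are the example's own.

```python
"""Flag startup executables swapped out by the AWF file-replacement infection.

Added example; not part of the original thread or of the FindAWF tool.
Heuristic: for each file found in a `bak` folder, look up the live copy one
directory up. A live copy whose size differs from the bak copy is treated as a
swapped-in stub; the size shared by the most stubs is reported as the
infection's payload size. Size alone is the signal here, which is why a file
with matching sizes but different dates (atiptaxx.exe in the sample) is left
alone, exactly as the analyst's restore list in the thread leaves it alone.
"""
import re
from collections import Counter

# Constructed sample: lines copied from the thread's first FindAWF report.
SAMPLE_REPORT = r"""
28172 Oct 4 2007 "C:\WINDOWS\UpdReg.EXE"
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
28172 Oct 4 2007 "C:\Program Files\Messenger\msmsgs.exe"
1694208 Oct 13 2004 "C:\Program Files\Messenger\bak\msmsgs.exe"
1694208 Oct 13 2004 "C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe"
1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
28172 Oct 4 2007 "C:\WINDOWS\system\CmFlywav.exe"
32768 Oct 5 2005 "C:\Program Files\Wireless-G Music Bridge\Driver\Cmflywav.exe"
32768 Oct 5 2005 "C:\WINDOWS\system\bak\CmFlywav.exe"
89 Oct 3 2007 "C:\WINDOWS\system\Flywave.dll"
89 Oct 22 2007 "C:\WINDOWS\system\bak\Flywave.dll"
15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
344064 Feb 9 2006 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
344064 Aug 5 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
28172 Oct 4 2007 "C:\Program Files\QuickTime\qttask.exe"
155648 Apr 18 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
"""

# One report line: size, three-letter month, day, year, quoted path (assumed format).
ENTRY_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})\s+"(.+)"\s*$')


def parse_entries(report_text):
    """Return (size, date_string, path) tuples for every listing line that matches."""
    entries = []
    for line in report_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            size, mon, day, year, path = m.groups()
            entries.append((int(size), f"{mon} {day} {year}", path))
    return entries


def live_path_for_bak(bak_path):
    """Map 'X\\bak\\name.exe' to 'X\\name.exe'; return None for paths not inside a bak folder."""
    parts = bak_path.split("\\")
    if len(parts) < 3 or parts[-2].lower() != "bak":
        return None
    return "\\".join(parts[:-2] + parts[-1:])


def analyze(report_text):
    """Classify every bak copy as replaced (live size differs), intact, or missing its live copy."""
    entries = parse_entries(report_text)
    by_path = {path.lower(): (size, date, path) for size, date, path in entries}
    replaced, intact, missing = [], [], []
    for size, date, path in entries:
        live = live_path_for_bak(path)
        if live is None:
            continue  # not a bak copy; other duplicates (driver CDs, hotfix caches) are ignored
        live_entry = by_path.get(live.lower())
        if live_entry is None:
            missing.append({"bak": path, "bak_size": size})
        elif live_entry[0] != size:
            replaced.append({"live": live_entry[2], "live_size": live_entry[0],
                             "bak": path, "bak_size": size})
        else:
            intact.append({"live": live_entry[2], "size": size})
    stub_sizes = Counter(r["live_size"] for r in replaced)
    stub_size = stub_sizes.most_common(1)[0][0] if stub_sizes else None
    return {"replaced": replaced, "intact": intact, "missing_live": missing, "stub_size": stub_size}


def restore_list(report_text):
    """Bak paths whose live counterpart was swapped out: the list to feed to a restore step."""
    return [r["bak"] for r in analyze(report_text)["replaced"]]


if __name__ == "__main__":
    result = analyze(SAMPLE_REPORT)
    print(f"common stub size: {result['stub_size']} bytes")
    for r in result["replaced"]:
        print(f"REPLACED {r['live']} ({r['live_size']} B) <- restore {r['bak']} ({r['bak_size']} B)")
    for m in result["missing_live"]:
        print(f"NO LIVE COPY LISTED for {m['bak']}")
```

On the sample, four of the five bak copies with a live counterpart are flagged (UpdReg.EXE, msmsgs.exe, CmFlywav.exe, qttask.exe, all replaced by a 28172-byte file dated Oct 4 2007), ctfmon.exe, Flywave.dll and atiptaxx.exe are reported intact, and TeaTimer.exe is reported as having no live copy in the listing rather than being guessed at.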
Old 10-26-2007, 07:38 AM   #7 (permalink)
Registered User
 
Join Date: Oct 2007
Location: Pittsburgh, PA, USA
Posts: 9
OS: XP Media Edition


Re: Another "whataboutadog" victim

Will do and get back to you. thanks
Old 10-26-2007, 09:23 AM   #8 (permalink)
Registered User
 
Join Date: Oct 2007
Location: Pittsburgh, PA, USA
Posts: 9
OS: XP Media Edition


Re: Another "whataboutadog" victim

Thanks for the instructions. I have taken the steps you directed and have either attached the information you requested or included it below. Thanks again. Awaiting further instructions.



Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Fri 10/26/2007
The current time is: 9:48:16.64


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/11/2000 02:00 AM 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\DELLSU~1\BAK

03/15/2007 11:09 AM 460,784 DSAgnt.exe
1 File(s) 460,784 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

10/13/2004 12:24 PM 1,694,208 msmsgs.exe
1 File(s) 1,694,208 bytes

Directory of C:\PROGRA~1\PDF-XC~1\BAK

02/21/2003 02:16 PM 61,440 PDFSaver.exe
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

04/18/2007 04:17 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\SPYBOT~1\BAK

08/31/2007 04:46 PM 1,460,560 TeaTimer.exe
1 File(s) 1,460,560 bytes

Directory of C:\PROGRA~1\WIRELE~1\BAK

02/20/2006 04:47 AM 1,171,456 WMB54G.exe
1 File(s) 1,171,456 bytes

Directory of C:\WINDOWS\EHOME\BAK

09/29/2005 03:01 PM 67,584 ehtray.exe
1 File(s) 67,584 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

10/05/2005 01:38 PM 32,768 CmFlywav.exe
10/22/2007 02:50 PM 89 Flywave.dll
2 File(s) 32,857 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/10/2004 06:00 AM 15,360 ctfmon.exe
01/13/2006 02:46 AM 311,296 hphmon03.exe
2 File(s) 326,656 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

08/05/2005 10:05 PM 344,064 atiptaxx.exe
1 File(s) 344,064 bytes

Directory of C:\PROGRA~1\COREL\CORELP~1\BAK

02/09/2006 06:34 PM 106,496 MediaDetect.exe
1 File(s) 106,496 bytes

Directory of C:\PROGRA~1\CREATIVE\VOICEC~1\BAK

09/19/2005 08:42 AM 1,159,168 AndreaVC.exe
1 File(s) 1,159,168 bytes

Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

05/03/2006 03:12 AM 98,304 DMXLauncher.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

08/15/2007 04:19 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\GRISOFT\AVG7\BAK

09/30/2007 10:57 AM 421,888 avgcc.exe
1 File(s) 421,888 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGANT~1.5\BAK

06/11/2007 05:25 AM 6,731,312 avgas.exe
1 File(s) 6,731,312 bytes

Directory of C:\PROGRA~1\HP\HPSHAR~1\BAK

04/17/2002 11:42 AM 69,632 hpgs2wnd.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/19/2006 03:41 AM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\INTEL\INTELM~1\BAK

06/17/2005 08:56 AM 139,264 iaanotif.exe
1 File(s) 139,264 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~3\BAK

09/08/2005 08:20 PM 8,192 mimboot.exe
1 File(s) 8,192 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\BAK

08/30/2005 05:42 PM 823,362 pccguide.exe
1 File(s) 823,362 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

09/08/2005 06:20 AM 122,940 DLACTRLW.EXE
1 File(s) 122,940 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

06/10/2005 11:44 AM 81,920 issch.exe
06/10/2005 11:44 AM 249,856 isuspm.exe
2 File(s) 331,776 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

10/09/2006 05:28 PM 185,784 realsched.exe
1 File(s) 185,784 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\DETECTOR\BAK

12/02/2004 07:23 PM 102,400 CTDetect.exe
1 File(s) 102,400 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDIGY\SURROU~1\BAK

09/15/2005 10:47 AM 57,344 CTSysVol.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\TMAS_OE\BAK

04/11/2006 07:39 PM 176,201 TMAS_OEMon.exe
1 File(s) 176,201 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

01/13/2006 02:46 AM 196,608 hpztsb04.exe
1 File(s) 196,608 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 May 11 2000 "C:\WINDOWS\UpdReg.EXE"
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
460784 Mar 15 2007 "C:\Program Files\DellSupport\DSAgnt.exe"
460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
1694208 Oct 13 2004 "C:\Program Files\Messenger\msmsgs.exe"
1694208 Oct 13 2004 "C:\Program Files\Messenger\bak\msmsgs.exe"
1694208 Oct 13 2004 "C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe"
61440 Feb 21 2003 "C:\Program Files\PDF-XChangeSDKEU\PDFSaver.exe"
61440 Feb 21 2003 "C:\Program Files\PDF-XChangeSDKEU\bak\PDFSaver.exe"
155648 Apr 18 2007 "C:\Program Files\QuickTime\qttask.exe"
155648 Apr 18 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
1171456 Feb 20 2006 "C:\Program Files\Wireless-G Music Bridge\WMB54G.exe"
1077327 Dec 1 2006 "C:\Linksys Driver\WMB54G_20061207\Utility\WMB54G.exe"
1171456 Feb 20 2006 "C:\Program Files\Wireless-G Music Bridge\bak\WMB54G.exe"
59392 Aug 10 2004 "C:\WINDOWS\$NtUninstallKB900325$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
32768 Oct 5 2005 "C:\WINDOWS\system\CmFlywav.exe"
32768 Oct 5 2005 "C:\Program Files\Wireless-G Music Bridge\Driver\Cmflywav.exe"
32768 Oct 5 2005 "C:\WINDOWS\system\bak\CmFlywav.exe"
89 Oct 3 2007 "C:\WINDOWS\system\Flywave.dll"
89 Oct 22 2007 "C:\WINDOWS\system\bak\Flywave.dll"
15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
311296 Jan 13 2006 "C:\WINDOWS\system32\hphmon03.exe"
311296 Jan 13 2006 "C:\WINDOWS\system32\bak\hphmon03.exe"
311296 Jan 13 2006 "C:\temp\photosmart\enu\drivers\win2k_xp\HPHmon03.exe"
311296 Jan 13 2006 "C:\Program Files\hp photosmart\hphinstall\enu\drivers\win2k_xp\HPHmon03.exe"
344064 Feb 9 2006 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
344064 Aug 5 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
106496 Feb 9 2006 "C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe"
106496 Feb 9 2006 "C:\Program Files\Corel\Corel Photo Album 6\bak\MediaDetect.exe"
106496 Aug 31 2005 "C:\WINDOWS\Installer\$PatchCache$\Managed\8418B9A87DDDF844DBC65338683D3245\6.0.0\mediadetect.exe"
1159168 Sep 19 2005 "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe"
1159168 Sep 19 2005 "C:\Program Files\Creative\VoiceCenter\bak\AndreaVC.exe"
98304 May 3 2006 "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
98304 May 3 2006 "C:\Program Files\Dell\Media Experience\bak\DMXLauncher.exe"
40960 Aug 14 2007 "C:\Program Files\Google\googletoolbar1user.exe"
69632 May 24 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
583696 Oct 9 2006 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Aug 14 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 Aug 15 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
26694 Jul 13 2007 "C:\Documents and Settings\Philip Troy\Application Data\Microsoft\Installer\{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"
1146880 Apr 11 2007 "F:\wd_windows_tools\Google\GoogleInstaller.exe"
1854264 Mar 26 2007 "F:\wd_windows_tools\Google\Desktop\GoogleDesktopSetup_de.exe"
1240104 Jan 29 2007 "F:\wd_windows_tools\Google\Toolbar\W2KXP\GoogleToolbarInstaller_WDIB_de_signed.exe"
421888 Sep 30 2007 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
6731312 Jun 11 2007 "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe"
69632 Apr 17 2002 "C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe"
69632 Apr 17 2002 "C:\Program Files\HP\HP Share-to-Web\bak\hpgs2wnd.exe"
49152 Feb 19 2006 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 19 2006 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
139264 Jun 17 2005 "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
139264 Jun 17 2005 "C:\Program Files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe"
8192 Sep 8 2005 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot.exe"
8192 Sep 8 2005 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mimboot.exe"
8192 Sep 8 2005 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe"
823362 Aug 30 2005 "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
823362 Aug 30 2005 "C:\Program Files\Trend Micro\Internet Security 12\bak\pccguide.exe"
823362 Aug 22 2005 "C:\Documents and Settings\Philip Troy\Local Settings\Temp\Temporary Directory 1 for GM_1017_20050825.zip\Setup\Programs\PCC\pccguide.exe"
28172 Oct 4 2007 "C:\WINDOWS\system32\DLA\DLACTRLW.EXE"
122940 Sep 8 2005 "C:\Program Files\Roxio\DLA\install\dlactrlw.exe"
122940 Sep 8 2005 "C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
81920 Jun 10 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
81920 Jun 10 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
249856 Jun 10 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe"
249856 Jun 10 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"
185784 Oct 9 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185784 Oct 9 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
102400 Dec 2 2004 "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe"
102400 Dec 2 2004 "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"
57344 Sep 15 2005 "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe"
57344 Sep 15 2005 "C:\Program Files\Creative\SBAudigy\Surround Mixer\bak\CTSysVol.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
356425 Apr 11 2006 "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEImp.exe"
86089 Apr 11 2006 "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OL\TMAS_OLImp.exe"
176201 Apr 11 2006 "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\bak\TMAS_OEMon.exe"
356425 Apr 11 2006 "C:\Program Files\Trend Micro\Internet Security 12\Temp\aupcc\product\TMAS_OE\TMAS_OEImp.exe"
86089 Apr 11 2006 "C:\Program Files\Trend Micro\Internet Security 12\Temp\aupcc\product\TMAS_OL\TMAS_OLImp.exe"
196608 Jan 13 2006 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe"
196608 Jan 13 2006 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb04.exe"


end of report



Panda Activescan results:

Incident Status Location

Virus:Trj/Agent.GMR Disinfected C:\149.tmp
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Philip Troy\Cookies\philip_troy@ad.yieldmanager[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Philip Troy\Desktop\Anti Spyware Tools\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Philip Troy\Desktop\Anti Spyware Tools\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Philip Troy\Desktop\Anti Spyware Tools\SmitfraudFix\restart.exe
Virus:Eicar.Mod Not disinfected C:\Documents and Settings\Philip Troy\Desktop\GM_1017_20050825.zip[Setup/Programs/PCC/tmhelp.chm][/PCC12/Test_virus.htm]
Virus:Eicar.Mod Not disinfected C:\Documents and Settings\Philip Troy\Local Settings\Temp\Temporary Directory 1 for GM_1017_20050825.zip\Setup\Programs\PCC\tmhelp.chm[/PCC12/Test_virus.htm]
Virus:Eicar.Mod Not disinfected C:\Program Files\Trend Micro\Internet Security 12\tmhelp.chm[/PCC12/Test_virus.htm]
Virus:Trj/Dropper.WF


Main.TXT:

Deckard's System Scanner v20071014.68
Run by Philip Troy on 2007-10-26 11:10:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2007-10-26 15:10:53 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2007-10-26 12:14:53 UTC - RP3 - System Checkpoint
2: 2007-10-25 12:10:41 UTC - RP2 - System Checkpoint
1: 2007-10-24 11:51:42 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Philip Troy.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:26 AM, on 10/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Philip Troy\Desktop\dss.exe
C:\DOCUME~1\PHILIP~1\Desktop\Philip Troy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1185403290671
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/...l/gtdownde.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 6544 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ELhid - c:\windows\system32\drivers\elhid.sys <Not Verified; Intel Corporation; Intel(R) Quick Resume Technology>
R1 ELkbd - c:\windows\system32\drivers\elkbd.sys <Not Verified; Intel Corporation; Intel(R) Quick Resume Technology>
R1 ELmon - c:\windows\system32\drivers\elmon.sys <Not Verified; Intel Corporation; Intel(R) Quick Resume Technology>
R1 ELmou - c:\windows\system32\drivers\elmou.sys <Not Verified; Intel Corporation; Intel(R) Quick Resume Technology>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R1 tmtdi (Trend Micro TDI Driver) - c:\windows\system32\drivers\tmtdi.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Component 1.0>
R2 tm_cfw (Common Firewall Driver) - c:\windows\system32\drivers\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Network Security Component 1.0>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S4 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ELService (Intel® Quick Resume Technology Drivers) - "c:\program files\intel\inteldh\intel(r) quick resume technology\elservice.exe" <Not Verified; Intel Corporation; Intel(R) Quick Resume Technology>
R2 PcCtlCom (Trend Micro Central Control Component) - c:\progra~1\trendm~1\intern~1\pcctlcom.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
R2 Tmntsrv (Trend Micro Real-time Service) - c:\progra~1\trendm~1\intern~1\tmntsrv.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
R2 TmPfw (Trend Micro Personal Firewall) - c:\progra~1\trendm~1\intern~1\tmpfw.exe <Not Verified; Trend Micro Inc.; Trend Network Security Component 1.0>
R2 tmproxy (Trend Micro Proxy Service) - c:\progra~1\trendm~1\intern~1\tmproxy.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 1.0>

S3 Creative Labs Licensing Service - "c:\program files\common files\creative labs shared\service\creativelicensing.exe" <Not Verified; Creative Labs; Creative Labs Licensing Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: TI Technologies Inc.
Description: RADEON X300 SE 128MB HyperMemory Secondary
Device ID: PCI\VEN_1002&DEV_5B70&SUBSYS_06031002&REV_00\4&1A646D2D&0&0108
Manufacturer: ATI Technologies Inc.
Name: RADEON X300 SE 128MB HyperMemory Secondary
PNP Device ID: PCI\VEN_1002&DEV_5B70&SUBSYS_06031002&REV_00\4&1A646D2D&0&0108
Service: ati2mtag


-- Files created between 2007-09-26 and 2007-10-26 -----------------------------

2007-10-26 08:57:15 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-23 17:36:26 520192 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2007-10-23 16:14:41 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-23 16:14:35 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-10-23 16:14:35 0 d-------- C:\Documents and Settings\Philip Troy\Application Data\SUPERAntiSpyware.com
2007-10-23 16:14:16 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-23 15:54:37 1290 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-23 15:46:57 0 d-------- C:\WINDOWS\pss
2007-10-23 15:45:08 0 d-------- C:\Program Files\Citrix
2007-10-23 15:37:10 0 d--hs---- C:\WINDOWS\CSC
2007-10-22 19:12:18 0 d-------- C:\Program Files\Lavasoft
2007-10-22 17:35:16 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2007-10-09 12:36:11 0 d-------- C:\Linksys Driver
2007-10-09 09:31:28 0 d-------- C:\Documents and Settings\Philip Troy\Application Data\Grisoft
2007-10-08 21:36:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-10-08 17:16:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-10-08 15:09:50 0 d-------- C:\Program Files\Western Digital Technologies
2007-10-05 19:27:44 0 d-------- C:\Program Files\WinBudget
2007-10-03 21:14:00 0 d-------- C:\WINDOWS\system\bak
2007-10-03 21:13:57 0 d-------- C:\WINDOWS\bak
2007-10-03 21:13:55 0 d-------- C:\WINDOWS\system32\bak
2007-10-02 09:45:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Dell
2007-09-30 11:30:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-30 10:57:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-28 17:08:52 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-28 17:08:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec


-- Find3M Report ---------------------------------------------------------------

2007-10-26 10:36:47 0 d-------- C:\Program Files\Common Files\Sonic Shared
2007-10-26 09:48:15 0 d-------- C:\Program Files\Wireless-G Music Bridge
2007-10-26 09:48:15 0 d-------- C:\Program Files\QuickTime
2007-10-26 09:48:15 0 d-------- C:\Program Files\PDF-XChangeSDKEU
2007-10-26 09:48:15 0 d-------- C:\Program Files\Messenger
2007-10-26 09:48:15 0 d-------- C:\Program Files\DellSupport
2007-10-23 17:36:11 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-23 17:36:05 0 d-------- C:\Program Files\ATI Technologies
2007-10-23 16:14:16 0 d-------- C:\Program Files\Common Files
2007-10-22 19:12:48 0 d-------- C:\Documents and Settings\Philip Troy\Application Data\Lavasoft
2007-10-21 19:49:21 5852 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-10-02 09:45:49 0 d-------- C:\Program Files\Dell
2007-09-30 11:54:13 0 d-------- C:\Program Files\Corel
2007-09-28 20:42:49 104 -r-hs---- C:\WINDOWS\system32\60102C9BCD.sys


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [02/09/2006 09:05 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 06:00 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 08/03/2007 08:00 AM 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor.lnk
backup=C:\WINDOWS\pss\Monitor.lnkCommon Startup