#1
Registered User
Join Date: Dec 2007
Posts: 14
OS: xp
Win32.Backdoor Win32.Trojan PC assistance
I'm helping out a family member's PC that came to me not being able to access the internet. I have done multiple Spybot and Ad-aware scans that keep finding and cleaning things with no luck. The PC had very outdated antivirus software, so I have updated it to avast version 4.7 Home Edition and done boot-time scans and full scans that do find viruses and delete the files. What it keeps picking up is the WIN32:Agent-NJB virus, usually in the c:\windows\system32\drivers\ip6fw.sys & runtime.sys files. Also, when the PC starts, Avast picks up different file names like http://3d.2a.354a.static.theplanet.c...00596600000001 trying to access the internet, referencing WIN32:Small-EPJ. When I run Ad-Aware it consistently finds win32.Backdoor.Agent and Win32.TrojanSpy.Peed. I can't think of anything else to do. I have run Deckard's System Scanner, but I need to do it in Safe Mode as it would crash at the point of trying to clean temporary files. The PC is running IE 7. I have updated the system with all the latest Microsoft patches. I did install SpywareBlaster and have been trying to get a Panda scan log, but it seems to bomb towards the end. Any help is greatly appreciated.
Deckard's System Scanner v20071014.68
Run by Administrator on 2007-12-07 20:50:42
Computer is in Safe Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

-- Last 2 Restore Point(s) --
2: 2007-12-08 01:33:34 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2007-12-08 01:31:03 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Administrator.exe) ---------------------------------------

Unable to find log (file not found); running clone.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-12-07 20:52:19
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16544)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Temp\Scan Logs\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: gpupdate - {688ABEA7-DD8C-43B9-9EDD-F7321DF0728B} - C:\WINDOWS\system32\gpupdate.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O3 - Toolbar: (no name) - Url - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB9506] command /c del "C:\WINDOWS\Temp\startdrv.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2048] cmd /c del "C:\WINDOWS\Temp\startdrv.exe"
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - CmdMapping - (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub...irector/sw.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} () - https://objects.aol.com/mcafee/molbi...20/McGDMgr.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL ACS - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: AOL TopSpeedMonitor - Unknown owner - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOLSVCHst - Unknown owner - C:\WINDOWS\Debug\aolhost.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: gusvc - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Print Spooler Service (il7ymi8jf3ewin64) - Unknown owner - C:\WINDOWS\system32\kbvjygx.exe /service
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft Update - Unknown owner - C:\WINDOWS\winupdtsrv.exe
O23 - Service: Microsoft Update Manager - Unknown owner - C:\WINDOWS\service.exe
O23 - Service: RasMan - Unknown owner - C:\DOCUME~1\Ryan\LOCALS~1\Temp\10918546.exe
O23 - Service: Smart Media Serviecs (Sys_SM-Service) - Unknown owner - C:\WINDOWS\repair\smrs.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7475 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20070422-134522-836 O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://65.61.160.5/staff/ScriptX/ScriptX.cab
backup-20070422-134523-958 O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
backup-20071202-210000-106 O2 - BHO: (no name) - {43A6B7D5-1A5A-4DBF-B417-70565A4233AB} - C:\Program Files\WindowsUpdate\horef24418.dll
backup-20071202-210000-253 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
backup-20071202-210000-284 R3 - Default URLSearchHook is missing
backup-20071202-210000-333 O2 - BHO: (no name) - {C2A2FD47-60D3-322E-882E-48E6788108C7} - C:\WINDOWS\system32\mvkwnc.dll
backup-20071202-210000-365 O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\bak\bak\PortAOL.exe" -Run
backup-20071202-210000-411 O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
backup-20071202-210000-436 O2 - BHO: (no name) - {90A4FF4E-6083-622D-D82E-48E678835FC6} - C:\WINDOWS\system32\xfrdfpu.dll (file missing)
backup-20071202-210000-469 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20071202-210000-481 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20071202-210000-606 O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
backup-20071202-210000-635 O2 - BHO: (no name) - {C1A2FC4E-3286-3825-DA2E-48E6788108C2} - C:\WINDOWS\system32\uupxmh.dll
backup-20071202-210000-639 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=w...05S45uncGMaWhj
backup-20071202-210000-674 O2 - BHO: (no name) - {F98DCF36-4CBE-0D3F-FF1E-09CB41B474F2} - C:\WINDOWS\system32\cgge.dll (file missing)
backup-20071202-210000-881 O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
backup-20071202-210000-920 O2 - BHO: (no name) - {C5A7FA17-3283-357C-D22E-48E67881099C} - C:\WINDOWS\system32\gmtf.dll
backup-20071202-210000-935 O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
backup-20071202-210000-994 O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
backup-20071202-210001-118 O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
backup-20071202-210001-188 O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
backup-20071202-210001-641 O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirate...GameLoader.dll
backup-20071202-210002-221 O23 - Service: Microsoft Update Manager - Unknown owner - C:\WINDOWS\service.exe (file missing)
backup-20071202-210002-247 O23 - Service: Microsoft Update - Unknown owner - C:\WINDOWS\winupdtsrv.exe
backup-20071202-210002-296 O23 - Service: Print Spooler Service (il7ymi8jf3ewin64) - Unknown owner - C:\WINDOWS\system32\kbvjygx.exe
backup-20071202-210002-462 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
backup-20071202-210002-574 O23 - Service: RasMan - Unknown owner - C:\DOCUME~1\Ryan\LOCALS~1\Temp\10918546.exe (file missing)
backup-20071205-051654-150 O4 - HKCU\..\RunServices: [Windows System32] explorer.exe
backup-20071205-051654-307 O23 - Service: RasMan - Unknown owner - C:\DOCUME~1\Ryan\LOCALS~1\Temp\10918546.exe (file missing)
backup-20071205-051654-371 O4 - HKLM\..\RunServices: [kbvjygx] C:\WINDOWS\system32\kbvjygx.exe
backup-20071205-051654-453 O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
backup-20071205-051654-485 O23 - Service: Print Spooler Service (il7ymi8jf3ewin64) - Unknown owner - C:\WINDOWS\system32\kbvjygx.exe (file missing)
backup-20071205-051654-574 O23 - Service: Smart Media Serviecs (Sys_SM-Service) - Unknown owner - C:\WINDOWS\repair\smrs.exe
backup-20071205-051654-670 O23 - Service: gusvc - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20071206-175243-479 O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbi...3/mcinsctl.cab
backup-20071206-175249-647 O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
backup-20071206-175252-399 O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.18.39/ttinst.cab
backup-20071206-175254-392 O23 - Service: AOLSVCHst - Unknown owner - C:\WINDOWS\Debug\aolhost.exe
backup-20071206-175254-527 O23 - Service: Smart Media Serviecs (Sys_SM-Service) - Unknown owner - C:\WINDOWS\repair\smrs.exe
backup-20071206-175254-659 O23 - Service: Print Spooler Service (il7ymi8jf3ewin64) - Unknown owner - C:\WINDOWS\system32\kbvjygx.exe (file missing)
backup-20071206-175254-694 O23 - Service: AOL TopSpeedMonitor - Unknown owner - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (file missing)
backup-20071206-175254-858 O23 - Service: RasMan - Unknown owner - C:\DOCUME~1\Ryan\LOCALS~1\Temp\10918546.exe (file missing)
backup-20071206-175254-880 O23 - Service: AOL ACS - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
backup-20071206-175628-614 O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
backup-20071206-175723-444 F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
backup-20071206-175845-548 F2 - REG:system.ini: UserInit=C:\WINDOWS\system\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
backup-20071206-181047-424 O23 - Service: Print Spooler Service (il7ymi8jf3ewin64) - Unknown owner - C:\WINDOWS\system32\kbvjygx.exe (file missing)
backup-20071206-185528-625 F2 - REG:system.ini: UserInit=C:\WINDOWS\system\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
backup-20071206-185623-931 O23 - Service: Print Spooler Service (il7ymi8jf3ewin64) - Unknown owner - C:\WINDOWS\system32\kbvjygx.exe (file missing)
backup-20071206-185650-615 O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
S3 rdriv - c:\windows\system32\rdriv.sys (file missing)
S3 vsdatant - c:\windows\system32\vsdatant.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S2 il7ymi8jf3ewin64 (Print Spooler Service) - c:\windows\system32\kbvjygx.exe /service (file missing)
S2 Sys_SM-Service (Smart Media Serviecs) - "c:\windows\repair\smrs.exe"
S2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>
S4 AOL TopSpeedMonitor - c:\program files\common files\aol\topspeed\2.0\aoltsmon.exe (file missing)
S4 AOLSVCHst - "c:\windows\debug\aolhost.exe"
S4 Microsoft Update - "c:\windows\winupdtsrv.exe" (file missing)
S4 Microsoft Update Manager - "c:\windows\service.exe" (file missing)
S4 RasMan - c:\docume~1\ryan\locals~1\temp\10918546.exe (file missing)

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-12-03 16:24:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-11-07 and 2007-12-07 -----------------------------

2007-12-07 20:18:01 0 d-------- C:\ie-spyad_zo
2007-12-07 20:11:22 0 d-------- C:\Program Files\SpywareBlaster
2007-12-07 20:10:25 0 d-------- C:\Mike
2007-12-07 19:57:24 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-07 19:50:33 20480 --a------ C:\p00r.exe
2007-12-04 19:03:43 0 d--h----- C:\WINDOWS\PIF
2007-12-03 20:36:02 0 d-------- C:\Program Files\Alwil Software
2007-12-03 19:38:03 0 d-------- C:\WINDOWS\system32\appmgmt
2007-12-03 19:08:56 0 d-------- C:\WINDOWS\system32\NVSYS
2007-12-03 19:08:49 0 d-------- C:\dell
2007-12-03 18:13:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-12-02 21:42:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-02 21:14:00 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-02 21:09:27 0 d---s---- C:\Documents and Settings\Administrator\UserData
2007-12-02 19:53:39 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2007-12-02 19:51:19 0 d--hs---- C:\WINDOWS\CSC
2007-11-30 14:54:14 0 d-------- C:\WINDOWS\system32\T?sks
2007-11-29 21:29:48 0 d-------- C:\WINDOWS\??sks
2007-11-29 17:11:28 0 d-------- C:\Program Files\Apple Software Update
2007-11-29 17:11:00 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-11-29 17:10:38 0 d-------- C:\Program Files\Common Files\Apple
2007-11-29 17:10:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-27 11:17:22 0 d-------- C:\Program Files\Common Files\?ymbols
2007-11-26 08:29:38 0 d-------- C:\Program Files\F?nts
2007-11-25 14:56:01 0 d-------- C:\Documents and Settings\Conner\Application Data\s?stem32
2007-11-22 19:20:12 0 d-------- C:\Program Files\s?mbols
2007-11-21 16:40:06 0 d-------- C:\Program Files\?ppPatch
2007-11-20 16:18:13 0 d--hs---- C:\found.001
2007-11-15 21:45:54 0 d-------- C:\Documents and Settings\Conner\Application Data\W?nSxS
2007-11-15 05:52:18 0 d-------- C:\Program Files\Common Files\s?stem32
2007-11-14 18:18:39 0 d-------- C:\Documents and Settings\Ryan\Application Data\AdobeUM
2007-11-08 06:38:08 0 d-------- C:\WINDOWS\system32\F?nts

-- Find3M Report ---------------------------------------------------------------

2007-12-05 19:53:55 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-05 19:45:35 0 d-------- C:\Program Files\FergusonVPN
2007-12-05 19:44:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-04 20:31:37 0 d-------- C:\Program Files\ISM2
2007-12-04 03:05:04 0 d-------- C:\Program Files\iTunes
2007-12-03 21:32:06 0 d-------- C:\Program Files\s?mbols
2007-12-03 06:22:24 0 d-------- C:\Program Files\Common Files\??crosoft
2007-12-03 06:22:24 0 d-------- C:\Program Files\Common Files\s?stem
2007-12-02 21:43:14 0 d-------- C:\Program Files\Lavasoft
2007-12-02 21:00:20 0 d--h----- C:\Program Files\WindowsUpdate
2007-12-02 15:36:54 0 d-------- C:\Program Files\Messenger
2007-11-30 14:54:17 2 --a------ C:\WINDOWS\system32\wcpicc32.exe
2007-11-29 22:10:48 0 d-------- C:\Program Files\Common Files
2007-11-29 17:15:10 0 d-------- C:\Program Files\QuickTime
2007-11-28 19:33:15 0 d-------- C:\Program Files\Quicken
2007-11-27 11:17:22 0 d-------- C:\Program Files\Common Files\?ymbols
2007-11-26 08:29:38 0 d-------- C:\Program Files\F?nts
2007-11-21 16:40:06 0 d-------- C:\Program Files\?ppPatch
2007-11-18 20:20:29 0 d-------- C:\Program Files\Common Files\F?nts
2007-11-15 05:52:18 0 d-------- C:\Program Files\Common Files\s?stem32
2007-11-08 11:12:57 0 d-------- C:\Program Files\?asks
2007-11-05 16:27:52 0 d-------- C:\Program Files\QdrPack
2007-11-01 19:07:30 0 d-------- C:\Program Files\Common Files\??sks
2007-10-30 16:16:32 0 d-------- C:\Program Files\QdrModule
2007-10-26 14:21:12 0 d-------- C:\Program Files\?ecurity
2007-10-26 13:53:19 0 d-------- C:\Program Files\Common Files\??curity
2007-10-24 14:00:19 0 d-------- C:\Program Files\Common Files\A?pPatch
2007-10-22 17:47:23 0 d-------- C:\Program Files\?dobe
2007-10-21 16:50:18 0 d-------- C:\Program Files\Common Files\??mantec
2007-10-18 18:55:31 0 d-------- C:\Program Files\W?nSxS
2007-10-18 14:07:16 0 d-------- C:\Program Files\Common Files\F?nts
2007-10-18 11:45:46 87552 --a------ C:\up21.exe
2007-10-18 11:26:21 300032 --a------ C:\WINDOWS\b148.exe
2007-10-16 21:41:19 286 --a------ C:\sysrestore.exe
2007-10-16 09:56:05 173568 --a------ C:\WINDOWS\b149.exe
2007-10-15 13:01:37 69632 --a------ C:\WINDOWS\b143.exe
2007-10-14 21:03:03 0 d-------- C:\Program Files\Common Files\S?mantec
2007-10-11 17:36:28 0 d-------- C:\Program Files\MSN Gaming Zone
2007-10-10 08:53:54 184320 --a------ C:\WINDOWS\b111.exe

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{688ABEA7-DD8C-43B9-9EDD-F7321DF0728B}]
09/24/2004 06:46 PM 73728 --a------ C:\WINDOWS\system32\gpupdate.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"startdrv"="C:\WINDOWS\Temp\startdrv.exe" [12/07/2007 08:48 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 08:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB9506"=command /c del "C:\WINDOWS\Temp\startdrv.exe"
"SpybotDeletingD2048"=cmd /c del "C:\WINDOWS\Temp\startdrv.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amqmpaq]
C:\WINDOWS\system32\amqmpaq.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aqkk]
C:\WINDOWS\system32\aqkk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\azumjxwvfqru]
C:\WINDOWS\system32\azumjxwvfqru.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bedgaky]
C:\WINDOWS\system32\bedgaky.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brjufqald]
C:\WINDOWS\system32\brjufqald.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brpwknz]
C:\WINDOWS\system32\brpwknz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cgxr]
C:\WINDOWS\system32\cgxr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configure Plug n Play Devices]
plugnplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\curguyafguj]
C:\WINDOWS\system32\curguyafguj.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cy]
C:\WINDOWS\system32\cy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dkk]
C:\WINDOWS\system32\dkk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dluqcy]
C:\WINDOWS\system32\dluqcy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlvdihvl]
C:\WINDOWS\system32\dlvdihvl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\edfzckedzzk]
C:\WINDOWS\system32\edfzckedzzk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\exnsd]
C:\WINDOWS\system32\exnsd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eye]
C:\WINDOWS\system32\eye.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fcdm]
C:\WINDOWS\system32\fcdm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gjzfnpme]
C:\WINDOWS\system32\gjzfnpme.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gqggcfpg]
C:\WINDOWS\system32\gqggcfpg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\guiazr]
C:\WINDOWS\system32\guiazr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gvtpagc]
C:\WINDOWS\system32\gvtpagc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gwlqzlgtw]
C:\WINDOWS\system32\gwlqzlgtw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hbhhhls]
C:\WINDOWS\system32\hbhhhls.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hgkkpkgbmar]
C:\WINDOWS\system32\hgkkpkgbmar.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hjsq]
C:\WINDOWS\system32\hjsq.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hmqklznsbevt]
C:\WINDOWS\system32\hmqklznsbevt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hozytyjec]
C:\Program Files\MSN Gaming Zone\hozytyjec77798.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\huxuxvsbqkmr]
C:\WINDOWS\system32\huxuxvsbqkmr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\i]
C:\WINDOWS\system32\i.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iimz]
C:\WINDOWS\system32\iimz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\inoarl]
C:\WINDOWS\system32\inoarl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jaun]
C:\WINDOWS\system32\jaun.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jl]
C:\WINDOWS\system32\jl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jtliutnj]
C:\WINDOWS\system32\jtliutnj.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jv]
C:\WINDOWS\system32\jv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jyrbgxyskl]
C:\WINDOWS\system32\jyrbgxyskl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k]
C:\WINDOWS\system32\k.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kbvjygx]
C:\WINDOWS\system32\kbvjygx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kejlpwy]
C:\WINDOWS\system32\kejlpwy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kgqnsiiaiwtm]
C:\WINDOWS\system32\kgqnsiiaiwtm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\khipmksuybs]
C:\WINDOWS\system32\khipmksuybs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ks]
C:\WINDOWS\system32\ks.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lcsgx]
C:\WINDOWS\system32\lcsgx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lyffl]
C:\WINDOWS\system32\lyffl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mbslvuhbr]
C:\WINDOWS\system32\mbslvuhbr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Spooler]
wkssvc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mlvx]
C:\WINDOWS\system32\mlvx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nffiopvusmj]
C:\WINDOWS\system32\nffiopvusmj.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nghczzrtfc]
C:\WINDOWS\system32\nghczzrtfc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nkxm]
C:\WINDOWS\system32\nkxm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nl]
C:\WINDOWS\system32\nl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nx]
C:\WINDOWS\system32\nx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nzocquzo]
C:\WINDOWS\system32\nzocquzo.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\omqskdapdy]
C:\WINDOWS\system32\omqskdapdy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\omrnrifal]
C:\WINDOWS\system32\omrnrifal.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osxrtdkcor]
C:\WINDOWS\system32\osxrtdkcor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pextwvchvf]
C:\WINDOWS\system32\pextwvchvf.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pjcpvjg]
C:\WINDOWS\system32\pjcpvjg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pm]
C:\WINDOWS\system32\pm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pn]
C:\WINDOWS\system32\pn.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pqhdede]
C:\WINDOWS\system32\pqhdede.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pqswpsmr]
C:\WINDOWS\system32\pqswpsmr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ptltpl]
C:\WINDOWS\system32\ptltpl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pxrm]
C:\WINDOWS\system32\pxrm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pyzifgndruhy]
C:\WINDOWS\system32\pyzifgndruhy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\q]
C:\WINDOWS\system32\q.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qbhixtuqu]
C:\WINDOWS\system32\qbhixtuqu.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qhoeysznvff]
C:\WINDOWS\system32\qhoeysznvff.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qpswjbbqmsq]
C:\WINDOWS\system32\qpswjbbqmsq.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qrldtdofslef]
C:\WINDOWS\system32\qrldtdofslef.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qwgiusxymu]
C:\WINDOWS\system32\qwgiusxymu.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qyuietkqrr]
C:\WINDOWS\system32\qyuietkqrr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\racirltik]
C:\WINDOWS\system32\racirltik.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rchunlvtjk]
C:\WINDOWS\system32\rchunlvtjk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rd]
C:\WINDOWS\system32\rd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rdsfkgto]
C:\WINDOWS\system32\rdsfkgto.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rwgsmietciw]
C:\WINDOWS\system32\rwgsmietciw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rz]
C:\WINDOWS\system32\rz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sw]
C:\WINDOWS\system32\sw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tjh]
C:\WINDOWS\system32\tjh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tlkjr]
C:\WINDOWS\system32\tlkjr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\urzyysdasfh]
C:\WINDOWS\system32\urzyysdasfh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vhn]
C:\WINDOWS\system32\vhn.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vz]
C:\WINDOWS\system32\vz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wgg]
C:\WINDOWS\system32\wgg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\whjyjtm]
C:\WINDOWS\system32\whjyjtm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Firewall Service]
wfsvc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows System32]
explorer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winsock driver]
fivhzje.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wpzhoowyu]
C:\WINDOWS\system32\wpzhoowyu.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wsokcdgo]
C:\WINDOWS\system32\wsokcdgo.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xbs]
C:\WINDOWS\system32\xbs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xfarouo]
C:\WINDOWS\system32\xfarouo.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xmefwskoed]
C:\WINDOWS\system32\xmefwskoed.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xosgcgvgfbg]
C:\WINDOWS\system32\xosgcgvgfbg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xvay]
C:\WINDOWS\system32\xvay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yf]
C:\WINDOWS\system32\yf.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymcwrypscgw]
C:\WINDOWS\system32\ymcwrypscgw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yqyzy]
C:\WINDOWS\system32\yqyzy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\z]
C:\WINDOWS\system32\z.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zi]
C:\WINDOWS\system32\zi.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"runner1"=C:\WINDOWS\mrofinu450.exe 61A847B5BBF72816379B284503996897C881250221C8670836AC4FA7C88332017491394662E901F3D293314D6ECF32257895769ABCF75D7551F765142DAF48BD878727122CCE7003
"Microsoft Domain Controller"=C:\WINDOWS\system32\mstc.exe
"kbvjygx"=C:\WINDOWS\system32\kbvjygx.exe
"Windows System32"=explorer.exe
"Windows DLL Loader"=C:\WINDOWS\SYSCFG16.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"amqmpaq"=C:\WINDOWS\system32\amqmpaq.exe
"aqkk"=C:\WINDOWS\system32\aqkk.exe
"azumjxwvfqru"=C:\WINDOWS\system32\azumjxwvfqru.exe
"bedgaky"=C:\WINDOWS\system32\bedgaky.exe
"brjufqald"=C:\WINDOWS\system32\brjufqald.exe
"brpwknz"=C:\WINDOWS\system32\brpwknz.exe
"cgxr"=C:\WINDOWS\system32\cgxr.exe
"cnubqrrvqkbp"=C:\WINDOWS\system32\cnubqrrvqkbp.exe
"curguyafguj"=C:\WINDOWS\system32\curguyafguj.exe
"cy"=C:\WINDOWS\system32\cy.exe
"dkk"=C:\WINDOWS\system32\dkk.exe
"dluqcy"=C:\WINDOWS\system32\dluqcy.exe
"dlvdihvl"=C:\WINDOWS\system32\dlvdihvl.exe
"edfzckedzzk"=C:\WINDOWS\system32\edfzckedzzk.exe
"eorxgwvzqidf"=C:\WINDOWS\system32\eorxgwvzqidf.exe
"exnsd"=C:\WINDOWS\system32\exnsd.exe
"fapqunidij"=C:\WINDOWS\system32\fapqunidij.exe
"eye"=C:\WINDOWS\system32\eye.exe
"fcdm"=C:\WINDOWS\system32\fcdm.exe
"gjzfnpme"=C:\WINDOWS\system32\gjzfnpme.exe
"gqggcfpg"=C:\WINDOWS\system32\gqggcfpg.exe "guiazr"=C:\WINDOWS\system32\guiazr.exe "gvtpagc"=C:\WINDOWS\system32\gvtpagc.exe "gwlqzlgtw"=C:\WINDOWS\system32\gwlqzlgtw.exe "hbhhhls"=C:\WINDOWS\system32\hbhhhls.exe "hgkkpkgbmar"=C:\WINDOWS\system32\hgkkpkgbmar.exe "zi"=C:\WINDOWS\system32\zi.exe "yqyzy"=C:\WINDOWS\system32\yqyzy.exe "z"=C:\WINDOWS\system32\z.exe "ymcwrypscgw"=C:\WINDOWS\system32\ymcwrypscgw.exe "yf"=C:\WINDOWS\system32\yf.exe "wpzhoowyu"=C:\WINDOWS\system32\wpzhoowyu.exe "wsokcdgo"=C:\WINDOWS\system32\wsokcdgo.exe "xbs"=C:\WINDOWS\system32\xbs.exe "xfarouo"=C:\WINDOWS\system32\xfarouo.exe "xmefwskoed"=C:\WINDOWS\system32\xmefwskoed.exe "xosgcgvgfbg"=C:\WINDOWS\system32\xosgcgvgfbg.exe "xvay"=C:\WINDOWS\system32\xvay.exe "Windows System32"=explorer.exe "whjyjtm"=C:\WINDOWS\system32\whjyjtm.exe "wgg"=C:\WINDOWS\system32\wgg.exe "vz"=C:\WINDOWS\system32\vz.exe "tlkjr"=C:\WINDOWS\system32\tlkjr.exe "urzyysdasfh"=C:\WINDOWS\system32\urzyysdasfh.exe "vhn"=C:\WINDOWS\system32\vhn.exe "tjh"=C:\WINDOWS\system32\tjh.exe "sw"=C:\WINDOWS\system32\sw.exe "rwgsmietciw"=C:\WINDOWS\system32\rwgsmietciw.exe "rd"=C:\WINDOWS\system32\rd.exe "rdsfkgto"=C:\WINDOWS\system32\rdsfkgto.exe "rz"=C:\WINDOWS\system32\rz.exe "rchunlvtjk"=C:\WINDOWS\system32\rchunlvtjk.exe "racirltik"=C:\WINDOWS\system32\racirltik.exe "qyuietkqrr"=C:\WINDOWS\system32\qyuietkqrr.exe "qwgiusxymu"=C:\WINDOWS\system32\qwgiusxymu.exe "qrldtdofslef"=C:\WINDOWS\system32\qrldtdofslef.exe "qpswjbbqmsq"=C:\WINDOWS\system32\qpswjbbqmsq.exe "hjsq"=C:\WINDOWS\system32\hjsq.exe "hmqklznsbevt"=C:\WINDOWS\system32\hmqklznsbevt.exe "huxuxvsbqkmr"=C:\WINDOWS\system32\huxuxvsbqkmr.exe "i"=C:\WINDOWS\system32\i.exe "iimz"=C:\WINDOWS\system32\iimz.exe "inoarl"=C:\WINDOWS\system32\inoarl.exe "jaun"=C:\WINDOWS\system32\jaun.exe "jl"=C:\WINDOWS\system32\jl.exe "jtliutnj"=C:\WINDOWS\system32\jtliutnj.exe "jv"=C:\WINDOWS\system32\jv.exe "jyrbgxyskl"=C:\WINDOWS\system32\jyrbgxyskl.exe "k"=C:\WINDOWS\system32\k.exe 
"kbvjygx"=C:\WINDOWS\system32\kbvjygx.exe "kejlpwy"=C:\WINDOWS\system32\kejlpwy.exe "kgqnsiiaiwtm"=C:\WINDOWS\system32\kgqnsiiaiwtm.exe "khipmksuybs"=C:\WINDOWS\system32\khipmksuybs.exe "ks"=C:\WINDOWS\system32\ks.exe "lcsgx"=C:\WINDOWS\system32\lcsgx.exe "lyffl"=C:\WINDOWS\system32\lyffl.exe "mbslvuhbr"=C:\WINDOWS\system32\mbslvuhbr.exe "mlvx"=C:\WINDOWS\system32\mlvx.exe "nffiopvusmj"=C:\WINDOWS\system32\nffiopvusmj.exe "nkxm"=C:\WINDOWS\system32\nkxm.exe "nghczzrtfc"=C:\WINDOWS\system32\nghczzrtfc.exe "nl"=C:\WINDOWS\system32\nl.exe "nx"=C:\WINDOWS\system32\nx.exe "nzocquzo"=C:\WINDOWS\system32\nzocquzo.exe "omqskdapdy"=C:\WINDOWS\system32\omqskdapdy.exe "omrnrifal"=C:\WINDOWS\system32\omrnrifal.exe "osxrtdkcor"=C:\WINDOWS\system32\osxrtdkcor.exe "pextwvchvf"=C:\WINDOWS\system32\pextwvchvf.exe "pjcpvjg"=C:\WINDOWS\system32\pjcpvjg.exe "pm"=C:\WINDOWS\system32\pm.exe "pn"=C:\WINDOWS\system32\pn.exe "pqhdede"=C:\WINDOWS\system32\pqhdede.exe "pqswpsmr"=C:\WINDOWS\system32\pqswpsmr.exe "ptltpl"=C:\WINDOWS\system32\ptltpl.exe "pxrm"=C:\WINDOWS\system32\pxrm.exe "pyzifgndruhy"=C:\WINDOWS\system32\pyzifgndruhy.exe "qbhixtuqu"=C:\WINDOWS\system32\qbhixtuqu.exe "qhoeysznvff"=C:\WINDOWS\system32\qhoeysznvff.exe [HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices-] "Windows System32"=explorer.exe -- Hosts ----------------------------------------------------------------------- 127.0.0.1 jayloden.com 127.0.0.1 www.jayloden.com 127.0.0.1 www.hijackthis.de 127.0.0.1 analysis.seclab.tuwien.ac.at 127.0.0.1 sandbox.norman.com 127.0.0.1 www.trendsecure.com 127.0.0.1 007guard.com 127.0.0.1 www.007guard.com 127.0.0.1 008i.com 127.0.0.1 008k.com 7541 more entries in hosts file. -- End of Deckard's System Scanner: finished at 2007-12-07 20:53:27 ------------ |
|
|
|
|
#7
Moderator/Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 3,045
OS: XP
Re: Win32.Backdoor Win32.Trojan PC assistance
Hi, sorry for the delay.
The machine is very very infected. Please post a fresh main.txt log so I can see what's happening to your machine.
__________________
Proud member of UNITE and ASAP since 2006. If we have helped you, please consider donating. The past won't be able to hurt you unless you keep on looking back at it.
#8
Registered User
Join Date: Dec 2007
Posts: 14
OS: xp
Re: Win32.Backdoor Win32.Trojan PC assistance
Thank you for your help. I have been working on the system and think I might have cleaned out a few things, but I still have problems. This is my most updated scan log.
Deckard's System Scanner v20071014.68 Run by Don on 2007-12-17 21:35:08 Computer is in Normal Mode.