Tech Support Forum

Discussion Starter · #1 ·
I get sporadic IE pop-ups when I'm using Mozilla, ranging from every couple of minutes to every few seconds. Some of the URLs that pop up include:

http://getmusicfree.aavalue.com/?referrerID=2154264&affid=0
http://www.leadsandfeeds.com/

I have used many antivirus and antispyware programs to attempt to remove the problem, including:

AdAware 2007
AVG 7.5
Spybot Search and Destroy
Spyware Doctor
Malwarebytes' Anti-Malware
SUPERAntiSpyware
Spyware Blaster

I have also followed all five steps before posting, and I still get popups.

I have attached the requested files, and here's my DSS main log:

Deckard's System Scanner v20071014.68
Run by n8sun1 on 2008-04-20 17:50:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
70: 2008-04-20 21:50:39 UTC - RP122 - Deckard's System Scanner Restore Point
69: 2008-04-20 07:46:30 UTC - RP121 - System Checkpoint
68: 2008-04-19 04:08:46 UTC - RP120 - System Checkpoint
67: 2008-04-18 03:48:35 UTC - RP119 - System Checkpoint
66: 2008-04-12 23:43:36 UTC - RP118 - Installed SUPERAntiSpyware Free Edition


-- First Restore Point --
1: 2008-01-31 04:31:06 UTC - RP53 - Installed Windows Media Player 10


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-20 17:51:54
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\system32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\explorer.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\RTHDCPL.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Grisoft\AVG7\avgamsvr.exe
F:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
F:\Program Files\Grisoft\AVG7\avgupsvc.exe
F:\Program Files\Grisoft\AVG7\avgemc.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Webshots\Webshots.scr
F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Documents and Settings\n8sun1\Desktop\dss.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {A0A18F09-06DE-4CAC-7EA4-F369B2339767} - (no file)
O2 - BHO: (no name) - {A1A67F60-AA71-41FD-8EA5-667F4FF15A88} - (no file)
O2 - BHO: (no name) - {C10D9154-2374-426E-A59C-DC0758D35A13} - (no file)
O2 - BHO: (no name) - {D063771C-94D6-4748-A4A1-3686A9D686AD} - (no file)
O2 - BHO: (no name) - {F3026853-4B52-478E-9E76-04A9F235276D} - (no file)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe " /install
O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "F:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe " /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC"
O4 - HKLM\..\Run: [PHIME2002A] "F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName"
O4 - HKLM\..\Run: [NeroFilterCheck] "F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [LXCJCATS] "rundll32 F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,[email protected]"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] "F:\PROGRA~1\Grisoft\AVG7\avgcc.exe " /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Webshots.lnk = F:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://onecare.live.com (HKCU)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - F:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - F:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - F:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awsuapml - F:\WINDOWS\system32\
O20 - Winlogon Notify: xxyaxwt - F:\WINDOWS\system32\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - f:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: lxcj_device - Unknown owner - F:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: NBService - Unknown owner - F:\Program Files\Nero\Nero 7\Nero
O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe


--
End of file - 7681 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ndiswann - f:\windows\system32\drivers\ndiswann.sys
R3 SASENUM - f:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 catchme - f:\docume~1\n8sun1\locals~1\temp\catchme.sys (file missing)
S3 LVcKap (Logitech AEC Driver) - f:\windows\system32\drivers\lvckap.sys (file missing)
S3 LVMVDrv (Logitech Machine Vision Engine Loader) - f:\windows\system32\drivers\lvmvdrv.sys (file missing)
S3 LVPr2Mon (Logitech LVPr2Mon Driver) - f:\windows\system32\drivers\lvpr2mon.sys (file missing)
S3 LVUSBSta (Logitech USB Monitor Filter) - f:\windows\system32\drivers\lvusbsta.sys (file missing)
S3 PID_0928 (Logitech QuickCam Express(PID_0928)) - f:\windows\system32\drivers\lv561av.sys (file missing)
S3 WINFLASH - i:\winflash.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "f:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "f:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S2 LVPrcSrv (Logitech Process Monitor) - f:\program files\common files\logitech\lvmvfm\lvprcsrv.exe (file missing)
S3 NBService - f:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-03-20 and 2008-04-20 -----------------------------

2008-04-20 10:18:20 0 d-------- F:\Program Files\SpywareBlaster
2008-04-19 15:24:06 0 d-------- F:\WINDOWS\LastGood
2008-04-19 15:23:55 0 d-------- F:\Program Files\Panda Security
2008-04-12 19:43:41 0 d-------- F:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-12 19:43:37 0 d-------- F:\Program Files\SUPERAntiSpyware
2008-04-12 19:43:37 0 d-------- F:\Documents and Settings\n8sun1\Application Data\SUPERAntiSpyware.com
2008-04-11 00:19:04 0 d---s---- F:\Documents and Settings\n8sun1\UserData
2008-04-11 00:00:14 68096 --a------ F:\WINDOWS\system32\zip.exe
2008-04-11 00:00:14 98816 --a------ F:\WINDOWS\system32\sed.exe
2008-04-11 00:00:14 80412 --a------ F:\WINDOWS\system32\grep.exe
2008-04-11 00:00:14 73728 --a------ F:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-29 14:48:36 0 d-------- F:\Documents and Settings\n8sun1\.housecall6.6
2008-03-27 00:18:24 0 d-------- F:\Program Files\Common Files\xing shared
2008-03-27 00:18:12 0 d-------- F:\Program Files\Common Files\Real
2008-03-27 00:18:09 0 d-------- F:\Documents and Settings\n8sun1\Application Data\Real


-- Find3M Report ---------------------------------------------------------------

2008-04-20 17:50:43 0 d-------- F:\Documents and Settings\n8sun1\Application Data\uTorrent
2008-04-19 15:23:56 2554 --a------ F:\WINDOWS\mozver.dat
2008-04-18 21:32:17 0 d-------- F:\Program Files\uTorrent
2008-04-17 22:05:27 0 d-------- F:\Documents and Settings\n8sun1\Application Data\AVG7
2008-04-12 19:43:27 0 d-------- F:\Program Files\Common Files\Wise Installation Wizard
2008-03-30 23:40:30 0 d-------- F:\Program Files\Common Files
2008-03-30 00:44:11 0 d-------- F:\Documents and Settings\n8sun1\Application Data\LimeWire
2008-01-28 00:39:47 10 --a------ F:\Program Files\.autoreg


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A0A18F09-06DE-4CAC-7EA4-F369B2339767}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1A67F60-AA71-41FD-8EA5-667F4FF15A88}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C10D9154-2374-426E-A59C-DC0758D35A13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D063771C-94D6-4748-A4A1-3686A9D686AD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3026853-4B52-478E-9E76-04A9F235276D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [02/03/2008 03:26 PM]
"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [10/04/2007 06:14 PM]
"nwiz"="nwiz.exe" [10/04/2007 06:14 PM F:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [12/20/2007 05:47 PM F:\WINDOWS\RTHDCPL.exe]
"IMJPMIG8.1"="F:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [02/28/2006 08:00 AM]
"MSPY2002"="F:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [02/28/2006 08:00 AM]
"PHIME2002ASync"="F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [02/28/2006 08:00 AM]
"PHIME2002A"="F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [02/28/2006 08:00 AM]
"NeroFilterCheck"="F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/01/2007 04:57 PM]
"LXCJCATS"="F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [02/24/2006 06:07 PM]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 04:42 AM]
"AVG7_CC"="F:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [02/04/2008 02:17 AM]
"Adobe Reader Speed Launcher"="F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"TkBellExe"="F:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/27/2008 12:18 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [02/28/2006 08:00 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [06/01/2007 11:21 AM]
"SpybotSD TeaTimer"="F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 12:43 PM]
"SUPERAntiSpyware"="F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

F:\Documents and Settings\n8sun1\Start Menu\Programs\Startup\
Webshots.lnk - F:\Program Files\Webshots\Launcher.exe [12/27/2007 1:03:28 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= F:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
F:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 F:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awsuapml]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyaxwt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6783bf8d-e165-11dc-a0e4-001aa059ccae}]
AutoRun\command- "L:\Install FreeAgent Tools.exe" /run

*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SASDIFSV



-- End of Deckard's System Scanner: finished at 2008-04-20 17:52:14 ------------


Thanks so much!
 

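The lines in the DSS log above that a helper would read first are the O20 Winlogon Notify entries (awsuapml and xxyaxwt, each pointing at a bare F:\WINDOWS\system32\ with no DLL named, and echoed as empty keys in the Registry Dump) and the five O2 BHO entries marked "(no file)". Winlogon Notify DLLs are loaded by winlogon.exe at logon, so a Notify subkey with no visible DLL is either an orphaned key or a file the scanner could not see; a BHO CLSID with no backing DLL is simply an orphaned registration. The Python script below is an added example, not code from this thread, from HijackThis or from DSS: it pulls those two shapes out of a HijackThis-format log. The SAMPLE_LOG lines are constructed to mirror the posted log, and the names triage, flagged_names, Finding and the two regexes are the example's own.

```python
"""Triage a HijackThis-format log for two entry shapes seen in the DSS log:

  * O2 BHO lines whose DLL is '(no file)': the CLSID is still registered
    under the Browser Helper Objects key but nothing backs it.
  * O20 Winlogon Notify lines whose path is a bare directory: the subkey
    exists but names no DLL, so either the key is orphaned or the file was
    not visible to the scanner.

Added example, not code from the thread, HijackThis or DSS. The SAMPLE_LOG
lines are constructed to mirror the shapes in the posted log.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the exact line shapes HijackThis emits.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {A0A18F09-06DE-4CAC-7EA4-F369B2339767} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awsuapml - F:\WINDOWS\system32\
O20 - Winlogon Notify: xxyaxwt - F:\WINDOWS\system32\
O23 - Service: lxcj_device - Unknown owner - F:\WINDOWS\system32\lxcjcoms.exe
"""

# Hypothetical names chosen for this example, not HijackThis internals.
_BHO = re.compile(r"^O2 - BHO: (?P<name>.*) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
MISSING = {"(no file)", "(file missing)"}  # both spellings HijackThis uses


@dataclass
class Finding:
    section: str  # "O2" or "O20"
    name: str     # BHO display name, or the Notify subkey name
    clsid: str    # BHO CLSID (empty for O20)
    reason: str
    line: str     # the log line as posted


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious O2/O20 line, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _BHO.match(line):
            if m["path"].strip().lower() in MISSING:
                findings.append(Finding("O2", m["name"], m["clsid"],
                                        "BHO CLSID registered but its DLL is gone", line))
        elif m := _NOTIFY.match(line):
            path = m["path"].strip()
            # A Notify subkey must name a DLL in its DLLName value; a trailing
            # backslash means that value was empty or unreadable.
            if path.endswith("\\") or not path.lower().endswith(".dll"):
                findings.append(Finding("O20", m["name"], "",
                                        "Winlogon Notify subkey names a directory, not a DLL", line))
    return findings


def flagged_names(log_text: str) -> list[str]:
    """Just the names, handy for a quick eyeball or a test."""
    return [f.name for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name:<14}{f.reason}")
```

Run against the sample it reports the orphaned BHO and the two Notify subkeys and stays quiet about the entries that name a real DLL. Lines the script does not match (O4, O23, and so on) are passed over rather than guessed at; extending it to another section means adding one regex and one rule, not loosening the existing ones.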

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

REBOOT

Next download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close any open browsers.
  • If your real-time protection or antivirus intervenes with OTScanIt, allow it to run.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
    (Vista users, please right click on OtScanIt.exe and select "Run as an Administrator")
  • Leave all the settings at the default except as noted below
    • Change the checks on both Files created and files changed from 30 days to 90 days
    • Check the box under Drivers for Non-Microsoft
    • Under Additional Scans sections, check the following
      • Reg - BotCheck
      • File - Additional Folder Scan
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
If the log is too large to post, use the Post Reply button, scroll down to the attachments section and attach the notepad file here.
 

Discussion Starter · #4 ·
Code:
OTScanIt logfile created on: 4/26/2008 2:28:10 PM
OTScanIt by OldTimer - Version 1.0.11.5     Folder = F:\Documents and Settings\n8sun1\Desktop\OTScanIt
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 3.65 Gb Available in Paging File | 91.18% Paging File free
Paging file location(s): F:\pagefile.sys 1440 2880;
 
%SystemDrive% = F: | %SystemRoot% = F:\WINDOWS | %ProgramFiles% = F:\Program Files
Drive C: | 146.63 Gb Total Space | 50.11 Gb Free Space | 34.17% Space Free | Partition Type: NTFS
Drive D: | 48.83 Gb Total Space | 6.46 Gb Free Space | 13.22% Space Free | Partition Type: NTFS
Drive E: | 48.83 Gb Total Space | 24.87 Gb Free Space | 50.93% Space Free | Partition Type: NTFS
Drive F: | 33.98 Gb Total Space | 22.72 Gb Free Space | 66.85% Space Free | Partition Type: NTFS
Drive G: | 10.00 Gb Total Space | 6.37 Gb Free Space | 63.69% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
Drive I: | 4.88 Gb Total Space | 4.84 Gb Free Space | 99.02% Space Free | Partition Type: NTFS
Drive J: | 4.88 Gb Total Space | 4.84 Gb Free Space | 99.02% Space Free | Partition Type: NTFS

Computer Name: N8
Current User Name: n8sun1
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
aawservice.exe -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft [Ver = 7,0,2,6 | Size = 587096 bytes | Modified Date = 1/4/2008 2:27:08 PM | Attr =    ]
avgas.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 2/3/2008 3:26:07 PM | Attr =    ]
rthdcpl.exe -> %SystemRoot%\RTHDCPL.exe -> Realtek Semiconductor Corp. [Ver = 2.1.8.2 | Size = 16860672 bytes | Modified Date = 12/20/2007 5:47:36 PM | Attr =    ]
applemobiledeviceservice.exe -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> Apple, Inc. [Ver = 1, 14, 0, 0 | Size = 110592 bytes | Modified Date = 1/15/2008 3:40:04 AM | Attr =    ]
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_04\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.40.12 | Size = 144784 bytes | Modified Date = 12/14/2007 4:42:38 AM | Attr =    ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 8:31:10 AM | Attr =    ]
avgcc.exe -> %ProgramFiles%\Grisoft\AVG7\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.522 | Size = 579584 bytes | Modified Date = 4/24/2008 10:30:58 AM | Attr =    ]
avgamsvr.exe -> %ProgramFiles%\Grisoft\AVG7\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.496 | Size = 418816 bytes | Modified Date = 2/4/2008 2:17:20 AM | Attr =    ]
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.1.45 | Size = 185896 bytes | Modified Date = 3/27/2008 12:18:12 AM | Attr =    ]
nmbgmonitor.exe -> %CommonProgramFiles%\Ahead\Lib\NMBgMonitor.exe -> Nero AG [Ver = 2,0,13,1 | Size = 153136 bytes | Modified Date = 6/1/2007 11:21:08 AM | Attr =    ]
teatimer.exe -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe -> Safer Networking Limited [Ver = 1, 5, 2, 16 | Size = 2097488 bytes | Modified Date = 1/28/2008 12:43:40 PM | Attr = RHS]
superantispyware.exe -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 4, 0, 0, 1154 | Size = 1481968 bytes | Modified Date = 2/29/2008 4:03:46 PM | Attr =    ]
avgupsvc.exe -> %ProgramFiles%\Grisoft\AVG7\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 2/4/2008 2:17:21 AM | Attr =    ]
avgemc.exe -> %ProgramFiles%\Grisoft\AVG7\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.510 | Size = 406528 bytes | Modified Date = 2/4/2008 2:17:20 AM | Attr =    ]
mdnsresponder.exe -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> Apple Inc. [Ver = 1,0,4,12 | Size = 229376 bytes | Modified Date = 7/24/2007 4:17:08 PM | Attr =    ]
nvsvc32.exe -> %SystemRoot%\system32\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.11.6375 | Size = 155716 bytes | Modified Date = 10/4/2007 6:14:00 PM | Attr =    ]
webshots.scr -> %ProgramFiles%\Webshots\Webshots.scr -> Webshots.com [Ver = 3, 0, 0, 7231 | Size = 3294544 bytes | Modified Date = 10/29/2007 6:28:48 PM | Attr =    ]
avgw.exe -> %ProgramFiles%\Grisoft\AVG7\avgw.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.502 | Size = 219136 bytes | Modified Date = 2/4/2008 2:17:21 AM | Attr =    ]
nmindexingservice.exe -> %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe -> Nero AG [Ver = 2,0,13,1 | Size = 271920 bytes | Modified Date = 6/1/2007 11:21:30 AM | Attr =    ]
nmindexstoresvr.exe -> %CommonProgramFiles%\Ahead\Lib\NMIndexStoreSvr.exe -> Nero AG [Ver = 2,0,13,1 | Size = 1209904 bytes | Modified Date = 6/1/2007 11:21:30 AM | Attr =    ]
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.11.5 | Size = 370688 bytes | Modified Date = 4/24/2008 4:30:38 AM | Attr =    ]

[Win32 Services - Non-Microsoft Only]
(aawservice) Ad-Aware 2007 Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft [Ver = 7,0,2,6 | Size = 587096 bytes | Modified Date = 1/4/2008 2:27:08 PM | Attr =    ]
(Apple Mobile Device) Apple Mobile Device [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> Apple, Inc. [Ver = 1, 14, 0, 0 | Size = 110592 bytes | Modified Date = 1/15/2008 3:40:04 AM | Attr =    ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 8:31:10 AM | Attr =    ]
(Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG7\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.496 | Size = 418816 bytes | Modified Date = 2/4/2008 2:17:20 AM | Attr =    ]
(Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG7\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 2/4/2008 2:17:21 AM | Attr =    ]
(AVGEMS) AVG E-mail Scanner [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG7\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.510 | Size = 406528 bytes | Modified Date = 2/4/2008 2:17:20 AM | Attr =    ]
(Bonjour Service) Bonjour Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> Apple Inc. [Ver = 1,0,4,12 | Size = 229376 bytes | Modified Date = 7/24/2007 4:17:08 PM | Attr =    ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 2/28/2006 8:00:00 AM | Attr =    ]
(iPod Service) iPod Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Inc. [Ver = 7.6.0.29 | Size = 504104 bytes | Modified Date = 1/15/2008 4:22:44 AM | Attr =    ]
(LVPrcSrv) Logitech Process Monitor [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\logitech\lvmvfm\LVPrcSrv.exe -> File not found
(lxcj_device) lxcj_device [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\system32\lxcjcoms.exe ->   [Ver = 1.198.16.0 | Size = 491520 bytes | Modified Date = 10/24/2005 9:33:04 AM | Attr =    ]
(NBService) NBService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBService.exe -> Nero AG [Ver = 2, 9, 1, 0 | Size = 792112 bytes | Modified Date = 4/13/2007 10:09:56 PM | Attr =    ]
(NMIndexingService) NMIndexingService [Win32_Own | On_Demand | Running] -> %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe -> Nero AG [Ver = 2,0,13,1 | Size = 271920 bytes | Modified Date = 6/1/2007 11:21:30 AM | Attr =    ]
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.11.6375 | Size = 155716 bytes | Modified Date = 10/4/2007 6:14:00 PM | Attr =    ]
(sdAuxService) PC Tools Auxiliary Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Spyware Doctor\pctsAuxs.exe -> PC Tools [Ver = 5.5.0.37 | Size = 747912 bytes | Modified Date = 12/10/2007 3:53:44 PM | Attr =    ]
(sdCoreService) PC Tools Security Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Spyware Doctor\pctsSvc.exe -> PC Tools [Ver = 5.5.0.68 | Size = 946568 bytes | Modified Date = 12/10/2007 3:53:46 PM | Attr =    ]

[Driver Services - Non-Microsoft Only]
(AVG Anti-Spyware Driver) AVG Anti-Spyware Driver [Kernel | System | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.sys ->  [Ver =  | Size = 11000 bytes | Modified Date = 5/30/2007 8:10:42 AM | Attr =    ]
(Avg7Core) AVG7 Kernel [Kernel | System | Running] -> %SystemRoot%\system32\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.498 | Size = 821856 bytes | Modified Date = 2/4/2008 2:17:23 AM | Attr =    ]
(Avg7RsW) AVG7 Wrap Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\avg7rsw.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,340 | Size = 4224 bytes | Modified Date = 2/4/2008 2:17:26 AM | Attr =    ]
(Avg7RsXP) AVG7 Resident Driver XP [Kernel | System | Running] -> %SystemRoot%\system32\drivers\avg7rsxp.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 27776 bytes | Modified Date = 2/4/2008 2:17:26 AM | Attr =    ]
(AvgAsCln) AVG Anti-Spyware Clean Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Modified Date = 5/30/2007 8:10:42 AM | Attr =    ]
(AvgClean) AVG7 Clean Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\avgclean.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10760 bytes | Modified Date = 2/4/2008 2:17:26 AM | Attr =    ]
(AvgTdi) AVG Network Redirector [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\avgtdi.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,346 | Size = 4960 bytes | Modified Date = 2/4/2008 2:17:26 AM | Attr =    ]
(catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\n8sun1\LOCALS~1\Temp\catchme.sys -> File not found
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 799744 bytes | Modified Date = 2/28/2006 8:00:00 AM | Attr =    ]
(dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 153344 bytes | Modified Date = 2/28/2006 8:00:00 AM | Attr =    ]
(dmload) dmload [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 2/28/2006 8:00:00 AM | Attr =    ]
(GEARAspiWDM) GEARAspiWDM [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\GEARAspiWDM.sys -> GEAR Software Inc. [Ver = 2.0.6.1 | Size = 15664 bytes | Modified Date = 9/19/2006 3:44:04 PM | Attr =    ]
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\Hdaudbus.sys -> Windows (R) Server 2003 DDK provider [Ver = 5.10.01.5013 built by: WinDDK | Size = 138752 bytes | Modified Date = 1/7/2005 6:07:18 PM | Attr =    ]
(HSFHWBS2) HSFHWBS2 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\HSFHWBS2.sys -> Conexant Systems, Inc. [Ver = 7.06.00 | Size = 212224 bytes | Modified Date = 11/17/2003 4:59:20 PM | Attr =    ]
(HSF_DP) HSF_DP [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\HSF_DP.sys -> Conexant Systems, Inc. [Ver = 7.06.00 | Size = 1042432 bytes | Modified Date = 11/17/2003 4:56:26 PM | Attr =    ]
(IKFileSec) File Security Driver [File_System | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\ikfilesec.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1038 built by: WinDDK | Size = 41864 bytes | Modified Date = 12/10/2007 3:53:28 PM | Attr =    ]
(IKSysFlt) System Filter Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\iksysflt.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1029 | Size = 66952 bytes | Modified Date = 12/10/2007 3:53:28 PM | Attr =    ]
(IKSysSec) System Security Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\iksyssec.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1031 | Size = 81288 bytes | Modified Date = 12/10/2007 3:53:28 PM | Attr =    ]
(IntcAzAudAddService) Service for Realtek HD Audio (WDM) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\RtkHDAud.sys -> Realtek Semiconductor Corp. [Ver = 5.10.0.5532 built by: WinDDK | Size = 4637696 bytes | Modified Date = 12/20/2007 7:00:06 PM | Attr =    ]
(mdmxsdk) mdmxsdk [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\mdmxsdk.sys -> Conexant [Ver = 1.0.2.002 | Size = 11043 bytes | Modified Date = 4/9/2003 2:48:08 PM | Attr =    ]
(ndiswann) ndiswann [Kernel | System | Running] -> %SystemRoot%\system32\drivers\ndiswann.sys ->  [Ver =  | Size = 86016 bytes | Modified Date = 1/27/2008 12:18:53 AM | Attr =    ]
(nv) nv [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\nv4_mini.sys -> NVIDIA Corporation [Ver = 6.14.11.6375 | Size = 6854464 bytes | Modified Date = 10/4/2007 6:14:00 PM | Attr =    ]
(nvata) nvata [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\nvata.sys -> NVIDIA Corporation [Ver = 5.10.2600.0692 built by: WinDDK | Size = 105472 bytes | Modified Date = 10/18/2006 5:31:38 PM | Attr =    ]
(NVENETFD) NVIDIA nForce Networking Controller Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\NVENETFD.sys -> NVIDIA Corporation [Ver = 1.00.03.06548 | Size = 58368 bytes | Modified Date = 11/27/2006 5:33:50 PM | Attr =    ]
(nvgts) nvgts [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\nvgts.sys -> NVIDIA Corporation [Ver = 5.10.2600.0998 built by: WinDDK | Size = 102400 bytes | Modified Date = 8/9/2007 12:11:00 PM | Attr =    ]
(nvnetbus) NVIDIA Network Bus Enumerator [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\nvnetbus.sys -> NVIDIA Corporation [Ver = 1.00.03.06548 | Size = 19968 bytes | Modified Date = 11/27/2006 5:33:54 PM | Attr =    ]
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 2/28/2006 8:00:00 AM | Attr =    ]
(SASDIFSV) SASDIFSV [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\sasdifsv.sys ->  [Ver = 1, 0, 0, 1006 | Size = 8944 bytes | Modified Date = 2/29/2008 4:03:48 PM | Attr =    ]
(SASENUM) SASENUM [Kernel | On_Demand | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASENUM.SYS -> SuperAdBlocker, Inc. [Ver = 1, 0, 0, 1002 | Size = 4096 bytes | Modified Date = 2/16/2006 4:51:08 PM | Attr = R  ]
(SASKUTIL) SASKUTIL [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASKUTIL.SYS ->  [Ver = 1, 0, 0, 1050 | Size = 51440 bytes | Modified Date = 2/29/2008 4:03:46 PM | Attr =    ]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\secdrv.sys -> Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. [Ver = 4.03.086 | Size = 20480 bytes | Modified Date = 11/13/2007 6:25:53 AM | Attr =    ]
(sptd) sptd [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\sptd.sys ->  [Ver =  | Size = 715248 bytes | Modified Date = 1/4/2008 4:07:28 AM | Attr =    ]
(winachsf) winachsf [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\HSF_CNXT.sys -> Conexant Systems, Inc. [Ver = 7.06.00 built by: WinDDK | Size = 680704 bytes | Modified Date = 11/17/2003 4:58:02 PM | Attr =    ]
(WINFLASH) WINFLASH [Kernel | On_Demand | Stopped] -> I:\WinFlash.sys -> File not found

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
!AVG Anti-Spyware -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe ["F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 2/3/2008 3:26:07 PM | Attr =    ]
Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\reader_sl.exe ["F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"] -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 39792 bytes | Modified Date = 1/11/2008 11:16:38 PM | Attr =    ]
AVG7_CC -> %ProgramFiles%\Grisoft\AVG7\avgcc.exe ["F:\PROGRA~1\Grisoft\AVG7\avgcc.exe " /STARTUP] -> GRISOFT, s.r.o. [Ver = 7.5.0.522 | Size = 579584 bytes | Modified Date = 4/24/2008 10:30:58 AM | Attr =    ]
LXCJCATS -> %SystemRoot%\system32\spool\drivers\w32x86\3\lxcjtime.dll ["rundll32 F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,[email protected]"] ->  [Ver = 0.1.11.5 | Size = 73728 bytes | Modified Date = 2/24/2006 6:07:00 PM | Attr =    ]
MSPY2002 -> %SystemRoot%\system32\IME\PINTLGNT\IMSCINST.EXE ["F:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe " /SYNC] ->  [Ver =  | Size = 59392 bytes | Modified Date = 2/28/2006 8:00:00 AM | Attr =    ]
NeroFilterCheck -> %CommonProgramFiles%\Ahead\Lib\NeroCheck.exe ["F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"] -> Nero AG [Ver = 1, 0, 0, 6 | Size = 153136 bytes | Modified Date = 3/1/2007 4:57:24 PM | Attr =    ]
NvCplDaemon -> %SystemRoot%\system32\nvcpl.dll ["RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup"] -> NVIDIA Corporation [Ver = 6.14.11.6375 | Size = 8491008 bytes | Modified Date = 10/4/2007 6:14:00 PM | Attr =    ]
nwiz -> %SystemRoot%\system32\nwiz.exe ["nwiz.exe " /install] ->  [Ver =  | Size = 1626112 bytes | Modified Date = 10/4/2007 6:14:00 PM | Attr =    ]
RTHDCPL -> %SystemRoot%\RTHDCPL.exe ["RTHDCPL.EXE"] -> Realtek Semiconductor Corp. [Ver = 2.1.8.2 | Size = 16860672 bytes | Modified Date = 12/20/2007 5:47:36 PM | Attr =    ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_04\bin\jusched.exe ["F:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"] -> Sun Microsystems, Inc. [Ver = 6.0.40.12 | Size = 144784 bytes | Modified Date = 12/14/2007 4:42:38 AM | Attr =    ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe ["F:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot] -> RealNetworks, Inc. [Ver = 0.1.1.45 | Size = 185896 bytes | Modified Date = 3/27/2008 12:18:12 AM | Attr =    ]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 
IMAIL-> Installed = 1 -> 
MAPI-> Installed = 1 -> 
MSFS-> Installed = 1 -> 
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} -> %CommonProgramFiles%\Ahead\Lib\NMBgMonitor.exe ["F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"] -> Nero AG [Ver = 2,0,13,1 | Size = 153136 bytes | Modified Date = 6/1/2007 11:21:08 AM | Attr =    ]
SpybotSD TeaTimer -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe ["F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"] -> Safer Networking Limited [Ver = 1, 5, 2, 16 | Size = 2097488 bytes | Modified Date = 1/28/2008 12:43:40 PM | Attr = RHS]
SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe [F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe] -> SUPERAntiSpyware.com [Ver = 4, 0, 0, 1154 | Size = 1481968 bytes | Modified Date = 2/29/2008 4:03:46 PM | Attr =    ]
< n8sun1 Startup Folder > -> F:\Documents and Settings\n8sun1\Start Menu\Programs\Startup -> 
%UserProfile%\Start Menu\Programs\Startup\Webshots.lnk -> %ProgramFiles%\Webshots\Launcher.exe -> Webshots.com [Ver = 3, 0, 0, 7231 | Size = 157008 bytes | Modified Date = 10/29/2007 6:28:38 PM | Attr =    ]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 5/30/2007 8:29:58 AM | Attr =    ]
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 12:55:48 PM | Attr =    ]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 4/19/2007 12:41:36 PM | Attr =    ]
awsuapml ->  -> File not found
xxyaxwt ->  -> File not found
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DisableRegistryTools -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideLegacyLogonScripts -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideLogoffScripts -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\RunLogonScriptSync -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\RunStartupScriptSync -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideStartupScripts -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideLegacyLogonScripts -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideLogoffScripts -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\RunLogonScriptSync -> 1 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\RunStartupScriptSync -> 1 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideStartupScripts -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DisableRegistryTools -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> -> 
< HOSTS File > (27 bytes) -> F:\WINDOWS\System32\drivers\etc\Hosts -> 
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home -> 
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\Local Page -> F:\WINDOWS\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\Start Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 
HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 
HKEY_CURRENT_USER\: ProxyOverride -> *.local -> 
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4254 domain(s) found. -> 
33 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 6372 domain(s) found. -> 
onecare_live.com [http] -> Trusted sites -> 
40 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{000123B4-9B42-4900-B3F7-F4B073EFC214} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Orbitdownloader\orbitcth.dll [Octh Class] -> Orbitdownloader.com [Ver = 2, 4, 0, 1 | Size = 187512 bytes | Modified Date = 4/2/2008 3:36:10 PM | Attr =    ]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/23/2006 12:08:42 AM | Attr =    ]
{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> Safer Networking Limited [Ver = 1, 5, 0, 11 | Size = 1554256 bytes | Modified Date = 1/28/2008 12:43:28 PM | Attr =    ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_04\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.40.12 | Size = 509328 bytes | Modified Date = 12/14/2007 4:42:36 AM | Attr =    ]
{A0A18F09-06DE-4CAC-7EA4-F369B2339767} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
{A1A67F60-AA71-41FD-8EA5-667F4FF15A88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
{C10D9154-2374-426E-A59C-DC0758D35A13} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
{D063771C-94D6-4748-A4A1-3686A9D686AD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
{F3026853-4B52-478E-9E76-04A9F235276D} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Sun Java Console] -> File not found
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 11 | Size = 1554256 bytes | Modified Date = 1/28/2008 12:43:28 PM | Attr =    ]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] ->  [Sun Java Console] -> File not found
CmdMapping\\{5F52F0E7-8E1E-440A-8336-0816BD59017D} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 11 | Size = 1554256 bytes | Modified Date = 1/28/2008 12:43:28 PM | Attr =    ]
CmdMapping\\{FB858B22-55E2-413f-87F5-30ADC5552151} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 
&Download by Orbit -> %ProgramFiles%\Orbitdownloader\orbitmxt.dll -> Orbitdownloader.com [Ver = 2, 1, 0, 1 | Size = 53248 bytes | Modified Date = 7/13/2007 5:23:42 PM | Attr =    ]
&Grab video by Orbit -> %ProgramFiles%\Orbitdownloader\orbitmxt.dll -> Orbitdownloader.com [Ver = 2, 1, 0, 1 | Size = 53248 bytes | Modified Date = 7/13/2007 5:23:42 PM | Attr =    ]
Do&wnload selected by Orbit -> %ProgramFiles%\Orbitdownloader\orbitmxt.dll -> Orbitdownloader.com [Ver = 2, 1, 0, 1 | Size = 53248 bytes | Modified Date = 7/13/2007 5:23:42 PM | Attr =    ]
Down&load all by Orbit -> %ProgramFiles%\Orbitdownloader\orbitmxt.dll -> Orbitdownloader.com [Ver = 2, 1, 0, 1 | Size = 53248 bytes | Modified Date = 7/13/2007 5:23:42 PM | Attr =    ]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< User Agent Post Platform [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform -> 
SV1 ->  -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{5585A1B8-3C11-4F1A-88B2-E41D941EB0FA} ->    (NVIDIA nForce Networking Controller) -> 
{B94F8079-802B-45F7-BB2E-B71537F6A86F} ->    () -> 
< Winsock2 Catalogs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\ -> 
NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] -> %ProgramFiles%\Bonjour\mdnsNSP.dll -> Apple Inc. [Ver = 1,0,4,12 | Size = 147456 bytes | Modified Date = 7/24/2007 4:17:08 PM | Attr =    ]
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
skype4com:{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Skype\Skype4COM.dll[IEProtocolHandler Class] -> Skype Technologies [Ver = 1, 0, 28, 2 | Size = 1934672 bytes | Modified Date = 12/12/2007 4:20:48 PM | Attr = R  ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab[Java Plug-in 1.6.0_04] -> 
{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/products/plugin/1.4/jinstall-14_07-windows-i586.cab[Java Plug-in 1.4.1_07] -> 
{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab[Java Plug-in 1.6.0_04] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab[Java Plug-in 1.6.0_04] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] -> 
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/Downloaded Program Files/FP_AX_CAB_INSTALLER.exe\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/Downloaded Program Files/FP_AX_CAB_INSTALLER.exe\\.Owner -> {D27CDB6E-AE6D-11CF-96B8-444553540000} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\F:/WINDOWS/Downloaded Program Files/FP_AX_CAB_INSTALLER.exe\\{D27CDB6E-AE6D-11CF-96B8-444553540000} ->  -> 


[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineLaunchRestriction -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineAccessRestriction -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\EnableDCOM -> Y -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{A50398B8-9075-4FBF-A7A1-456BF21937AD} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{AD65A69D-3831-40D7-9629-9B0B50A93843} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{0040D221-54A1-11D1-9DE0-006097042D69} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ -> ->
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> 
msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Modified Date = 2/28/2006 8:00:00 AM | Attr =    ]
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds -> 0  [binary data] -> 
*Security Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages -> 
kerberos -> %SystemRoot%\system32\kerberos.dll -> Microsoft Corporation [Ver = 5.1.2600.2698 (xpsp_sp2_gdr.050614-1522) | Size = 295936 bytes | Modified Date = 6/15/2005 1:49:30 PM | Attr =    ]
msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Modified Date = 2/28/2006 8:00:00 AM | Attr =    ]
schannel -> %SystemRoot%\system32\schannel.dll -> Microsoft Corporation [Ver = 5.1.2600.3126 (xpsp_sp2_gdr.070425-0226) | Size = 144896 bytes | Modified Date = 4/25/2007 10:21:15 AM | Attr =    ]
wdigest -> %SystemRoot%\system32\wdigest.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 49152 bytes | Modified Date = 2/28/2006 8:00:00 AM | Attr =    ]
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\ImpersonatePrivilegeUpgradeToolHasRun -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid -> 848 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\auditbaseobjects -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\crashonauditfail -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\disabledomaincreds -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\everyoneincludesanonymous -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fipsalgorithmpolicy -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\forceguest -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fullprivilegeauditing ->  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\limitblankpassworduse -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nodefaultadminowner -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nolmhash -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymous -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymoussam -> 1 -> 
*Notification Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages -> 
scecli -> %SystemRoot%\system32\scecli.dll -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 180224 bytes | Modified Date = 2/28/2006 8:00:00 AM | Attr =    ]
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\enabledcom -> y -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ -> -> 
*ProviderOrder* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\\ProviderOrder -> 
Windows NT Access Provider ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\\ProviderPath -> F:\WINDOWS\system32\ntmarta.dll [%SystemRoot%\system32\ntmarta.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 118784 bytes | Modified Date = 2/28/2006 8:00:00 AM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\\Pattern -> C3 00 25 6F 59 B5 80 60 42 25 47 70 56 7A D7 7B 64 62 64 33 34 34 38 37 00 FD 07 00 E2 19 00 00 34 FA 07 00 56 82 7C 75 20 FA 07 00 40 FD 07 00 4C FD 07 00 39 B3 D3 1A CA 3F D3 EB 33 A3 74 DB  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\\GrafBlumGroup -> CB FC D9 F9 A7 14 58 94 F7  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\\Lookup -> 19 CC 85 0E 6A 96  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\Auth132 -> F:\WINDOWS\system32\iissuba.dll [IISSUBA] -> Microsoft Corporation [Ver = 6.0.2600.0 (xpclient.010817-1148) | Size = 9216 bytes | Modified Date = 2/28/2006 8:00:00 AM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminclientsec -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminserversec -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\\SkewMatrix -> A2 BC B0 95 08 94 1B F1 29 45 6A 99 4C C4 2F BF  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\\SSOURL -> http://www.passport.com -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\\Time -> 16 71 1B D8 88 9B C8 01  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Name -> Digest -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Comment -> Digest SSPI Authentication Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Capabilities -> 16464 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\RpcId -> 65535 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\TokenSize -> 65535 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Time -> 00 A0 13 80 5E 3C C6 01  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Name -> DPA -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Comment -> DPA Security Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Capabilities -> 55 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\RpcId -> 17 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\TokenSize -> 768 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Time -> 00 A0 13 80 5E 3C C6 01  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Name -> MSN -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Comment -> MSN Security Package -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Capabilities -> 55 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\RpcId -> 18 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Version -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\TokenSize -> 768 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Time -> 00 A0 13 80 5E 3C C6 01  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Type -> 49 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup ->  -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> Netman;WinMgmt; -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Windows Firewall/Internet Connection Sharing (ICS) -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> F:\WINDOWS\system32\svchost.exe [%SystemRoot%\System32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 2/28/2006 8:00:00 AM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\\Epoch -> 11675 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> F:\WINDOWS\system32\ipnathlp.dll [%SystemRoot%\System32\ipnathlp.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 331264 bytes | Modified Date = 2/28/2006 8:00:00 AM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\F:\Program Files\eDonkeyP2P\EdonkeyP2P.exe -> F:\Program Files\eDonkeyP2P\EdonkeyP2P.exe [F:\Program Files\eDonkeyP2P\EdonkeyP2P.exe:*:Enabled:EdonkeyP2P] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\139:TCP -> 139:TCP:*:Enabled:@xpsp2res.dll,-22004 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\445:TCP -> 445:TCP:*:Enabled:@xpsp2res.dll,-22005 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\137:UDP -> 137:UDP:*:Enabled:@xpsp2res.dll,-22001 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\138:UDP -> 138:UDP:*:Enabled:@xpsp2res.dll,-22002 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DoNotAllowExceptions -> 0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\F:\Program Files\uTorrent\uTorrent.exe -> F:\Program Files\uTorrent\uTorrent.exe [F:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent] ->  [Ver =  | Size = 219952 bytes | Modified Date = 1/31/2008 1:04:28 AM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\F:\Program Files\Grisoft\AVG7\avginet.exe -> F:\Program Files\Grisoft\AVG7\avginet.exe [F:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe] -> GRISOFT, s.r.o. [Ver = 7.5.0.522 | Size = 510976 bytes | Modified Date = 4/24/2008 10:30:58 AM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\F:\Program Files\Grisoft\AVG7\avgamsvr.exe -> F:\Program Files\Grisoft\AVG7\avgamsvr.exe [F:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe] -> GRISOFT, s.r.o. [Ver = 7.5.0.496 | Size = 418816 bytes | Modified Date = 2/4/2008 2:17:20 AM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\F:\Program Files\Grisoft\AVG7\avgcc.exe -> F:\Program Files\Grisoft\AVG7\avgcc.exe [F:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe] -> GRISOFT, s.r.o. [Ver = 7.5.0.522 | Size = 579584 bytes | Modified Date = 4/24/2008 10:30:58 AM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\F:\Program Files\Grisoft\AVG7\avgemc.exe -> F:\Program Files\Grisoft\AVG7\avgemc.exe [F:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe] -> GRISOFT, s.r.o. [Ver = 7.5.0.510 | Size = 406528 bytes | Modified Date = 2/4/2008 2:17:20 AM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Real\RealPlayer\realplay.exe -> C:\Program Files\Real\RealPlayer\realplay.exe [C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer] -> RealNetworks, Inc. [Ver = 11.0.0.442 | Size = 214560 bytes | Modified Date = 3/27/2008 12:18:14 AM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\F:\Program Files\LimeWire\LimeWire.exe -> F:\Program Files\LimeWire\LimeWire.exe [F:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire] -> Lime Wire, LLC [Ver = 1, 0, 0, 2 | Size = 147456 bytes | Modified Date = 2/8/2008 5:32:57 PM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\F:\Program Files\Free Music Zilla\FMZilla.exe -> F:\Program Files\Free Music Zilla\FMZilla.exe [F:\Program Files\Free Music Zilla\FMZilla.exe:*:Enabled:FMZilla Module] ->  [Ver = 1, 0, 0, 5 | Size = 626688 bytes | Modified Date = 10/17/2007 9:45:42 AM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\F:\Program Files\Orbitdownloader\orbitdm.exe -> F:\Program Files\Orbitdownloader\orbitdm.exe [F:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit] -> Orbitdownloader.com [Ver = 2, 6, 0, 5 | Size = 1678536 bytes | Modified Date = 4/2/2008 3:36:10 PM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\F:\Program Files\Orbitdownloader\orbitnet.exe -> F:\Program Files\Orbitdownloader\orbitnet.exe [F:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit] -> Orbitdownloader.com [Ver = 2, 6, 0, 4 | Size = 356352 bytes | Modified Date = 3/18/2008 3:34:14 PM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\139:TCP -> 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\445:TCP -> 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\137:UDP -> 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\138:UDP -> 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP -> 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP -> 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\\ServiceUpgrade -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\All -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\0 -> Root\LEGACY_SHAREDACCESS\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\NextInstance -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> F:\WINDOWS\system32\svchost.exe [%systemroot%\system32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 2/28/2006 8:00:00 AM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> F:\WINDOWS\system32\wuauserv.dll [F:\WINDOWS\system32\wuauserv.dll] -> Microsoft Corporation [Ver = 5.4.3790.2180 (xpsp_sp2_rtm.040803-2158) | Size = 6656 bytes | Modified Date = 2/28/2006 8:00:00 AM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Description -> Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. -> 
*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DependOnService -> 
RPCSS -> %SystemRoot%\system32\rpcss.dll -> Microsoft Corporation [Ver = 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) | Size = 397824 bytes | Modified Date = 7/26/2005 12:39:49 AM | Attr =    ]
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DisplayName -> Remote Registry -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ImagePath -> F:\WINDOWS\system32\svchost.exe [%SystemRoot%\system32\svchost.exe -k LocalService] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 2/28/2006 8:00:00 AM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ObjectName -> NT AUTHORITY\LocalService -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Group ->  -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\FailureActions -> 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 E0 AD 08 00 01 00 00 00 E8 03 00 00  [binary data] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\\ServiceDll -> F:\WINDOWS\system32\regsvc.dll [%SystemRoot%\system32\regsvc.dll] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 59904 bytes | Modified Date = 2/28/2006 8:00:00 AM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\\Security -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\0 -> Root\LEGACY_REMOTEREGISTRY\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\NextInstance -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Type -> 16 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Start -> 4 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ImagePath -> F:\WINDOWS\system32\tlntsvr.exe [F:\WINDOWS\system32\tlntsvr.exe] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 73216 bytes | Modified Date = 2/28/2006 8:00:00 AM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DisplayName -> Telnet -> 
*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnService -> 
RPCSS -> %SystemRoot%\system32\rpcss.dll -> Microsoft Corporation [Ver = 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) | Size = 397824 bytes | Modified Date = 7/26/2005 12:39:49 AM | Attr =    ]
TCPIP ->  -> File not found
NTLMSSP ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnGroup ->  -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Description -> Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\\Security -> [Binary data over 100 bytes] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable -> 0 -> 


[Files/Folders - Created Within 90 days]
$VAULT$.AVG -> %SystemDrive%\$VAULT$.AVG ->  [Folder | Created Date = 2/4/2008 3:31:02 AM | Attr = RH ]
ComboFix -> %SystemDrive%\ComboFix ->  [Folder | Created Date = 4/11/2008 12:00:12 AM | Attr =    ]
Deckard -> %SystemDrive%\Deckard ->  [Folder | Created Date = 4/20/2008 5:50:28 PM | Attr =    ]
Downloads -> %SystemDrive%\Downloads ->  [Folder | Created Date = 4/23/2008 6:48:10 PM | Attr =    ]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Created Date = 4/11/2008 12:00:15 AM | Attr =    ]
avg7core.sys -> %SystemRoot%\System32\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.498 | Size = 821856 bytes | Created Date = 2/4/2008 2:17:23 AM | Attr =    ]
avg7rsw.sys -> %SystemRoot%\System32\drivers\avg7rsw.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,340 | Size = 4224 bytes | Created Date = 2/4/2008 2:17:26 AM | Attr =    ]
avg7rsxp.sys -> %SystemRoot%\System32\drivers\avg7rsxp.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 27776 bytes | Created Date = 2/4/2008 2:17:26 AM | Attr =    ]
AvgAsCln.sys -> %SystemRoot%\System32\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 2/3/2008 3:25:03 PM | Attr =    ]
avgclean.sys -> %SystemRoot%\System32\drivers\avgclean.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10760 bytes | Created Date = 2/4/2008 2:17:26 AM | Attr =    ]
avgmfx86.sys -> %SystemRoot%\System32\drivers\avgmfx86.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.510 | Size = 26952 bytes | Created Date = 2/4/2008 2:17:26 AM | Attr =    ]
avgtdi.sys -> %SystemRoot%\System32\drivers\avgtdi.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,346 | Size = 4960 bytes | Created Date = 2/4/2008 2:17:26 AM | Attr =    ]
core.cache.dsk -> %SystemRoot%\System32\drivers\core.cache.dsk ->  [Ver =  | Size = 167545 bytes | Created Date = 4/17/2008 10:04:12 PM | Attr =    ]
ikfilesec.sys -> %SystemRoot%\System32\drivers\ikfilesec.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1038 built by: WinDDK | Size = 41864 bytes | Created Date = 2/9/2008 9:45:00 AM | Attr =    ]
iksysflt.sys -> %SystemRoot%\System32\drivers\iksysflt.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1029 | Size = 66952 bytes | Created Date = 2/9/2008 9:45:00 AM | Attr =    ]
iksyssec.sys -> %SystemRoot%\System32\drivers\iksyssec.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1031 | Size = 81288 bytes | Created Date = 2/9/2008 9:45:00 AM | Attr =    ]
kcom.sys -> %SystemRoot%\System32\drivers\kcom.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1008 | Size = 29576 bytes | Created Date = 2/9/2008 9:45:00 AM | Attr =    ]
A8A9ABA8ADA5A7 -> %SystemRoot%\System32\A8A9ABA8ADA5A7 ->  [Folder | Created Date = 1/28/2008 6:16:38 AM | Attr =    ]
2 F:\WINDOWS\System32\*.tmp files -> F:\WINDOWS\System32\*.tmp -> 
en-US -> %SystemRoot%\System32\en-US ->  [Folder | Created Date = 2/1/2008 7:28:19 PM | Attr =    ]
fdsv.exe -> %SystemRoot%\System32\fdsv.exe -> Smallfrogs Studio [Ver = 1.0.0.10 | Size = 73728 bytes | Created Date = 4/11/2008 12:00:14 AM | Attr =    ]
grep.exe -> %SystemRoot%\System32\grep.exe ->  [Ver =  | Size = 80412 bytes | Created Date = 4/11/2008 12:00:14 AM | Attr =    ]
ikhcore.cfg -> %SystemRoot%\System32\ikhcore.cfg ->  [Ver =  | Size = 100 bytes | Created Date = 3/26/2008 3:02:42 PM | Attr =    ]
pncrt.dll -> %SystemRoot%\System32\pncrt.dll -> Real Networks, Inc [Ver = 6.0.0.0 | Size = 278528 bytes | Created Date = 3/27/2008 12:18:14 AM | Attr =    ]
pndx5016.dll -> %SystemRoot%\System32\pndx5016.dll -> RealNetworks, Inc. [Ver = 5.0.0.0 | Size = 6656 bytes | Created Date = 3/27/2008 12:18:14 AM | Attr =    ]
pndx5032.dll -> %SystemRoot%\System32\pndx5032.dll -> RealNetworks, Inc. [Ver = 5.0.0.0 | Size = 5632 bytes | Created Date = 3/27/2008 12:18:14 AM | Attr =    ]
rmoc3260.dll -> %SystemRoot%\System32\rmoc3260.dll -> RealNetworks, Inc. [Ver = 6.0.10.50 | Size = 185944 bytes | Created Date = 3/27/2008 12:18:19 AM | Attr =    ]
sed.exe -> %SystemRoot%\System32\sed.exe ->  [Ver =  | Size = 98816 bytes | Created Date = 4/11/2008 12:00:14 AM | Attr =    ]
spupdsvc.inf -> %SystemRoot%\System32\spupdsvc.inf ->  [Ver =  | Size = 230 bytes | Created Date = 2/9/2008 9:12:17 AM | Attr =    ]
swreg.exe -> %SystemRoot%\System32\swreg.exe -> SteelWerX [Ver = 3.0.0.0 | Size = 161792 bytes | Created Date = 1/31/2008 12:13:04 AM | Attr =    ]
swsc.exe -> %SystemRoot%\System32\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Created Date = 1/31/2008 12:13:04 AM | Attr =    ]
swxcacls.exe -> %SystemRoot%\System32\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 4/11/2008 12:00:14 AM | Attr =    ]
VFind.exe -> %SystemRoot%\System32\VFind.exe ->  [Ver =  | Size = 49152 bytes | Created Date = 1/31/2008 12:13:04 AM | Attr =    ]
zip.exe -> %SystemRoot%\System32\zip.exe ->  [Ver =  | Size = 68096 bytes | Created Date = 4/11/2008 12:00:14 AM | Attr =    ]
$NtServicePackUninstallIDNMitigationAPIs$ -> %SystemRoot%\$NtServicePackUninstallIDNMitigationAPIs$ ->  [Folder | Created Date = 2/1/2008 7:26:07 PM | Attr =  H ]
4 F:\WINDOWS\*.tmp files -> F:\WINDOWS\*.tmp -> 
$NtServicePackUninstallNLSDownlevelMapping$ -> %SystemRoot%\$NtServicePackUninstallNLSDownlevelMapping$ ->  [Folder | Created Date = 2/1/2008 7:25:37 PM | Attr =  H ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Created Date = 1/31/2008 12:13:43 AM | Attr =    ]
Nircmd.exe -> %SystemRoot%\Nircmd.exe -> NirSoft [Ver = 2.05 | Size = 28160 bytes | Created Date = 4/11/2008 12:00:14 AM | Attr =    ]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Created Date = 1/31/2008 12:45:22 AM | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Created Date = 1/31/2008 12:45:22 AM | Attr =  H ]
TEMP -> %SystemRoot%\TEMP ->  [Folder | Created Date = 4/11/2008 12:05:06 AM | Attr =    ]
WBEM -> %SystemRoot%\WBEM ->  [Folder | Created Date = 2/1/2008 7:28:22 PM | Attr =    ]
wininit.ini -> %SystemRoot%\wininit.ini ->  [Ver =  | Size = 1246 bytes | Created Date = 1/28/2008 4:01:05 AM | Attr =    ]
[Files Created - Additional Folder Scans - Non-Microsoft Only]
Apple -> %AllUsersProfile%\Application Data\Apple ->  [Folder | Created Date = 1/31/2008 12:44:15 AM | Attr =    ]
Apple Computer -> %AllUsersProfile%\Application Data\Apple Computer ->  [Folder | Created Date = 1/31/2008 12:44:39 AM | Attr =    ]
avg7 -> %AllUsersProfile%\Application Data\avg7 ->  [Folder | Created Date = 2/4/2008 2:17:18 AM | Attr =    ]
Grisoft -> %AllUsersProfile%\Application Data\Grisoft ->  [Folder | Created Date = 2/3/2008 3:26:12 PM | Attr =    ]
Lavasoft -> %AllUsersProfile%\Application Data\Lavasoft ->  [Folder | Created Date = 2/1/2008 7:13:56 PM | Attr =    ]
Malwarebytes -> %AllUsersProfile%\Application Data\Malwarebytes ->  [Folder | Created Date = 2/17/2008 11:52:30 PM | Attr =    ]
Spybot - Search & Destroy -> %AllUsersProfile%\Application Data\Spybot - Search & Destroy ->  [Folder | Created Date = 1/27/2008 6:05:32 PM | Attr =    ]
SUPERAntiSpyware.com -> %AllUsersProfile%\Application Data\SUPERAntiSpyware.com ->  [Folder | Created Date = 4/12/2008 7:43:41 PM | Attr =    ]
TEMP -> %AllUsersProfile%\Application Data\TEMP ->  [Folder | Created Date = 2/9/2008 9:45:04 AM | Attr =    ]
@Alternate Data Stream - 140 bytes -> %AllUsersProfile%\Application Data\TEMP:DFC5A2B2
Apple Computer -> %AppData%\Apple Computer ->  [Folder | Created Date = 1/31/2008 12:45:22 AM | Attr =    ]
AVG7 -> %AppData%\AVG7 ->  [Folder | Created Date = 2/4/2008 2:17:35 AM | Attr =    ]
FMZilla -> %AppData%\FMZilla ->  [Folder | Created Date = 4/23/2008 6:22:49 PM | Attr =    ]
Grisoft -> %AppData%\Grisoft ->  [Folder | Created Date = 2/3/2008 3:25:15 PM | Attr =    ]
Malwarebytes -> %AppData%\Malwarebytes ->  [Folder | Created Date = 2/17/2008 11:52:33 PM | Attr =    ]
Orbit -> %AppData%\Orbit ->  [Folder | Created Date = 4/23/2008 6:48:04 PM | Attr =    ]
PC Tools -> %AppData%\PC Tools ->  [Folder | Created Date = 2/9/2008 9:44:56 AM | Attr =    ]
Real -> %AppData%\Real ->  [Folder | Created Date = 3/27/2008 12:18:09 AM | Attr =    ]
SUPERAntiSpyware.com -> %AppData%\SUPERAntiSpyware.com ->  [Folder | Created Date = 4/12/2008 7:43:37 PM | Attr =    ]
WinRAR -> %AppData%\WinRAR ->  [Folder | Created Date = 1/31/2008 1:06:21 AM | Attr =    ]
Xi -> %AppData%\Xi ->  [Folder | Created Date = 1/31/2008 12:10:39 AM | Attr =    ]
Apple -> %UserProfile%\Local Settings\Application Data\Apple ->  [Folder | Created Date = 1/31/2008 12:44:30 AM | Attr =    ]
Apple Computer -> %UserProfile%\Local Settings\Application Data\Apple Computer ->  [Folder | Created Date = 1/31/2008 12:43:55 AM | Attr =    ]
IconCache.db -> %UserProfile%\Local Settings\Application Data\IconCache.db ->  [Ver =  | Size = 5898100 bytes | Created Date = 3/31/2008 12:22:00 PM | Attr =  H ]
Chesterton -> %UserProfile%\Desktop\Chesterton ->  [Folder | Created Date = 4/19/2008 1:01:41 PM | Attr =    ]
Chesterton Paper.doc -> %UserProfile%\Desktop\Chesterton Paper.doc ->  [Ver =  | Size = 44544 bytes | Created Date = 4/20/2008 2:14:03 AM | Attr =    ]
OTScanIt -> %UserProfile%\Desktop\OTScanIt ->  [Folder | Created Date = 4/26/2008 2:26:47 PM | Attr =    ]
OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe ->  [Ver =  | Size = 541685 bytes | Created Date = 4/26/2008 2:24:15 PM | Attr =    ]
SCF '09 description FINAL 4.18.08.doc -> %UserProfile%\Desktop\SCF '09 description FINAL 4.18.08.doc ->  [Ver =  | Size = 56832 bytes | Created Date = 4/19/2008 11:59:51 AM | Attr =    ]
sermon river church nyc070527.mp3 -> %UserProfile%\Desktop\sermon river church nyc070527.mp3 ->  [Ver =  | Size = 12137839 bytes | Created Date = 4/23/2008 8:49:09 AM | Attr =    ]
Webshots.lnk -> %UserProfile%\Start Menu\Programs\Startup\Webshots.lnk ->  [Ver =  | Size = 683 bytes | Created Date = 2/7/2008 8:41:49 AM | Attr =    ]
Adobe -> %CommonProgramFiles%\Adobe ->  [Folder | Created Date = 2/12/2008 3:14:06 AM | Attr =    ]
Apple -> %CommonProgramFiles%\Apple ->  [Folder | Created Date = 1/31/2008 12:44:16 AM | Attr =    ]
Real -> %CommonProgramFiles%\Real ->  [Folder | Created Date = 3/27/2008 12:18:12 AM | Attr =    ]
xing shared -> %CommonProgramFiles%\xing shared ->  [Folder | Created Date = 3/27/2008 12:18:24 AM | Attr =    ]

[Files/Folders - Modified Within 90 days]
$VAULT$.AVG -> %SystemDrive%\$VAULT$.AVG ->  [Folder | Modified Date = 4/22/2008 5:41:38 AM | Attr = RH ]
BJPrinter -> %SystemDrive%\BJPrinter ->  [Folder | Modified Date = 4/22/2008 10:51:33 AM | Attr =  H ]
ComboFix -> %SystemDrive%\ComboFix ->  [Folder | Modified Date = 4/11/2008 12:05:08 AM | Attr =    ]
Deckard -> %SystemDrive%\Deckard ->  [Folder | Modified Date = 4/20/2008 5:50:28 PM | Attr =    ]
Downloads -> %SystemDrive%\Downloads ->  [Folder | Modified Date = 4/23/2008 7:12:27 PM | Attr =    ]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 4/23/2008 6:48:04 PM | Attr = R  ]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Modified Date = 4/11/2008 12:04:52 AM | Attr =    ]
Temp -> %SystemDrive%\Temp ->  [Folder | Modified Date = 4/13/2008 2:25:22 PM | Attr =    ]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 4/24/2008 10:29:46 AM | Attr =    ]
avg7core.sys -> %SystemRoot%\System32\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.498 | Size = 821856 bytes | Modified Date = 2/4/2008 2:17:23 AM | Attr =    ]
avg7rsw.sys -> %SystemRoot%\System32\drivers\avg7rsw.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,340 | Size = 4224 bytes | Modified Date = 2/4/2008 2:17:26 AM | Attr =    ]
avg7rsxp.sys -> %SystemRoot%\System32\drivers\avg7rsxp.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 27776 bytes | Modified Date = 2/4/2008 2:17:26 AM | Attr =    ]
avgclean.sys -> %SystemRoot%\System32\drivers\avgclean.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10760 bytes | Modified Date = 2/4/2008 2:17:26 AM | Attr =    ]
avgmfx86.sys -> %SystemRoot%\System32\drivers\avgmfx86.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.510 | Size = 26952 bytes | Modified Date = 2/4/2008 2:17:26 AM | Attr =    ]
avgtdi.sys -> %SystemRoot%\System32\drivers\avgtdi.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,346 | Size = 4960 bytes | Modified Date = 2/4/2008 2:17:26 AM | Attr =    ]
core.cache.dsk -> %SystemRoot%\System32\drivers\core.cache.dsk ->  [Ver =  | Size = 167545 bytes | Modified Date = 4/17/2008 10:04:13 PM | Attr =    ]
etc -> %SystemRoot%\System32\drivers\etc ->  [Folder | Modified Date = 4/11/2008 12:02:35 AM | Attr =    ]
hosts -> %SystemRoot%\System32\drivers\etc\hosts ->  [Ver =  | Size = 27 bytes | Modified Date = 4/11/2008 12:02:35 AM | Attr =    ]
hosts.20080209-092251.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080209-092251.backup ->  [Ver =  | Size = 27 bytes | Modified Date = 2/1/2008 6:14:20 PM | Attr =    ]
hosts.20080209-092301.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080209-092301.backup ->  [Ver =  | Size = 224069 bytes | Modified Date = 2/9/2008 10:22:51 AM | Attr =    ]
hosts.20080209-092313.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080209-092313.backup ->  [Ver =  | Size = 224069 bytes | Modified Date = 2/9/2008 10:22:51 AM | Attr =    ]
hosts.20080217-225314.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080217-225314.backup ->  [Ver =  | Size = 224069 bytes | Modified Date = 2/9/2008 10:22:51 AM | Attr =    ]
hosts.20080227-211722.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080227-211722.backup ->  [Ver =  | Size = 224069 bytes | Modified Date = 2/9/2008 10:22:51 AM | Attr =    ]
hosts.20080227-211731.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080227-211731.backup ->  [Ver =  | Size = 224069 bytes | Modified Date = 2/9/2008 10:22:51 AM | Attr =    ]
hosts.20080227-211742.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080227-211742.backup ->  [Ver =  | Size = 224069 bytes | Modified Date = 2/9/2008 10:22:51 AM | Attr =    ]
hosts.20080323-235733.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080323-235733.backup ->  [Ver =  | Size = 224069 bytes | Modified Date = 2/9/2008 10:22:51 AM | Attr =    ]
hosts.20080323-235740.backup -> %SystemRoot%\System32\drivers\etc\hosts.20080323-235740.backup ->  [Ver =  | Size = 228085 bytes | Modified Date = 3/23/2008 11:57:33 PM | Attr =    ]
A8A9ABA8ADA5A7 -> %SystemRoot%\System32\A8A9ABA8ADA5A7 ->  [Folder | Modified Date = 1/28/2008 6:16:38 AM | Attr =    ]
2 F:\WINDOWS\System32\*.tmp files -> F:\WINDOWS\System32\*.tmp -> 
amcompat.tlb -> %SystemRoot%\System32\amcompat.tlb ->  [Ver =  | Size = 16832 bytes | Modified Date = 1/31/2008 12:31:36 AM | Attr =    ]
CatRoot -> %SystemRoot%\System32\CatRoot ->  [Folder | Modified Date = 1/31/2008 3:35:26 AM | Attr =    ]
CatRoot2 -> %SystemRoot%\System32\CatRoot2 ->  [Folder | Modified Date = 4/26/2008 1:48:18 AM | Attr =    ]
config -> %SystemRoot%\System32\config ->  [Folder | Modified Date = 2/1/2008 7:28:25 PM | Attr =    ]
dllcache -> %SystemRoot%\System32\dllcache ->  [Folder | Modified Date = 4/11/2008 3:01:28 AM | Attr = RHS]
drivers -> %SystemRoot%\System32\drivers ->  [Folder | Modified Date = 4/20/2008 2:18:12 AM | Attr =    ]
en-US -> %SystemRoot%\System32\en-US ->  [Folder | Modified Date = 2/9/2008 9:14:37 AM | Attr =    ]
ets1 -> %SystemRoot%\System32\ets1 ->  [Folder | Modified Date = 2/18/2008 1:23:00 AM | Attr =    ]
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT ->  [Ver =  | Size = 212880 bytes | Modified Date = 4/11/2008 3:08:10 AM | Attr =    ]
ikhcore.cfg -> %SystemRoot%\System32\ikhcore.cfg ->  [Ver =  | Size = 100 bytes | Modified Date = 3/26/2008 3:02:42 PM | Attr =    ]
inetsrv -> %SystemRoot%\System32\inetsrv ->  [Folder | Modified Date = 3/30/2008 11:40:30 PM | Attr =    ]
mui -> %SystemRoot%\System32\mui ->  [Folder | Modified Date = 4/12/2008 3:01:19 AM | Attr =    ]
nip4 -> %SystemRoot%\System32\nip4 ->  [Folder | Modified Date = 2/2/2008 12:18:26 AM | Attr =    ]
nscompat.tlb -> %SystemRoot%\System32\nscompat.tlb ->  [Ver =  | Size = 23392 bytes | Modified Date = 1/31/2008 12:31:36 AM | Attr =    ]
perfc009.dat -> %SystemRoot%\System32\perfc009.dat ->  [Ver =  | Size = 59780 bytes | Modified Date = 4/12/2008 3:01:44 AM | Attr =    ]
perfh009.dat -> %SystemRoot%\System32\perfh009.dat ->  [Ver =  | Size = 397560 bytes | Modified Date = 4/12/2008 3:01:44 AM | Attr =    ]
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI ->  [Ver =  | Size = 443766 bytes | Modified Date = 4/12/2008 3:01:44 AM | Attr =    ]
pncrt.dll -> %SystemRoot%\System32\pncrt.dll -> Real Networks, Inc [Ver = 6.0.0.0 | Size = 278528 bytes | Modified Date = 3/27/2008 12:18:14 AM | Attr =    ]
pndx5016.dll -> %SystemRoot%\System32\pndx5016.dll -> RealNetworks, Inc. [Ver = 5.0.0.0 | Size = 6656 bytes | Modified Date = 3/27/2008 12:18:14 AM | Attr =    ]
pndx5032.dll -> %SystemRoot%\System32\pndx5032.dll -> RealNetworks, Inc. [Ver = 5.0.0.0 | Size = 5632 bytes | Modified Date = 3/27/2008 12:18:14 AM | Attr =    ]
rmoc3260.dll -> %SystemRoot%\System32\rmoc3260.dll -> RealNetworks, Inc. [Ver = 6.0.10.50 | Size = 185944 bytes | Modified Date = 3/27/2008 12:18:19 AM | Attr =    ]
spupdsvc.inf -> %SystemRoot%\System32\spupdsvc.inf ->  [Ver =  | Size = 230 bytes | Modified Date = 2/9/2008 9:12:17 AM | Attr =    ]
wnis6 -> %SystemRoot%\System32\wnis6 ->  [Folder | Modified Date = 2/2/2008 12:18:26 AM | Attr =    ]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl ->  [Ver =  | Size = 13684 bytes | Modified Date = 4/26/2008 2:20:32 PM | Attr =    ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 4/11/2008 3:01:31 AM | Attr =  H ]
4 F:\WINDOWS\*.tmp files -> F:\WINDOWS\*.tmp -> 
$NtServicePackUninstallIDNMitigationAPIs$ -> %SystemRoot%\$NtServicePackUninstallIDNMitigationAPIs$ ->  [Folder | Modified Date = 2/1/2008 7:26:07 PM | Attr =  H ]
$NtServicePackUninstallNLSDownlevelMapping$ -> %SystemRoot%\$NtServicePackUninstallNLSDownlevelMapping$ ->  [Folder | Modified Date = 2/1/2008 7:25:37 PM | Attr =  H ]
assembly -> %SystemRoot%\assembly ->  [Folder | Modified Date = 4/12/2008 3:04:47 AM | Attr = R S]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 4/26/2008 2:18:09 PM | Attr =   S]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 4/23/2008 6:05:11 PM | Attr =   S]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Modified Date = 4/20/2008 5:50:39 PM | Attr =    ]
Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 2/9/2008 9:14:37 AM | Attr =    ]
imsins.BAK -> %SystemRoot%\imsins.BAK ->  [Ver =  | Size = 1374 bytes | Modified Date = 4/11/2008 3:01:30 AM | Attr =    ]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 4/19/2008 3:24:09 PM | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 4/12/2008 7:43:39 PM | Attr =  HS]
Media -> %SystemRoot%\Media ->  [Folder | Modified Date = 2/1/2008 7:28:09 PM | Attr =    ]
Microsoft.NET -> %SystemRoot%\Microsoft.NET ->  [Folder | Modified Date = 4/12/2008 3:04:48 AM | Attr =    ]
mozver.dat -> %SystemRoot%\mozver.dat ->  [Ver =  | Size = 2554 bytes | Modified Date = 4/19/2008 3:23:56 PM | Attr =    ]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini ->  [Ver =  | Size = 69 bytes | Modified Date = 4/26/2008 12:46:13 PM | Attr =    ]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 4/26/2008 2:26:32 PM | Attr =    ]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Modified Date = 1/31/2008 12:45:32 AM | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Modified Date = 4/17/2008 10:09:52 PM | Attr =  H ]
RegisteredPackages -> %SystemRoot%\RegisteredPackages ->  [Folder | Modified Date = 1/29/2008 11:08:15 AM | Attr =    ]
Registration -> %SystemRoot%\Registration ->  [Folder | Modified Date = 4/26/2008 2:11:18 PM | Attr =    ]
security -> %SystemRoot%\security ->  [Folder | Modified Date = 1/31/2008 3:35:33 AM | Attr =    ]
system -> %SystemRoot%\system ->  [Folder | Modified Date = 2/4/2008 2:15:55 AM | Attr =    ]
system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 227 bytes | Modified Date = 4/11/2008 12:03:42 AM | Attr =    ]
system32 -> %SystemRoot%\system32 ->  [Folder | Modified Date = 4/24/2008 10:28:22 AM | Attr =    ]
Tasks -> %SystemRoot%\Tasks ->  [Folder | Modified Date = 2/9/2008 9:59:05 AM | Attr =   S]
TEMP -> %SystemRoot%\TEMP ->  [Folder | Modified Date = 4/26/2008 2:20:35 PM | Attr =    ]
WBEM -> %SystemRoot%\WBEM ->  [Folder | Modified Date = 2/9/2008 9:11:09 AM | Attr =    ]
wininit.ini -> %SystemRoot%\wininit.ini ->  [Ver =  | Size = 1246 bytes | Modified Date = 3/23/2008 11:57:18 PM | Attr =    ]
WinSxS -> %SystemRoot%\WinSxS ->  [Folder | Modified Date = 4/12/2008 3:01:41 AM | Attr =    ]
WMSysPr9.prx -> %SystemRoot%\WMSysPr9.prx ->  [Ver =  | Size = 316640 bytes | Modified Date = 1/31/2008 12:31:22 AM | Attr =    ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 4/26/2008 2:18:22 PM | Attr =  H ]
F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\ -> F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader ->  [Folder | Modified Date = 12/27/2007 12:05:04 AM | Attr =    ]
qmgr0.dat -> F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver =  | Size = 6708 bytes | Modified Date = 4/11/2008 7:49:37 PM | Attr =    ]
qmgr1.dat -> F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver =  | Size = 5470 bytes | Modified Date = 4/11/2008 7:49:37 PM | Attr =    ]
F:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\ -> F:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA ->  [Folder | Modified Date = 12/27/2007 2:43:24 AM | Attr =    ]
opa11.dat -> F:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat ->  [Ver =  | Size = 11072 bytes | Modified Date = 12/27/2007 2:43:31 AM | Attr =    ]
F:\Documents and Settings\n8sun1\Local Settings\Temp\ -> F:\Documents and Settings\n8sun1\Local Settings\Temp ->  [Folder | Modified Date = 4/26/2008 2:28:22 PM | Attr =    ]
SSUPDATE.EXE -> F:\Documents and Settings\n8sun1\Local Settings\Temp\SSUPDATE.EXE -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1030 | Size = 146672 bytes | Modified Date = 2/29/2008 4:03:44 PM | Attr =    ]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
Adobe -> %AllUsersProfile%\Application Data\Adobe ->  [Folder | Modified Date = 2/12/2008 3:14:11 AM | Attr =    ]
Apple -> %AllUsersProfile%\Application Data\Apple ->  [Folder | Modified Date = 1/31/2008 12:44:15 AM | Attr =    ]
Apple Computer -> %AllUsersProfile%\Application Data\Apple Computer ->  [Folder | Modified Date = 1/31/2008 12:45:08 AM | Attr =    ]
avg7 -> %AllUsersProfile%\Application Data\avg7 ->  [Folder | Modified Date = 2/4/2008 3:30:59 AM | Attr =    ]
Grisoft -> %AllUsersProfile%\Application Data\Grisoft ->  [Folder | Modified Date = 2/4/2008 2:17:18 AM | Attr =    ]
Lavasoft -> %AllUsersProfile%\Application Data\Lavasoft ->  [Folder | Modified Date = 2/1/2008 7:14:55 PM | Attr =    ]
Malwarebytes -> %AllUsersProfile%\Application Data\Malwarebytes ->  [Folder | Modified Date = 2/17/2008 11:52:30 PM | Attr =    ]
Spybot - Search & Destroy -> %AllUsersProfile%\Application Data\Spybot - Search & Destroy ->  [Folder | Modified Date = 2/9/2008 10:01:03 AM | Attr =    ]
SUPERAntiSpyware.com -> %AllUsersProfile%\Application Data\SUPERAntiSpyware.com ->  [Folder | Modified Date = 4/12/2008 7:43:41 PM | Attr =    ]
TEMP -> %AllUsersProfile%\Application Data\TEMP ->  [Folder | Modified Date = 3/30/2008 11:47:14 PM | Attr =    ]
@Alternate Data Stream - 140 bytes -> %AllUsersProfile%\Application Data\TEMP:DFC5A2B2
Apple Computer -> %AppData%\Apple Computer ->  [Folder | Modified Date = 1/31/2008 12:45:22 AM | Attr =    ]
AVG7 -> %AppData%\AVG7 ->  [Folder | Modified Date = 4/26/2008 2:19:08 PM | Attr =    ]
dvdcss -> %AppData%\dvdcss ->  [Folder | Modified Date = 2/2/2008 12:21:52 AM | Attr =    ]
FMZilla -> %AppData%\FMZilla ->  [Folder | Modified Date = 4/23/2008 6:26:10 PM | Attr =    ]
Grisoft -> %AppData%\Grisoft ->  [Folder | Modified Date = 2/3/2008 3:25:15 PM | Attr =    ]
LimeWire -> %AppData%\LimeWire ->  [Folder | Modified Date = 3/30/2008 12:44:11 AM | Attr =    ]
Malwarebytes -> %AppData%\Malwarebytes ->  [Folder | Modified Date = 2/17/2008 11:52:33 PM | Attr =    ]
Microsoft -> %AppData%\Microsoft ->  [Folder | Modified Date = 3/30/2008 11:40:30 PM | Attr =   S]
Orbit -> %AppData%\Orbit ->  [Folder | Modified Date = 4/24/2008 11:05:50 PM | Attr =    ]
PC Tools -> %AppData%\PC Tools ->  [Folder | Modified Date = 2/9/2008 9:44:56 AM | Attr =    ]
Real -> %AppData%\Real ->  [Folder | Modified Date = 3/27/2008 12:23:37 AM | Attr =    ]
SUPERAntiSpyware.com -> %AppData%\SUPERAntiSpyware.com ->  [Folder | Modified Date = 4/12/2008 7:43:37 PM | Attr =    ]
uTorrent -> %AppData%\uTorrent ->  [Folder | Modified Date = 4/26/2008 1:02:39 PM | Attr =    ]
WinRAR -> %AppData%\WinRAR ->  [Folder | Modified Date = 1/31/2008 1:06:21 AM | Attr =    ]
Xi -> %AppData%\Xi ->  [Folder | Modified Date = 1/31/2008 12:10:39 AM | Attr =    ]
Apple -> %UserProfile%\Local Settings\Application Data\Apple ->  [Folder | Modified Date = 1/31/2008 12:44:30 AM | Attr =    ]
Apple Computer -> %UserProfile%\Local Settings\Application Data\Apple Computer ->  [Folder | Modified Date = 1/31/2008 12:45:22 AM | Attr =    ]
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> %UserProfile%\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini ->  [Ver =  | Size = 45056 bytes | Modified Date = 4/26/2008 12:46:12 PM | Attr =    ]
IconCache.db -> %UserProfile%\Local Settings\Application Data\IconCache.db ->  [Ver =  | Size = 5898100 bytes | Modified Date = 4/26/2008 2:17:10 PM | Attr =  H ]
Microsoft -> %UserProfile%\Local Settings\Application Data\Microsoft ->  [Folder | Modified Date = 4/26/2008 2:11:20 PM | Attr =    ]
My Music -> %AllUsersProfile%\Documents\My Music ->  [Folder | Modified Date = 1/29/2008 11:07:59 AM | Attr = R  ]
desktop.ini -> %UserProfile%\My Documents\desktop.ini ->  [Ver =  | Size = 77 bytes | Modified Date = 2/3/2008 3:17:52 PM | Attr =  HS]
My Music -> %UserProfile%\My Documents\My Music ->  [Folder | Modified Date = 2/3/2008 3:17:52 PM | Attr = R  ]
My Pictures -> %UserProfile%\My Documents\My Pictures ->  [Folder | Modified Date = 2/3/2008 3:17:52 PM | Attr = R  ]
My Videos -> %UserProfile%\My Documents\My Videos ->  [Folder | Modified Date = 3/27/2008 12:32:16 AM | Attr = R  ]
Chesterton -> %UserProfile%\Desktop\Chesterton ->  [Folder | Modified Date = 4/19/2008 1:01:49 PM | Attr =    ]
Chesterton Paper.doc -> %UserProfile%\Desktop\Chesterton Paper.doc ->  [Ver =  | Size = 44544 bytes | Modified Date = 4/26/2008 2:16:46 PM | Attr =    ]
OTScanIt -> %UserProfile%\Desktop\OTScanIt ->  [Folder | Modified Date = 4/26/2008 2:26:47 PM | Attr =    ]
OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe ->  [Ver =  | Size = 541685 bytes | Modified Date = 4/26/2008 2:23:54 PM | Attr =    ]
SCF '09 description FINAL 4.18.08.doc -> %UserProfile%\Desktop\SCF '09 description FINAL 4.18.08.doc ->  [Ver =  | Size = 56832 bytes | Modified Date = 4/19/2008 11:59:48 AM | Attr =    ]
sermon river church nyc070527.mp3 -> %UserProfile%\Desktop\sermon river church nyc070527.mp3 ->  [Ver =  | Size = 12137839 bytes | Modified Date = 4/23/2008 8:49:56 AM | Attr =    ]
Webshots.lnk -> %UserProfile%\Start Menu\Programs\Startup\Webshots.lnk ->  [Ver =  | Size = 683 bytes | Modified Date = 4/13/2008 1:52:02 PM | Attr =    ]
Adobe -> %CommonProgramFiles%\Adobe ->  [Folder | Modified Date = 2/12/2008 3:14:16 AM | Attr =    ]
Apple -> %CommonProgramFiles%\Apple ->  [Folder | Modified Date = 1/31/2008 12:44:16 AM | Attr =    ]
Logitech -> %CommonProgramFiles%\Logitech ->  [Folder | Modified Date = 2/11/2008 2:46:34 PM | Attr =    ]
Real -> %CommonProgramFiles%\Real ->  [Folder | Modified Date = 3/27/2008 12:18:20 AM | Attr =    ]
Wise Installation Wizard -> %CommonProgramFiles%\Wise Installation Wizard ->  [Folder | Modified Date = 4/12/2008 7:43:27 PM | Attr =    ]
xing shared -> %CommonProgramFiles%\xing shared ->  [Folder | Modified Date = 3/27/2008 12:18:24 AM | Attr =    ]

< End of report >
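The listing above is what the helper works from when choosing entries for a fix, so here is an added example (not code from the thread, from OTScanIt or from DSS) that parses this `name -> path -> publisher [Ver | Size | Date | Attr]` line format and flags the entries a reviewer would pull aside. The triage rules are the example's own heuristics, chosen to match the kind of entries the later OTScanIt fix script targets (the no-publisher file in the drivers directory, the hex-named folder, the stray *.tmp files and the alternate data stream); path checks assume the log's own `%SystemRoot%` spelling.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# One listing line looks like:
#   <name> -> <path> -> <publisher> [Ver = .. | Size = .. bytes | Modified Date = .. | Attr = ..]
# The publisher and the bracketed block are optional: ADS entries and "*.tmp files" counts omit them.
ENTRY_RE = re.compile(
    r"^(?P<name>.+?) -> (?P<path>.+?)"
    r"(?: ->\s*(?P<vendor>[^\[]*?)\s*(?:\[(?P<fields>[^\]]*)\])?)?\s*$"
)
DATE_FMT = "%m/%d/%Y %I:%M:%S %p"               # e.g. 4/17/2008 10:04:13 PM
DRIVERS_DIR = "%systemroot%\\system32\\drivers"  # the log's own %SystemRoot% form (assumption)
HEX_NAME = re.compile(r"^[0-9A-F]{8,}$")        # random-looking names such as A8A9ABA8ADA5A7


@dataclass
class Entry:
    name: str
    path: str
    vendor: str = ""
    is_folder: bool = False
    version: str = ""
    size: Optional[int] = None
    stamp: Optional[datetime] = None
    attr: str = ""

    @property
    def is_ads(self) -> bool:
        return self.name.startswith("@Alternate Data Stream")

    @property
    def parent_dir(self) -> str:
        return self.path.lower().rsplit("\\", 1)[0]


def parse_entry(line: str) -> Optional[Entry]:
    """Turn one listing line into an Entry; section headers and blank lines give None."""
    m = ENTRY_RE.match(line.rstrip())
    if not m:
        return None
    e = Entry(name=m["name"].strip(), path=m["path"].strip(),
              vendor=(m["vendor"] or "").strip())
    for fld in (m["fields"] or "").split("|"):
        key, _, value = fld.strip().partition("=")
        key, value = key.strip(), value.strip()
        if key == "Folder":
            e.is_folder = True
        elif key == "Ver":
            e.version = value
        elif key == "Size":
            e.size = int(value.split()[0])          # "167545 bytes" -> 167545
        elif key in ("Created Date", "Modified Date"):
            e.stamp = datetime.strptime(value, DATE_FMT)
        elif key == "Attr":
            e.attr = value
    return e


def triage(e: Entry) -> List[str]:
    """Heuristic reasons (this example's own, not OTScanIt's) to review an entry.

    A missing publisher string alone is deliberately not a reason: legitimate
    Windows data files such as FNTCACHE.DAT or wpa.dbl carry none either.
    """
    reasons = []
    if e.is_ads:
        reasons.append("alternate data stream attached to a folder")
    if HEX_NAME.match(e.name):
        reasons.append("random hex-style name")
    if not e.is_folder and not e.vendor and e.parent_dir == DRIVERS_DIR:
        reasons.append("file with no publisher directly in the drivers directory")
    if e.path.lower().endswith("\\*.tmp"):
        reasons.append("loose *.tmp files in a Windows directory")
    return reasons


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged entry's display name to its triage reasons."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        e = parse_entry(line)
        reasons = triage(e) if e is not None else []
        if reasons:
            flagged[e.name] = reasons
    return flagged


# Sample input copied from the listing above; the section header shows that non-entry lines are skipped.
SAMPLE_LINES = [
    "[Files/Folders - Modified Within 90 days]",
    r"avg7core.sys -> %SystemRoot%\System32\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.498 | Size = 821856 bytes | Modified Date = 2/4/2008 2:17:23 AM | Attr =    ]",
    r"core.cache.dsk -> %SystemRoot%\System32\drivers\core.cache.dsk ->  [Ver =  | Size = 167545 bytes | Modified Date = 4/17/2008 10:04:13 PM | Attr =    ]",
    r"hosts -> %SystemRoot%\System32\drivers\etc\hosts ->  [Ver =  | Size = 27 bytes | Modified Date = 4/11/2008 12:02:35 AM | Attr =    ]",
    r"A8A9ABA8ADA5A7 -> %SystemRoot%\System32\A8A9ABA8ADA5A7 ->  [Folder | Modified Date = 1/28/2008 6:16:38 AM | Attr =    ]",
    r"2 F:\WINDOWS\System32\*.tmp files -> F:\WINDOWS\System32\*.tmp -> ",
    r"FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT ->  [Ver =  | Size = 212880 bytes | Modified Date = 4/11/2008 3:08:10 AM | Attr =    ]",
    r"@Alternate Data Stream - 140 bytes -> %AllUsersProfile%\Application Data\TEMP:DFC5A2B2",
]
```

Running `scan(SAMPLE_LINES)` returns exactly the four entries the fix script later removes, while the AVG driver, the hosts file and FNTCACHE.DAT pass untouched.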
 

· Registered
Joined
·
289 Posts
Sorry, not sure how I missed your replies.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older-version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 u6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". (4th one down)
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windowsi586-p.exe to install the newest version.
Open the OTScanIt folder on your desktop and start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Kill Explorer]
[Unregister Dlls]
[Driver Services - Non-Microsoft Only]
YN -> (catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\n8sun1\LOCALS~1\Temp\catchme.sys
YY -> (WINFLASH) WINFLASH [Kernel | On_Demand | Stopped] -> I:\WinFlash.sys
[Registry - Non-Microsoft Only]
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> awsuapml -> 
YN -> xxyaxwt -> 
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> 33 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> 40 domain(s) and sub-domain(s) not assigned to a zone. -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {A0A18F09-06DE-4CAC-7EA4-F369B2339767} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {A1A67F60-AA71-41FD-8EA5-667F4FF15A88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {C10D9154-2374-426E-A59C-DC0758D35A13} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {D063771C-94D6-4748-A4A1-3686A9D686AD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {F3026853-4B52-478E-9E76-04A9F235276D} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab[Java Plug-in 1.6.0_04]
YN -> {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/products/plugin/1.4/jinstall-14_07-windows-i586.cab[Java Plug-in 1.4.1_07]
YN -> {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab[Java Plug-in 1.6.0_04]
YN -> {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab[Java Plug-in 1.6.0_04]
[Files/Folders - Created Within 90 days]
NY -> ComboFix -> %SystemDrive%\ComboFix
NY -> QooBox -> %SystemDrive%\QooBox
NY -> core.cache.dsk -> %SystemRoot%\System32\drivers\core.cache.dsk
NY -> A8A9ABA8ADA5A7 -> %SystemRoot%\System32\A8A9ABA8ADA5A7
NY -> 2 F:\WINDOWS\System32\*.tmp files -> F:\WINDOWS\System32\*.tmp
NY -> 4 F:\WINDOWS\*.tmp files -> F:\WINDOWS\*.tmp
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 140 bytes -> %AllUsersProfile%\Application Data\TEMP:DFC5A2B2
[Files/Folders - Modified Within 90 days]
NY -> ComboFix -> %SystemDrive%\ComboFix
NY -> QooBox -> %SystemDrive%\QooBox
NY -> core.cache.dsk -> %SystemRoot%\System32\drivers\core.cache.dsk
NY -> A8A9ABA8ADA5A7 -> %SystemRoot%\System32\A8A9ABA8ADA5A7
NY -> 2 F:\WINDOWS\System32\*.tmp files -> F:\WINDOWS\System32\*.tmp
NY -> 4 F:\WINDOWS\*.tmp files -> F:\WINDOWS\*.tmp
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 140 bytes -> %AllUsersProfile%\Application Data\TEMP:DFC5A2B2
[Empty Temp Folders]
[Start Explorer]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.

If it reboots, this may not happen. If you need to find the file manually, it is at Desktop\OTScanIt\MovedFiles\04082008_163441.log or whatever yours is named (date/time you ran the fix).

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on the Start Scanning button at bottom of page.
  • Accept the License Agreement and the ActiveX install.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report to your Desktop for posting.

Please post
  • OTScanIt "results" log (described above)
  • F-Secure log
  • Fresh OTScanIt log made after F-Secure
in your next reply here
 

· Registered
Joined
·
15 Posts
Discussion Starter · #8 ·
Attached are the two OTScanIt files, and here is the F-Secure Scan Report:

Scanning Report
Friday, May 02, 2008 10:30:15 - 11:47:31

Computer name: N8
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ E:\ F:\ G:\ I:\ J:\
Result: 1 malware found
Rootkit.Win32.Agent (virus)

* System

Statistics
Scanned:

* Files: 62207
* System: 3486
* Not scanned: 10

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 1
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* F:\PAGEFILE.SYS
* F:\WINDOWS\SYSTEM32\DRIVERS\NDISWANN.SYS
* F:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* F:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* F:\WINDOWS\SYSTEM32\CONFIG\SAM
* F:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* F:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* F:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* F:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{AD315206-6BDA-4430-8079-D69F1033EF71}.BIN

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-05-02
* F-Secure AVP: 7.0.171, 2008-05-02
* F-Secure Pegasus: 1.20.0, 2008-02-28
* F-Secure Blacklight: 1.0.64

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics
 

Attachments

· Registered
Joined
·
289 Posts
Everything is looking real good. I want to look into one more thing. Would you post the following and tell me how your computer is running now please.

If you still have it, run dss.exe, but use these instructions:

Click Start>Select 'Run' - then copy/paste the following text into the run box & click OK

Code:
"%userprofile%\desktop\dss.exe" /config
Click on "Check All"
Click Scan!

When finished, it shall produce main.txt and extra.txt for you. Post/attach those here please.
 

· Registered
Joined
·
289 Posts
I'm still getting popups at almost the same frequency..
I had a feeling you were gonna say that...

Let's change tack a little bit.

Please visit the webpage HERE for instructions for downloading and running ComboFix.
Post the log from ComboFix once you've done that.
 

· Registered
Joined
·
15 Posts
Discussion Starter · #12 ·
I have also attached the file:

ComboFix 08-05-01.3 - n8sun1 2008-05-05 13:53:54.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2546 [GMT -4:00]
Running from: F:\Documents and Settings\n8sun1\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-05 )))))))))))))))))))))))))))))))
.

2008-05-02 10:17 . 2008-05-02 10:17 <DIR> d-------- F:\Program Files\Common Files\Java
2008-05-02 10:17 . 2008-03-25 02:37 69,632 --a------ F:\WINDOWS\system32\javacpl.cpl
2008-04-30 06:58 . 2008-04-30 06:58 54,156 --ah----- F:\WINDOWS\QTFont.qfn
2008-04-30 06:58 . 2008-04-30 06:58 1,409 --a------ F:\WINDOWS\QTFont.for
2008-04-27 20:05 . 2008-04-27 20:19 <DIR> d-------- F:\Documents and Settings\n8sun1\Application Data\UseNeXT
2008-04-26 16:28 . 2008-04-26 16:28 <DIR> d-------- F:\Program Files\Common Files\Totem Shared
2008-04-26 16:28 . 2008-04-26 16:28 4 --a------ F:\WINDOWS\info147.sys
2008-04-26 16:28 . 2008-04-26 16:28 4 --a------ F:\WINDOWS\data4711.bak
2008-04-26 16:14 . 2008-04-26 16:26 20,358 --a------ F:\WINDOWS\vgirl.prf
2008-04-23 18:48 . 2008-04-23 18:48 <DIR> d-------- F:\Program Files\Orbitdownloader
2008-04-23 18:48 . 2008-04-23 19:12 <DIR> d-------- F:\Downloads
2008-04-23 18:48 . 2008-04-27 08:25 <DIR> d-------- F:\Documents and Settings\n8sun1\Application Data\Orbit
2008-04-23 18:22 . 2008-05-02 16:48 <DIR> d-------- F:\Program Files\Free Music Zilla
2008-04-23 18:22 . 2008-04-23 18:26 <DIR> d-------- F:\Documents and Settings\n8sun1\Application Data\FMZilla
2008-04-20 17:50 . 2008-04-20 17:50 <DIR> d-------- F:\Deckard
2008-04-19 15:23 . 2008-04-19 15:24 <DIR> d-------- F:\Program Files\Panda Security
2008-04-17 22:04 . 2008-05-05 13:55 932 --a------ F:\WINDOWS\system32\drivers\core.cache.dsk
2008-04-12 19:43 . 2008-05-02 10:16 <DIR> d-------- F:\Program Files\SUPERAntiSpyware
2008-04-12 19:43 . 2008-05-02 10:16 <DIR> d-------- F:\Documents and Settings\n8sun1\Application Data\SUPERAntiSpyware.com
2008-04-12 19:43 . 2008-04-12 19:43 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-11 00:19 . 2008-04-11 00:19 <DIR> d---s---- F:\Documents and Settings\n8sun1\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-05 17:46 --------- d-----w F:\Documents and Settings\n8sun1\Application Data\AVG7
2008-05-02 14:17 --------- d-----w F:\Program Files\Java
2008-05-02 14:16 --------- d-----w F:\Program Files\Common Files\Wise Installation Wizard
2008-05-02 14:14 --------- d---a-w F:\Documents and Settings\All Users\Application Data\TEMP
2008-05-02 14:10 --------- d-----w F:\Program Files\Common Files\InstallShield
2008-04-28 08:04 --------- d-----w F:\Documents and Settings\n8sun1\Application Data\uTorrent
2008-04-19 01:32 --------- d-----w F:\Program Files\uTorrent
2008-03-30 04:44 --------- d-----w F:\Documents and Settings\n8sun1\Application Data\LimeWire
2008-03-27 04:18 --------- d-----w F:\Program Files\Common Files\xing shared
2008-03-27 04:18 --------- d-----w F:\Program Files\Common Files\Real
2008-03-19 09:47 1,845,248 ----a-w F:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w F:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w F:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w F:\WINDOWS\system32\wininet.dll
2008-01-08 01:17 32 ----a-w F:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-02-28 12:00 73,728 --sha-w F:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

((((((((((((((((((((((((((((( [email protected]_13.47.48.42 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-05 17:45:15 2,048 --s-a-w F:\WINDOWS\bootstat.dat
+ 2008-05-05 17:56:05 2,048 --s-a-w F:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 11:21 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 F:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 17:47 16860672 F:\WINDOWS\RTHDCPL.exe]
"IMJPMIG8.1"="F:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-02-28 08:00 208952]
"MSPY2002"="F:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 08:00 59392]
"PHIME2002ASync"="F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 08:00 455168]
"PHIME2002A"="F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 08:00 455168]
"NeroFilterCheck"="F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"LXCJCATS"="F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2006-02-24 18:07 73728]
"AVG7_CC"="F:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-24 10:30 579584]
"Adobe Reader Speed Launcher"="F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"TkBellExe"="F:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-27 00:18 185896]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="F:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-04 02:17 219136]

F:\Documents and Settings\n8sun1\Start Menu\Programs\Startup\
Webshots.lnk - F:\Program Files\Webshots\Launcher.exe [2007-12-27 01:03:28 157008]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"F:\\Program Files\\uTorrent\\uTorrent.exe"=
"F:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"F:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"F:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"F:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"F:\\Program Files\\LimeWire\\LimeWire.exe"=
"F:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"F:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"F:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

R0 nvgts;nvgts;F:\WINDOWS\system32\DRIVERS\nvgts.sys [2007-08-09 12:11]
R1 ndiswann;ndiswann;F:\WINDOWS\system32\drivers\ndiswann.sys [2008-01-27 00:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6783bf8d-e165-11dc-a0e4-001aa059ccae}]
\Shell\AutoRun\command - "L:\Install FreeAgent Tools.exe" /run

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-05 13:56:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\Program Files\Webshots\Webshots.scr
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\wdfmgr.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
F:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-05 13:58:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-05 17:58:19
ComboFix2.txt 2008-05-05 17:48:00
ComboFix3.txt 2008-04-11 04:05:05

Pre-Run: 24,432,214,016 bytes free
Post-Run: 24,418,738,176 bytes free

133 --- E O F --- 2008-04-12 07:02:02
 


· Registered · 289 Posts
Open a new notepad 'page' and copy/paste the text in the codebox below to it:

Code:
File::
F:\WINDOWS\system32\drivers\core.cache.dsk
F:\WINDOWS\info147.sys
F:\WINDOWS\data4711.bak
F:\WINDOWS\vgirl.prf

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6783bf8d-e165-11dc-a0e4-001aa059ccae}]
Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After the reboot, post the contents of ComboFix.txt in your next reply.

Also, you seem to have a wealth of filesharing apps. I'm not going to give you the "don't do that" speech... BUT I will implore you to dump LimeWire. It is fast becoming one of the largest infection sources we deal with.
It is getting harder and harder to get a non-infected file from there.
 

· Registered · 15 Posts
Discussion Starter · #14 ·
I uninstalled Limewire.

I'm not sure, but I think this virus might have come from a program called QQ, a Chinese chat program equivalent to AIM. I uninstalled it a long time ago and deleted everything from it, but still the popups remain. I've had this thing for quite some time now, over a couple of months...

ComboFix 08-05-01.3 - n8sun1 2008-05-06 2:01:24.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2505 [GMT -4:00]
Running from: F:\Documents and Settings\n8sun1\Desktop\ComboFix.exe
Command switches used :: F:\Documents and Settings\n8sun1\Desktop\CFScript.txt
* Created a new restore point

FILE ::
F:\WINDOWS\data4711.bak
F:\WINDOWS\info147.sys
F:\WINDOWS\system32\drivers\core.cache.dsk
F:\WINDOWS\vgirl.prf
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\WINDOWS\data4711.bak
F:\WINDOWS\info147.sys
F:\WINDOWS\vgirl.prf
F:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-05-02 10:17 . 2008-05-02 10:17 <DIR> d-------- F:\Program Files\Common Files\Java
2008-05-02 10:17 . 2008-03-25 02:37 69,632 --a------ F:\WINDOWS\system32\javacpl.cpl
2008-04-30 06:58 . 2008-04-30 06:58 54,156 --ah----- F:\WINDOWS\QTFont.qfn
2008-04-30 06:58 . 2008-04-30 06:58 1,409 --a------ F:\WINDOWS\QTFont.for
2008-04-27 20:05 . 2008-04-27 20:19 <DIR> d-------- F:\Documents and Settings\n8sun1\Application Data\UseNeXT
2008-04-26 16:28 . 2008-04-26 16:28 <DIR> d-------- F:\Program Files\Common Files\Totem Shared
2008-04-23 18:48 . 2008-04-23 18:48 <DIR> d-------- F:\Program Files\Orbitdownloader
2008-04-23 18:48 . 2008-04-23 19:12 <DIR> d-------- F:\Downloads
2008-04-23 18:48 . 2008-04-27 08:25 <DIR> d-------- F:\Documents and Settings\n8sun1\Application Data\Orbit
2008-04-23 18:22 . 2008-05-02 16:48 <DIR> d-------- F:\Program Files\Free Music Zilla
2008-04-23 18:22 . 2008-04-23 18:26 <DIR> d-------- F:\Documents and Settings\n8sun1\Application Data\FMZilla
2008-04-20 17:50 . 2008-04-20 17:50 <DIR> d-------- F:\Deckard
2008-04-19 15:23 . 2008-04-19 15:24 <DIR> d-------- F:\Program Files\Panda Security
2008-04-17 22:04 . 2008-05-06 02:03 932 --a------ F:\WINDOWS\system32\drivers\core.cache.dsk
2008-04-12 19:43 . 2008-05-02 10:16 <DIR> d-------- F:\Program Files\SUPERAntiSpyware
2008-04-12 19:43 . 2008-05-02 10:16 <DIR> d-------- F:\Documents and Settings\n8sun1\Application Data\SUPERAntiSpyware.com
2008-04-12 19:43 . 2008-04-12 19:43 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-11 00:19 . 2008-04-11 00:19 <DIR> d---s---- F:\Documents and Settings\n8sun1\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-05 17:46 --------- d-----w F:\Documents and Settings\n8sun1\Application Data\AVG7
2008-05-02 14:17 --------- d-----w F:\Program Files\Java
2008-05-02 14:16 --------- d-----w F:\Program Files\Common Files\Wise Installation Wizard
2008-05-02 14:14 --------- d---a-w F:\Documents and Settings\All Users\Application Data\TEMP
2008-05-02 14:10 --------- d-----w F:\Program Files\Common Files\InstallShield
2008-04-28 08:04 --------- d-----w F:\Documents and Settings\n8sun1\Application Data\uTorrent
2008-04-19 01:32 --------- d-----w F:\Program Files\uTorrent
2008-03-30 04:44 --------- d-----w F:\Documents and Settings\n8sun1\Application Data\LimeWire
2008-03-27 04:18 --------- d-----w F:\Program Files\Common Files\xing shared
2008-03-27 04:18 --------- d-----w F:\Program Files\Common Files\Real
2008-01-08 01:17 32 ----a-w F:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-02-28 12:00 73,728 --sha-w F:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

((((((((((((((((((((((((((((( [email protected]_13.47.48.42 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-05 17:45:15 2,048 --s-a-w F:\WINDOWS\bootstat.dat
+ 2008-05-06 06:03:23 2,048 --s-a-w F:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 11:21 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 F:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 17:47 16860672 F:\WINDOWS\RTHDCPL.exe]
"IMJPMIG8.1"="F:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-02-28 08:00 208952]
"MSPY2002"="F:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 08:00 59392]
"PHIME2002ASync"="F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 08:00 455168]
"PHIME2002A"="F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 08:00 455168]
"NeroFilterCheck"="F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"LXCJCATS"="F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2006-02-24 18:07 73728]
"AVG7_CC"="F:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-24 10:30 579584]
"Adobe Reader Speed Launcher"="F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"TkBellExe"="F:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-27 00:18 185896]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="F:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-04 02:17 219136]

F:\Documents and Settings\n8sun1\Start Menu\Programs\Startup\
Webshots.lnk - F:\Program Files\Webshots\Launcher.exe [2007-12-27 01:03:28 157008]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"F:\\Program Files\\uTorrent\\uTorrent.exe"=
"F:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"F:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"F:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"F:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"F:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"F:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"F:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

R0 nvgts;nvgts;F:\WINDOWS\system32\DRIVERS\nvgts.sys [2007-08-09 12:11]
R1 ndiswann;ndiswann;F:\WINDOWS\system32\drivers\ndiswann.sys [2008-01-27 00:18]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 02:03:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\Program Files\Webshots\Webshots.scr
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\wdfmgr.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
F:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-06 2:05:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-06 06:05:24
ComboFix2.txt 2008-05-05 17:58:22
ComboFix3.txt 2008-05-05 17:48:00
ComboFix4.txt 2008-04-11 04:05:05

Pre-Run: 24,428,072,960 bytes free
Post-Run: 24,422,559,744 bytes free

134 --- E O F --- 2008-04-12 07:02:02
 

· Registered · 289 Posts
Sorry, it's been a REAL hectic few days here.

Open a new notepad 'page' and copy/paste the text in the codebox below to it:

Code:
Rootkit::F:\WINDOWS\system32\drivers\core.cache.dsk
Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After the reboot, post the contents of ComboFix.txt in your next reply.
 

· Registered · 15 Posts
Discussion Starter · #16 ·
ComboFix 08-05-01.3 - n8sun1 2008-05-09 23:34:49.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2582 [GMT -4:00]
Running from: F:\Documents and Settings\n8sun1\Desktop\ComboFix.exe
Command switches used :: F:\Documents and Settings\n8sun1\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Rootkit::F:\WINDOWS\system32\drivers\core.cache.dsk
F:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-04-10 to 2008-05-10 )))))))))))))))))))))))))))))))
.

2008-05-07 03:22 . 2008-05-07 03:22 54,156 --ah----- F:\WINDOWS\QTFont.qfn
2008-05-07 03:22 . 2008-05-07 03:22 1,409 --a------ F:\WINDOWS\QTFont.for
2008-05-07 03:17 . 2008-05-07 03:17 151 --a------ F:\WINDOWS\PhotoSnapViewer.INI
2008-05-06 03:01 . 2008-05-06 03:03 1,440,054 --a------ F:\WINDOWS\webshots.bmp
2008-05-06 03:00 . 2008-05-06 03:00 180,224 --a------ F:\WINDOWS\UninstallWSST.exe
2008-05-06 03:00 . 2008-05-06 03:00 28,672 --a------ F:\WINDOWS\system32\ssconfig.exe
2008-05-06 03:00 . 2008-05-06 03:03 148 --a------ F:\WINDOWS\WSST_Screen_Saver.ini
2008-05-02 10:17 . 2008-05-02 10:17 <DIR> d-------- F:\Program Files\Common Files\Java
2008-05-02 10:17 . 2008-03-25 02:37 69,632 --a------ F:\WINDOWS\system32\javacpl.cpl
2008-04-27 20:05 . 2008-04-27 20:19 <DIR> d-------- F:\Documents and Settings\n8sun1\Application Data\UseNeXT
2008-04-26 16:28 . 2008-04-26 16:28 <DIR> d-------- F:\Program Files\Common Files\Totem Shared
2008-04-23 18:48 . 2008-04-23 18:48 <DIR> d-------- F:\Program Files\Orbitdownloader
2008-04-23 18:48 . 2008-04-23 19:12 <DIR> d-------- F:\Downloads
2008-04-23 18:48 . 2008-05-08 21:50 <DIR> d-------- F:\Documents and Settings\n8sun1\Application Data\Orbit
2008-04-23 18:22 . 2008-05-07 20:13 <DIR> d-------- F:\Program Files\Free Music Zilla
2008-04-23 18:22 . 2008-04-23 18:26 <DIR> d-------- F:\Documents and Settings\n8sun1\Application Data\FMZilla
2008-04-20 17:50 . 2008-04-20 17:50 <DIR> d-------- F:\Deckard
2008-04-19 15:23 . 2008-05-09 23:32 <DIR> d-------- F:\Program Files\Panda Security
2008-04-17 22:04 . 2008-05-09 23:36 932 --a------ F:\WINDOWS\system32\drivers\core.cache.dsk
2008-04-12 19:43 . 2008-05-02 10:16 <DIR> d-------- F:\Program Files\SUPERAntiSpyware
2008-04-12 19:43 . 2008-05-02 10:16 <DIR> d-------- F:\Documents and Settings\n8sun1\Application Data\SUPERAntiSpyware.com
2008-04-12 19:43 . 2008-04-12 19:43 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-11 00:19 . 2008-04-11 00:19 <DIR> d---s---- F:\Documents and Settings\n8sun1\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 03:31 --------- d-----w F:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-10 03:31 --------- d-----w F:\Documents and Settings\All Users\Application Data\avg7
2008-05-10 03:27 --------- d-----w F:\Documents and Settings\n8sun1\Application Data\AVG7
2008-05-10 03:24 --------- d-----w F:\Documents and Settings\n8sun1\Application Data\uTorrent
2008-05-02 14:17 --------- d-----w F:\Program Files\Java
2008-05-02 14:16 --------- d-----w F:\Program Files\Common Files\Wise Installation Wizard
2008-05-02 14:14 --------- d---a-w F:\Documents and Settings\All Users\Application Data\TEMP
2008-05-02 14:10 --------- d-----w F:\Program Files\Common Files\InstallShield
2008-04-19 01:32 --------- d-----w F:\Program Files\uTorrent
2008-03-30 04:44 --------- d-----w F:\Documents and Settings\n8sun1\Application Data\LimeWire
2008-03-27 04:18 --------- d-----w F:\Program Files\Common Files\xing shared
2008-03-27 04:18 --------- d-----w F:\Program Files\Common Files\Real
2008-03-19 09:47 1,845,248 ----a-w F:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w F:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w F:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w F:\WINDOWS\system32\wininet.dll
2008-01-08 01:17 32 ----a-w F:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-02-28 12:00 73,728 --sha-w F:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

((((((((((((((((((((((((((((( [email protected]_13.47.48.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-07 18:54:15 53,248 ----a-w F:\WINDOWS\assembly\GAC_MSIL\msfeeds\1.0.0.0__7df935e7b230192c\msfeeds.dll
- 2008-05-05 17:45:15 2,048 --s-a-w F:\WINDOWS\bootstat.dat
+ 2008-05-10 03:36:23 2,048 --s-a-w F:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 11:21 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 F:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 17:47 16860672 F:\WINDOWS\RTHDCPL.exe]
"IMJPMIG8.1"="F:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-02-28 08:00 208952]
"MSPY2002"="F:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 08:00 59392]
"PHIME2002ASync"="F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 08:00 455168]
"PHIME2002A"="F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 08:00 455168]
"NeroFilterCheck"="F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"LXCJCATS"="F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2006-02-24 18:07 73728]
"Adobe Reader Speed Launcher"="F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"TkBellExe"="F:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-27 00:18 185896]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]

F:\Documents and Settings\n8sun1\Start Menu\Programs\Startup\
Webshots.lnk - F:\Program Files\Webshots\Launcher.exe [2007-12-27 01:03:28 157008]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"F:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"F:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"F:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"F:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

R0 nvgts;nvgts;F:\WINDOWS\system32\DRIVERS\nvgts.sys [2007-08-09 12:11]
R1 ndiswann;ndiswann;F:\WINDOWS\system32\drivers\ndiswann.sys [2008-01-27 00:18]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 23:36:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\Webshots\Webshots.scr
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\wdfmgr.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2008-05-09 23:38:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-10 03:38:37
ComboFix2.txt 2008-05-10 03:29:34
ComboFix3.txt 2008-05-06 06:05:27
ComboFix4.txt 2008-05-05 17:58:22
ComboFix5.txt 2008-05-05 17:48:00

Pre-Run: 24,745,926,656 bytes free
Post-Run: 24,736,436,224 bytes free

130 --- E O F --- 2008-04-12 07:02:02
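The three ComboFix logs above share one detail worth checking mechanically: F:\WINDOWS\system32\drivers\core.cache.dsk reports ". . . . failed to delete" on every run, and its modified time in the "Files Created" section advances each time (2008-05-06 02:03, then 2008-05-09 23:36, both within minutes of the ComboFix start time), while catchme reports "hidden files: 0" every time. A file that is rewritten during the very scan that tries to remove it is being held open or recreated by something still running, which is why the helper escalates from a File:: directive to Rootkit:: and then to a GMER scan. The Python script below is an added example, not ComboFix's code and not anything posted in this thread: it parses excerpts copied from the logs above and flags exactly that condition, and also extracts the mountpoints2 AutoRun command that appeared in the 2008-05-05 log. The regular expressions are assumptions about ComboFix's log layout inferred from the lines shown here, and the log excerpts are constructed from this thread.

```python
"""Triage successive ComboFix logs for files that survive deletion and keep
being rewritten (added example; not ComboFix's own code).

Two observations from the thread are automated here:
  1. a path listed under "Other Deletions" as ". . . . failed to delete", and
  2. the same path reappearing under "Files Created" with a modified time later
     than in the previous run, i.e. something rewrote it between/during scans.
A mountpoints2 \\Shell\\AutoRun\\command entry is also reported, since that is
a removable-volume autorun persistence point ComboFix lists in the same log.
"""
import re
from datetime import datetime

# Constructed excerpts, copied from the three ComboFix logs in this thread.
# RUN_0: 2008-05-05 log (before the first CFScript); RUN_1: 2008-05-06 log;
# RUN_2: 2008-05-09 log after the Rootkit:: directive.
RUN_0 = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6783bf8d-e165-11dc-a0e4-001aa059ccae}]
\Shell\AutoRun\command - "L:\Install FreeAgent Tools.exe" /run
"""

RUN_1 = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\WINDOWS\data4711.bak
F:\WINDOWS\info147.sys
F:\WINDOWS\vgirl.prf
F:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-04-17 22:04 . 2008-05-06 02:03 932 --a------ F:\WINDOWS\system32\drivers\core.cache.dsk
2008-04-12 19:43 . 2008-05-02 10:16 <DIR> d-------- F:\Program Files\SUPERAntiSpyware
"""

RUN_2 = r"""
Rootkit::F:\WINDOWS\system32\drivers\core.cache.dsk
F:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

2008-04-17 22:04 . 2008-05-09 23:36 932 --a------ F:\WINDOWS\system32\drivers\core.cache.dsk
2008-04-12 19:43 . 2008-05-02 10:16 <DIR> d-------- F:\Program Files\SUPERAntiSpyware
"""

# Layout assumptions about ComboFix output, taken from the lines above.
FAILED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \. \. \. \. failed to delete\s*$")
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>[A-Za-z]:\\.+?)\s*$"
)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+?)\s*$")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_run(text):
    """Return (failed_deletes, files, autorun_commands) for one log.

    files maps a lower-cased path to (created, modified, size_or_None)."""
    failed, files, autorun = set(), {}, []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failed.add(m["path"].lower())   # Windows paths are case-insensitive
            continue
        m = CREATED_RE.match(line)
        if m:
            size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
            files[m["path"].lower()] = (_ts(m["created"]), _ts(m["modified"]), size)
            continue
        m = AUTORUN_RE.match(line)
        if m:
            autorun.append(m["cmd"])
    return failed, files, autorun


def resurrected(prev_text, cur_text):
    """Paths the current run failed to delete whose modified time advanced
    since the previous run, mapped to the advance in seconds.  Such a file is
    being rewritten by a live component, not merely left behind."""
    _, prev_files, _ = parse_run(prev_text)
    cur_failed, cur_files, _ = parse_run(cur_text)
    out = {}
    for path in cur_failed:
        if path in prev_files and path in cur_files:
            prev_mod, cur_mod = prev_files[path][1], cur_files[path][1]
            if cur_mod > prev_mod:
                out[path] = (cur_mod - prev_mod).total_seconds()
    return out


if __name__ == "__main__":
    for path, secs in resurrected(RUN_1, RUN_2).items():
        print(f"{path}: failed to delete again, rewritten {secs / 3600:.1f} h after the previous run")
    for cmd in parse_run(RUN_0)[2]:
        print("AutoRun command on a mounted volume:", cmd)
```

Run as-is, it reports core.cache.dsk as rewritten about 93.6 hours after the previous run and prints the AutoRun command for volume L:. The caveat it encodes is the one a practitioner wants from this thread: a clean catchme result ("hidden files: 0") says nothing about a file that is visible but protected, so the correct next step is a kernel-level view such as the GMER scan requested below, not another File:: attempt.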
 

· Registered · 289 Posts
Download Gmer from HERE

Unzip it to its own folder.
Disconnect from the internet and disable your antivirus. <<--- Important step
Shut down any other running apps, including browser windows (even this one).
The less we have running, the less chance of false positives in the log.
Double-click gmer.exe to run it.
Allow the driver to install if asked (gmer.sys).
You may get a warning when the program starts about possible rootkit activity, asking whether you want to run a scan.

Say OK to run the scan,
or just click "Scan" if there is no warning.
Let the scan finish.
Once done, press "Save".
In the new window that pops up, name the log and save it to your desktop.

Re-enable your antivirus, reconnect to the internet, then post your log here please.
 