# Solved: Best way to check for trojans and adware



## GlennU (Jul 25, 2005)

Can anyone provide assistance in removing trojans and adware? See HJT file below.

Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:53 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\AOL\1134674526\ee\AOLSoftware.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\E-Color\Colorific\hgcctl95.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.media-search.net/nph-search.cgi?track=mssb1&look=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hhttp://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {E76B596A-EBFF-9473-F1DF-BFDEC9B65BC8} - C:\WINDOWS\system32\pjmwdihr.dll (file missing)
O2 - BHO: (no name) - {EE4F7C6B-B88A-BC52-F7DF-BFDEC9B60B92} - C:\WINDOWS\system32\pps.dll (file missing)
O2 - BHO: ProxyReset Class - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - C:\WINDOWS\System32\AHIEHelp.DLL (file missing)
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [Detect] C:\Program Files\iNTERNET Turbo\iDetect.exe /auto
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\Program Files\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134674526\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ptrun32] C:\WINDOWS\system32\ptrun32\ptrun32.exe -startup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [NBCUniversal Media Manager Tray] "C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" /CustomId:NBCUniversal
O4 - HKLM\..\Run: [{E4B942B6-050F-1033-1114-010430200001}] "C:\Program Files\Common Files\{E4B942B6-050F-1033-1114-010430200001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [{E4B942B6-050E-1033-1114-010430200001}] "C:\Program Files\Common Files\{E4B942B6-050E-1033-1114-010430200001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [{CC46C41C-050F-1033-1114-010430200001}] "C:\Program Files\Common Files\{CC46C41C-050F-1033-1114-010430200001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [PSD Tools Channel] C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\Run: [PTRUN32] C:\WINDOWS\system32\ptrun32\ptr32w.exe
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\system32\STEM32~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Pxaj] C:\WINDOWS\F?nts\w?nword.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [imzz] C:\PROGRA~1\COMMON~1\imzz\imzzm.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Policies\Explorer\Run: [{E4B942B6-050F-1033-1114-010430200001}] "C:\Program Files\Common Files\{E4B942B6-050F-1033-1114-010430200001}\Update.exe" te-110-12-0000213
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Colorific.lnk = C:\Program Files\E-Color\Colorific\hgcctl95.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SonnReg.lnk = C:\Program Files\E-Color\Registration\SonnReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {0D68CB5D-F53A-4446-9C8F-BFEDF5D63C7B} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O9 - Extra button: @Home - {681A93F4-BE60-49D0-88CF-73489AA78B89} - http://home.excite.com (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://home.excite.com/
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...W/win/019-0123.20031218.zes4d/iTunesSetup.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by130fd.bay130.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
O20 - AppInit_DLLs: 
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe

--
End of file - 11876 bytes

Thanks,
Glenn U.
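As an added example (not from this thread, HijackThis or any helper's own tooling), the script below applies the checks a log reader applies by eye to entries like the ones in the HJT log above: orphaned `(file missing)` / `(no file)` entries, `?` characters in an autostart path, core system process names launched from outside the Windows directories, a lookalike of a system process name, and IE search/start settings pointing at a host outside an allow-list. The sample lines are copied from the log above; the allow-list of search hosts and all function names are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: eleven entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.media-search.net/nph-search.cgi?track=mssb1&look=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E76B596A-EBFF-9473-F1DF-BFDEC9B65BC8} - C:\WINDOWS\system32\pjmwdihr.dll (file missing)
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\system32\STEM32~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Pxaj] C:\WINDOWS\F?nts\w?nword.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# Core Windows process names that should only ever start from the Windows directories.
SYSTEM_PROCESSES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "explorer"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Hosts that IE search/start settings may legitimately point at. Constructed allow-list
# for this example; a real triage would use the helper's own reference list.
KNOWN_SEARCH_HOSTS = {"go.microsoft.com", "securityresponse.symantec.com"}

# First drive-letter path on the line, with or without surrounding quotes.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\s][^"]*?\.(?:exe|dll|ocm|sys))"?', re.IGNORECASE)
URL_RE = re.compile(r"=\s*(https?://\S+)", re.IGNORECASE)
ENTRY_RE = re.compile(r"^[RO]\d{1,2} - ")


def analyze_line(line):
    """Return the reasons (possibly none) that one HijackThis entry deserves a closer look."""
    reasons = []
    kind = line.split(" - ", 1)[0].strip()  # "R1", "O2", "O4", "O23", ...

    if "(file missing)" in line or "(no file)" in line:
        reasons.append("references a file that no longer exists (orphaned entry)")

    m = PATH_RE.search(line)
    if m:
        path = m.group(1)
        parent, _, base = path.lower().rpartition("\\")
        stem = base.rsplit(".", 1)[0]
        if "?" in path:
            reasons.append("path contains '?' (unprintable or lookalike characters in the name)")
        if stem in SYSTEM_PROCESSES and parent not in SYSTEM_DIRS:
            reasons.append(f"system process name '{base}' started from non-system directory '{parent}'")
        elif any(stem.startswith(s) and stem != s for s in SYSTEM_PROCESSES):
            reasons.append(f"'{base}' looks like a misspelling of a system process name")

    if kind in ("R0", "R1"):
        u = URL_RE.search(line)
        if u:
            host = urlparse(u.group(1)).hostname or ""
            if host not in KNOWN_SEARCH_HOSTS:
                reasons.append(f"IE search/start setting points at unrecognised host '{host}'")
    return reasons


def triage(log_text):
    """Run analyze_line over a whole log; return [(entry, reasons)] for flagged entries only."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or not ENTRY_RE.match(line):
            continue  # skip headers, process lists and blank lines
        reasons = analyze_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```

Entries that pass every check (the Google, iTunes and ctfmon lines) are simply not listed, so the output is the short list a helper would actually ask about.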


----------



## Jintan (Oct 4, 2007)

Hello GlennU,

Some serious infection showing here, as well as some extremely outdated and mostly useless Ewido software (long since replaced when purchased by AVG). Let's start some repairs and make changes as we go.

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs. Important, so please take the time to do this when doing these repairs.

Download SDFix.exe and save it to your desktop.

Then disconnect from net access. If cable/dsl physically disconnect the modem cable, if dial-up disconnect the phone line. This will keep infection from reinstalling right now.

===================================================

Reboot into *Safe Mode* (at startup tap the F8 key and select Safe Mode).

In Safe Mode, click the SDFix.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double click *RunThis.bat* to start the script.

Next type *Y* to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.

When the desktop loads the Fixtool will complete the removal and display *Finished*, then press any key to end the script and load your desktop icons.

Then open the C:\SDFix folder and copy and paste the contents of the results file *Report.txt* back here.

=============================

After the reboot reconnect to net access and Download Malwarebytes' Anti-Malware from Here or Here.

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

============================

Then Download Deckard's System Scanner (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

*"%userprofile%\desktop\dss.exe" /config*

When the DSS Configuration display opens click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, Under Main Log, uncheck the following:

*System Restore*
*Temp Cleanup*
*Process Modules*

Then under Options, place a check next to the following:

*Backup Registry Hives*

Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

Once the scan has completed a textbox will appear - copy/paste those contents back here (main.txt). Also a second text file, extra.txt, will show as minimized in your Task Bar. Maximize/Open this, and copy/paste those contents back here along with the main.txt please. (The logs can also be found in the C:\Deckard\System Scanner folder)

Post those along with the MBAM log and the SDFix report.txt log please.


----------



## GlennU (Jul 25, 2005)

Jintan...I ran SDFix and the report is below. However, while running Malwarebytes, my computer shut down. I ran Malwarebytes 2 more times and each time the computer shut down. As a note, I replaced my power supply a few weeks ago because the computer was shutting down by itself. Today, after unsuccessfully running Malwarebytes, I left the computer on for a few hours, but did not run the Malwarebytes program, and the computer did not turn off.

Thanks,
GlennU


----------



## GlennU (Jul 25, 2005)

*SDFix: Version 1.175*
Run by Larry Miller on Sat 04/26/2008 at 10:20 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix\SDFix

*Checking Services*:

*Name*:
COM+ Messages

*Path*:
"C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213

COM+ Messages - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

*Checking Files*:

Trojan Files Found:

C:\Documents and Settings\Larry Miller\Application Data\Install.dat - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted
C:\WINDOWS\smdat32a.sys - Deleted

Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed

Removing Temp Files

*ADS Check*:

*Final Check*:


----------



## GlennU (Jul 25, 2005)

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 10:42:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"OfflineDetectionPending"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

*Remaining Services*:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"

*Remaining Files*:

File Backups: - C:\sdfix\SDFix\backups\backups.zip

*Files with Hidden Attributes*:

Tue 7 Feb 2006 4,789,792 ...H. --- "C:\Program Files\Picasa2\setup.exe"
Wed 24 Mar 2004 52 A..H. --- "C:\Program Files\STOPzilla!\swin32z.sys"
Thu 3 Apr 2008 16,384 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc195.tmp"
Mon 17 Sep 2007 16,384 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc196.tmp"
Tue 15 Apr 2008 65,536 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc197.tmp"
Mon 17 Sep 2007 98,304 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc198.tmp"
Tue 6 Mar 2007 65,536 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc199.tmp"
Sat 12 Apr 2008 16,384 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc200.tmp"
Mon 21 Apr 2008 114,688 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc201.tmp"
Thu 9 Aug 2001 64,512 A..H. --- "C:\WINDOWS\system32\PackethSvc.exe"
Mon 3 May 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 3 May 2004 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv15.bak"
Mon 21 Apr 2008 19,871,600 A..H. --- "C:\Documents and Settings\Larry Miller\Desktop\aaw2007.exe"
Wed 5 Feb 2003 6,804,794 A..H. --- "C:\Documents and Settings\Larry Miller\Desktop\BullGuard.exe"
Wed 14 Dec 2005 7,211,880 A..H. --- "C:\Documents and Settings\Larry Miller\Desktop\ewido-setup.exe"
Mon 21 Apr 2008 7,574,256 A..H. --- "C:\Documents and Settings\Larry Miller\Desktop\Free-SpyHunter-Scanner-Install.exe"
Mon 21 Apr 2008 812,344 A..H. --- "C:\Documents and Settings\Larry Miller\Desktop\HJTInstall.exe"
Wed 11 Apr 2007 17,464,248 A..H. --- "C:\Documents and Settings\Larry Miller\Desktop\IE7Setup_G.exe"
Mon 10 Feb 2003 42,678 A..H. --- "C:\Documents and Settings\Larry Miller\Desktop\killad.zip"
Fri 23 Dec 2005 24,630,127 A..H. --- "C:\Documents and Settings\Larry Miller\Desktop\NAV11_Microsoft.exe"
Sun 9 Feb 2003 2,948,541 A..H. --- "C:\Documents and Settings\Larry Miller\Desktop\ned_2001.exe"
Mon 21 Apr 2008 2,167,568 A..H. --- "C:\Documents and Settings\Larry Miller\Desktop\noadware.exe"
Sun 13 Apr 2008 509,423 A..H. --- "C:\Documents and Settings\Larry Miller\Desktop\SMC1211Driver.zip"
Wed 7 Jul 2004 4,354,084 A..H. --- "C:\Documents and Settings\Larry Miller\Desktop\spybotsd13.exe"
Thu 15 Dec 2005 913 A..H. --- "C:\Documents and Settings\Larry Miller\.limewire\fileurns.bak"
Sun 4 Aug 2002 148,752 A..H. --- "C:\Documents and Settings\Larry Miller\My Documents\KaZaA.exe"
Tue 27 May 2003 28,672 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL0105.tmp"
Wed 28 May 2003 36,352 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL0126.tmp"
Wed 28 May 2003 34,304 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL0307.tmp"
Tue 27 May 2003 26,624 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL0560.tmp"
Tue 27 May 2003 27,648 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL0571.tmp"
Wed 28 May 2003 34,816 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL0613.tmp"
Wed 28 May 2003 32,768 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL0762.tmp"
Wed 28 May 2003 38,400 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL0778.tmp"
Tue 7 Nov 2006 22,016 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL0808.tmp"
Sun 12 Nov 2006 22,528 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL0850.tmp"
Tue 7 Nov 2006 20,992 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL0921.tmp"
Thu 29 May 2003 45,056 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL0936.tmp"
Mon 26 May 2003 24,576 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL1092.tmp"
Tue 27 May 2003 26,112 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL1232.tmp"
Tue 7 Nov 2006 21,504 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL1258.tmp"
Mon 26 May 2003 23,552 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL1377.tmp"
Tue 3 Jan 2006 19,968 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL1465.tmp"
Sun 12 Nov 2006 23,552 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL1554.tmp"
Wed 28 May 2003 32,256 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL1624.tmp"
Wed 28 May 2003 32,256 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL1713.tmp"
Mon 26 May 2003 24,064 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL1777.tmp"
Thu 29 May 2003 41,984 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL1850.tmp"
Tue 27 May 2003 26,112 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL1894.tmp"
Thu 29 May 2003 43,008 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL2118.tmp"
Mon 26 May 2003 24,576 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL2156.tmp"
Wed 28 May 2003 37,376 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL2236.tmp"
Tue 7 Nov 2006 20,992 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL2253.tmp"
Tue 27 May 2003 28,672 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL2270.tmp"
Sun 12 Nov 2006 22,528 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL2413.tmp"
Wed 28 May 2003 38,400 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL2516.tmp"
Tue 27 May 2003 27,136 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL2537.tmp"
Wed 28 May 2003 36,864 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL2734.tmp"
Thu 29 May 2003 43,520 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL2772.tmp"
Mon 26 Dec 2005 19,968 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL2803.tmp"
Wed 28 May 2003 32,768 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL2866.tmp"
Wed 28 May 2003 34,304 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL2867.tmp"
Thu 29 May 2003 44,032 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL3024.tmp"
Tue 7 Nov 2006 22,016 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL3056.tmp"
Thu 29 May 2003 42,496 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL3063.tmp"
Wed 28 May 2003 35,840 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL3074.tmp"
Thu 29 May 2003 38,912 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL3182.tmp"
Tue 27 May 2003 26,112 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL3200.tmp"
Tue 7 Nov 2006 20,992 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL3224.tmp"
Tue 7 Nov 2006 21,504 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL3367.tmp"
Sun 12 Nov 2006 23,040 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL3391.tmp"
Sun 12 Nov 2006 23,040 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL3426.tmp"
Wed 28 May 2003 37,888 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL3721.tmp"
Wed 28 May 2003 30,208 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL3788.tmp"
Sun 12 Nov 2006 22,528 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL3877.tmp"
Tue 7 Nov 2006 22,016 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL3918.tmp"
Tue 7 Nov 2006 20,480 ...H. --- "C:\Documents and Settings\Larry Miller\My Documents\~WRL3926.tmp"
Thu 5 Aug 2004 310 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti4A5.tmp"
Sat 3 Mar 2007 215 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti5.tmp"
Tue 27 Sep 2005 86,016 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc17.tmp\SecurityUtil.dll"
Mon 5 Mar 2007 10,240 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc19.tmp\System.dll"
Sun 4 Mar 2007 10,240 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc20.tmp\System.dll"
Mon 10 Feb 2003 1,206 A..HR --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc213\ccReg.reg"
Mon 10 Feb 2003 12,368 A..HR --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc213\CommonClient.reg"
Tue 18 Mar 2003 22,016 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0001.tmp"
Tue 30 Dec 2003 40,448 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0002.tmp"
Mon 31 May 2004 24,576 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0003.tmp"
Sun 7 Dec 2003 20,992 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0005.tmp"
Mon 28 Oct 2002 20,992 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0075.tmp"
Thu 1 Jan 2004 62,464 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0084.tmp"
Wed 26 Mar 2003 45,056 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0087.tmp"
Wed 31 Dec 2003 41,984 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0159.tmp"
Thu 27 Mar 2003 45,568 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0189.tmp"
Wed 31 Dec 2003 43,008 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0240.tmp"
Thu 20 Mar 2003 20,992 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0262.tmp"
Wed 26 Mar 2003 39,424 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0299.tmp"
Thu 1 Jan 2004 45,056 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0301.tmp"
Thu 1 Jan 2004 45,056 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0344.tmp"
Thu 20 Mar 2003 20,992 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0520.tmp"
Tue 15 Oct 2002 21,504 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0536.tmp"
Mon 28 Oct 2002 23,552 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0626.tmp"
Thu 20 Mar 2003 22,528 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0634.tmp"
Wed 26 Mar 2003 39,424 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0665.tmp"
Wed 26 Mar 2003 31,744 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0681.tmp"
Mon 14 Oct 2002 19,968 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0695.tmp"
Thu 1 Jan 2004 62,976 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0916.tmp"
Wed 26 Mar 2003 43,008 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0920.tmp"
Thu 1 Jan 2004 62,976 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0938.tmp"
Wed 26 Mar 2003 31,744 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0965.tmp"
Thu 1 Jan 2004 51,200 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL0994.tmp"
Thu 1 Jan 2004 51,200 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL1057.tmp"
Sun 7 Dec 2003 21,504 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL1101.tmp"
Thu 1 Jan 2004 47,616 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL1160.tmp"
Thu 1 Jan 2004 62,976 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL1187.tmp"
Thu 20 Mar 2003 21,504 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL1205.tmp"
Thu 1 Jan 2004 58,880 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL1271.tmp"
Wed 26 Mar 2003 39,424 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL1325.tmp"
Thu 20 Mar 2003 22,528 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL1363.tmp"
Thu 20 Mar 2003 22,528 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL1396.tmp"
Thu 1 Jan 2004 58,880 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL1424.tmp"
Tue 15 Oct 2002 24,064 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL1518.tmp"
Sun 7 Dec 2003 23,040 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL1549.tmp"
Wed 26 Mar 2003 44,032 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL1607.tmp"
Tue 15 Oct 2002 21,504 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL1614.tmp"
Mon 28 Oct 2002 20,480 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL1712.tmp"
Thu 27 Mar 2003 45,568 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL1770.tmp"
Wed 26 Mar 2003 30,720 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL1782.tmp"
Thu 1 Jan 2004 62,976 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL1814.tmp"
Thu 1 Jan 2004 60,928 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2010.tmp"
Thu 1 Jan 2004 51,200 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2092.tmp"
Thu 1 Jan 2004 64,512 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2102.tmp"
Thu 1 Jan 2004 45,568 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2116.tmp"
Thu 1 Jan 2004 57,856 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2137.tmp"
Tue 15 Oct 2002 20,480 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2220.tmp"
Thu 1 Jan 2004 50,176 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2221.tmp"
Thu 1 Jan 2004 65,024 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2238.tmp"
Thu 27 Mar 2003 45,568 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2335.tmp"
Tue 15 Oct 2002 22,528 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2346.tmp"
Sun 7 Dec 2003 23,040 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2449.tmp"
Thu 1 Jan 2004 45,568 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2611.tmp"
Wed 26 Mar 2003 31,744 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2624.tmp"
Wed 31 Dec 2003 40,960 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2675.tmp"
Thu 20 Mar 2003 22,528 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2726.tmp"
Thu 1 Jan 2004 62,976 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2812.tmp"
Thu 27 Mar 2003 45,568 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2853.tmp"
Mon 28 Oct 2002 19,968 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2923.tmp"
Wed 26 Mar 2003 42,496 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2966.tmp"
Sun 27 Oct 2002 19,968 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2968.tmp"
Thu 1 Jan 2004 64,000 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL2976.tmp"
Thu 1 Jan 2004 62,976 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL3171.tmp"
Thu 1 Jan 2004 59,392 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL3321.tmp"
Wed 26 Mar 2003 31,744 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL3330.tmp"
Wed 31 Dec 2003 43,520 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL3351.tmp"
Mon 28 Oct 2002 20,992 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL3362.tmp"
Thu 1 Jan 2004 48,640 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL3404.tmp"
Wed 26 Mar 2003 31,744 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL3418.tmp"
Thu 1 Jan 2004 62,976 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL3471.tmp"
Wed 26 Mar 2003 43,008 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL3480.tmp"
Mon 7 Jun 2004 24,576 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL3544.tmp"
Tue 15 Oct 2002 24,576 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL3580.tmp"
Wed 26 Mar 2003 24,576 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL3623.tmp"
Wed 26 Mar 2003 31,232 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL3680.tmp"
Tue 15 Oct 2002 22,016 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL3707.tmp"
Thu 20 Mar 2003 22,528 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL3714.tmp"
Wed 26 Mar 2003 43,008 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL3848.tmp"
Wed 31 Dec 2003 43,520 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL3863.tmp"
Wed 31 Dec 2003 40,960 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL3916.tmp"
Thu 1 Jan 2004 62,976 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc225\~WRL4021.tmp"
Thu 27 Jan 2000 30,720 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc229\killad.exe"
Thu 27 Jan 2000 5,120 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc229\killdll.dll"
Sat 3 Mar 2007 36 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\T10.tmp"
Sun 4 Mar 2007 18,945 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\T11.tmp"
Sat 3 Mar 2007 224 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\T17.tmp"
Sat 3 Mar 2007 36 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\T19.tmp"
Sat 3 Mar 2007 18,945 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\T1A.tmp"
Sat 3 Mar 2007 224 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\T3.tmp"
Sat 3 Mar 2007 224 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\T4.tmp"
Sat 3 Mar 2007 36 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\T5.tmp"
Sat 3 Mar 2007 18,945 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\T6.tmp"
Sat 3 Mar 2007 224 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\T7.tmp"
Thu 22 Feb 2007 224 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\T71D.tmp"
Thu 22 Feb 2007 36 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\T71F.tmp"
Sat 24 Feb 2007 14,869 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\T720.tmp"
Sat 3 Mar 2007 36 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\T8.tmp"
Sat 3 Mar 2007 36 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\T9.tmp"
Sat 3 Mar 2007 18,945 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\TA.tmp"
Sun 4 Mar 2007 18,945 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\TB.tmp"
Mon 26 Feb 2007 224 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\TB9C.tmp"
Mon 26 Feb 2007 36 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\TB9E.tmp"
Mon 26 Feb 2007 14,869 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\TB9F.tmp"
Sat 3 Mar 2007 224 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\TC.tmp"
Sat 3 Mar 2007 224 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\TCF.tmp"
Sat 3 Mar 2007 224 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\TD.tmp"
Sat 3 Mar 2007 36 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\TD1.tmp"
Sat 3 Mar 2007 19,055 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\TD2.tmp"
Tue 27 Feb 2007 224 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\TDE1.tmp"
Tue 27 Feb 2007 36 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\TDE3.tmp"
Tue 27 Feb 2007 14,869 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\TDE4.tmp"
Sat 3 Mar 2007 36 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\TE.tmp"
Sun 4 Mar 2007 18,945 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\TF.tmp"
Tue 27 Feb 2007 224 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\TF93.tmp"
Tue 27 Feb 2007 36 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\TF95.tmp"
Sat 3 Mar 2007 18,945 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc24\TF96.tmp"
Fri 17 Aug 2001 98,816 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc27\migload.exe"
Sat 1 Sep 2007 159,744 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc6\IGdi.dll"
Tue 1 Apr 2003 327,680 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc6\ISRT.DLL"
Wed 5 Mar 2003 290,816 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc6\_ISRES.DLL"
Sat 1 Sep 2007 270,336 A..H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc6\_ISUSER.DLL"
Mon 17 Sep 2007 3,634,176 A..H. --- "C:\Documents and Settings\Larry Miller\Desktop\alex\F5D6050z.exe"
Wed 26 Feb 2003 2,598,120 A..H. --- "C:\Documents and Settings\Larry Miller\Desktop\alex\Install_AIM.exe"
Sun 21 Mar 2004 19,979,192 A..H. --- "C:\Documents and Settings\Larry Miller\Desktop\alex\iTunesSetup.exe"
Thu 15 Dec 2005 359,112 A..H. --- "C:\Documents and Settings\Larry Miller\Desktop\alex\LimeWireWin.exe"
Sat 2 Sep 2000 65,536 A..H. --- "C:\Documents and Settings\Larry Miller\Desktop\ned\NED.exe"
Wed 11 Jul 2001 23,153 A..H. --- "C:\Documents and Settings\Larry Miller\Desktop\WINXP\SMC1211.SYS"
Fri 8 Sep 2006 3,064,200 A..H. --- "C:\Documents and Settings\Larry Miller\.limewire\.NetworkShare\LimeWireWin4.12.6-fixed.exe"
Tue 12 Sep 2006 4,519,880 A..H. --- "C:\Documents and Settings\Larry Miller\.limewire\.NetworkShare\LimeWireWin4.12.6-nopack2.exe"
Fri 24 Nov 2006 928 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
Fri 18 Jan 2008 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Fri 18 Jan 2008 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Thu 17 Jan 2002 239 A..H. --- "C:\Documents and Settings\Larry Miller\Application Data\Microsoft\Internet Explorer\brndlog.bak"
Thu 16 Feb 2006 59,736 A..H. --- "C:\Documents and Settings\Larry Miller\Application Data\Microsoft\Office\fbc2A58.tmp"
Thu 14 Dec 2006 110,592 A..H. --- "C:\Documents and Settings\Larry Miller\Application Data\U3\0000185E25701D89\cleanup.exe"
Fri 9 Feb 2007 4,603,904 A..H. --- "C:\Documents and Settings\Larry Miller\Application Data\U3\0000185E25701D89\LaunchPad.exe"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Larry Miller\Application Data\U3\0000185E25701D89\Launchpad Removal.exe"
Mon 12 Feb 2007 2,260,992 A..H. --- "C:\Documents and Settings\Larry Miller\Application Data\U3\0000185E25701D89\SanDiskSecurityExtension.dll"
Mon 12 Feb 2007 528,384 A..H. --- "C:\Documents and Settings\Larry Miller\Application Data\U3\0000185E25701D89\SanDiskFormatExtension.dll"
Thu 14 Dec 2006 49,152 A..H. --- "C:\Documents and Settings\Larry Miller\Application Data\U3\0000185E25701D89\U3AccessGrant.exe"
Mon 12 Feb 2007 1,163,264 A..H. --- "C:\Documents and Settings\Larry Miller\Application Data\U3\0000185E25701D89\u3dapi10.dll"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Larry Miller\Application Data\U3\temp\Launchpad Removal.exe"
Thu 15 Sep 2005 444,000 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc23\SYMSHARE\SPBBC\BBRGEN.DLL"
Thu 15 Sep 2005 389,728 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc23\SYMSHARE\SPBBC\SPBBCDRV.SYS"
Thu 15 Sep 2005 714,336 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc23\SYMSHARE\SPBBC\SPBBCEVT.DLL"
Thu 15 Sep 2005 1,160,800 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc23\SYMSHARE\SPBBC\SPBBCSVC.EXE"
Thu 15 Sep 2005 730,720 ...H. --- "C:\RECYCLER\S-1-5-21-1887795725-3604470327-847386435-1006\Dc23\SYMSHARE\SPBBC\UPDMGR.EXE"
Mon 23 Apr 2007 325 A..H. --- "C:\Documents and Settings\Larry Miller\Local Settings\Application Data\Microsoft\Internet Explorer\brndlog.bak"
Fri 8 Dec 2006 7,394 A..H. --- "C:\Documents and Settings\Larry Miller\Application Data\Mozilla\Profiles\default\wdabjpwp.slt\bookmarks.html.sbsd.bak"
Tue 4 Jul 2006 2,541 A..H. --- "C:\Documents and Settings\Larry Miller\Local Settings\Application Data\toaster\packages\670d5118-c267-46ce-822f-7e9adc66a898\imApp.zip"
Fri 30 Jun 2006 20,425 A..H. --- "C:\Documents and Settings\Larry Miller\Local Settings\Application Data\toaster\packages\849a1981-ccd7-4868-b3b5-56a1232d18fe\ActiveUpdate.zip"
Tue 2 May 2006 797,088 A..H. --- "C:\Documents and Settings\Larry Miller\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe"
Wed 25 Oct 2006 20,425 A..H. --- "C:\Documents and Settings\Larry Miller\Local Settings\Application Data\toaster\packages\en-US\d36f1a87-a0ca-4f6d-bdae-3b7989a5967a\ActiveUpdate.zip"

*Finished!*


----------



## Jintan (Oct 4, 2007)

Never sure if it isn't security software, like the drivers from that older Ewido software, interfering with success or malware issues. There is a user mode rootkit involved in some way there, but not coming out in the logs just yet (and SDFix may have picked up a piece of that). 


Go ahead and run and post the Deckard's logs and let's see what our next moves will be please.


----------



## GlennU (Jul 25, 2005)

Backed up registry hives.

Percentage of Memory in Use: 84% (more than 75%).
Total Physical Memory: 255 MiB (512 MiB recommended).

-- HijackThis (run as Larry Miller.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:58 PM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1134674526\ee\AOLSoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\E-Color\Colorific\hgcctl95.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Larry Miller\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Larry Miller.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\dwwin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.media-search.net/nph-search.cgi?track=mssb1&look=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hhttp://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {E76B596A-EBFF-9473-F1DF-BFDEC9B65BC8} - C:\WINDOWS\system32\pjmwdihr.dll (file missing)
O2 - BHO: (no name) - {EE4F7C6B-B88A-BC52-F7DF-BFDEC9B60B92} - C:\WINDOWS\system32\pps.dll (file missing)
O2 - BHO: ProxyReset Class - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - C:\WINDOWS\System32\AHIEHelp.DLL (file missing)
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [Detect] C:\Program Files\iNTERNET Turbo\iDetect.exe /auto
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\Program Files\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134674526\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ptrun32] C:\WINDOWS\system32\ptrun32\ptrun32.exe -startup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [NBCUniversal Media Manager Tray] "C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" /CustomId:NBCUniversal
O4 - HKLM\..\Run: [{E4B942B6-050F-1033-1114-010430200001}] "C:\Program Files\Common Files\{E4B942B6-050F-1033-1114-010430200001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [{E4B942B6-050E-1033-1114-010430200001}] "C:\Program Files\Common Files\{E4B942B6-050E-1033-1114-010430200001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [{CC46C41C-050F-1033-1114-010430200001}] "C:\Program Files\Common Files\{CC46C41C-050F-1033-1114-010430200001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [PSD Tools Channel] C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\Run: [PTRUN32] C:\WINDOWS\system32\ptrun32\ptr32w.exe
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\system32\STEM32~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Pxaj] C:\WINDOWS\F?nts\w?nword.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [imzz] C:\PROGRA~1\COMMON~1\imzz\imzzm.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: Alienware Dock.lnk = C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
O4 - Global Startup: Colorific.lnk = C:\Program Files\E-Color\Colorific\hgcctl95.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SonnReg.lnk = C:\Program Files\E-Color\Registration\SonnReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {0D68CB5D-F53A-4446-9C8F-BFEDF5D63C7B} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O9 - Extra button: @Home - {681A93F4-BE60-49D0-88CF-73489AA78B89} - http://home.excite.com (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://home.excite.com/
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...W/win/019-0123.20031218.zes4d/iTunesSetup.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by130fd.bay130.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C87E1BCE-99F0-46D9-A3B5-A0754566D056}: NameServer = 71.242.0.12 71.252.0.12
O20 - AppInit_DLLs: ,wbsys.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 11893 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,71
.bat - batfile - shell\open\command - "%1" %*
.bat - batfile - shell\edit\command - %SystemRoot%\System32\NOTEPAD.EXE %1
.cmd - cmdfile - DefaultIcon - %SystemRoot%\System32\shell32.dll,-153
.cmd - cmdfile - shell\open\command - "%1" %*
.cmd - cmdfile - shell\edit\command - %SystemRoot%\System32\NOTEPAD.EXE %1
.chm - chm.file - DefaultIcon - C:\WINDOWS\hh.exe,0
.chm - chm.file - shell\open\command - "C:\WINDOWS\hh.exe" %1
.com - comfile - DefaultIcon - %SystemRoot%\System32\shell32.dll,2
.com - comfile - shell\open\command - "%1" %*
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.exe - exefile - DefaultIcon - %1
.exe - exefile - shell\open\command - "%1" %*
.hlp - hlpfile - DefaultIcon - %SystemRoot%\System32\shell32.dll,23
.hlp - hlpfile - shell\open\command - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.inf - inffile - shell\open\command - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.ini - inifile - shell\open\command - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - DefaultIcon - %SystemRoot%\System32\WScript.exe,3
.js - JSFile - shell\open\command - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - CLSID - {00021401-0000-0000-C000-000000000046}
.pif - piffile - shell\open\command - "%1" %*
.reg - regfile - DefaultIcon - %SystemRoot%\regedit.exe,1
.reg - regfile - shell\open\command - regedit.exe "%1"
.reg - regfile - shell\edit\command - %SystemRoot%\system32\NOTEPAD.EXE %1
.scr - scrfile - shell\open\command - "%1" /S
.txt - txtfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,70
.txt - txtfile - shell\open\command - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - DefaultIcon - %SystemRoot%\System32\WScript.exe,2
.vbs - VBSFile - shell\open\command - %SystemRoot%\System32\WScript.exe "%1" %*
.vbs - VBSFile - shell\edit\command - %SystemRoot%\System32\Notepad.exe %1


----------



## GlennU (Jul 25, 2005)

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ACPI (Microsoft ACPI Driver) - c:\windows\system32\drivers\acpi.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R0 atapi (Standard IDE/ESDI Hard Disk Controller) - c:\windows\system32\drivers\atapi.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R0 Disk (Disk Driver) - c:\windows\system32\drivers\disk.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R0 FltMgr - c:\windows\system32\drivers\fltmgr.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R0 Ftdisk (Volume Manager Driver) - c:\windows\system32\drivers\ftdisk.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R0 IntelIde - c:\windows\system32\drivers\intelide.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R0 isapnp (PnP ISA/EISA Bus Driver) - c:\windows\system32\drivers\isapnp.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R0 KSecDD - c:\windows\system32\drivers\ksecdd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R0 MountMgr (Mount Point Manager) - c:\windows\system32\drivers\mountmgr.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R0 Mup - c:\windows\system32\drivers\mup.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R0 NDIS (NDIS System Driver) - c:\windows\system32\drivers\ndis.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R0 PartMgr (Partition Manager) - c:\windows\system32\drivers\partmgr.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R0 PCI (PCI Bus Driver) - c:\windows\system32\drivers\pci.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R0 PxHelp20 - c:\windows\system32\drivers\pxhelp20.sys <Not Verified; Sonic Solutions; PxHelp20>
R0 sr (System Restore Filter Driver) - c:\windows\system32\drivers\sr.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R0 Vmodem (W2K Vmodem) - c:\windows\system32\drivers\vmodem.sys <Not Verified; PCTEL, INC.; HSP Modem Modem Device>
R0 VolSnap - c:\windows\system32\drivers\volsnap.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R0 Vpctcom (W2K Vpctcom) - c:\windows\system32\drivers\vpctcom.sys <Not Verified; PCtel, Inc.; HSP Modem Virtual Control Device>
R0 Vvoice (W2K Vvoice) - c:\windows\system32\drivers\vvoice.sys <Not Verified; PCtel, Inc.; PCTEL HSP Modem Voice Device>
R1 AFD (AFD Networking Support Environment) - c:\windows\system32\drivers\afd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 Beep - c:\windows\system32\drivers\beep.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 Cdrom (CD-ROM Driver) - c:\windows\system32\drivers\cdrom.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 eeCtrl (Symantec Eraser Control driver) - c:\program files\common files\symantec shared\eengine\eectrl.sys <Not Verified; Symantec Corporation; ERASER ENGINE>
R1 Fips - c:\windows\system32\drivers\fips.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 i8042prt (i8042 Keyboard and PS/2 Mouse Port Driver) - c:\windows\system32\drivers\i8042prt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 IPSec (IPSEC driver) - c:\windows\system32\drivers\ipsec.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 Kbdclass (Keyboard Class Driver) - c:\windows\system32\drivers\kbdclass.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 kbdhid (Keyboard HID Driver) - c:\windows\system32\drivers\kbdhid.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 mnmdd - c:\windows\system32\drivers\mnmdd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 Mouclass (Mouse Class Driver) - c:\windows\system32\drivers\mouclass.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 MRxSmb - c:\windows\system32\drivers\mrxsmb.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 Msfs - c:\windows\system32\drivers\msfs.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 NetBIOS (NetBIOS Interface) - c:\windows\system32\drivers\netbios.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 NetBT - c:\windows\system32\drivers\netbt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 Npfs - c:\windows\system32\drivers\npfs.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 Null - c:\windows\system32\drivers\null.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 P3 (Intel PentiumIII Processor Driver) - c:\windows\system32\drivers\p3.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 RasAcd (Remote Access Auto Connection Driver) - c:\windows\system32\drivers\rasacd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 Rdbss - c:\windows\system32\drivers\rdbss.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 RDPCDD - c:\windows\system32\drivers\rdpcdd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 redbook (Digital CD Audio Playback Filter Driver) - c:\windows\system32\drivers\redbook.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 Serial (Serial port driver) - c:\windows\system32\drivers\serial.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 SPBBCDrv - c:\program files\common files\symantec shared\spbbc\spbbcdrv.sys <Not Verified; Symantec Corporation; SPBBC>
R1 SRTSPX - c:\windows\system32\drivers\srtspx.sys <Not Verified; Symantec Corporation; AutoProtect>
R1 SYMTDI - c:\windows\system32\drivers\symtdi.sys <Not Verified; Symantec Corporation; Symantec Security Drivers>
R1 Tcpip (TCP/IP Protocol Driver) - c:\windows\system32\drivers\tcpip.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 TermDD (Terminal Device Driver) - c:\windows\system32\drivers\termdd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 VgaSave (VGA Display Controller.) - c:\windows\system32\drivers\vga.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.3.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.3.0>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 CO_Mon - c:\windows\system32\drivers\co_mon.sys <Not Verified; Symantec Corporation; Behavior Blocker>
R2 ParVdm - c:\windows\system32\drivers\parvdm.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 Secdrv - c:\windows\system32\drivers\secdrv.sys <Not Verified; Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.; Macrovision SECURITY Driver>
R3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
R3 audstub (Audio Stub Driver) - c:\windows\system32\drivers\audstub.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 EraserUtilRebootDrv - c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys <Not Verified; Symantec Corporation; ERASER ENGINE>
R3 Fdc (Floppy Disk Controller Driver) - c:\windows\system32\drivers\fdc.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 Flpydisk (Floppy Disk Driver) - c:\windows\system32\drivers\flpydisk.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 GEARAspiWDM (GEAR CDRom Filter) - c:\windows\system32\drivers\gearaspiwdm.sys <Not Verified; GEAR Software; GEARAspi>
R3 Gpc (Generic Packet Classifier) - c:\windows\system32\drivers\msgpc.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 hidusb (Microsoft HID Class Driver) - c:\windows\system32\drivers\hidusb.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 HTTP - c:\windows\system32\drivers\http.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 i81x - c:\windows\system32\drivers\i81xnt5.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
R3 IpNat (IP Network Address Translator) - c:\windows\system32\drivers\ipnat.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 Modem - c:\windows\system32\drivers\modem.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 MRxDAV (WebDav Client Redirector) - c:\windows\system32\drivers\mrxdav.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 mssmbios (Microsoft System Management BIOS Driver) - c:\windows\system32\drivers\mssmbios.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 NAVENG - c:\program files\common files\symantec shared\virusdefs\20080426.003\naveng.sys <Not Verified; Symantec Corporation; Symantec Antivirus Engine>
R3 NAVEX15 - c:\program files\common files\symantec shared\virusdefs\20080426.003\navex15.sys <Not Verified; Symantec Corporation; Symantec Antivirus Engine>
R3 NdisTapi (Remote Access NDIS TAPI Driver) - c:\windows\system32\drivers\ndistapi.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 Ndisuio (NDIS Usermode I/O Protocol) - c:\windows\system32\drivers\ndisuio.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 NdisWan (Remote Access NDIS WAN Driver) - c:\windows\system32\drivers\ndiswan.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 NDProxy (NDIS Proxy) - c:\windows\system32\drivers\ndproxy.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 Parport (Parallel port driver) - c:\windows\system32\drivers\parport.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 PptpMiniport (WAN Miniport (PPTP)) - c:\windows\system32\drivers\raspptp.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 PSched (QoS Packet Scheduler) - c:\windows\system32\drivers\psched.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 Ptilink (Direct Parallel Link Driver) - c:\windows\system32\drivers\ptilink.sys <Not Verified; Parallel Technologies, Inc.; Microsoft® Windows® Operating System>
R3 Ptserial (W2K Pctel Serial Device Driver) - c:\windows\system32\drivers\ptserial.sys <Not Verified; PCTEL, INC.; HSP Modem Serial Device>
R3 Rasl2tp (WAN Miniport (L2TP)) - c:\windows\system32\drivers\rasl2tp.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 RasPppoe (Remote Access PPPOE Driver) - c:\windows\system32\drivers\raspppoe.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 Raspti (Direct Parallel) - c:\windows\system32\drivers\raspti.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 RT73 (Belkin USB Network Adapter) - c:\windows\system32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>
R3 serenum (Serenum Filter Driver) - c:\windows\system32\drivers\serenum.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>
R3 SRTSP - c:\windows\system32\drivers\srtsp.sys <Not Verified; Symantec Corporation; AutoProtect>
R3 Srv - c:\windows\system32\drivers\srv.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 swenum (Software Bus Driver) - c:\windows\system32\drivers\swenum.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
R3 SYMDNS - c:\windows\system32\drivers\symdns.sys <Not Verified; Symantec Corporation; Symantec Security Drivers>
R3 SymEvent - c:\windows\system32\drivers\symevent.sys <Not Verified; Symantec Corporation; SYMEVENT>
R3 SYMFW - c:\windows\system32\drivers\symfw.sys <Not Verified; Symantec Corporation; Symantec Security Drivers>
R3 SYMIDS - c:\windows\system32\drivers\symids.sys <Not Verified; Symantec Corporation; Symantec Security Drivers>
R3 SYMIDSCO - c:\program files\common files\symantec shared\symcdata\ipsdefs\20080425.001\symidsco.sys <Not Verified; Symantec Corporation; Symantec Intrusion Detection>
R3 SymIMMP - c:\windows\system32\drivers\symim.sys <Not Verified; Symantec Corporation; Symantec Security Drivers>
R3 SYMNDIS - c:\windows\system32\drivers\symndis.sys <Not Verified; Symantec Corporation; Symantec Security Drivers>
R3 SYMREDRV - c:\windows\system32\drivers\symredrv.sys <Not Verified; Symantec Corporation; Symantec Security Drivers>
R3 sysaudio (Microsoft Kernel System Audio Device) - c:\windows\system32\drivers\sysaudio.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 Update (Microcode Update Driver) - c:\windows\system32\drivers\update.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 usbccgp (Microsoft USB Generic Parent Driver) - c:\windows\system32\drivers\usbccgp.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 usbhub (Microsoft USB Standard Hub Driver) - c:\windows\system32\drivers\usbhub.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 usbuhci (Microsoft USB Universal Host Controller Miniport Driver) - c:\windows\system32\drivers\usbuhci.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 Wanarp (Remote Access IP ARP Driver) - c:\windows\system32\drivers\wanarp.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 wdmaud (Microsoft WINMM WDM Audio Compatibility Driver) - c:\windows\system32\drivers\wdmaud.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R4 Cdfs - c:\windows\system32\drivers\cdfs.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R4 ewido security suite driver - c:\program files\ewido\security suite\guard.sys (file missing)
R4 Fastfat - c:\windows\system32\drivers\fastfat.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R4 Ntfs - c:\windows\system32\drivers\ntfs.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

S1 Cdaudio - c:\windows\system32\drivers\cdaudio.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S1 EACMOS - c:\windows\system32\drivers\eacmos.sys (file missing)
S1 EAWDMFD - c:\windows\system32\drivers\eawdmfd.sys (file missing)
S1 Imapi (CD-Burning Filter Driver) - c:\windows\system32\drivers\imapi.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S1 Processor (Processor Driver) - c:\windows\system32\drivers\processr.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S1 Sfloppy - c:\windows\system32\drivers\sfloppy.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 ac97intc (Intel(r) 82801 Audio Driver Install Service (WDM)) - c:\windows\system32\drivers\ac97intc.sys <Not Verified; Intel Corporation; Intel(r) Integrated Controller Hub Audio Driver>
S3 aec (Microsoft Kernel Acoustic Echo Canceller) - c:\windows\system32\drivers\aec.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 AsyncMac (RAS Asynchronous Media Driver) - c:\windows\system32\drivers\asyncmac.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 Atmarpc (ATM ARP Client Protocol) - c:\windows\system32\drivers\atmarpc.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 Belkin Belkin 11Mbps Wireless USB Network Adapter(R) (Belkin Belkin 11Mbps Wireless USB Network Adapter(R) Service for Belkin 11Mbps Wireless USB Network Adapter) - c:\windows\system32\drivers\bkusbxp.sys (file missing)
S3 catchme - c:\docume~1\larrym~1\locals~1\temp\catchme.sys (file missing)
S3 COH_Mon - c:\windows\system32\drivers\coh_mon.sys <Not Verified; Symantec Corporation; Confidence Online Utility Driver>
S3 DMusic (Microsoft Kernel DLS Syntheiszer) - c:\windows\system32\drivers\dmusic.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 drmkaud (Microsoft Kernel DRM Audio Descrambler) - c:\windows\system32\drivers\drmkaud.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 Gcr432 - c:\windows\system32\drivers\gcr432.sys <Not Verified; Gemplus; VISA Usb Smart Card Reader GCR432>
S3 iAimFP0 - c:\windows\system32\drivers\wadv01nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimFP1 - c:\windows\system32\drivers\wadv02nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimFP2 - c:\windows\system32\drivers\wadv05nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimFP3 - c:\windows\system32\drivers\wsiintxx.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimFP4 - c:\windows\system32\drivers\wvchntxx.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimTV0 - c:\windows\system32\drivers\watv01nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimTV1 - c:\windows\system32\drivers\watv02nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimTV3 - c:\windows\system32\drivers\watv04nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimTV4 - c:\windows\system32\drivers\wch7xxnt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 Ip6Fw (IPv6 Windows Firewall Driver) - c:\windows\system32\drivers\ip6fw.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 IpFilterDriver (IP Traffic Filter Driver) - c:\windows\system32\drivers\ipfltdrv.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 IpInIp (IP in IP Tunnel Driver) - c:\windows\system32\drivers\ipinip.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 IRENUM (IR Enumerator Service) - c:\windows\system32\drivers\irenum.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 kmixer (Microsoft Kernel Wave Audio Mixer) - c:\windows\system32\drivers\kmixer.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 MSKSSRV (Microsoft Streaming Service Proxy) - c:\windows\system32\drivers\mskssrv.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
S3 MSPCLOCK (Microsoft Streaming Clock Proxy) - c:\windows\system32\drivers\mspclock.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
S3 MSPQM (Microsoft Streaming Quality Manager Proxy) - c:\windows\system32\drivers\mspqm.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 NwlnkFlt (IPX Traffic Filter Driver) - c:\windows\system32\drivers\nwlnkflt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 NwlnkFwd (IPX Traffic Forwarder Driver) - c:\windows\system32\drivers\nwlnkfwd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 PCANDIS5 (PCANDIS5 Protocol Driver) - c:\windows\system32\pcandis5.sys (file missing)
S3 Ptserlp (PCTEL Serial Device Driver for PCI) - c:\windows\system32\drivers\ptserlp.sys <Not Verified; PCTEL, INC.; HSP Modem Serial Device>
S3 RDPWD - c:\windows\system32\drivers\rdpwd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 rtl8139 (Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver) - c:\windows\system32\drivers\rtl8139.sys <Not Verified; Realtek Semiconductor Corporation; Realtek RTL8139 Family Fast Ethernet Adapter>
S3 SMC1211 (SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver) - c:\windows\system32\drivers\smc1211.sys <Not Verified; SMC Networks Inc.; SMC EZ Card 10/100 PCI (SMC1211 Series)>
S3 SONYPVU1 (Sony USB Filter Driver (SONYPVU1)) - c:\windows\system32\drivers\sonypvu1.sys <Not Verified; Sony Corporation; Sony USB Lower Filter driver>
S3 splitter (Microsoft Kernel Audio Splitter) - c:\windows\system32\drivers\splitter.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 SRTSPL - c:\windows\system32\drivers\srtspl.sys <Not Verified; Symantec Corporation; AutoProtect>
S3 swmidi (Microsoft Kernel GS Wavetable Synthesizer) - c:\windows\system32\drivers\swmidi.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 SymIM (Symantec Network Security Intermediate Filter Service) - c:\windows\system32\drivers\symim.sys <Not Verified; Symantec Corporation; Symantec Security Drivers>
S3 TDPIPE - c:\windows\system32\drivers\tdpipe.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 TDTCP - c:\windows\system32\drivers\tdtcp.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 usbscan (USB Scanner Driver) - c:\windows\system32\drivers\usbscan.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 USBSTOR (USB Mass Storage Driver) - c:\windows\system32\drivers\usbstor.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 wandrv (WAN Network Driver) - c:\windows\system32\drivers\wandrv.sys <Not Verified; America Online, Inc.; WAN Network Driver>
S4 ACPIEC - c:\windows\system32\drivers\acpiec.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S4 cbidf2k - c:\windows\system32\drivers\cbidf2k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S4 dmboot - c:\windows\system32\drivers\dmboot.sys <Not Verified; Microsoft Corp., Veritas Software; VERITAS® NT Disk Manager>
S4 dmio - c:\windows\system32\drivers\dmio.sys <Not Verified; Microsoft Corp., Veritas Software; VERITAS® NT Disk Manager>
S4 dmload - c:\windows\system32\drivers\dmload.sys <Not Verified; Microsoft Corp., Veritas Software.; Logical Disk Manager for Windows NT>
S4 Pcmcia - c:\windows\system32\drivers\pcmcia.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S4 Udfs - c:\windows\system32\drivers\udfs.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


----------
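Added here as an editor's example, not part of GlennU's post and not tooling from the scanner that produced the listing: a small Python triage script for the driver and service listing above. It parses the `R1 Name (Description) - path <Not Verified; Vendor; Product>` and `(file missing)` line format and pulls out the entries a responder would look at first: registrations whose file is no longer on disk, images under a user profile or temp directory, and publishers outside a short expected list. The reading of the R/S prefix as running/stopped, the expected-vendor list, and the path heuristics are assumptions of the example; the sample lines are copied from the listing above. A flag means "look at this", not "this is malware": an orphaned `(file missing)` entry is often just an uninstall leftover.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Start types as given in the log's own legend line; the R/S prefix is read
# here as running/stopped (an assumption about the scanner's output format).
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

# Publishers treated as expected on this machine. Assumption for the example:
# anything else is listed for review, not declared malicious.
EXPECTED_VENDORS = {"microsoft corporation", "symantec corporation",
                    "intel corporation", "intel(r) corporation"}

ENTRY_RE = re.compile(r"^([RS])([0-4])\s+(.+?)\s+-\s+(.+)$")
SIG_RE = re.compile(r"\s*<([^;>]*);\s*([^;>]*);\s*([^>]*)>\s*$")
MISSING_RE = re.compile(r"\s*\(file missing\)\s*$", re.IGNORECASE)
# Unquoted image paths in this log may contain spaces (drivers under Program
# Files), so the path is cut at the first .sys/.exe/.dll rather than at a space.
IMAGE_RE = re.compile(r'^(?:"([^"]+)"|(.*?\.(?:sys|exe|dll)))(?:\s+(.*))?$', re.IGNORECASE)


@dataclass
class Entry:
    running: bool
    start_type: str
    name: str
    description: Optional[str]
    image: str
    args: str
    file_missing: bool
    verified: Optional[bool]
    vendor: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one 'R1 Name (Desc) - path <sig>' line; None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    state, start, ident, rest = m.groups()
    # "Name (Description)" is split at the last " (" so that names carrying
    # their own parentheses, e.g. "...Adapter(R)", survive intact.
    name, sep, desc = ident.rpartition(" (")
    if sep and desc.endswith(")"):
        desc = desc[:-1]
    else:
        name, desc = ident, None
    missing = bool(MISSING_RE.search(rest))
    rest = MISSING_RE.sub("", rest)
    verified = vendor = None
    sig = SIG_RE.search(rest)
    if sig:
        verified = sig.group(1).strip().lower() == "verified"
        vendor = sig.group(2).strip() or None
        rest = rest[: sig.start()]
    im = IMAGE_RE.match(rest.strip())
    if im:
        image = (im.group(1) or im.group(2)).strip()
        args = (im.group(3) or "").strip()
    else:  # e.g. "svchost -k dcomlaunch": no extension, keep the whole string
        image, args = rest.strip(), ""
    return Entry(state == "R", START_TYPES[start], name, desc, image, args,
                 missing, verified, vendor)


def assess(entry: Entry) -> Entry:
    """Attach review findings. 'Not Verified' is deliberately not a signal:
    in this log it appears on every entry, Microsoft's own drivers included."""
    path = entry.image.lower()
    if entry.file_missing:
        entry.findings.append("file missing: registration survives but the image is gone")
    if "\\temp\\" in path or "\\docume~1\\" in path or "documents and settings" in path:
        entry.findings.append("image under a user profile or temp directory")
    if entry.vendor is None:
        entry.findings.append("no publisher recorded")
    elif entry.vendor.lower() not in EXPECTED_VENDORS:
        entry.findings.append(f"third-party publisher: {entry.vendor}")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that carry at least one finding, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and assess(entry).findings:
            flagged.append(entry)
    return flagged


# Sample input: lines copied from the listing in the thread above.
SAMPLE_LOG = r"""
R1 Fips - c:\windows\system32\drivers\fips.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 SPBBCDrv - c:\program files\common files\symantec shared\spbbc\spbbcdrv.sys <Not Verified; Symantec Corporation; SPBBC>
R4 ewido security suite driver - c:\program files\ewido\security suite\guard.sys (file missing)
S3 catchme - c:\docume~1\larrym~1\locals~1\temp\catchme.sys (file missing)
S3 Belkin Belkin 11Mbps Wireless USB Network Adapter(R) (Belkin Belkin 11Mbps Wireless USB Network Adapter(R) Service for Belkin 11Mbps Wireless USB Network Adapter) - c:\windows\system32\drivers\bkusbxp.sys (file missing)
R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft; Ad-Aware 2007 Service>
R2 AudioSrv (Windows Audio) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 Symantec Core LC - c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe
S2 Pctspk (PCTEL Speaker Phone) - c:\windows\system32\pctspk.exe <Not Verified; ; pctvoice Application>
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        state = "running" if e.running else "stopped"
        print(f"{e.name} [{state}/{e.start_type}] {e.image}")
        for finding in e.findings:
            print(f"    - {finding}")
```

Paste the full driver and service sections of the scanner output into `SAMPLE_LOG` (or read them from a file) and the script prints the short list worth checking by hand. On this listing that list is dominated by `(file missing)` leftovers and entries with no publisher string; since every line, Microsoft's included, reads "Not Verified", the signature column tells you nothing here, so confirm a flagged file against the vendor's own download or a file hash rather than against that field.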



## GlennU (Jul 25, 2005)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft; Ad-Aware 2007 Service>
R2 AudioSrv (Windows Audio) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 Automatic LiveUpdate Scheduler - "c:\program files\symantec\liveupdate\aluschedulersvc.exe" <Not Verified; Symantec Corporation; LiveUpdate>
R2 Belkin Wireless USB Network Adapter Service (Belkin Wireless USB Network Adapter) - c:\program files\belkin\belkin wireless network utility\wlservice.exe
R2 Browser (Computer Browser) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 ccEvtMgr (Symantec Event Manager) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon <Not Verified; Symantec Corporation; Symantec Security Technologies>
R2 ccSetMgr (Symantec Settings Manager) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon <Not Verified; Symantec Corporation; Symantec Security Technologies>
R2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon <Not Verified; Symantec Corporation; Symantec Security Technologies>
R2 CryptSvc (Cryptographic Services) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 DcomLaunch (DCOM Server Process Launcher) - c:\windows\system32\svchost -k dcomlaunch <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 Dhcp (DHCP Client) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 Dnscache (DNS Client) - c:\windows\system32\svchost.exe -k networkservice <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 ERSvc (Error Reporting Service) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 Eventlog (Event Log) - c:\windows\system32\services.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 GEARSecurity (Gear Security Service) - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>
R2 helpsvc (Help and Support) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 HidServ (HID Input Service) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 lanmanserver (Server) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 lanmanworkstation (Workstation) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 LiveUpdate Notice - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon <Not Verified; Symantec Corporation; Symantec Security Technologies>
R2 LmHosts (TCP/IP NetBIOS Helper) - c:\windows\system32\svchost.exe -k localservice <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 PlugPlay (Plug and Play) - c:\windows\system32\services.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 PolicyAgent (IPSEC Services) - c:\windows\system32\lsass.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 ProtectedStorage (Protected Storage) - c:\windows\system32\lsass.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 RasAuto (Remote Access Auto Connection Manager) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 RpcSs (Remote Procedure Call (RPC)) - c:\windows\system32\svchost -k rpcss <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 SamSs (Security Accounts Manager) - c:\windows\system32\lsass.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 SCardSvr (Smart Card) - c:\windows\system32\scardsvr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 Schedule (Task Scheduler) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 seclogon (Secondary Logon) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 SENS (System Event Notification) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 SharedAccess (Windows Firewall/Internet Connection Sharing (ICS)) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 ShellHWDetection (Shell Hardware Detection) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 Spooler (Print Spooler) - c:\windows\system32\spoolsv.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 stisvc (Windows Image Acquisition (WIA)) - c:\windows\system32\svchost.exe -k imgsvc <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 Themes - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 TrkWks (Distributed Link Tracking Client) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 W32Time (Windows Time) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 WebClient - c:\windows\system32\svchost.exe -k localservice <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 winmgmt (Windows Management Instrumentation) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 wuauserv (Automatic Updates) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 WZCSVC (Wireless Zero Configuration) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 ALG (Application Layer Gateway Service) - c:\windows\system32\alg.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 EventSystem (COM+ Event System) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 FastUserSwitchingCompatibility (Fast User Switching Compatibility) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 iPodService (iPod Service) - "c:\program files\ipod\bin\ipodservice.exe" <Not Verified; Apple Computer, Inc.; iTunes>
R3 Netman (Network Connections) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 Nla (Network Location Awareness (NLA)) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 RasMan (Remote Access Connection Manager) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 SSDPSRV (SSDP Discovery Service) - c:\windows\system32\svchost.exe -k localservice <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 Symantec Core LC - c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe
R3 TapiSrv (Telephony) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 TermService (Terminal Services) - c:\windows\system32\svchost -k dcomlaunch <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

S2 Pctspk (PCTEL Speaker Phone) - c:\windows\system32\pctspk.exe <Not Verified; ; pctvoice Application>
S2 srservice (System Restore Service) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 AppMgmt (Application Management) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 aspnet_state (ASP.NET State Service) - c:\windows\microsoft.net\framework\v1.1.4322\aspnet_state.exe <Not Verified; Microsoft Corporation; Microsoft (R) .NET Framework>
S3 BITS (Background Intelligent Transfer Service) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 cisvc (Indexing Service) - c:\windows\system32\cisvc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 comHost (COM Host) - "c:\program files\common files\symantec shared\vascanner\comhost.exe" <Not Verified; Symantec Corporation; Firewall Component>
S3 COMSysApp (COM+ System Application) - c:\windows\system32\dllhost.exe /processid:{02d4b3f1-fd88-11d1-960d-00805fc79235} <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 dmadmin (Logical Disk Manager Administrative Service) - c:\windows\system32\dmadmin.exe /com <Not Verified; Microsoft Corp., Veritas Software; Logical Disk Manager for Windows NT>
S3 dmserver (Logical Disk Manager) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 gusvc (Google Updater Service) - "c:\program files\google\common\google updater\googleupdaterservice.exe" <Not Verified; Google; Google Updater>
S3 HTTPFilter (HTTP SSL) - c:\windows\system32\svchost.exe -k httpfilter <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 ImapiService (IMAPI CD-Burning COM Service) - c:\windows\system32\imapi.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 LiveUpdate - "c:\program files\symantec\liveupdate\lucomserver_3_4.exe" <Not Verified; Symantec Corporation; LiveUpdate>
S3 mnmsrvc (NetMeeting Remote Desktop Sharing) - c:\windows\system32\mnmsrvc.exe <Not Verified; Microsoft Corporation; Windows® NetMeeting®>
S3 MSDTC (Distributed Transaction Coordinator) - c:\windows\system32\msdtc.exe <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
S3 MSIServer (Windows Installer) - c:\windows\system32\msiexec.exe /v <Not Verified; Microsoft Corporation; Windows Installer - Unicode>
S3 Netlogon (Net Logon) - c:\windows\system32\lsass.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 NtLmSsp (NT LM Security Support Provider) - c:\windows\system32\lsass.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 NtmsSvc (Removable Storage) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 RDSessMgr (Remote Desktop Help Session Manager) - c:\windows\system32\sessmgr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 RpcLocator (Remote Procedure Call (RPC) Locator) - c:\windows\system32\locator.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 RSVP (QoS RSVP) - c:\windows\system32\rsvp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 SwPrv (MS Software Shadow Copy Provider) - c:\windows\system32\dllhost.exe /processid:{cc5031ca-381c-4c87-bb2d-0011746573f9} <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 SysmonLog (Performance Logs and Alerts) - c:\windows\system32\smlogsvc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 upnphost (Universal Plug and Play Device Host) - c:\windows\system32\svchost.exe -k localservice <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 UPS (Uninterruptible Power Supply) - c:\windows\system32\ups.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 VSS (Volume Shadow Copy) - c:\windows\system32\vssvc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 WmdmPmSN (Portable Media Serial Number Service) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 WmiApSrv (WMI Performance Adapter) - c:\windows\system32\wbem\wmiapsrv.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 xmlprov (Network Provisioning Service) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S4 Alerter - c:\windows\system32\svchost.exe -k localservice <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S4 ClipSrv (ClipBook) - c:\windows\system32\clipsrv.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S4 Messenger - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S4 NetDDE (Network DDE) - c:\windows\system32\netdde.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S4 NetDDEdsdm (Network DDE DSDM) - c:\windows\system32\netdde.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S4 RemoteAccess (Routing and Remote Access) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S4 wscsvc (Security Center) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&268D196D&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&268D196D&0
Service: i8042prt

-- Scheduled Tasks -------------------------------------------------------------

2008-04-23 09:47:28 636 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Larry Miller.job
2002-01-13 08:30:13 258 --a------ C:\WINDOWS\Tasks\Registration reminder 3.job
2002-01-13 08:30:13 258 --a------ C:\WINDOWS\Tasks\Registration reminder 2.job

-- Files created between 2008-03-26 and 2008-04-26 -----------------------------

2008-04-26 21:46:46 0 d-------- C:\WINDOWS\ERDNT
2008-04-26 21:44:15 0 d-------- C:\Deckard
2008-04-26 11:09:03 0 d-------- C:\Documents and Settings\Larry Miller\Application Data\Malwarebytes
2008-04-26 11:08:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-26 11:08:46 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 10:38:45 266850304 --ahs---- C:\hiberfil.sys
2008-04-26 10:15:58 0 d-------- C:\WINDOWS\ERUNT
2008-04-26 10:14:29 0 d-------- C:\sdfix
2008-04-26 10:07:07 0 d--h---c- C:\WINDOWS\$NtUninstallKB891122$
2008-04-26 10:03:37 0 d--h---c- C:\WINDOWS\$NtUninstallKB896344$
2008-04-24 22:06:55 0 d-------- C:\Documents and Settings\Larry Miller\Application Data\FrostWire
2008-04-24 22:06:23 0 d-------- C:\Program Files\FrostWire
2008-04-24 19:55:55 36864 --a------ C:\WINDOWS\system32\wbsys.dll <Not Verified; Stardock.Net, Inc; WindowBlinds 4.x for x86 machines>
2008-04-24 19:55:54 0 d-------- C:\Program Files\Common Files\Stardock
2008-04-24 19:55:54 0 d-------- C:\Program Files\AlienGUIse
2008-04-24 19:52:30 0 d-------- C:\Documents and Settings\Larry Miller\Application Data\Aim
2008-04-24 19:16:38 2560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-04-23 09:33:22 0 d-------- C:\Program Files\Windows Sidebar
2008-04-23 09:31:14 0 d-------- C:\Program Files\Norton Internet Security
2008-04-23 09:28:56 60800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL <Not Verified; Symantec Corporation; SYMEVENT>
2008-04-23 09:28:56 123952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS <Not Verified; Symantec Corporation; SYMEVENT>
2008-04-21 21:13:51 0 d--h---c- C:\WINDOWS\$NtUninstallKB943460$
2008-04-21 21:13:43 0 d--h---c- C:\WINDOWS\$NtUninstallKB948881$
2008-04-21 21:13:36 0 d--h---c- C:\WINDOWS\$NtUninstallKB933729$
2008-04-21 21:13:29 0 d--h---c- C:\WINDOWS\$NtUninstallKB936021$
2008-04-21 21:13:22 0 d--h---c- C:\WINDOWS\$NtUninstallKB938828$
2008-04-21 21:13:11 0 d--h---c- C:\WINDOWS\$NtUninstallKB936782_WMP9$
2008-04-21 21:12:43 0 d--h---c- C:\WINDOWS\$NtUninstallKB941644$
2008-04-21 21:12:36 0 d--h---c- C:\WINDOWS\$NtUninstallKB936357$
2008-04-21 21:12:28 0 d--h---c- C:\WINDOWS\$NtUninstallKB941693$
2008-04-21 21:12:22 0 d--h---c- C:\WINDOWS\$NtUninstallKB946026$
2008-04-21 21:11:21 0 d--h---c- C:\WINDOWS\$NtUninstallKB942763$
2008-04-21 21:11:09 0 d--h---c- C:\WINDOWS\$NtUninstallKB941569$
2008-04-21 21:10:39 0 d--h---c- C:\WINDOWS\$NtUninstallKB941202$
2008-04-21 21:10:33 0 d--h---c- C:\WINDOWS\$NtUninstallKB941568$
2008-04-21 21:10:24 0 d--h---c- C:\WINDOWS\$NtUninstallKB948590$
2008-04-21 21:08:59 0 d--h---c- C:\WINDOWS\$NtUninstallKB943485$
2008-04-21 21:08:35 0 d--h---c- C:\WINDOWS\$NtUninstallKB945553$
2008-04-21 21:08:21 0 d--h---c- C:\WINDOWS\$NtUninstallKB943055$
2008-04-21 21:08:11 0 d--h---c- C:\WINDOWS\$NtUninstallKB944653$
2008-04-21 17:58:22 0 d-------- C:\Program Files\Lavasoft
2008-04-21 17:58:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-21 17:57:28 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-21 17:34:47 0 d-------- C:\Program Files\Enigma Software Group
2008-04-21 17:28:19 0 d-------- C:\Program Files\NoAdware5.0
2008-04-21 17:06:46 0 d-------- C:\Program Files\Trend Micro
2008-04-15 20:51:46 0 d--h----- C:\Documents and Settings\Larry Miller\Application Data\Webroot
2008-04-09 19:34:28 20747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.3.0>
2008-04-09 19:33:41 40960 --a------ C:\WINDOWS\system32\B11gUSB.dll
2008-04-09 19:33:37 94208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2008-04-09 19:33:37 15872 --a------ C:\WINDOWS\system32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-04-08 21:04:30 2048 -ra------ C:\WINDOWS\system32\drivers\rt73.bin
2008-04-08 20:40:59 232192 --a------ C:\WINDOWS\system32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>
2008-04-03 19:22:01 0 d-------- C:\Program Files\Belkin

-- Find3M Report ---------------------------------------------------------------

2008-04-26 17:54:28 0 d-------- C:\Program Files\Common Files\Microsoft Shared
2008-04-26 14:14:14 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-26 13:50:00 2048 --a-s---- C:\WINDOWS\bootstat.dat
2008-04-26 13:49:50 402653184 --ahs---- C:\pagefile.sys
2008-04-24 19:55:54 0 d-------- C:\Program Files\Common Files
2008-04-24 19:51:54 0 d-------- C:\Program Files\AIM95
2008-04-24 19:22:01 0 d-------- C:\Program Files\iTunes
2008-04-23 09:37:53 0 d--h----- C:\Documents and Settings\Larry Miller\Application Data\Symantec
2008-04-23 09:34:36 0 d-------- C:\Program Files\Symantec
2008-04-22 23:27:21 0 d-------- C:\Program Files\Internet Explorer
2008-04-22 19:32:59 142032 --a------ C:\WINDOWS\system32\FNTCACHE.DAT
2008-04-21 14:27:16 0 d--h----- C:\Documents and Settings\Larry Miller\Application Data\Google
2008-04-12 15:46:58 0 d-------- C:\Program Files\quickenw
2008-04-09 17:37:50 45056 --a------ C:\WINDOWS\NCUNINST.EXE <Not Verified; Northern Codeworks; Uninstall>
2008-04-09 17:37:42 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-08 21:10:04 0 d---s---- C:\Documents and Settings\Larry Miller\Application Data\Microsoft
2008-04-05 22:56:22 19836024 --a------ C:\WINDOWS\system32\MRT.exe <Not Verified; Microsoft Corporation; Microsoft Windows Malicious Software Removal Tool>
2008-03-20 18:06:36 1480232 --a------ C:\WINDOWS\system32\LegitCheckControl.dll <Not Verified; Microsoft Corporation; Windows Genuine Advantage>
2008-03-20 14:41:20 14640 -----n--- C:\WINDOWS\system32\spmsg.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-19 05:47:00 1845248 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-01 18:36:30 3591680 --a------ C:\WINDOWS\system32\mshtml.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:31 826368 --a------ C:\WINDOWS\system32\wininet.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:30 233472 --a------ C:\WINDOWS\system32\webcheck.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:30 1159680 --a------ C:\WINDOWS\system32\urlmon.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:29 105984 --a------ C:\WINDOWS\system32\url.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:29 44544 --a------ C:\WINDOWS\system32\pngfilt.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:29 102912 --a------ C:\WINDOWS\system32\occache.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:29 671232 --a------ C:\WINDOWS\system32\mstime.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:28 193024 --a------ C:\WINDOWS\system32\msrating.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:28 478208 --a------ C:\WINDOWS\system32\mshtmled.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:26 52224 --a------ C:\WINDOWS\system32\msfeedsbs.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:26 459264 --a------ C:\WINDOWS\system32\msfeeds.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:25 27648 --a------ C:\WINDOWS\system32\jsproxy.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:25 267776 --a------ C:\WINDOWS\system32\iertutil.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:24 44544 --a------ C:\WINDOWS\system32\iernonce.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:24 6066176 --a------ C:\WINDOWS\system32\ieframe.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:22 384512 --a------ C:\WINDOWS\system32\iedkcs32.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:22 383488 --a------ C:\WINDOWS\system32\ieapfltr.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:21 230400 --a------ C:\WINDOWS\system32\ieaksie.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:21 153088 --a------ C:\WINDOWS\system32\ieakeng.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:21 63488 --a------ C:\WINDOWS\system32\icardie.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:21 133120 --a------ C:\WINDOWS\system32\extmgr.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:21 214528 --a------ C:\WINDOWS\system32\dxtrans.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:21 347136 --a------ C:\WINDOWS\system32\dxtmsft.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-03-01 09:06:20 124928 --a------ C:\WINDOWS\system32\advpack.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-02-29 04:55:23 70656 --a------ C:\WINDOWS\system32\ie4uinit.exe <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-02-22 06:00:51 13824 --a------ C:\WINDOWS\system32\ieudinit.exe <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-02-20 02:51:05 282624 --a------ C:\WINDOWS\system32\gdi32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-02-20 01:32:43 45568 --a------ C:\WINDOWS\system32\dnsrslvr.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-02-20 01:32:43 148992 --a------ C:\WINDOWS\system32\dnsapi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-02-15 01:44:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-02-06 17:43:54 207240 --a------ C:\WINDOWS\system32\SymRedir.dll <Not Verified; Symantec Corporation; Symantec Security Drivers>
2008-02-06 17:43:54 579464 --a------ C:\WINDOWS\system32\SymNeti.dll <Not Verified; Symantec Corporation; Symantec Security Drivers>


----------



## GlennU (Jul 25, 2005)

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
02/07/2008 12:05 AM	349552	--a------	C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
04/23/2008 09:32 AM	116088	--a------	C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E76B596A-EBFF-9473-F1DF-BFDEC9B65BC8}]
C:\WINDOWS\system32\pjmwdihr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE4F7C6B-B88A-BC52-F7DF-BFDEC9B60B92}]
C:\WINDOWS\system32\pps.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll [02/07/2008 12:05 AM 349552]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe" []
"WorksFUD"="" []
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" []
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" []
"srmclean"="C:\Cpqs\Scom\srmclean.exe" []
"DownloadAccelerator"="C:\PROGRA~1\DAP\DAP.exe" []
"Detect"="C:\Program Files\iNTERNET Turbo\iDetect.exe" []
"PCTVOICE"="pctspk.exe" [08/14/2002 06:48 PM C:\WINDOWS\system32\pctspk.exe]
"SZMsgSvc.exe"="C:\Program Files\STOPzilla!\SZMsgSvc.exe" []
"DeadAIM"="C:\Program Files\AIM95\\DeadAIM.ocm" [02/24/2003 05:11 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/16/2003 12:06 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" []
"HostManager"="C:\Program Files\Common Files\AOL\1134674526\ee\AOLSoftware.exe" [05/09/2006 08:24 PM]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" []
"ptrun32"="C:\WINDOWS\system32\ptrun32\ptrun32.exe" []
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" []
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [02/17/2006 12:59 PM]
"NBCUniversal Media Manager Tray"="C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" []
"{E4B942B6-050F-1033-1114-010430200001}"="C:\Program Files\Common Files\{E4B942B6-050F-1033-1114-010430200001}\Update.exe" []
"{E4B942B6-050E-1033-1114-010430200001}"="C:\Program Files\Common Files\{E4B942B6-050E-1033-1114-010430200001}\Update.exe" []
"{CC46C41C-050F-1033-1114-010430200001}"="C:\Program Files\Common Files\{CC46C41C-050F-1033-1114-010430200001}\Update.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/25/2008 09:47 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [02/07/2008 02:49 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PSD Tools Channel"="C:\Program Files\Common Files\PSD Tools\ChannelUp.exe" []
"BLMessagingIntegration"="C:\Program Files\Common Files\PSD Tools\blengine.exe" []
"Aim6"="" []
"PTRUN32"="C:\WINDOWS\system32\ptrun32\ptr32w.exe" []
"Aaou"="C:\WINDOWS\system32\STEM32~1\csrss.exe" []
"Pxaj"="C:\WINDOWS\F?nts\w?nword.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"imzz"="C:\PROGRA~1\COMMON~1\imzz\imzzm.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/16/2007 03:15 PM]
"AIM"="C:\PROGRA~1\AIM95\aim.exe" [11/13/2002 08:50 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

C:\Documents and Settings\Larry Miller\Start Menu\Programs\Startup\
Alienware Dock.lnk - C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe [4/24/2008 7:56:17 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Colorific.lnk - C:\Program Files\E-Color\Colorific\hgcctl95.exe [7/7/2002 10:26:25 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [7/13/2000 4:00:00 PM]
SonnReg.lnk - C:\Program Files\E-Color\Registration\SonnReg.exe [7/7/2002 10:26:26 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB] 
C:\Program Files\AlienGUIse\fastload.dll 12/20/2001 11:34 PM 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= ,wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ca84dec-cc33-11db-bec4-806d6172696f}]
AutoRun\command- D:\CDSTART.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b54d96a-ca96-11db-88a4-0030f139d52e}]
AutoRun\command- H:\setupSNK.exe

*Newly Created Service* - COMHOST

-- End of Deckard's System Scanner: finished at 2008-04-26 21:53:10 ------------


----------



## GlennU (Jul 25, 2005)

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Celeron(TM) CPU 1300MHz
Percentage of Memory in Use: 57%
Physical Memory (total/avail): 254.42 MiB / 108.08 MiB
Pagefile Memory (total/avail): 624.39 MiB / 259.61 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1970.85 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 166.81 GiB total, 145.12 GiB free. 
E: is CDROM (No Media)
F: is CDROM (No Media)
H: is Fixed (FAT32) - 19.49 GiB total, 19.48 GiB free.

\\.\PHYSICALDRIVE0 - MAXTOR STM3200820A - 186.31 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 166.81 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 19.5 GiB - H:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: Norton Internet Security v15.5.0.23 (Symantec Corporation)
AV: Norton Internet Security v15.5.0.23 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Larry Miller\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=AtHomeUser
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Larry Miller
LOGONSERVER=\\AtHomeUser
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 11 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0b01
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\LARRYM~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\LARRYM~1\LOCALS~1\Temp
USERDOMAIN=AtHomeUser
USERNAME=Larry Miller
USERPROFILE=C:\Documents and Settings\Larry Miller
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Owner _(new local, admin)_
Larry Miller _(admin)_
Administrator _(admin)_

-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
(B) MS-C wordfinder --> "C:\Program Files\msnet\v9\msnet.EXE" /R F
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
AlienGUIse Theme Manager --> C:\PROGRA~1\ALIENG~1\thememgr.exe /uninstallwise
AOL Instant Messenger --> C:\Program Files\AIM95\uninstll.exe -LOG= C:\Program Files\AIM95\install.log -OEM=
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Belkin 54g USB Network Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\Belkin\Belkin Wireless Network Utility\setup.exe" -l0x9 
ccCommon --> MsiExec.exe /I{B24E05CC-46FF-4787-BBB8-5CD516AFB118}
Colorific --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\E-Color\Colorific\cfmunins.isu" -c"C:\PROGRA~1\E-Color\COLORI~1\cfmunins.dll" ProdNameColorific
Comcast Rhapsody --> "C:\Program Files\Comcast Rhapsody\Unwise32.exe" C:\PROGRA~1\COMCAS~1\Install.log
Compaq Advisor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C4C1AFCD-2C72-48B4-AE2E-A7354A525E87}\Setup.exe" UNINSTALL
Compaq Wallpaper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{03AAA1D8-D4CF-48BD-9C66-78B41D80DF06}\setup.exe" 
Compaq WinDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
Component Framework --> MsiExec.exe /I{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09}
DeadAIM --> MsiExec.exe /I{25AF0BD1-DF07-4447-8E91-28E99617C556}
Easy Access Button Support --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{93539D60-1817-11D1-9504-00805F26A89C}\setup.exe" -uninst 
Encarta Online --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C0A23442-6214-11D3-8CDF-0080C768385C}\setup.exe" -uninst 
Entriq MediaSphere 3.4.0.15 --> "C:\Program Files\Entriq\MediaSphere\unins000.exe"
FrostWire 4.13.1.7 BETA --> C:\Program Files\FrostWire\Uninstall.exe
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864) --> "C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows XP (KB896344) --> "C:\WINDOWS\$NtUninstallKB896344$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB914440) --> "C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915865) --> "C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
HSP56 MicroModem Drivers --> ptuninst.exe
HyperLoad --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Nabisco\HyperLoad\Uninst.isu"
Image Resizer Powertoy for Windows XP --> MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo Installer --> "C:\Program Files\Compaq\Installer\IVIUninstaller.exe" "C:\Program Files\Compaq\Installer"
iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{9705A7E1-3DD1-4BAC-8CA9-FE7B1473BEC9} 
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
LiveUpdate (Symantec Corporation) --> MsiExec.exe /x {E80F62FF-5D3C-4A19-8409-9721F2928206} /l*v "C:\Documents and Settings\All Users\Application Data\LuUninstall.LiveUpdate"
LiveUpdate (Symantec Corporation) --> MsiExec.exe /X{E80F62FF-5D3C-4A19-8409-9721F2928206}
LiveUpdate 3.1 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MaxBlast 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{639858DD-4966-40F3-A706-7C838BCF3A2B}\setup.exe" 
MediaLoads --> "C:\Program Files\MediaLoads\v1\ml.exe" /R
Microsoft .NET Framework (English) --> MsiExec.exe /X{B43357AA-3A6D-4D94-B56E-43C44D09E548}
Microsoft .NET Framework (English) v1.0.3705 --> C:\WINDOWS\Microsoft.NET\Framework\Install.exe /u /p Microsoft .NET Framework Full v1.0.3705 (1033)
Microsoft .NET Framework 1.0 Hotfix (KB886906) --> "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Updates\M886906\M886906Uninstall.msp"
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB886903) --> "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M886903\M886903Uninstall.msp"
Microsoft Internationalized Domain Names Mitigation APIs --> "C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs --> "C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office XP Professional --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Microsoft Works 6.0 --> MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}
MS B Help --> "C:\Program Files\msnet\v9\msnet.EXE" /R B
MS IE assistant --> "C:\Program Files\msnet\v9\msnet.EXE" /R I
MS.C help --> "C:\Program Files\msnet\v9\msnet.EXE" /R E
NBC Universal 1.0.0.3 --> "C:\Program Files\NBC Universal\MediaSphere\unins000.exe"
NoAdware v5.0 --> "C:\Program Files\NoAdware5.0\unins000.exe"
Norton AntiVirus --> MsiExec.exe /X{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}
Norton AntiVirus Help --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Confidential Core --> MsiExec.exe /I{55A6283C-638A-4EE0-B491-51118554BDA2}
Norton Internet Security --> MsiExec.exe /I{C1C185CA-C531-49F5-A6FA-B838405A049D}
Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{C1C185CA-C531-49F5-A6FA-B838405A049D}_15_5_0_23\Setup.exe" /X
Norton Protection Center --> MsiExec.exe /I{62120008-8E1E-4807-860D-A8B48F8552DB}
OIN Search --> C:\Program Files\OIN Search\Uninstall.exe
PCFriendly --> C:\Program Files\PCFriendly\inuninst.exe
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PT32 for AIM --> "C:\WINDOWS\system32\ptrun32\unins000.exe"
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Search MS.C --> "C:\Program Files\msnet\v9\msnet.EXE" /R S
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB928090) --> "C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768) --> "C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566) --> "C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127) --> "C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564) --> "C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398) --> "C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565) --> "C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734) --> "C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB936782) --> "C:\WINDOWS\$NtUninstallKB936782_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893066) --> "C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422) --> "C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424) --> "C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905915) --> "C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919) --> "C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913446) --> "C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422) --> "C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398) --> "C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616) --> "C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694) --> "C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925454) --> "C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925486) --> "C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928090) --> "C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929969) --> "C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729) --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202) --> "C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568) --> "C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644) --> "C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693) --> "C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055) --> "C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460) --> "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485) --> "C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653) --> "C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553) --> "C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026) --> "C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590) --> "C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948881) --> "C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
SpyHunter --> "C:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe" "C:\Program Files\Enigma Software Group\SpyHunter\install.log" -u
Symantec Real Time Storage Protection Component --> MsiExec.exe /I{D6E6FA4A-5445-4850-8365-CF216C1CBB7A}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Update for Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB904942) --> "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Update for Windows XP (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Update for Windows XP (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB929338) --> "C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Update for Windows XP (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB931836) --> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update for Windows XP (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB942763) --> "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Media Player\\mtsAxInstaller.exe /u
Windows Genuine Advantage Notifications (KB905474) --> 
Windows Genuine Advantage v1.3.0254.0 --> MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Genuine Advantage Validation Tool (KB892130) --> 
Windows Genuine Advantage Validation Tool (KB892130) --> 
Windows Installer 3.1 (KB893803) --> "C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 7 --> "C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Media Player 9 Hotfix [See KB885492 for more information] --> C:\WINDOWS\$NtUninstallKB885492$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250 --> C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835 --> C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836 --> C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB885884 --> C:\WINDOWS\$NtUninstallKB885884$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185 --> C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472 --> C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742 --> C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113 --> C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302 --> C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859 --> "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781 --> C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Service Pack 2 --> C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
Your MS.C Assistant --> "C:\Program Files\msnet\v9\msnet.EXE" /R H

-- Application Event Log -------------------------------------------------------

Event Record #/Type60664 / Error
Event Submitted/Written: 04/26/2008 09:50:19 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type60644 / Error
Event Submitted/Written: 04/26/2008 03:45:27 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module msls31.dll, version 3.10.349.0, fault address 0x00003dd9.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type60360 / Error
Event Submitted/Written: 04/25/2008 04:05:48 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module wblind.dll, version 4.6.0.1, fault address 0x00053d3b.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type60311 / Error
Event Submitted/Written: 04/24/2008 10:18:39 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application wmplayer.exe, version 9.0.0.3250, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type60310 / Error
Event Submitted/Written: 04/24/2008 10:18:39 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application wmplayer.exe, version 9.0.0.3250, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type31467 / Error
Event Submitted/Written: 04/26/2008 05:55:02 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error: 
%%126

Event Record #/Type31464 / Error
Event Submitted/Written: 04/26/2008 05:55:00 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error: 
%%126

Event Record #/Type31461 / Error
Event Submitted/Written: 04/26/2008 05:54:59 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error: 
%%126

Event Record #/Type31458 / Error
Event Submitted/Written: 04/26/2008 05:54:59 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error: 
%%126

Event Record #/Type31455 / Error
Event Submitted/Written: 04/26/2008 05:54:59 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error: 
%%126

-- End of Deckard's System Scanner: finished at 2008-04-26 21:53:10 ------------


----------



## Jintan (Oct 4, 2007)

Something not quite right with the startups there - almost all show as having no files associated with them. The first log had one item suggesting a form of Tonebac infection, so let's redirect our attention for now.

Go here and download and run FindAWF.

Press 1, then hit Enter to scan for bak folders. A text file will open; please save the file to your Desktop and copy and paste the information here.


----------



## GlennU (Jul 25, 2005)

Jintan...here you go.

GlennU


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sun 04/27/2008 
The current time is: 14:33:11.79


bak folders found
~~~~~~~~~~~


Directory of C:\CPQS\SCOM\BAK

07/24/2001 05:34 PM 36,864 srmclean.exe
1 File(s) 36,864 bytes

Directory of C:\PROGRA~1\DAP\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\INTERN~2\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

12/16/2003 01:06 PM 229,376 iTunesHelper.exe
1 File(s) 229,376 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MIF2B0~1\BAK

07/13/2000 04:00 PM 28,739 WkDetect.exe
07/13/2000 04:00 PM 311,350 WksSb.exe
2 File(s) 340,089 bytes

Directory of C:\PROGRA~1\PICASA2\BAK

01/27/2006 12:37 AM 421,888 PicasaMediaDetector.exe
1 File(s) 421,888 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

03/21/2004 12:15 AM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\STOPZI~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\PSDTOO~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMPAQ\EASYAC~1\BAK

08/15/2001 02:50 PM 28,672 StartEAK.exe
1 File(s) 28,672 bytes

Directory of C:\PROGRA~1\REAL\REALPL~1\BAK

11/29/2001 03:45 PM 26,112 RealPlay.exe
1 File(s) 26,112 bytes

Directory of C:\PROGRA~1\VIEWPO~1\VIEWPO~1\BAK

11/11/2004 12:15 AM 111,816 ViewMgr.exe
1 File(s) 111,816 bytes

Directory of C:\WINDOWS\SYSTEM32\PTRUN32\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\IPHSEND\BAK

02/17/2006 12:59 PM 124,520 IPHSend.exe
1 File(s) 124,520 bytes

Directory of C:\PROGRA~1\ENTRIQ\MEDIAS~1\BIN\BAK

09/06/2006 04:35 PM 372,736 EntriqMediaTray.exe
1 File(s) 372,736 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

04/13/2005 04:48 AM 36,975 jusched.exe
1 File(s) 36,975 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\113467~1\EE\BAK

04/20/2006 01:10 PM 50,792 AOLSoftware.exe
1 File(s) 50,792 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

36864 Jul 24 2001 "C:\CPQS\scom\bak\srmclean.exe"
229376 Dec 16 2003 "C:\Program Files\iTunes\iTunesHelper.exe"
229376 Dec 16 2003 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
28739 Jul 13 2000 "C:\Program Files\Microsoft Works\bak\WkDetect.exe"
28739 Jul 13 2000 "C:\Program Files\COMPAQ\Works6.0\PFiles\MSWorks\WkDetect.exe"
311350 Jul 13 2000 "C:\Program Files\Microsoft Works\bak\WksSb.exe"
311350 Jul 13 2000 "C:\Program Files\COMPAQ\Works6.0\PFiles\MSWorks\wkssb.exe"
421888 Jan 27 2006 "C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe"
655360 Jan 27 2006 "C:\Program Files\Picasa2\cdautorun\PicasaRestore.exe"
98304 Mar 21 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
28672 Aug 15 2001 "C:\Program Files\COMPAQ\Easy Access Button Support\bak\StartEAK.exe"
26112 Nov 29 2001 "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
111816 Nov 11 2004 "C:\Program Files\Viewpoint\Viewpoint Manager\bak\ViewMgr.exe"
124520 Feb 17 2006 "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
124520 Feb 17 2006 "C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe"
909312 Sep 6 2006 "C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaServer.exe"
372736 Sep 6 2006 "C:\Program Files\Entriq\MediaSphere\Bin\bak\EntriqMediaTray.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"
50760 May 9 2006 "C:\Program Files\Common Files\AOL\1134674526\ee\AOLSoftware.exe"
50792 Apr 20 2006 "C:\Program Files\Common Files\AOL\1134674526\ee\bak\AOLSoftware.exe"


end of report
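
As an added example (not FindAWF and not anything posted in the thread), the following Python script reads the "Duplicate files of bak directory contents" section of a report like the one above, pairs each file inside a bak folder with the same-named file one level up (where the Run entry points), and flags the three cases a responder cares about: sizes match (plain backup), sizes differ (the live file is not the original and deserves a hash or vendor check), and no live file at all (the startup entry is a dead remnant). The sample report lines are constructed here, modelled on the posted report format.

```python
"""Classify FindAWF-style 'Duplicate files of bak directory contents' lines.

Added example, not FindAWF itself. The report lines below are constructed
to follow the layout seen in the thread: <size> <Mon> <day> <year> "<path>".
"""
import re
from pathlib import PureWindowsPath

# Constructed sample lines in the report's layout (not copied from a real scan).
SAMPLE_REPORT = '''
229376 Dec 16 2003 "C:\\Program Files\\iTunes\\iTunesHelper.exe"
229376 Dec 16 2003 "C:\\Program Files\\iTunes\\bak\\iTunesHelper.exe"
98304 Mar 21 2004 "C:\\Program Files\\QuickTime\\bak\\qttask.exe"
50760 May 9 2006 "C:\\Program Files\\Common Files\\AOL\\1134674526\\ee\\AOLSoftware.exe"
50792 Apr 20 2006 "C:\\Program Files\\Common Files\\AOL\\1134674526\\ee\\bak\\AOLSoftware.exe"
'''

# size, three-letter month, day, year, then the quoted full path
LINE_RE = re.compile(r'^(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')


def parse_report(text):
    """Return a list of (size, date_string, PureWindowsPath) per report line.

    Lines that do not match the layout (headings, blanks) are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2), PureWindowsPath(m.group(3))))
    return entries


def classify_bak_entries(entries):
    """Pair every file found in a 'bak' folder with its sibling one level up.

    Status values:
      'identical' - live file present with the same size: looks like a plain backup
      'differs'   - live file present but a different size: the file the Run key
                    launches is not the one that was backed up; inspect it
      'bak_only'  - no live file: the Run entry points at something that is gone

    Returns {live_file_path: (status, bak_size, live_size_or_None)}.
    """
    # Case-insensitive lookup, since NTFS paths are case-insensitive.
    by_path = {str(p).lower(): size for size, _date, p in entries}
    results = {}
    for size, _date, path in entries:
        if path.parent.name.lower() != 'bak':
            continue  # only files that live inside a bak folder are of interest
        live = path.parent.parent / path.name
        live_size = by_path.get(str(live).lower())
        if live_size is None:
            status = 'bak_only'
        elif live_size == size:
            status = 'identical'
        else:
            status = 'differs'
        results[str(live)] = (status, size, live_size)
    return results


def summarize(text):
    """Parse and classify a report in one step."""
    return classify_bak_entries(parse_report(text))


if __name__ == '__main__':
    for live, (status, bak_size, live_size) in sorted(summarize(SAMPLE_REPORT).items()):
        print(f'{status:10} bak={bak_size:>7} live={live_size!s:>7}  {live}')
```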


----------



## Jintan (Oct 4, 2007)

No, not looking like Tonebac. Look through the following list, and check it against installed software and/or look in Explorer (right click Start, left click Explore) and see if in fact the files are not there. Post back what you find please.

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [Detect] C:\Program Files\iNTERNET Turbo\iDetect.exe /auto
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\Program Files\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ptrun32] C:\WINDOWS\system32\ptrun32\ptrun32.exe -startup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NBCUniversal Media Manager Tray] "C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" /CustomId:NBCUniversal
O4 - HKCU\..\Run: [PSD Tools Channel] C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\Run: [PTRUN32] C:\WINDOWS\system32\ptrun32\ptr32w.exe


----------



## Jintan (Oct 4, 2007)

Also go to Start - Run, type *cmd* (and Enter). At the prompt copy/paste the following, then press Enter.

*(dir /s "c:\srmclean*.*" & dir /s "c:\ViewMgr*.*" & dir /s "c:\jusched*.*") >c:\find3.txt & start notepad c:\find3.txt*

A quick scan will run and then Notepad will open - copy/paste those contents back here please (these will also be located at c:\find3.txt).


----------



## GlennU (Jul 25, 2005)

Did not see any of the files you listed in the explorer folder.

See results below. 

Volume in drive C is DRV2_VOL1
Volume Serial Number is CC46-C41C

Directory of c:\CPQS\scom\bak

07/24/2001 05:34 PM 36,864 srmclean.exe
1 File(s) 36,864 bytes

Total Files Listed:
1 File(s) 36,864 bytes
0 Dir(s) 155,240,210,432 bytes free
Volume in drive C is DRV2_VOL1
Volume Serial Number is CC46-C41C

Directory of c:\Program Files\Viewpoint\Viewpoint Manager

12/23/2005 10:24 AM 406,728 ViewMgrCore.dll
11/11/2004 12:15 AM 86,076 ViewMgrInstaller.exe
2 File(s) 492,804 bytes

Directory of c:\Program Files\Viewpoint\Viewpoint Manager\bak

11/11/2004 12:15 AM 111,816 ViewMgr.exe
1 File(s) 111,816 bytes

Total Files Listed:
3 File(s) 604,620 bytes
0 Dir(s) 155,240,206,336 bytes free
Volume in drive C is DRV2_VOL1
Volume Serial Number is CC46-C41C

Directory of c:\Program Files\Java\jre1.5.0_03\bin\bak

04/13/2005 04:48 AM 36,975 jusched.exe
1 File(s) 36,975 bytes

Total Files Listed:
1 File(s) 36,975 bytes
0 Dir(s) 155,240,206,336 bytes free


----------



## Jintan (Oct 4, 2007)

Just older files in those Bak folders as well. We'll go with these many startups being in fact remnants, then, but for now just leave them be. We can do a cleanup after infection removal is completed. The one area I am sensing a hidden infection working from is more or less combined with a WindowBlinds file loading in the same fashion. Feel free to uninstall WindowBlinds to give us a clear shot here if it is not too difficult.

On the off chance issues continue, I would like to check what just occurred when MBAM shut down the system. Navigate to the following folder:

c:\windows\*minidump*

And if one is there, locate in it any recent minidump(date-somenumber).dmp files created, where "date-somenumber" matches dates of any recent crashes there. If they exist, then just zip a copy of it, and send it to [email protected] as an attachment. Please place "Submitted Files - GlennU" as the email Subject.

------------------------------------

Go to Start > Run and type

*cmd*

and OK. At the prompt type (or copy/paste) the below commands and hit "Enter" after each line

*cd\
sc config "ewido security suite driver" start= disabled
sc stop "ewido security suite driver"
sc delete "ewido security suite driver"*

Type Exit to close.

-----------------------------------------

Just to clear some of the malware remnants away, close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select "Fix Checked" and close HijackThis.

*O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\system32\STEM32~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Pxaj] C:\WINDOWS\F?nts\w?nword.exe
O4 - HKCU\..\Run: [imzz] C:\PROGRA~1\COMMON~1\imzz\imzzm.exe
O4 - HKLM\..\Run: [{E4B942B6-050F-1033-1114-010430200001}] "C:\Program Files\Common Files\{E4B942B6-050F-1033-1114-010430200001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [{E4B942B6-050E-1033-1114-010430200001}] "C:\Program Files\Common Files\{E4B942B6-050E-1033-1114-010430200001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [{CC46C41C-050F-1033-1114-010430200001}] "C:\Program Files\Common Files\{CC46C41C-050F-1033-1114-010430200001}\Update.exe" te-110-12-0000213*

--------------------------------------

Then, although I really don't like stacking a system with installs, go here and download the free version of SUPERAntiSpyware and install it.

After installation accept any prompts to allow SUPERAntiSpyware to install the latest infection definition files. Next follow the prompts to complete the installation. For now, uncheck the option to have SUPERAntiSpyware "Automatically check for program and definition updates". Providing an email address and allowing the software to send diagnostic reports to its research center are up to you. Do NOT allow SUPERAntiSpyware to Protect your Home Page settings.

Once the installation is complete open SUPERAntiSpyware and press the *Preferences* button. Under the General and Startup tab, uncheck the following (leaving all other settings as is).

*Start-up Options:*
- Start SUPERAntiSpyware when Windows starts

*Automatic Updates:*
- Check for program updates when the application starts.

*Start-up Scanning:*
- Check for updates before scanning on startup.

Then select Close. Don't scan just yet though.

Also Go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.

On Windows Vista the "Windows Temp" option is disabled; to empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

===============================================

Reboot into *Safe Mode* (at startup tap the F8 key and select Safe Mode).

Open SUPERAntiSpyware and click the *Scan your Computer* button. You may need to start SUPERAntiSpyware, then right click the Taskbar icon (the little bug shaped icon) and select "Scan for Spyware, Adware, Malware..." to access the scan panel. Making sure that Fixed Drive (NTFS) is checked (typically the C Drive), check "Perform Complete Scan", then click Next. SUPERAntiSpyware will now complete a system scan.

SUPERAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found. Make sure that they all have a check next to them and click Next. If prompted allow the reboot (or manually reboot at this time), and after the reboot open SUPERAntiSpyware again (double click the bug-shaped Taskbar icon).

Click Preferences, then under the Statistics/Logs tab, click to select the most recent Scan Log, then click View Log. Save the log to your desktop, and copy/paste the text from the log back here.

------------------------------------------

Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

*"%userprofile%\desktop\dss.exe" /config*

When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

*System Restore*
*Temp Cleanup*
*Process Modules*

Then under Extra Log, uncheck all the boxes.

Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

Post that and the Super log please.


----------



## GlennU (Jul 25, 2005)

Could not find minidump file.

Not sure if the following files executed properly:
sc config ewido security suite driver start= disabled
sc stop ewido security suite driver
sc delete ewido security suite driver

Ran SUPERAntiSpyware... found lots of trojans and adware. Results below.

DSS results will be sent in the next post.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/30/2008 at 09:46 PM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Complete Scan
Total Scan Time : 01:16:55

Memory items scanned  : 170
Memory threats detected : 0
Registry items scanned : 5073
Registry threats detected : 57
File items scanned : 23087
File threats detected : 81

Adware.ClickSpring/Outer Info Network
HKLM\Software\Classes\CLSID\{B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8}
HKCR\CLSID\{B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8}
HKCR\CLSID\{B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8}
HKCR\CLSID\{B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8}#AppID
HKCR\CLSID\{B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8}\InprocServer32
HKCR\CLSID\{B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8}\InprocServer32#ThreadingModel
HKCR\CLSID\{B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8}\ProgID
HKCR\CLSID\{B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8}\Programmable
HKCR\CLSID\{B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8}\TypeLib
HKCR\CLSID\{B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8}\VersionIndependentProgID
C:\PROGRAM FILES\OIN SEARCH\OINSEARCH.DLL
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8}
HKCR\OINSearchToolbar.OINSBarBand.1
HKCR\OINSearchToolbar.OINSBarBand.1\CLSID
HKCR\OINSearchToolbar.OINSBarBand
HKCR\OINSearchToolbar.OINSBarBand\CLSID
HKCR\OINSearchToolbar.OINSBarBand\CurVer
HKCR\TypeLib\{1377B27B-E1EC-413D-A1DE-49A5EE7D6562}
HKCR\AppId\JamingoToolbar.DLL
HKCR\AppId\JamingoToolbar.DLL#AppID
HKCR\AppId\{3689DAB5-D3B0-49BD-A7BD-EE5D71419BE8}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0098516.EXE

Trojan.NewDotNet
HKU\.DEFAULT\Software\New.net
HKU\S-1-5-18\Software\New.net

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Adware.MyWay
HKLM\Software\MyWay
HKLM\Software\MyWay\myBar
HKLM\Software\MyWay\myBar#Dir
HKLM\Software\MyWay\myBar#ShzmCurInstall
HKLM\Software\MyWay\myBar#pid
HKLM\Software\MyWay\myBar#CurInstall
HKLM\Software\MyWay\myBar#sr
HKLM\Software\MyWay\myBar#pl
HKLM\Software\MyWay\myBar#Id
HKLM\Software\MyWay\myBar#Build
HKLM\Software\MyWay\myBar#CacheDir
HKLM\Software\MyWay\myBar#HistoryDir
HKLM\Software\MyWay\myBar#Visible
HKLM\Software\MyWay\myBar#Maximized
HKLM\Software\MyWay\myBar#SettingsDir
HKLM\Software\MyWay\myBar#ConfigRevisionURL
HKLM\Software\MyWay\myBar#ConfigDateStamp
HKLM\Software\MyWay\myBar\partner
HKLM\Software\MyWay\myBar\partner#bitmap
HKLM\Software\MyWay\myBar\partner#name
HKLM\Software\MyWay\myBar\partner#test
HKLM\Software\MyWay\myBar\partner#PM-Home
HKLM\Software\MyWay\myBar\partner#PM-Points
HKLM\Software\MyWay\myBar\partner#PM-Redeem
HKLM\Software\MyWay\myBar\partner#PM-Wallet
HKLM\Software\MyWay\myBar\partner#PM-Settings
C:\Program Files\MyWay\myBar\History\search
C:\Program Files\MyWay\myBar\History
C:\Program Files\MyWay\myBar\Settings\prevcfg.htm
C:\Program Files\MyWay\myBar\Settings
C:\Program Files\MyWay\myBar
C:\Program Files\MyWay

Adware.TargetSaver
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076888.EXE

Trojan.Downloader-YAY
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076871.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076880.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076886.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076887.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076889.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076890.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076894.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076895.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076900.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076901.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076902.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076903.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076909.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076910.EXE

Trojan.Downloader-Gen/Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076872.EXE

TargetSaver, Inc. Process
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076873.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076874.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076912.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0096304.EXE

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076875.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076877.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076878.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076905.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076916.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1259\A0086024.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1260\A0086425.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1262\A0087727.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1263\A0088012.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1264\A0088024.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1280\A0089151.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1284\A0091194.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1311\A0091355.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1293\A0091252.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1300\A0091283.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1301\A0091290.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1302\A0091297.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1303\A0091304.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1304\A0091317.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1305\A0091331.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1315\A0091385.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1321\A0091587.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0096303.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0096513.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0096514.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0096515.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0173591.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0173593.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0173594.EXE

Unclassified.Unknown Origin/System
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076876.DLL

Trojan.Downloader-Gen
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076879.EXE

Adware.ToolBar888
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076881.DLL

Trojan.Freeprod
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076891.EXE

Unclassified.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1259\A0086022.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1261\A0086678.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1264\A0088018.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1301\A0091284.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1303\A0091298.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1304\A0091312.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0096305.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0096307.EXE

Trojan.Downloader-XBO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1262\A0087726.DLL

Adware.ClickSpring
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1280\A0089146.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1311\A0091350.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1293\A0091246.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1293\A0091247.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1301\A0091285.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1305\A0091326.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1315\A0091380.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1321\A0091584.EXE

Trojan.Hacktool
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1329\A0092065.DLL

Adware.TargetSavers
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0096306.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0096308.EXE


----------



## GlennU (Jul 25, 2005)

Main.txt log below. Super log to follow in next post

Deckard's System Scanner v20071014.68
Run by Larry Miller on 2008-04-30 22:16:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 255 MiB (512 MiB recommended).

-- HijackThis (run as Larry Miller.exe) ----------------------------------------

logfile has no content; running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-30 22:16:39
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1134674526\ee\AOLSoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\E-Color\Colorific\hgcctl95.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Larry Miller\Desktop\dss.exe
C:\Program Files\Trend Micro\HijackThis\Larry Miller.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = home.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.media-search.net/nph-search.cgi?track=mssb1&look=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Common Files\Symantec Shared\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {E76B596A-EBFF-9473-F1DF-BFDEC9B65BC8} - C:\WINDOWS\system32\pjmwdihr.dll (file missing)
O2 - BHO: (no name) - {EE4F7C6B-B88A-BC52-F7DF-BFDEC9B60B92} - C:\WINDOWS\system32\pps.dll (file missing)
O2 - BHO: ProxyReset Class - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - C:\WINDOWS\System32\AHIEHelp.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [Detect] C:\Program Files\iNTERNET Turbo\iDetect.exe /auto
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\Program Files\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134674526\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ptrun32] C:\WINDOWS\system32\ptrun32\ptrun32.exe -startup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [NBCUniversal Media Manager Tray] "C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" /CustomId:NBCUniversal
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [PSD Tools Channel] C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\Run: [PTRUN32] C:\WINDOWS\system32\ptrun32\ptr32w.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Colorific.lnk = C:\Program Files\E-Color\Colorific\hgcctl95.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: SonnReg.lnk = C:\Program Files\E-Color\Registration\SonnReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://register.apple.com (HKCU)
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/voxacm.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} () - http://a1408.g.akamai.net/7/1408/99...W/win/019-0123.20031218.zes4d/iTunesSetup.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by130fd.bay130.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38068.613125
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} () - http://download.buddylinks.net/ShellInstaller.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{C87E1BCE-99F0-46D9-A3B5-A0754566D056}: NameServer = 71.242.0.12 71.252.0.12
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12047 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080430-201049-259 O4 - HKCU\..\Run: [Pxaj] C:\WINDOWS\F?nts\w?nword.exe
backup-20080430-201049-394 O4 - HKLM\..\Run: [{E4B942B6-050E-1033-1114-010430200001}] "C:\Program Files\Common Files\{E4B942B6-050E-1033-1114-010430200001}\Update.exe" te-110-12-0000213
backup-20080430-201049-507 O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\system32\STEM32~1\csrss.exe" -vt yazb
backup-20080430-201049-539 O4 - HKLM\..\Run: [{E4B942B6-050F-1033-1114-010430200001}] "C:\Program Files\Common Files\{E4B942B6-050F-1033-1114-010430200001}\Update.exe" te-110-12-0000213
backup-20080430-201049-613 O4 - HKCU\..\Run: [imzz] C:\PROGRA~1\COMMON~1\imzz\imzzm.exe
backup-20080430-201049-705 O4 - HKLM\..\Run: [{CC46C41C-050F-1033-1114-010430200001}] "C:\Program Files\Common Files\{CC46C41C-050F-1033-1114-010430200001}\Update.exe" te-110-12-0000213

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,71
.inf - inffile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.ini - inifile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.txt - txtfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,70

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R3 i81x - c:\windows\system32\drivers\i81xnt5.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
R3 RT73 (Belkin USB Network Adapter) - c:\windows\system32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S1 EACMOS - c:\windows\system32\drivers\eacmos.sys (file missing)
S1 EAWDMFD - c:\windows\system32\drivers\eawdmfd.sys (file missing)
S3 Belkin Belkin 11Mbps Wireless USB Network Adapter(R) (Belkin Belkin 11Mbps Wireless USB Network Adapter(R) Service for Belkin 11Mbps Wireless USB Network Adapter) - c:\windows\system32\drivers\bkusbxp.sys (file missing)
S3 catchme - c:\docume~1\larrym~1\locals~1\temp\catchme.sys (file missing)
S3 iAimFP4 - c:\windows\system32\drivers\wvchntxx.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimTV0 - c:\windows\system32\drivers\watv01nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimTV1 - c:\windows\system32\drivers\watv02nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimTV3 - c:\windows\system32\drivers\watv04nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 iAimTV4 - c:\windows\system32\drivers\wch7xxnt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
S3 PCANDIS5 (PCANDIS5 Protocol Driver) - c:\windows\system32\pcandis5.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Belkin Wireless USB Network Adapter Service (Belkin Wireless USB Network Adapter) - c:\program files\belkin\belkin wireless network utility\wlservice.exe
R2 GEARSecurity (Gear Security Service) - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&268D196D&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&268D196D&0
Service: i8042prt

-- Scheduled Tasks -------------------------------------------------------------

2008-04-29 19:33:24 636 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Larry Miller.job
2002-01-13 08:30:13 258 --a------ C:\WINDOWS\Tasks\Registration reminder 3.job
2002-01-13 08:30:13 258 --a------ C:\WINDOWS\Tasks\Registration reminder 2.job

-- Files created between 2008-03-30 and 2008-04-30 -----------------------------

2008-04-30 20:17:51 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-30 20:17:28 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-30 20:17:28 0 d-------- C:\Documents and Settings\Larry Miller\Application Data\SUPERAntiSpyware.com
2008-04-28 18:49:25 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-04-26 11:09:03 0 d-------- C:\Documents and Settings\Larry Miller\Application Data\Malwarebytes
2008-04-26 11:08:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-26 11:08:46 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 10:15:58 0 d-------- C:\WINDOWS\ERUNT
2008-04-24 22:06:55 0 d-------- C:\Documents and Settings\Larry Miller\Application Data\FrostWire
2008-04-24 22:06:23 0 d-------- C:\Program Files\FrostWire
2008-04-24 19:55:55 36864 --a------ C:\WINDOWS\system32\wbsys.dll <Not Verified; Stardock.Net, Inc; WindowBlinds 4.x for x86 machines>
2008-04-24 19:55:54 0 d-------- C:\Program Files\AlienGUIse
2008-04-24 19:52:30 0 d-------- C:\Documents and Settings\Larry Miller\Application Data\Aim
2008-04-24 19:16:38 2560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-04-23 09:33:22 0 d-------- C:\Program Files\Windows Sidebar
2008-04-23 09:31:14 0 d-------- C:\Program Files\Norton Internet Security
2008-04-21 17:58:22 0 d-------- C:\Program Files\Lavasoft
2008-04-21 17:58:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-21 17:57:28 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-21 17:34:47 0 d-------- C:\Program Files\Enigma Software Group
2008-04-21 17:28:19 0 d-------- C:\Program Files\NoAdware5.0
2008-04-21 17:06:46 0 d-------- C:\Program Files\Trend Micro
2008-04-15 20:51:46 0 d--h----- C:\Documents and Settings\Larry Miller\Application Data\Webroot
2008-04-09 19:33:41 40960 --a------ C:\WINDOWS\system32\B11gUSB.dll
2008-04-09 19:33:37 94208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2008-04-09 19:33:37 15872 --a------ C:\WINDOWS\system32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-04-08 21:04:30 2048 -ra------ C:\WINDOWS\system32\drivers\rt73.bin
2008-04-08 20:40:59 232192 --a------ C:\WINDOWS\system32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>
2008-04-03 19:22:01 0 d-------- C:\Program Files\Belkin

-- Find3M Report ---------------------------------------------------------------

2008-04-30 22:11:20 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-30 21:53:12 0 d-------- C:\Program Files\OIN Search
2008-04-28 19:01:04 0 d-------- C:\Program Files\Comcast Rhapsody
2008-04-28 18:49:03 0 d-------- C:\Program Files\Common Files
2008-04-24 19:51:54 0 d-------- C:\Program Files\AIM95
2008-04-24 19:22:01 0 d-------- C:\Program Files\iTunes
2008-04-23 09:37:53 0 d--h----- C:\Documents and Settings\Larry Miller\Application Data\Symantec
2008-04-23 09:34:36 0 d-------- C:\Program Files\Symantec
2008-04-21 14:27:16 0 d--h----- C:\Documents and Settings\Larry Miller\Application Data\Google
2008-04-12 15:46:58 0 d-------- C:\Program Files\quickenw
2008-04-09 17:37:50 45056 --a------ C:\WINDOWS\NCUNINST.EXE <Not Verified; Northern Codeworks; Uninstall>
2008-04-09 17:37:42 0 d--h----- C:\Program Files\InstallShield Installation Information

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
02/07/2008 12:05 AM	349552	--a------	C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
04/23/2008 09:32 AM	116088	--a------	C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E76B596A-EBFF-9473-F1DF-BFDEC9B65BC8}]
C:\WINDOWS\system32\pjmwdihr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE4F7C6B-B88A-BC52-F7DF-BFDEC9B60B92}]
C:\WINDOWS\system32\pps.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll [02/07/2008 12:05 AM 349552]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe" []
"WorksFUD"="" []
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" []
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" []
"srmclean"="C:\Cpqs\Scom\srmclean.exe" []
"DownloadAccelerator"="C:\PROGRA~1\DAP\DAP.exe" []
"Detect"="C:\Program Files\iNTERNET Turbo\iDetect.exe" []
"PCTVOICE"="pctspk.exe" [08/14/2002 06:48 PM C:\WINDOWS\system32\pctspk.exe]
"SZMsgSvc.exe"="C:\Program Files\STOPzilla!\SZMsgSvc.exe" []
"DeadAIM"="C:\Program Files\AIM95\\DeadAIM.ocm" [02/24/2003 05:11 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/16/2003 12:06 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" []
"HostManager"="C:\Program Files\Common Files\AOL\1134674526\ee\AOLSoftware.exe" [05/09/2006 08:24 PM]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" []
"ptrun32"="C:\WINDOWS\system32\ptrun32\ptrun32.exe" []
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" []
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [02/17/2006 12:59 PM]
"NBCUniversal Media Manager Tray"="C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/25/2008 09:47 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [02/07/2008 02:49 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PSD Tools Channel"="C:\Program Files\Common Files\PSD Tools\ChannelUp.exe" []
"BLMessagingIntegration"="C:\Program Files\Common Files\PSD Tools\blengine.exe" []
"Aim6"="" []
"PTRUN32"="C:\WINDOWS\system32\ptrun32\ptr32w.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/16/2007 03:15 PM]
"AIM"="C:\Program Files\AIM95\aim.exe" [11/13/2002 08:50 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Colorific.lnk - C:\Program Files\E-Color\Colorific\hgcctl95.exe [7/7/2002 10:26:25 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [7/13/2000 4:00:00 PM]
SonnReg.lnk - C:\Program Files\E-Color\Registration\SonnReg.exe [7/7/2002 10:26:26 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ca84dec-cc33-11db-bec4-806d6172696f}]
AutoRun\command- D:\CDSTART.EXE

*Newly Created Service* - COMHOST

-- End of Deckard's System Scanner: finished at 2008-04-30 22:17:48 ------------


----------



## GlennU (Jul 25, 2005)

no super log found


----------



## Jintan (Oct 4, 2007)

My slow typing leads me to cheat a little, so "Super" meant the SUPERAntiSpyware log, which you did post. It removed the Domain Service reg entries which I had thought would be gone, and the remainder was expected. Much of the log references infection more or less held harmless in System Restore. I see you did remove Windows Blinds, and now the registry value I was referring to shows some telltale signs of a hidden function there. Let's clean some and check why.

Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select Fix Checked and close HijackThis.

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.media-search.net/nph-s...k=stmpl1&find=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.media-search.net/nph-s...k=stmpl1&find=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.media-search.net/nph-s...=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {E76B596A-EBFF-9473-F1DF-BFDEC9B65BC8} - C:\WINDOWS\system32\pjmwdihr.dll (file missing)
O2 - BHO: (no name) - {EE4F7C6B-B88A-BC52-F7DF-BFDEC9B60B92} - C:\WINDOWS\system32\pps.dll (file missing)
O2 - BHO: ProxyReset Class - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - C:\WINDOWS\System32\AHIEHelp.DLL (file missing)
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [Detect] C:\Program Files\iNTERNET Turbo\iDetect.exe /auto
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\Program Files\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ptrun32] C:\WINDOWS\system32\ptrun32\ptrun32.exe -startup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NBCUniversal Media Manager Tray] "C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" /CustomId:NBCUniversal
O4 - HKCU\..\Run: [PSD Tools Channel] C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\Run: [PTRUN32] C:\WINDOWS\system32\ptrun32\ptr32w.exe
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} () - http://download.buddylinks.net/ShellInstaller.cab

-------------------------------------

Download System Repair Engineer. Use either of the Local Download buttons to download sreng2.zip

1. Extract it to its own folder on your Desktop, then double click SREng.exe to run it.
2. Select 'Smart Scan' & tick "Verify Digital Signatures"
3. Click on the [Scan] button
4. When finished, click on the [Save Reports] button & save the log to Desktop.

Please post that log back here for review - it will be large, so use extra posts as needed.

For now just post that for review before we add another Deckards log as well.


----------
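The fix list in the post above is a manual triage of HijackThis output: IE search/start-page values pointing somewhere other than the Microsoft defaults, BHO CLSIDs whose DLL is already gone, Run entries launching from odd places under system32, and an ActiveX installer (O16/DPF) pulled from a third-party host. As an added example that is not part of this thread, of HijackThis or of SREng, the Python script below applies rules of that kind to HJT log lines so the same checks can be repeated on another log. The host allow-lists, the `KNOWN_SYSTEM32_AUTORUNS` set and the rule thresholds are illustrative assumptions modelled on what the helper flagged, not the helper's stated criteria and not a malware database; the sample log is assembled from lines quoted in this thread plus one constructed benign line for contrast.

```python
"""Rule-based triage of HijackThis (HJT) log lines.

Added example for this thread; not part of HijackThis, SREng or the helper's
toolkit.  Allow-lists and rules are illustrative assumptions, not an
authoritative list of good or bad software.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: hosts a stock Windows XP / IE7 install points its search and
# start-page settings at.  Any other host in an R0/R1 value is a hijack candidate.
TRUSTED_IE_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.msn.com"}
# Assumption: hosts from which ActiveX installers (O16 / DPF entries) are expected.
TRUSTED_DPF_HOSTS = {"download.microsoft.com", "update.microsoft.com", "java.sun.com"}
# Assumption: Microsoft binaries that legitimately autorun straight from system32.
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass(frozen=True)
class Finding:
    code: str    # HJT section code: R0, R1, O2, O4, O16
    reason: str  # why the line deserves a look
    line: str    # the original log line


HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
BHO_LINE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_LINE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
DPF_LINE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")


def host_of(url: str) -> Optional[str]:
    """Lower-cased host of an http(s) URL; None for about:blank, local paths, etc."""
    m = re.match(r"https?://([^/\s]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def first_path(cmd: str) -> str:
    """Executable path at the start of a Run command line, quoted or not."""
    m = re.match(r'^"?(?P<p>.+?\.(?:exe|com|scr|bat|cmd|dll|ocm))', cmd.strip(), re.IGNORECASE)
    return m.group("p") if m else cmd.strip().split(" ")[0]


def triage_line(line: str) -> Optional[Finding]:
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1"):
        # 'HKCU\...\Main,Default_Search_URL = about:blank'; values never contain ' = '
        _key, sep, value = body.rpartition(" = ")
        if not sep:
            return None
        host = host_of(value)
        if host is None:
            return Finding(code, f"IE setting holds a non-URL value {value!r}", line)
        if host not in TRUSTED_IE_HOSTS:
            return Finding(code, f"IE search/start setting points at {host}", line)
        return None
    if code == "O2":
        bm = BHO_LINE.match(body)
        if bm and "(file missing)" in bm.group("path"):
            return Finding(code, "BHO CLSID registered but its DLL is gone (orphaned hook)", line)
        if bm and bm.group("name") == "(no name)":
            return Finding(code, "BHO with no friendly name", line)
        return None
    if code == "O4":
        rm = RUN_LINE.match(body)
        if not rm:
            return None
        path = first_path(rm.group("cmd")).lower()
        if path.startswith(SYSTEM32):
            rest = path[len(SYSTEM32):]
            if "\\" in rest:
                return Finding(code, "Run entry launches from a subfolder of system32", line)
            if rest not in KNOWN_SYSTEM32_AUTORUNS:
                return Finding(code, f"unexpected system32 autorun {rest}", line)
        return None
    if code == "O16":
        dm = DPF_LINE.match(body)
        if not dm:
            return None
        host = host_of(dm.group("url"))
        if host not in TRUSTED_DPF_HOSTS:
            label = dm.group("name") or "<unnamed>"
            return Finding(code, f"ActiveX installer {label} downloaded from {host}", line)
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


# Constructed sample: lines quoted in this thread plus a benign ctfmon.exe entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.media-search.net/nph-s...k=stmpl1&find=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {E76B596A-EBFF-9473-F1DF-BFDEC9B65BC8} - C:\WINDOWS\system32\pjmwdihr.dll (file missing)
O4 - HKLM\..\Run: [ptrun32] C:\WINDOWS\system32\ptrun32\ptrun32.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} () - http://download.buddylinks.net/ShellInstaller.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}\n     {f.line}")
```

Run against the sample it reports six lines and stays quiet on the go.microsoft.com search page and the ctfmon.exe autorun; a real log would need the allow-lists tuned to the machine, and a "(file missing)" BHO is still worth removing even though nothing loads from it, because the CLSID hook is what a dropper re-uses when it comes back.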



## GlennU (Jul 25, 2005)

could not find: R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore.

Not sure what happened to it. Looked a lot.

SREng report below.


```
2008-05-01,19:41:52

System Repair Engineer 2.5.16.900
Smallfrogs (http://www.KZTechs.com)

Windows XP Home Edition Service Pack 2 (Build 2600) - Administrative User - Completed Functions Allowed

Follow item(s) have been choosed:
    All Boot Items (Including Registry, Startup Folders, Services and so on)
    Browser Add-ons
    Runing Processes (Including process model information)
    File Associations
    Winsock Provider
    Autorun.Inf
    HOSTS File
    Process Privileges Scan

Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <Aim6><>  [N/A]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
    <swg><C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe>  [(Verified)Google Inc]
    <AIM><C:\Program Files\AIM95\aim.exe -cnetwait.odl>  [N/A]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <WorksFUD><>  [N/A]
    <PCTVOICE><pctspk.exe>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <DeadAIM><rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs>  [N/A]
    <iTunesHelper><C:\Program Files\iTunes\iTunesHelper.exe>  [Apple Computer, Inc.]
    <HostManager><C:\Program Files\Common Files\AOL\1134674526\ee\AOLSoftware.exe>  [(Verified)"Americ]
    <IPHSend><C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe>  [(Verified)"Americ]
    <ccApp><"C:\Program Files\Common Files\Symantec Shared\ccApp.exe">  [(Verified)Symantec Corporation]
    <osCheck><"C:\Program Files\Norton Internet Security\osCheck.exe">  [(Verified)Symantec Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Component Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs>< >  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}><C:\Program Files\SUPERAntiSpyware\SASSEH.DLL>  [SuperAdBlocker.com]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
    <WinlogonNotify: !SASWinLogon><C:\Program Files\SUPERAntiSpyware\SASWINLO.dll>  [SUPERAntiSpyware.com]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    <WinlogonNotify: WgaLogon><WgaLogon.dll>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
    <IE7 Uninstall Stub><C:\WINDOWS\system32\ieudinit.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
    <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
    <Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    <Address Book 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
    <N/A><c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install>  [(Verified)Microsoft Corporation]

==================================
Startup Folders
[Colorific]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Colorific.lnk --> C:\PROGRA~1\E-Color\COLORI~1\hgcctl95.exe [E-Color, Inc. formerly Sonnetech Ltd.]><N>
[Microsoft Office]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk --> C:\PROGRA~1\MICROS~4\Office10\OSA.EXE [Microsoft Corporation]><N>
[Microsoft Works Calendar Reminders]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk --> C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\WkCalRem.exe [Microsoft® Corporation]><N>
[SonnReg]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SonnReg.lnk --> C:\PROGRA~1\E-Color\REGIST~1\SonnReg.exe [E-Color, Inc.]><N>

==================================
Services
[Ad-Aware 2007 Service / aawservice][Running/Auto Start]
  <"C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"><Lavasoft>
[Application Management / AppMgmt][Stopped/Manual Start]
  <C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\appmgmts.dll><N/A>
[Automatic LiveUpdate Scheduler / Automatic LiveUpdate Scheduler][Running/Auto Start]
  <"C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe"><Symantec Corporation>
[Belkin Wireless USB Network Adapter / Belkin Wireless USB Network Adapter Service][Running/Auto Start]
  <C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe><N/A>
[Symantec Event Manager / ccEvtMgr][Running/Auto Start]
  <"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon><Symantec Corporation>
[Symantec Settings Manager / ccSetMgr][Running/Auto Start]
  <"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon><Symantec Corporation>
[Symantec Lic NetConnect service / CLTNetCnService][Running/Auto Start]
  <"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon><Symantec Corporation>
[COM Host / comHost][Stopped/Manual Start]
  <"C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe"><Symantec Corporation>
[Gear Security Service / GEARSecurity][Running/Auto Start]
  <C:\WINDOWS\System32\gearsec.exe><GEAR Software>
[Google Updater Service / gusvc][Stopped/Manual Start]
  <"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"><Google>
[iPod Service / iPodService][Running/Manual Start]
  <"C:\Program Files\iPod\bin\iPodService.exe"><Apple Computer, Inc.>
[LiveUpdate / LiveUpdate][Stopped/Manual Start]
  <"C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE"><Symantec Corporation>
[LiveUpdate Notice / LiveUpdate Notice][Running/Auto Start]
  <"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon><Symantec Corporation>
[PCTEL Speaker Phone / Pctspk][Stopped/Auto Start]
  <C:\WINDOWS\system32\pctspk.exe><>
[Symantec Core LC / Symantec Core LC][Running/Manual Start]
  <C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe><>

==================================
Drivers
[Intel(r) 82801 Audio Driver Install Service (WDM) / ac97intc][Stopped/Manual Start]
  <system32\drivers\ac97intc.sys><Intel Corporation>
[aeaudio / aeaudio][Running/Manual Start]
  <system32\drivers\aeaudio.sys><Andrea Electronics Corporation>
[AEGIS Protocol (IEEE 802.1x) v3.4.3.0 / AegisP][Running/Auto Start]
  <system32\DRIVERS\AegisP.sys><Meetinghouse Data Communications>
[Belkin Belkin 11Mbps Wireless USB Network Adapter(R) Service for Belkin 11Mbps Wireless USB Network Adapter / Belkin Belkin 11Mbps Wireless USB Network Adapter(R)][Stopped/Manual Start]
  <system32\DRIVERS\bkusbxp.sys><N/A>
[catchme / catchme][Stopped/Manual Start]
  <\??\C:\DOCUME~1\LARRYM~1\LOCALS~1\Temp\catchme.sys><N/A>
[COH_Mon / COH_Mon][Running/Manual Start]
  <\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys><Symantec Corporation>
[CO_Mon / CO_Mon][Running/Auto Start]
  <\??\C:\WINDOWS\system32\drivers\CO_Mon.sys><Symantec Corporation>
[EACMOS / EACMOS][Stopped/System Start]
  <\SystemRoot\system32\drivers\EACMOS.SYS><N/A>
[EAWDMFD / EAWDMFD][Stopped/System Start]
  <\SystemRoot\system32\drivers\EAWDMFD.sys><N/A>
[Symantec Eraser Control driver / eeCtrl][Running/System Start]
  <\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys><Symantec Corporation>
[EraserUtilRebootDrv / EraserUtilRebootDrv][Running/Manual Start]
  <\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys><Symantec Corporation>
[Gcr432 / Gcr432][Stopped/Manual Start]
  <System32\Drivers\gcr432.sys><Gemplus>
[GEAR CDRom Filter / GEARAspiWDM][Running/Manual Start]
  <SYSTEM32\DRIVERS\GEARAspiWDM.sys><GEAR Software>
[i81x / i81x][Running/Manual Start]
  <System32\DRIVERS\i81xnt5.sys><Intel(R) Corporation>
[iAimFP0 / iAimFP0][Stopped/Manual Start]
  <System32\DRIVERS\wADV01nt.sys><Intel(R) Corporation>
[iAimFP1 / iAimFP1][Stopped/Manual Start]
  <System32\DRIVERS\wADV02NT.sys><Intel(R) Corporation>
[iAimFP2 / iAimFP2][Stopped/Manual Start]
  <System32\DRIVERS\wADV05NT.sys><Intel(R) Corporation>
[iAimFP3 / iAimFP3][Stopped/Manual Start]
  <System32\DRIVERS\wSiINTxx.sys><Intel(R) Corporation>
[iAimFP4 / iAimFP4][Stopped/Manual Start]
  <System32\DRIVERS\wVchNTxx.sys><Intel(R) Corporation>
[iAimTV0 / iAimTV0][Stopped/Manual Start]
  <System32\DRIVERS\wATV01nt.sys><Intel(R) Corporation>
[iAimTV1 / iAimTV1][Stopped/Manual Start]
  <System32\DRIVERS\wATV02NT.sys><Intel(R) Corporation>
[iAimTV3 / iAimTV3][Stopped/Manual Start]
  <System32\DRIVERS\wATV04nt.sys><Intel(R) Corporation>
[iAimTV4 / iAimTV4][Stopped/Manual Start]
  <System32\DRIVERS\wCh7xxNT.sys><Intel(R) Corporation>
[NAVENG / NAVENG][Running/Manual Start]
  <\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080501.019\NAVENG.SYS><Symantec Corporation>
[NAVEX15 / NAVEX15][Running/Manual Start]
  <\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080501.019\NAVEX15.SYS><Symantec Corporation>
[PCANDIS5 Protocol Driver / PCANDIS5][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\PCANDIS5.SYS><N/A>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[W2K Pctel Serial Device Driver / Ptserial][Running/Manual Start]
  <System32\DRIVERS\ptserial.sys><PCTEL, INC.>
[PCTEL Serial Device Driver for PCI / Ptserlp][Stopped/Manual Start]
  <System32\DRIVERS\ptserlp.sys><PCTEL, INC.>
[PxHelp20 / PxHelp20][Running/Boot Start]
  <\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>
[Belkin USB Network Adapter / RT73][Running/Manual Start]
  <system32\DRIVERS\rt73.sys><Ralink Technology, Corp.>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Stopped/Manual Start]
  <System32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[SASDIFSV / SASDIFSV][Running/System Start]
  <\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS><>
[SASENUM / SASENUM][Stopped/Manual Start]
  <\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS><SuperAdBlocker, Inc.>
[SASKUTIL / SASKUTIL][Running/System Start]
  <\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys><>
[Secdrv / Secdrv][Running/Auto Start]
  <System32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver / SMC1211][Stopped/Manual Start]
  <System32\DRIVERS\SMC1211.SYS><SMC Networks Inc.>
[smwdm / smwdm][Running/Manual Start]
  <system32\drivers\smwdm.sys><Analog Devices, Inc.>
[Sony USB Filter Driver (SONYPVU1) / SONYPVU1][Stopped/Manual Start]
  <System32\DRIVERS\SONYPVU1.SYS><Sony Corporation>
[SPBBCDrv / SPBBCDrv][Running/System Start]
  <\??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys><Symantec Corporation>
[SRTSP / SRTSP][Running/Manual Start]
  <System32\Drivers\SRTSP.SYS><Symantec Corporation>
[SRTSPL / SRTSPL][Stopped/Manual Start]
  <System32\Drivers\SRTSPL.SYS><Symantec Corporation>
[SRTSPX / SRTSPX][Running/System Start]
  <System32\Drivers\SRTSPX.SYS><Symantec Corporation>
[SYMDNS / SYMDNS][Running/Manual Start]
  <\SystemRoot\System32\Drivers\SYMDNS.SYS><Symantec Corporation>
[SymEvent / SymEvent][Running/Manual Start]
  <\??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS><Symantec Corporation>
[SYMFW / SYMFW][Running/Manual Start]
  <\SystemRoot\System32\Drivers\SYMFW.SYS><Symantec Corporation>
[SYMIDS / SYMIDS][Running/Manual Start]
  <\SystemRoot\System32\Drivers\SYMIDS.SYS><Symantec Corporation>
[SYMIDSCO / SYMIDSCO][Running/Manual Start]
  <\??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\ipsdefs\20080429.001\SymIDSCo.sys><Symantec Corporation>
[Symantec Network Security Intermediate Filter Service / SymIM][Stopped/Manual Start]
  <system32\DRIVERS\SymIM.sys><Symantec Corporation>
[SymIMMP / SymIMMP][Running/Manual Start]
  <system32\DRIVERS\SymIM.sys><Symantec Corporation>
[SYMNDIS / SYMNDIS][Running/Manual Start]
  <\SystemRoot\System32\Drivers\SYMNDIS.SYS><Symantec Corporation>
[SYMREDRV / SYMREDRV][Running/Manual Start]
  <\SystemRoot\System32\Drivers\SYMREDRV.SYS><Symantec Corporation>
[SYMTDI / SYMTDI][Running/System Start]
  <\SystemRoot\System32\Drivers\SYMTDI.SYS><Symantec Corporation>
[W2K Vmodem / Vmodem][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\vmodem.sys><PCTEL, INC.>
[W2K Vpctcom / Vpctcom][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\vpctcom.sys><PCtel, Inc.>
[W2K Vvoice / Vvoice][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\vvoice.sys><PCtel, Inc.>
[WAN Network Driver / wandrv][Stopped/Manual Start]
  <System32\DRIVERS\wandrv.sys><America Online, Inc.>

==================================
Browser Add-ons
[Yahoo! Toolbar Helper]
  {02478D38-C3F9-4EFB-9B51-7695ECA05670} <C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll, Yahoo! Inc.>
[]
  {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} <C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll, Symantec Corporation>
[Symantec Intrusion Prevention]
  {6D53EC84-6AAE-4787-AEEE-F4628F01010C} <C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll, Symantec Corporation>
[Google Toolbar Helper]
  {AA58ED58-01DD-4d91-8333-CF10577473F7} <c:\program files\google\googletoolbar2.dll, Google Inc.>
[Google Toolbar Notifier BHO]
  {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} <C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll, Google Inc.>
[AIM]
  {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} <C:\Program Files\AIM95\aim.exe, America Online, Inc.>
[Real.com]
  {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} <C:\WINDOWS\System32\Shdocvw.dll, Microsoft Corporation>
[]
  {e2e2dd38-d088-4134-82b7-f2ba38496583} <%windir%\Network Diagnostic\xpnetdiag.exe, N/A>
[Messenger]
  {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
[Support]
  {0D68CB5D-F53A-4446-9C8F-BFEDF5D63C7B} <C:\Program Files\Internet Explorer\SIGNUP\Presario.htm, N/A>
[@Home]
  {681A93F4-BE60-49D0-88CF-73489AA78B89} <http://home.excite.com, N/A>
[Yahoo! Toolbar]
  {EF99BD32-C1FB-11D2-892F-0090271D4F88} <C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll, Yahoo! Inc.>
[&Google]
  {2318C2B1-4965-11d4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar2.dll, Google Inc.>
[Show Norton Toolbar]
  {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} <C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll, Symantec Corporation>
[Symantec Script Runner Class]
  {44990301-3C9D-426D-81DF-AAB636FA4345} <C:\PROGRA~1\COMMON~1\SYMANT~1\SUPPOR~1\tgctlsr.dll, Symantec Corporation>
[MSN Photo Upload Tool]
  {4F1E5B1A-2A80-42CA-8532-2D05CB959537} <C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll, Microsoft® Corporation>
[Facebook Photo Uploader Control]
  {5F8469B4-B055-49DD-83F7-62B522420ECC} <C:\WINDOWS\Downloaded Program Files\FacebookPhotoUploader.ocx, The Facebook>
[Downloader Class]
  {CA034DCC-A580-4333-B52F-15F98C42E04C} <C:\WINDOWS\DOWNLO~1\dwnldr.dll, N/A>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx, Macromedia, Inc.>
[Google Script Object]
  {00EF2092-6AC5-47C0-BD25-CF2D5D657FEB} <c:\program files\google\googletoolbar2.dll, Google Inc.>
[Yahoo! Toolbar Helper]
  {02478D38-C3F9-4EFB-9B51-7695ECA05670} <C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll, Yahoo! Inc.>
[QuickTime Object]
  {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} <C:\Program Files\QuickTime\QTPlugin.ocx, Apple Computer, Inc.>
[MetaStreamCtl Class]
  {03F998B2-0E00-11D3-A498-00104B6EB52E} <C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0305000D.dll, Viewpoint Corporation>
[Web Browser Applet Control]
  {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\WINDOWS\System32\msjava.dll, Microsoft Corporation>
[Windows Genuine Advantage Validation Tool]
  {17492023-C23A-453E-A040-C7C580BBF700} <C:\WINDOWS\system32\legitcheckcontrol.dll, Microsoft Corporation>
[Windows Media Player]
  {22D6F312-B0F6-11D0-94AB-0080C74C7E95} <C:\WINDOWS\system32\wmpdxm.dll, Microsoft Corporation>
[&Google]
  {2318C2B1-4965-11D4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar2.dll, Google Inc.>
[HTML Document]
  {25336920-03F9-11CF-8FD0-00AA00686F13} <C:\WINDOWS\system32\mshtml.dll, Microsoft Corporation>
[XML DOM Document]
  {2933BF90-7B36-11D2-B20E-00C04F983E60} <C:\WINDOWS\System32\msxml3.dll, Microsoft Corporation>
[DHTML Edit Control Safe for Scripting for IE5]
  {2D360201-FFF5-11D1-8D03-00A0C959BC0A} <C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, Microsoft Corporation>
[Symantec Script Runner Class]
  {44990301-3C9D-426D-81DF-AAB636FA4345} <C:\PROGRA~1\COMMON~1\SYMANT~1\SUPPOR~1\tgctlsr.dll, Symantec Corporation>
[XML Document]
  {48123BC4-99D9-11D1-A6B3-00C04FD91555} <C:\WINDOWS\System32\msxml3.dll, Microsoft Corporation>
[Facebook Photo Uploader Control]
  {5F8469B4-B055-49DD-83F7-62B522420ECC} <C:\WINDOWS\Downloaded Program Files\FacebookPhotoUploader.ocx, The Facebook>
[]
  {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} <C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll, Symantec Corporation>
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[Windows Media Player]
  {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Symantec Intrusion Prevention]
  {6D53EC84-6AAE-4787-AEEE-F4628F01010C} <C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll, Symantec Corporation>
[MUWebControl Class]
  {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} <C:\WINDOWS\system32\muweb.dll, Microsoft Corporation>
[Show Norton Toolbar]
  {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} <C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll, Symantec Corporation>
[Microsoft Web Browser]
  {8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\ieframe.dll, Microsoft Corporation>
[RMGetLicense Class]
  {A9FC132B-096D-460B-B7D5-1DB0FAE0C062} <C:\WINDOWS\system32\msnetobj.dll, Microsoft Corporation>
[Google Toolbar Helper]
  {AA58ED58-01DD-4D91-8333-CF10577473F7} <c:\program files\google\googletoolbar2.dll, Google Inc.>
[Microsoft Scriptlet Component]
  {AE24FDAE-03C6-11D1-8B76-0080C744F389} <C:\WINDOWS\system32\mshtml.dll, Microsoft Corporation>
[Google Toolbar Notifier BHO]
  {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} <C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll, Google Inc.>
[SearchAssistantOC]
  {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, N/A>
[RDS.DataSpace]
  {BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
[Acrobat Control for ActiveX]
  {CA8A9780-280D-11CF-A24D-444553540000} <C:\Program Files\Adobe\Acrobat 4.0\Reader\ActiveX\pdf.ocx, Adobe Systems Incorporated>
[CentrinoCheck Control]
  {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} <C:\WINDOWS\system32\cpucheck.ocx, Intel Corporation>
[AUDIO__BASIC Moniker Class]
  {CD3AFA73-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[AUDIO__MID Moniker Class]
  {CD3AFA74-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[AUDIO__MP3 Moniker Class]
  {CD3AFA76-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[AUDIO__MPEGURL Moniker Class]
  {CD3AFA78-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[AUDIO__WAV Moniker Class]
  {CD3AFA7B-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[AUDIO__X_MS_WMA Moniker Class]
  {CD3AFA84-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[VIDEO__AVI Moniker Class]
  {CD3AFA88-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[VIDEO__MPEG Moniker Class]
  {CD3AFA89-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[VIDEO__X_MS_ASF Moniker Class]
  {CD3AFA8F-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[VIDEO__X_MS_WMV Moniker Class]
  {CD3AFA94-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[VIDEO__X_MS_WVX Moniker Class]
  {CD3AFA95-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[MediaControl Class]
  {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} <C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaControl.dll, Entriq, Inc.>
[Msxml]
  {CFC399AF-D876-11D0-9C10-00C04FC99C8E} <C:\WINDOWS\System32\msxml3.dll, Microsoft Corporation>
[RealPlayer G2 Control]
  {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} <C:\WINDOWS\System32\rmoc3260.dll, RealNetworks>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx, Macromedia, Inc.>
[iTunesDetector Class]
  {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} <C:\Program Files\iTunes\ITDetector.ocx, >
[NBCUniversal Class]
  {DE0FB644-C59B-46D1-B650-88BA945BC98F} <C:\Program Files\NBC Universal\MediaSphere\Ver\ProductVersion.Dll, Entriq, Inc.>
[QuickTimeCheck Class]
  {DE4AF3B0-F4D4-11D3-B41A-0050DA2E6C21} <C:\WINDOWS\System32\QuickTimeCheck.OCX, Apple Computer, Inc.>
[XML HTTP Request]
  {ED8C108E-4349-11D2-91A4-00C04F7969E8} <C:\WINDOWS\System32\msxml3.dll, Microsoft Corporation>
[Yahoo! Toolbar]
  {EF99BD32-C1FB-11D2-892F-0090271D4F88} <C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll, Yahoo! Inc.>
[XML DOM Document 3.0]
  {F5078F32-C551-11D3-89B9-0000F81FE221} <C:\WINDOWS\System32\msxml3.dll, Microsoft Corporation>
[XML HTTP]
  {F6D90F16-9C73-11D3-B32E-00C04F990BB4} <C:\WINDOWS\System32\msxml3.dll, Microsoft Corporation>
[E&xport to Microsoft Excel]
  <res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000, N/A>
```


----------



## GlennU (Jul 25, 2005)

==================================
Running Processes
[PID: 456 / SYSTEM][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 840 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 864 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\SUPERAntiSpyware\SASWINLO.dll] [SUPERAntiSpyware.com, 1, 0, 0, 1046]
[PID: 908 / SYSTEM][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 920 / SYSTEM][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1060 / SYSTEM][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1120 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1160 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1224 / NETWORK SERVICE][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1380 / LOCAL SERVICE][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1528 / Larry Miller][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)]
[C:\Program Files\Common Files\Symantec Shared\NPC\2.0\NPCEXT.dll] [Symantec Corporation, 2008.6.00.18]
[C:\Program Files\Common Files\Symantec Shared\ccL70U.dll] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\SUPERAntiSpyware\SASSEH.DLL] [SuperAdBlocker.com, 1, 0, 0, 1008]
[PID: 1776 / SYSTEM][C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Common Files\Symantec Shared\ccL70U.dll] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Common Files\Symantec Shared\ccSvc.dll] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Common Files\Symantec Shared\CCIPC.dll] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Common Files\Symantec Shared\ccSet.dll] [Symantec Corporation, 107.0.4.2]
[C:\PROGRA~1\COMMON~1\SYMANT~1\CCSETPLG.DLL] [Symantec Corporation, 107.0.4.2]
[C:\PROGRA~1\NORTON~1\NORTON~1\AVPSVC32.DLL] [Symantec Corporation, 15.5.0.23]
[C:\Program Files\Norton Internet Security\Norton AntiVirus\AVSubmit.dll] [Symantec Corporation, 15.5.0.23]
[C:\PROGRA~1\COMMON~1\SYMANT~1\CCSUBENG.DLL] [Symantec Corporation, 107.0.4.2]
[C:\PROGRA~1\COMMON~1\SYMANT~1\HOMENET\HNCORE.DLL] [Symantec Corporation, 3.5.0.14]
[C:\PROGRA~1\NORTON~1\ISDATASV.DLL] [Symantec Corporation, 15.5.0.32]
[C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSVC.DLL] [Symantec Corporation, 8.0.1.18]
[C:\Program Files\Common Files\Symantec Shared\ccL70.dll] [Symantec Corporation, 107.0.4.2]
[C:\PROGRA~1\COMMON~1\SYMANT~1\SPBBC\TPROCPLG.DLL] [Symantec Corporation, 4.1.0.15]
[C:\PROGRA~1\COMMON~1\SYMANT~1\NPC\2.0\WMIMONTR.DLL] [Symantec Corporation, 2008.6.00.18]
[C:\PROGRA~1\COMMON~1\SYMANT~1\CCEVTPLG.DLL] [Symantec Corporation, 107.0.4.2]
[C:\PROGRA~1\COMMON~1\SYMANT~1\APPCORE\APPPLG32.DLL] [Symantec Corporation, 1.3.00.68]
[C:\PROGRA~1\COMMON~1\SYMANT~1\HTEC\HTEC.DLL] [Symantec Corporation, 2.0.0.48]
[C:\Program Files\Common Files\Symantec Shared\AppCore\AppMgr32.dll] [Symantec Corporation, 1.3.00.68]
[C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSPLUG.DLL] [Symantec Corporation, 8.2.0.81]
[C:\Program Files\Common Files\Symantec Shared\AppCore\AppSet32.dll] [Symantec Corporation, 1.3.00.68]
[C:\Program Files\Common Files\Symantec Shared\ccEvtCli.dll] [Symantec Corporation, 107.0.4.2]
[C:\PROGRA~1\COMMON~1\SYMANT~1\NCWHYPEX\NCWHYPEX.DLL] [Symantec Corporation, 15.5.0.32]
[C:\PROGRA~1\COMMON~1\SYMANT~1\FIREWALL\FWAGENT.DLL] [Symantec Corporation, 3.5.0.12]
[C:\PROGRA~1\COMMON~1\SYMANT~1\PIF\{96E26~1\PIFENG.DLL] [Symantec Corporation, 1.5.0.12]
[C:\Program Files\Common Files\Symantec Shared\AntiVirus\avDefMgr.dll] [Symantec Corporation, 3.5.00.14]
[C:\PROGRA~1\COMMON~1\SYMANT~1\SPBBC\SPBBCEVT.DLL] [Symantec Corporation, 4.1.0.15]
[C:\WINDOWS\system32\SymNeti.dll] [Symantec Corporation, 8.0.1.18]
[C:\Program Files\Common Files\Symantec Shared\AntiVirus\AVScan.dll] [Symantec Corporation, 3.5.00.14]
[C:\Program Files\Common Files\Symantec Shared\AntiVirus\avModule.dll] [Symantec Corporation, 3.5.00.14]
[C:\PROGRA~1\COMMON~1\SYMANT~1\SRTSP\SRTSP32.DLL] [Symantec Corporation, 10.2.3.9]
[C:\Program Files\Common Files\Symantec Shared\ccProSub.dll] [Symantec Corporation, 107.0.4.2]
[C:\PROGRA~1\COMMON~1\SYMANT~1\CCSETEVT.DLL] [Symantec Corporation, 107.0.4.2]
[C:\PROGRA~1\NORTON~1\NORTON~1\NAVEVENT.DLL] [Symantec Corporation, 15.5.0.23]
[C:\Program Files\Common Files\Symantec Shared\QBackup.dll] [Symantec Corporation, 3.5.00.14]
[C:\Program Files\Norton Internet Security\SetEvtHp.dll] [Symantec Corporation, 15.5.0.32]
[C:\Program Files\Common Files\Symantec Shared\Firewall\FWHelper.dll] [Symantec Corporation, 3.5.0.12]
[C:\Program Files\Norton Internet Security\isDataCl.dll] [Symantec Corporation, 15.5.0.32]
[C:\Program Files\Common Files\Symantec Shared\AntiVirus\AVIfc.dll] [Symantec Corporation, 3.5.00.14]
[C:\Program Files\Common Files\Symantec Shared\SPBBC\ccTrstPc.dll] [Symantec Corporation, 4.1.0.15]
[C:\Program Files\Norton Internet Security\fwPlugin.dll] [Symantec Corporation, 15.5.0.32]
[C:\Program Files\Norton Internet Security\fwEvent.dll] [Symantec Corporation, 15.5.0.32]
[C:\PROGRA~1\COMMON~1\SYMANT~1\OPC\{C86EA~1\CLTNETCN.DLL] [Symantec Corporation, 8.1.0.27]
[C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\SyKnAppS\SyKnAppS.dll] [Symantec Corporation, 2.5.0.22]
[C:\Program Files\Common Files\Symantec Shared\coShared\WA\2.5\NppCCWkr.dll] [Symantec Corporation, 2008.2.5.32]
[C:\Program Files\Common Files\Symantec Shared\coShared\WA\2.5\NppDSMgr.dll] [Symantec Corporation, 2008.2.5.32]
[C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coRegMon.dll] [Symantec Corporation, 2008.2.5.32]
[C:\Program Files\Common Files\Symantec Shared\coShared\CW\2.5\CWBB.dll] [Symantec Corporation, 2008.2.5.32]
[C:\Program Files\Common Files\Symantec Shared\COL\BBIF.DLL] [Symantec Corporation, 2007.1.1.1009]
[C:\Program Files\Common Files\Symantec Shared\coShared\CW\2.5\CWCon.dll] [Symantec Corporation, 2008.2.5.32]
[C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCCli.dll] [Symantec Corporation, 4.1.0.15]
[C:\Program Files\Norton Internet Security\IMCfg.dll] [Symantec Corporation, 15.5.0.32]
[C:\Program Files\Common Files\Symantec Shared\SPBBC\bbRGen.dll] [Symantec Corporation, 4.1.0.15]
[C:\PROGRA~1\COMMON~1\SYMANT~1\PIF\{96E26~1\PollMgr.dll] [Symantec Corporation, 1.5.0.12]
[C:\Program Files\Common Files\Symantec Shared\ccSEBind.dll] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Common Files\Symantec Shared\HTEC\HTECSub.dll] [Symantec Corporation, 2.0.0.48]
[C:\Program Files\Common Files\Symantec Shared\coShared\CW\2.5\coSubmit.dll] [Symantec Corporation, 2008.2.5.32]
[C:\Program Files\Common Files\Symantec Shared\coShared\CW\2.5\coSubXLT.dll] [Symantec Corporation, 2008.2.5.32]
[C:\Program Files\Common Files\Symantec Shared\ccALEng.dll] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Common Files\Symantec Shared\ccScanw.dll] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Common Files\Symantec Shared\ecmldr32.DLL] [Symantec Corporation, 71.3.0.25]
[C:\Program Files\Common Files\Symantec Shared\MSL\msl.dll] [Symantec Corporation, 107.0.4.2]
[C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080501.019\ccEraser.dll] [Symantec Corporation, 107.4.1.2]
[C:\Program Files\Common Files\Symantec Shared\DefUtDCD.dll] [Symantec Corporation, 3.3.16.0]
[C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080501.019\ecmsvr32.dll] [Symantec Corporation, 71.4.0.15]
[C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080501.019\NAVEX32a.DLL] [Symantec Corporation, 20071.4.3.10]
[C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080501.019\NAVENG32.DLL] [Symantec Corporation, 20071.4.3.10]
[PID: 264 / SYSTEM][C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe] [Lavasoft, 7,0,2,7]
[C:\Program Files\Lavasoft\Ad-Aware 2007\CEAPI.dll] [Lavasoft, 7,0,2,6]
[C:\Program Files\Lavasoft\Ad-Aware 2007\PKArchive85u.dll] [PKWARE, Inc., 8.4.1045.0]
[C:\Program Files\Lavasoft\Ad-Aware 2007\lavalicense.dll] [Lavasoft AB, 7, 0, 2, 6]
[PID: 548 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
[PID: 636 / LOCAL SERVICE][C:\WINDOWS\System32\SCardSvr.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 824 / SYSTEM][C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe] [Symantec Corporation, 3.4.1.232]
[C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Common Files\Symantec Shared\ccL70U.dll] [Symantec Corporation, 107.0.4.2]
[PID: 1184 / SYSTEM][C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe] [N/A, ]
[PID: 1284 / SYSTEM][C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe] [, 1, 0, 7, 4]
[C:\Program Files\Belkin\Belkin Wireless Network Utility\PINGDLL.dll] [N/A, ]
[C:\Program Files\Belkin\Belkin Wireless Network Utility\ProcNICs.dll] [, 1, 0, 0, 7]
[C:\Program Files\Belkin\Belkin Wireless Network Utility\Ralinktek.dll] [GemTK, 1, 0, 1, 5]
[C:\Program Files\Belkin\Belkin Wireless Network Utility\GEMWEP.DLL] [, 1, 0, 0, 1]
[C:\Program Files\Belkin\Belkin Wireless Network Utility\Security.dll] [, 1, 0, 2, 8]
[C:\Program Files\Belkin\Belkin Wireless Network Utility\RM_DEV_CODE.dll] [, 1, 0, 1, 2]
[C:\Program Files\Belkin\Belkin Wireless Network Utility\0004\AegisE5.dll] [Meetinghouse Data Communications, 3, 3, 3, 0]
[PID: 1308 / SYSTEM][C:\WINDOWS\System32\gearsec.exe] [GEAR Software, 1, 0, 0, 6]
[PID: 1716 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1992 / LOCAL SERVICE][C:\WINDOWS\system32\wdfmgr.exe] [Microsoft Corporation, 5.2.3790.1230 built by: dnsrv(bld4act)]
[PID: 2172 / Larry Miller][C:\WINDOWS\system32\pctspk.exe] [, 1, 0, 0, 1]
[PID: 2196 / Larry Miller][C:\Program Files\iTunes\iTunesHelper.exe] [Apple Computer, Inc., 4.2.0.72]
[PID: 2208 / Larry Miller][C:\Program Files\Common Files\AOL\1134674526\ee\AOLSoftware.exe] [America Online, Inc., 1.5.3.1]
[C:\Program Files\Common Files\AOL\1134674526\ee\xprt5.dll] [AOL LLC, 5.2.3.5014]
[C:\Program Files\Common Files\AOL\1134674526\ee\AOLSvcMgr.dll] [America Online, Inc., 1.5.3.1]
[C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll] [AOL LLC, 3.3.10.1]
[C:\Program Files\Common Files\AOL\1134674526\ee\AOLHostMgr.dll] [America Online, Inc., 1.5.3.1]
[c:\program files\common files\aol\1134674526\ee\services\os\ver4_2_7_1\OS.dll] [America Online, Inc., 4.2.7.1]
[c:\program files\common files\aol\1134674526\ee\services\os\ver4_2_7_1\AOLIdleMon.dll] [America Online, Inc., 4.2.7.1]
[c:\program files\common files\aol\1134674526\ee\services\notification\ver6_2_5_2\Notify.dll] [America Online, Inc., 6.2.5.2]
[c:\program files\common files\aol\1134674526\ee\services\localStorage\ver4_7_2_1\clsSvc.dll] [America Online, Inc., 4.7.2.1]
[c:\program files\common files\aol\1134674526\ee\services\aolsystrayservice\ver3_0_3_1\AOLSysTrayService.dll] [America Online, Inc., 3.0.3.1]
[c:\program files\common files\aol\1134674526\ee\services\metrics\ver3_6_13_2\cmls.dll] [America Online, Inc., 3.6.13.2]
[c:\program files\common files\aol\1134674526\ee\services\suiteframework\ver2_30_12_1\suiteFramework.dll] [America Online, Inc., 2.30.12.1]
[PID: 2252 / Larry Miller][C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Common Files\Symantec Shared\ccL70U.dll] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Common Files\Symantec Shared\ccSvc.dll] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Common Files\Symantec Shared\CCIPC.dll] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Common Files\Symantec Shared\ccSet.dll] [Symantec Corporation, 107.0.4.2]
[C:\PROGRA~1\COMMON~1\SYMANT~1\COL\SESHLP.DLL] [Symantec Corporation, 6.1.2.4]
[C:\Program Files\Common Files\Symantec Shared\auCOLPwd.dll] [Symantec Corporation, 2007.1.1.1009]
[C:\PROGRA~1\COMMON~1\SYMANT~1\CCAPPPLG.DLL] [Symantec Corporation, 107.0.4.2]
[C:\PROGRA~1\COMMON~1\SYMANT~1\NPC\NPCLU.DLL] [Symantec Corporation, 2008.6.00.18]
[C:\Program Files\Common Files\Symantec Shared\AppCore\AppPlg32.dll] [Symantec Corporation, 1.3.00.68]
[C:\PROGRA~1\COMMON~1\SYMANT~1\NPC\2.0\NPCTRAY.DLL] [Symantec Corporation, 2008.6.00.18]
[C:\Program Files\Common Files\Symantec Shared\AppCore\AppMgr32.dll] [Symantec Corporation, 1.3.00.68]
[C:\Program Files\Common Files\Symantec Shared\AppCore\AppSet32.dll] [Symantec Corporation, 1.3.00.68]
[C:\Program Files\Common Files\Symantec Shared\NPC\2.0\uiAlert.dll] [Symantec Corporation, 2008.6.00.18]
[C:\Program Files\Common Files\Symantec Shared\NPC\DataPvdr.dll] [Symantec Corporation, 2008.6.00.18]
[C:\PROGRA~1\COMMON~1\SYMANT~1\CCALERT.DLL] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Common Files\Symantec Shared\NPC\2.0\uiHost.dll] [Symantec Corporation, 2008.6.00.18]
[C:\PROGRA~1\COMMON~1\SYMANT~1\CCEMLPXY.DLL] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Norton Internet Security\fwAlert.dll] [Symantec Corporation, 15.5.0.32]
[C:\Program Files\Common Files\Symantec Shared\ccSetEvt.dll] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Norton Internet Security\ISDataCl.dll] [Symantec Corporation, 15.5.0.32]
[C:\Program Files\Norton Internet Security\coDataPr.dll] [Symantec Corporation, 2008.2.5.32]
[C:\Program Files\Norton Internet Security\09\01\coDataPr.loc] [Symantec Corporation, 2008.2.5.32]
[C:\Program Files\Common Files\Symantec Shared\ccProSub.dll] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Common Files\Symantec Shared\NPC\2.0\uiDataCl.dll] [Symantec Corporation, 2008.6.00.18]
[C:\PROGRA~1\NORTON~1\NORTON~1\AVPAPP32.DLL] [Symantec Corporation, 15.5.0.23]
[C:\PROGRA~1\COMMON~1\SYMANT~1\ccEvtCli.dll] [Symantec Corporation, 107.0.4.2]
[C:\PROGRA~1\NORTON~1\NISTRAY.DLL] [Symantec Corporation, 15.5.0.23]
[C:\PROGRA~1\NORTON~1\ISLALERT.DLL] [Symantec Corporation, 15.5.0.32]
[C:\Program Files\Common Files\Symantec Shared\NPC\2.0\pcStatus.dll] [Symantec Corporation, 2008.6.00.18]
[C:\Program Files\Common Files\Symantec Shared\PIF\{96E26A03-A25A-400b-B9B4-564C9BD00F46}\AlertEng.dll] [Symantec Corporation, 1.5.0.9]
[C:\Program Files\Common Files\Symantec Shared\COH\sesHlp.dll] [Symantec Corporation, 6.1.6.2]
[C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\NPC\2.0\UICNTNR.DLL] [Symantec Corporation, 2008.6.00.18]
[C:\Program Files\Norton Internet Security\SetEvtHp.dll] [Symantec Corporation, 15.5.0.32]
[C:\Program Files\Common Files\Symantec Shared\NPC\2.0\WSCRHLPR.dll] [Symantec Corporation, 2008.6.00.18]
[C:\Program Files\Common Files\Symantec Shared\COH\sH0003.dll] [Symantec Corporation, 6,1,6,2]
[C:\WINDOWS\system32\SymNeti.dll] [Symantec Corporation, 8.0.1.18]
[C:\Program Files\Norton Internet Security\fwEvent.dll] [Symantec Corporation, 15.5.0.32]
[C:\Program Files\Common Files\Symantec Shared\AntiVirus\AVIfc.dll] [Symantec Corporation, 3.5.00.14]
[C:\WINDOWS\system32\SymRedir.dll] [Symantec Corporation, 8.0.1.18]
[C:\Program Files\Common Files\Symantec Shared\AntiVirus\AVMail.dll] [Symantec Corporation, 3.5.00.14]
[C:\Program Files\Common Files\Symantec Shared\NPC\2.0\WSCRMain.dll] [Symantec Corporation, 2008.6.00.18]
[C:\Program Files\Common Files\Symantec Shared\NPC\2.0\WmiClnt.dll] [Symantec Corporation, 2008.6.00.18]
[C:\Program Files\Common Files\Symantec Shared\NPC\2.0\WmiData.dll] [Symantec Corporation, 2008.6.00.18]
[C:\Program Files\Common Files\Symantec Shared\NPC\2.0\uiLicPlg.dll] [Symantec Corporation, 2008.6.00.18]
[C:\Program Files\Common Files\Symantec Shared\NPC\PEPEvnt.dll] [Symantec Corporation, 2008.6.00.18]
[C:\Program Files\Common Files\Symantec Shared\CF\PEP2.dll] [Symantec Corporation, 2006.1.03.35]
[C:\Program Files\Common Files\Symantec Shared\coShared\CIM\2.5\AcctMgr.dll] [Symantec Corporation, 2008.2.5.32]
[C:\Program Files\Common Files\Symantec Shared\coShared\CIM\2.5\DSMigrat.dll] [Symantec Corporation, 2008.2.5.32]
[C:\Program Files\Common Files\Symantec Shared\coShared\CIM\2.5\coParse.dll] [Symantec Corporation, 1, 0, 0, 1]
[C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll] [Symantec Corporation, 2.0.00.20]
[C:\PROGRA~1\COMMON~1\SYMANT~1\PIF\{96E26~1\AlertUi.dll] [Symantec Corporation, 1.5.0.9]
[PID: 2332 / Larry Miller][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2352 / Larry Miller][C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe] [Google Inc., 2, 0, 301, 1654]
[C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\gtn.dll] [Google Inc., 2, 0, 301, 7164]
[C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\res_en.dll] [Google Inc., 2, 0, 301, 7164]
[C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll] [Google Inc., 2, 0, 301, 7164]
[PID: 2424 / Larry Miller][C:\Program Files\E-Color\Colorific\hgcctl95.exe] [E-Color, Inc. formerly Sonnetech Ltd., 99, 30, 0, 28]
[C:\Program Files\E-Color\Colorific\HGCUtil.dll] [E-Color, Inc. formerly Sonnetech, Ltd., 99, 30, 0, 28]
[C:\Program Files\E-Color\Colorific\HGCBUILD.dll] [E-Color, Inc. formerly Sonnetech, Ltd., 99, 20, 0, 22]
[C:\Program Files\E-Color\Colorific\SonnICM.dll] [E-Color, Inc. formerly Sonnetech, Ltd, 99, 20, 0, 6]
[C:\Program Files\E-Color\Colorific\LCDBUILD.dll] [E-Color, Inc. formerly Sonnetech, Ltd., 99, 30, 0, 30]
[C:\Program Files\E-Color\Colorific\HGCRES95.DLL] [E-Color, Inc. formerly Sonnetech Ltd., 99, 30, 0, 33]
[PID: 2480 / Larry Miller][C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe] [Microsoft® Corporation, 6.00.1828.1]
[PID: 3920 / SYSTEM][C:\Program Files\iPod\bin\iPodService.exe] [Apple Computer, Inc., 4.2.0.72]
[PID: 2076 / LOCAL SERVICE][C:\WINDOWS\System32\alg.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1192 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3356 / Larry Miller][C:\WINDOWS\system32\wuauclt.exe] [Microsoft Corporation, 7.0.6000.381 (winmain(wmbla).070730-1740)]
[PID: 3756 / SYSTEM][C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe] [, ]
[C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcnet.dll] [, ]
[PID: 2100 / Larry Miller][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 7.00.6000.16640 (vista_gdr.080213-1606)]
[C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll] [Symantec Corporation, 2008.2.5.32]
[C:\Program Files\Common Files\Symantec Shared\ccL70U.dll] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Common Files\Symantec Shared\AppCore\AppMgr32.dll] [Symantec Corporation, 1.3.00.68]
[C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coCoreFw.dll] [Symantec Corporation, 2008.2.5.32]
[C:\Program Files\Common Files\Symantec Shared\AppCore\AppSet32.dll] [Symantec Corporation, 1.3.00.68]
[C:\Program Files\Common Files\Symantec Shared\SymHTML\2.0\SymHTML.DLL] [Symantec Corporation, 2.0.00.73]
[C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll] [Yahoo! Inc., 2006, 7, 7, 1]
[C:\Program Files\Common Files\Symantec Shared\coShared\WP\2.5\coWCID.dll] [Symantec Corporation, 2008.2.5.32]
[C:\Program Files\Common Files\Symantec Shared\ccIPC.dll] [Symantec Corporation, 107.0.4.2]
[C:\Program Files\Common Files\Symantec Shared\coShared\WP\2.5\nppw.dll] [Symantec Corporation, 2008.2.0.5003]
[C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coUICtlr.dll] [Symantec Corporation, 2008.2.5.32]
[C:\Program Files\Common Files\Symantec Shared\coShared\WA\2.5\coWbAuth.dll] [Symantec Corporation, 2008.2.5.32]
[C:\Program Files\Common Files\Symantec Shared\coShared\CIM\2.5\IVPlugin.dll] [Symantec Corporation, 2008.2.5.32]
[C:\Program Files\Common Files\Symantec Shared\coShared\CIM\2.5\rf.dll] [Siber Systems, 6-9-86]
[C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll] [Symantec Corporation, 8.2.0.81]
[C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\ipsdefs\20080429.001\Scxpx86.dll] [Symantec Corporation, 8.2.2.6]
[c:\program files\google\googletoolbar2.dll] [Google Inc., 4, 0, 1601, 4978]
[C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll] [Google Inc., 2, 0, 301, 7164]
[C:\Program Files\Yahoo!\Companion\Installs\cpn\pubmod.dll] [Yahoo! Inc., 2005, 12, 16, 1]
[C:\Program Files\Yahoo!\Companion\Installs\cpn\ypubc.dll] [Yahoo! Inc., 2006.1.25.01]
[C:\Program Files\Yahoo!\Companion\Installs\cpn\YTAntiSpy.dll] [Yahoo!, Inc., 2006, 05, 22, 01]
[C:\Program Files\Yahoo!\Companion\Installs\cpn\YMERemote.dll] [Yahoo! Inc., 2006, 3, 21, 1]
[C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx] [Macromedia, Inc., 8,0,24,0]
[C:\Program Files\Common Files\Symantec Shared\coShared\CIM\2.5\coParse.dll] [Symantec Corporation, 1, 0, 0, 1]
[PID: 3348 / Larry Miller][C:\Documents and Settings\Larry Miller\Desktop\sreng2\SREngPS.EXE] [Smallfrogs Studio, 2.5.16.900]
[C:\Documents and Settings\Larry Miller\Desktop\sreng2\Upload\3rdUpd.DLL] [Smallfrogs Studio, 2, 1, 0, 15]

==================================
File Associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock Provider
N/A

==================================
Autorun.Inf
[H:\]
[autorun]
OPEN=setupSNK.exe
ICON=\SMRTNTKY\fcw.ico
ACTION=Wireless Network Setup Wizard

==================================
HOSTS File
127.0.0.1 localhost

==================================
Process Privileges Scan
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 1284, C:\PROGRAM FILES\BELKIN\BELKIN WIRELESS NETWORK UTILITY\WLANCFGG.EXE]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 2424, C:\PROGRAM FILES\E-COLOR\COLORIFIC\HGCCTL95.EXE]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 2480, C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 3920, C:\PROGRAM FILES\IPOD\BIN\IPODSERVICE.EXE]

==================================
API HOOK
N/A

==================================
Hidden Process
N/A

==================================

[/CODE]


----------



## Jintan (Oct 4, 2007)

Nothing showing as unwanted activity in that view but an eXcite entry leftover from something. We'll do a guaranteed change to the registry entry in question then an additional scan to be sure. Overkill using Avenger, but an assurance of change. How are things running there right now?

Download The Avenger by Swandog from here and save it to your Desktop.

Okay the warning. When the Avenger display opens copy/paste the following text inside the Code box into the Avenger box titled "Input script here:". Then click the Execute button to run the repair, click Yes, then allow Avenger to reboot your system.


```
Registry values to replace with dummy: 
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
```
Your system may reboot twice to complete the repairs. After the reboot a text file will open - copy/paste those contents back here please. The log can also be found at C:\avenger.txt.

----------------------------

After the reboot go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.

To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".

--------------------------------

Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

*"%userprofile%\desktop\dss.exe" /config*

When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

*System Restore*
*Temp Cleanup*
*Process Modules*

Then under Extra Log, uncheck all the boxes.

Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

Post back that log along with the Kaspersky log and the avenger.txt log please.
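
As an added example (not code from either poster, nor from Kaspersky), a Python triage of the Kaspersky Online Scanner report format that the scan step above produces: it parses the tab-separated result lines and sorts each hit by whether it sits in an antivirus quarantine store, Norton's protected recycle bin, a System Restore point, or a location where it could still run. The sample lines are copied from the report posted later in this thread; the bucket names and the `INERT_LOCATIONS` table are assumptions of this example.

```python
"""Triage a Kaspersky Online Scanner report.

Each result line is: <object path> TAB <status> TAB <last action>.
Status is "Object is locked", "Infected: <name>", or a container note
such as "CAB: infected - 1". Reading such a log hinges on *where* the hit
lives: a quarantine store, the Norton Protected Recycle Bin
(RECYCLER\\NPROTECT) or a System Restore point is inert, whereas a hit
under Program Files or a user profile may still be live.
"""
import re

# Constructed sample: lines copied from the report posted in this thread.
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\Common Client\\settings.DAT\tObject is locked\tskipped
C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\Norton AntiVirus\\Quarantine\\49457E46.exe\tInfected: Backdoor.Win32.SdBot.ahj\tskipped
C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\Norton AntiVirus\\Quarantine\\5F3708A7/SaveNow.exe\tInfected: not-a-virus:AdWare.Win32.SaveNow.ar\tskipped
C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\Norton AntiVirus\\Quarantine\\5F3708A7\tCAB: infected - 1\tskipped
C:\\Program Files\\WinBudget\\bin\\crap.1165481044.old/data0000\tInfected: Trojan-Clicker.Win32.BHO.r\tskipped
C:\\Program Files\\WinBudget\\bin\\crap.1165481044.old\tUPX: infected - 1\tskipped
C:\\RECYCLER\\NPROTECT\\00526383\tInfected: not-a-virus:AdWare.Win32.Cydoor\tskipped
C:\\System Volume Information\\_restore{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\\RP441\\A0076892.exe\tInfected: Trojan-Downloader.Win32.PurityScan.eh\tskipped
C:\\Documents and Settings\\Larry Miller\\Desktop\\itunes\\11 lupe fiasco lil weapons.mp3\tInfected: Trojan-Downloader.WMA.Wimad.n\tskipped
"""

# Locations where a detection is inert: the file no longer sits on its
# original path and cannot be executed from there. (Assumed table.)
INERT_LOCATIONS = (
    (r"\\quarantine\\", "quarantine"),
    (r"\\recycler\\nprotect\\", "protected recycle bin"),
    (r"\\system volume information\\_restore", "system restore point"),
)

RESULT_RE = re.compile(r"^(?P<path>[^\t]+)\t(?P<status>[^\t]+)\t(?P<action>[^\t]+)$")


def parse_report(text):
    """Yield (path, status, action) for each tab-separated result line."""
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            yield m.group("path"), m.group("status"), m.group("action")


def classify(path, status):
    """Return the triage bucket for one result line."""
    if status == "Object is locked":
        return "locked (not scanned)"
    # Kaspersky appends '/member' for files inside archives; strip that so
    # the container's on-disk location decides the bucket.
    container = path.split("/", 1)[0].lower()
    for pattern, bucket in INERT_LOCATIONS:
        if re.search(pattern, container):
            return bucket
    return "possibly live"


def triage(text):
    """Group result lines by bucket: {bucket: [(path, status), ...]}."""
    buckets = {}
    for path, status, _action in parse_report(text):
        buckets.setdefault(classify(path, status), []).append((path, status))
    return buckets


def summary(text):
    """Count result lines per bucket."""
    return {bucket: len(items) for bucket, items in triage(text).items()}


def live_detections(text):
    """(path, detection name) for hits outside the inert stores.

    Container notes ("UPX: infected - 1") repeat a hit already listed for
    an archive member, so only 'Infected:' statuses are returned.
    """
    prefix = "Infected: "
    return [(path, status[len(prefix):])
            for path, status in triage(text).get("possibly live", [])
            if status.startswith(prefix)]


if __name__ == "__main__":
    for bucket, n in sorted(summary(SAMPLE_REPORT).items()):
        print(f"{n:3d}  {bucket}")
    print("\nNeeds attention:")
    for path, name in live_detections(SAMPLE_REPORT):
        print(f"  {name:40s} {path}")
```

Run against the full report, the same split shows most of its 73 "infected objects" are quarantine, NPROTECT and restore-point copies, which is the distinction a helper draws before deciding what still needs removing.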


----------



## GlennU (Jul 25, 2005)

Computer seems a bit smoother. Time will tell. Still noticing the Windows update shield appearing even after updating.

Ran Avenger, Kaspersky and DSS. Had to rerun Avenger after running Kaspersky and DSS because Avenger wanted a password to open the file.

Avenger file below:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: could not query size of registry value "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DL"
Replacement with dummy of registry value "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DL" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Sat May 03 21:25:54 2008

21:25:54: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!

*Kaspersky file below:*

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 03, 2008 11:15:06 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/05/2008
Kaspersky Anti-Virus database records: 736284
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
E:\
F:\
H:\

Scan Statistics:
Total number of scanned objects: 72280
Number of viruses found: 22
Number of infected objects: 73
Number of suspicious objects: 0
Duration of the scan process: 02:02:35

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\submissions.idx	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.DAT	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{0C9CD8F1-DB03-4237-9346-135BA7046485}.DAT	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{749F2CE1-6968-4A2A-928A-BAE2D6C2E19D}.DAT	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{C4C5BC92-3E9E-4C44-9F0F-59CDC96EE5F5}.DAT	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-05-03_Log.ALUSchedulerSvc.LiveUpdate	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0D4144C2.DLL	Infected: not-a-virus:AdWare.Win32.WindowEnhancer	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\17564CCA	Infected: not-a-virus:AdWare.Win32.Cydoor	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3D47785A	Infected: not-a-virus:AdWare.Win32.SmartPops.b	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\49457E46.exe	Infected: Backdoor.Win32.SdBot.ahj	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F335EAB	Infected: not-a-virus:AdWare.Win32.SmartPops.a	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F3708A7/SaveNow.exe	Infected: not-a-virus:AdWare.Win32.SaveNow.ar	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F3708A7	CAB: infected - 1	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F3708A7	CryptFF: infected - 1	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60E3103B	Infected: Trojan-Downloader.NSIS.Agent.e	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{5DF424E9-A8BC-45CD-A527-E2F569755C1A}.ldb	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{5DF424E9-A8BC-45CD-A527-E2F569755C1A}.sds	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\35B3AF05.TMP	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log	Object is locked	skipped
C:\Documents and Settings\Larry Miller\Application Data\Symantec\NPMDataStore\CIMStore.xml	Object is locked	skipped
C:\Documents and Settings\Larry Miller\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\Larry Miller\Desktop\itunes\11 lupe fiasco lil weapons.mp3	Infected: Trojan-Downloader.WMA.Wimad.n	skipped
C:\Documents and Settings\Larry Miller\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls	Object is locked	skipped
C:\Documents and Settings\Larry Miller\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\Larry Miller\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Larry Miller\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Larry Miller\Local Settings\Temp\~DFDD94.tmp	Object is locked	skipped
C:\Documents and Settings\Larry Miller\Local Settings\Temp\~DFDDB1.tmp	Object is locked	skipped
C:\Documents and Settings\Larry Miller\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat	Object is locked	skipped
C:\Documents and Settings\Larry Miller\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Larry Miller\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\Larry Miller\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log	Object is locked	skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log	Object is locked	skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log	Object is locked	skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log	Object is locked	skipped
C:\Program Files\WinBudget\bin\crap.1165481044.old/data0000	Infected: Trojan-Clicker.Win32.BHO.r	skipped
C:\Program Files\WinBudget\bin\crap.1165481044.old	EmbeddedEXE: infected - 1	skipped
C:\Program Files\WinBudget\bin\crap.1165481044.old	UPX: infected - 1	skipped
C:\Program Files\WinBudget\bin\crap.1165481044.old	PE_Patch.UPX: infected - 1	skipped
C:\RECYCLER\NPROTECT\00526383	Infected: not-a-virus:AdWare.Win32.Cydoor	skipped
C:\RECYCLER\NPROTECT\00526384	Infected: not-a-virus:AdWare.Win32.SmartPops.b	skipped
C:\RECYCLER\NPROTECT\00526385	Infected: not-a-virus:AdWare.Win32.SmartPops.a	skipped
C:\RECYCLER\NPROTECT\00526386/SaveNow.exe	Infected: not-a-virus:AdWare.Win32.SaveNow.ar	skipped
C:\RECYCLER\NPROTECT\00526386	CAB: infected - 1	skipped
C:\RECYCLER\NPROTECT\00526386	CryptFF: infected - 1	skipped
C:\RECYCLER\NPROTECT\00526387	Infected: Trojan-Downloader.NSIS.Agent.e	skipped
C:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
C:\System Volume Information\_restore{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076882.exe/stream/data0002	Infected: not-a-virus:AdWare.Win32.Mostofate.u	skipped
C:\System Volume Information\_restore{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076882.exe/stream	Infected: not-a-virus:AdWare.Win32.Mostofate.u	skipped
C:\System Volume Information\_restore{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076882.exe	NSIS: infected - 2	skipped
C:\System Volume Information\_restore{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076883.exe	Infected: not-a-virus:AdWare.Win32.Mostofate.ac	skipped
C:\System Volume Information\_restore{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076884.exe	Infected: not-a-virus:AdWare.Win32.Mostofate.ac	skipped
C:\System Volume Information\_restore{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076885.exe	Infected: not-a-virus:AdWare.Win32.Mostofate.ac	skipped
C:\System Volume Information\_restore{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076892.exe	Infected: Trojan-Downloader.Win32.PurityScan.eh	skipped
C:\System Volume Information\_restore{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076893.exe	Infected: Trojan-Dropper.Win32.VB.nn	skipped
C:\System Volume Information\_restore{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076904.old	Infected: Trojan-Clicker.Win32.BHO.s	skipped
C:\System Volume Information\_restore{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076911.exe	Infected: Trojan-Downloader.Win32.Agent.bca	skipped
C:\System Volume Information\_restore{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}\RP441\A0076917.exe	Infected: not-a-virus:AdWare.Win32.NewDotNet	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1280\A0089147.exe/data0002	Infected: not-a-virus:AdWare.Win32.PurityScan.fl	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1280\A0089147.exe/data0003	Infected: not-a-virus:AdWare.Win32.PurityScan.bu	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1280\A0089147.exe	NSIS: infected - 2	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1293\A0091248.exe/data0002	Infected: not-a-virus:AdWare.Win32.PurityScan.fk	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1293\A0091248.exe/data0003	Infected: not-a-virus:AdWare.Win32.PurityScan.bu	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1293\A0091248.exe	NSIS: infected - 2	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1300\A0091279.exe/data0002	Infected: not-a-virus:AdWare.Win32.PurityScan.fk	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1300\A0091279.exe/data0003	Infected: not-a-virus:AdWare.Win32.PurityScan.bu	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1300\A0091279.exe	NSIS: infected - 2	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1301\A0091286.exe/data0002	Infected: not-a-virus:AdWare.Win32.PurityScan.fk	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1301\A0091286.exe/data0003	Infected: not-a-virus:AdWare.Win32.PurityScan.bu	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1301\A0091286.exe	NSIS: infected - 2	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1302\A0091293.exe/data0002	Infected: not-a-virus:AdWare.Win32.PurityScan.fk	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1302\A0091293.exe/data0003	Infected: not-a-virus:AdWare.Win32.PurityScan.bu	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1302\A0091293.exe	NSIS: infected - 2	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1303\A0091299.exe	Infected: not-a-virus:AdWare.Win32.PurityScan.hj	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1303\A0091300.exe/data0002	Infected: not-a-virus:AdWare.Win32.PurityScan.fk	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1303\A0091300.exe/data0003	Infected: not-a-virus:AdWare.Win32.PurityScan.bu	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1303\A0091300.exe	NSIS: infected - 2	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1304\A0091313.exe/data0002	Infected: not-a-virus:AdWare.Win32.PurityScan.fk	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1304\A0091313.exe/data0003	Infected: not-a-virus:AdWare.Win32.PurityScan.bu	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1304\A0091313.exe	NSIS: infected - 2	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1304\A0091324.exe	Infected: not-a-virus:AdWare.Win32.PurityScan.hj	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1305\A0091327.exe/data0002	Infected: not-a-virus:AdWare.Win32.PurityScan.fk	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1305\A0091327.exe/data0003	Infected: not-a-virus:AdWare.Win32.PurityScan.bu	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1305\A0091327.exe	NSIS: infected - 2	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1311\A0091351.exe/data0002	Infected: not-a-virus:AdWare.Win32.PurityScan.fk	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1311\A0091351.exe/data0003	Infected: not-a-virus:AdWare.Win32.PurityScan.bu	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1311\A0091351.exe	NSIS: infected - 2	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1315\A0091381.exe/data0002	Infected: not-a-virus:AdWare.Win32.PurityScan.fk	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1315\A0091381.exe/data0003	Infected: not-a-virus:AdWare.Win32.PurityScan.bu	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1315\A0091381.exe	NSIS: infected - 2	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1329\A0092066.exe	Infected: not-a-virus:AdWare.Win32.Mostofate.u	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0098514.exe/data0002	Infected: not-a-virus:AdWare.Win32.PurityScan.fk	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0098514.exe/data0003	Infected: not-a-virus:AdWare.Win32.PurityScan.bu	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0098514.exe	NSIS: infected - 2	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0111472.exe	Infected: not-a-virus:AdWare.Win32.Rond.a	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0164733.dll	Infected: Trojan-Clicker.Win32.BHO.r	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0174239.old	Infected: Trojan-Clicker.Win32.BHO.r	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0180227.reg	Infected: Trojan.WinREG.StartPage	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\A0180233.reg	Infected: Trojan.WinREG.StartPage	skipped
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP1332\change.log	Object is locked	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\Sti_Trace.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\default	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\Internet.evt	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\software	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\system	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\h323log.txt	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\Temp\JET7678.tmp	Object is locked	skipped
C:\WINDOWS\wiadebug.log	Object is locked	skipped
C:\WINDOWS\wiaservc.log	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped

Scan process completed.

*DSS to follow.*


----------



## GlennU (Jul 25, 2005)

Deckard's System Scanner v20071014.68
Run by Larry Miller on 2008-05-03 11:22:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 255 MiB (512 MiB recommended).

-- HijackThis (run as Larry Miller.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:27 AM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1134674526\ee\AOLSoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\E-Color\Colorific\hgcctl95.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Larry Miller\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\LARRYM~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hhttp://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134674526\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Colorific.lnk = C:\Program Files\E-Color\Colorific\hgcctl95.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SonnReg.lnk = C:\Program Files\E-Color\Registration\SonnReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {0D68CB5D-F53A-4446-9C8F-BFEDF5D63C7B} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O9 - Extra button: @Home - {681A93F4-BE60-49D0-88CF-73489AA78B89} - http://home.excite.com (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://home.excite.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...W/win/019-0123.20031218.zes4d/iTunesSetup.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by130fd.bay130.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8213 bytes

-- Files created between 2008-04-03 and 2008-05-03 -----------------------------

2008-05-02 22:52:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-02 22:52:10 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-02 22:52:08 0 d-------- C:\WINDOWS\LastGood
2008-04-30 20:17:51 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-30 20:17:28 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-30 20:17:28 0 d-------- C:\Documents and Settings\Larry Miller\Application Data\SUPERAntiSpyware.com
2008-04-28 18:49:25 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-04-26 11:09:03 0 d-------- C:\Documents and Settings\Larry Miller\Application Data\Malwarebytes
2008-04-26 11:08:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-26 11:08:46 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 10:15:58 0 d-------- C:\WINDOWS\ERUNT
2008-04-24 22:06:55 0 d-------- C:\Documents and Settings\Larry Miller\Application Data\FrostWire
2008-04-24 22:06:23 0 d-------- C:\Program Files\FrostWire
2008-04-24 19:55:55 36864 --a------ C:\WINDOWS\system32\wbsys.dll <Not Verified; Stardock.Net, Inc; WindowBlinds 4.x for x86 machines>
2008-04-24 19:55:54 0 d-------- C:\Program Files\AlienGUIse
2008-04-24 19:52:30 0 d-------- C:\Documents and Settings\Larry Miller\Application Data\Aim
2008-04-24 19:16:38 2560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-04-23 09:33:22 0 d-------- C:\Program Files\Windows Sidebar
2008-04-23 09:31:14 0 d-------- C:\Program Files\Norton Internet Security
2008-04-21 17:58:22 0 d-------- C:\Program Files\Lavasoft
2008-04-21 17:58:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-21 17:57:28 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-21 17:34:47 0 d-------- C:\Program Files\Enigma Software Group
2008-04-21 17:28:19 0 d-------- C:\Program Files\NoAdware5.0
2008-04-21 17:06:46 0 d-------- C:\Program Files\Trend Micro
2008-04-15 20:51:46 0 d--h----- C:\Documents and Settings\Larry Miller\Application Data\Webroot
2008-04-09 19:33:41 40960 --a------ C:\WINDOWS\system32\B11gUSB.dll
2008-04-09 19:33:37 94208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2008-04-09 19:33:37 15872 --a------ C:\WINDOWS\system32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-04-08 21:04:30 2048 -ra------ C:\WINDOWS\system32\drivers\rt73.bin
2008-04-08 20:40:59 232192 --a------ C:\WINDOWS\system32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>
2008-04-03 19:22:01 0 d-------- C:\Program Files\Belkin

-- Find3M Report ---------------------------------------------------------------

2008-05-02 23:04:52 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-30 21:53:12 0 d-------- C:\Program Files\OIN Search
2008-04-28 19:01:04 0 d-------- C:\Program Files\Comcast Rhapsody
2008-04-28 18:49:03 0 d-------- C:\Program Files\Common Files
2008-04-24 19:51:54 0 d-------- C:\Program Files\AIM95
2008-04-24 19:22:01 0 d-------- C:\Program Files\iTunes
2008-04-23 09:37:53 0 d--h----- C:\Documents and Settings\Larry Miller\Application Data\Symantec
2008-04-23 09:34:36 0 d-------- C:\Program Files\Symantec
2008-04-21 14:27:16 0 d--h----- C:\Documents and Settings\Larry Miller\Application Data\Google
2008-04-12 15:46:58 0 d-------- C:\Program Files\quickenw
2008-04-09 17:37:50 45056 --a------ C:\WINDOWS\NCUNINST.EXE <Not Verified; Northern Codeworks; Uninstall>
2008-04-09 17:37:42 0 d--h----- C:\Program Files\InstallShield Installation Information

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
02/07/2008 12:05 AM	349552	--a------	C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
04/23/2008 09:32 AM	116088	--a------	C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll [02/07/2008 12:05 AM 349552]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="" []
"PCTVOICE"="pctspk.exe" [08/14/2002 06:48 PM C:\WINDOWS\system32\pctspk.exe]
"DeadAIM"="C:\Program Files\AIM95\\DeadAIM.ocm" [02/24/2003 05:11 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/16/2003 12:06 PM]
"HostManager"="C:\Program Files\Common Files\AOL\1134674526\ee\AOLSoftware.exe" [05/09/2006 08:24 PM]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [02/17/2006 12:59 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/25/2008 09:47 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [02/07/2008 02:49 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/16/2007 03:15 PM]
"AIM"="C:\Program Files\AIM95\aim.exe" [11/13/2002 08:50 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Colorific.lnk - C:\Program Files\E-Color\Colorific\hgcctl95.exe [7/7/2002 10:26:25 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [7/13/2000 4:00:00 PM]
SonnReg.lnk - C:\Program Files\E-Color\Registration\SonnReg.exe [7/7/2002 10:26:26 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ca84dec-cc33-11db-bec4-806d6172696f}]
AutoRun\command- D:\CDSTART.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b54d96a-ca96-11db-88a4-0030f139d52e}]
AutoRun\command- H:\setupSNK.exe

*Newly Created Service* - COMHOST

-- End of Deckard's System Scanner: finished at 2008-05-03 11:23:18 ------------


----------



## Jintan (Oct 4, 2007)

That Avenger run failed because the end of the script was cut off ("AppInit_DL" instead of "AppInit_DLLs"). Please redo that after the following steps.

Kaspersky looks good though. Only normally locked system functions, infection already removed in previous scans and infection for now held harmless in System Restore. We will be clearing that out shortly anyway. And a folder needing removal, as well as a questionable choice in downloading music files. I suggest caution, as music files are where issues occur often, legally and malware-wise.

Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".

Do a search (Start - Search/Find - Files or Folders) for the following highlighted files/folders, and if found, delete them.

Folders:
C:\Program Files\OIN Search
C:\Program Files\WinBudget
And these if now uninstalled:
C:\Program Files\Enigma Software Group
C:\Program Files\NoAdware5.0

File:
C:\Documents and Settings\Larry Miller\Desktop\itunes\11 lupe fiasco lil weapons.mp3

You do not want to have folders store directly to the desktop like that iTunes one. If necessary in Explorer (right click Start - left click Explore) locate a folder, then right click and drag that to the desktop, and select the "create shortcut" option. The desktop truly is an interface only and not for storage.

Then redo the Avenger step at this point, being sure you have the entire script for that, and post back that log please. Once we verify that we will assess where we are, but looking cleared up well.
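As an added example (my own code, not part of this thread or of Kaspersky's tooling), the script below reads a result list in the tab-separated shape of the Kaspersky log posted above and applies the same reading given in this reply: "Object is locked" rows are normal system files in use, detections under System Restore or Norton's protected recycle bin (`RECYCLER\NPROTECT`) are held harmless until those stores are purged, and only objects outside them go on the removal list. The sample rows are constructed to mirror the posted log, not taken from a new scan.

```python
import re
from collections import defaultdict

# Constructed sample in the same tab-separated shape as the posted Kaspersky
# log (object, verdict, action). Paths echo the thread's findings.
SAMPLE_LOG = "\n".join([
    "C:\\WINDOWS\\system32\\config\\SAM\tObject is locked\tskipped",
    "C:\\Program Files\\WinBudget\\bin\\crap.1165481044.old/data0000"
    "\tInfected: Trojan-Clicker.Win32.BHO.r\tskipped",
    "C:\\Program Files\\WinBudget\\bin\\crap.1165481044.old\tUPX: infected - 1\tskipped",
    "C:\\RECYCLER\\NPROTECT\\00526384\tInfected: not-a-virus:AdWare.Win32.SmartPops.b\tskipped",
    "C:\\RECYCLER\\NPROTECT\\00526387\tInfected: Trojan-Downloader.NSIS.Agent.e\tskipped",
    "C:\\System Volume Information\\_restore{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}"
    "\\RP441\\A0076893.exe\tInfected: Trojan-Dropper.Win32.VB.nn\tskipped",
    "C:\\System Volume Information\\_restore{8BCE8E48-11ED-4316-88A2-E63DE8E72AFE}"
    "\\RP441\\A0076882.exe\tNSIS: infected - 2\tskipped",
    "C:\\WINDOWS\\WindowsUpdate.log\tObject is locked\tskipped",
])

# Restore-point copies live under _restore{GUID}\RPnnn\ and Norton's protected
# recycle bin under RECYCLER\NPROTECT. Neither runs on its own, so they are
# treated as held harmless until System Restore / the bin is purged.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\(RP\d+)\\", re.I)
NPROTECT_RE = re.compile(r"^[A-Z]:\\RECYCLER\\NPROTECT\\", re.I)
# Summary rows the scanner emits for the packer/archive wrapping a detection.
CONTAINER_RE = re.compile(r"^(?P<kind>[\w.]+): infected - (?P<n>\d+)$")


def location_of(path):
    """Classify where a flagged object sits: system_restore, norton_recycle or active."""
    if RESTORE_RE.search(path):
        return "system_restore"
    if NPROTECT_RE.match(path):
        return "norton_recycle"
    return "active"


def parse_line(line):
    """Parse one result row, or return None if it is not three tab-separated fields."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != 3:
        return None
    obj, verdict, action = parts
    # Archive/packer members are written as host/member; Windows paths never
    # contain '/', so the first slash separates the host file from the member.
    host, _, member = obj.partition("/")
    rec = {"host": host, "member": member or None, "action": action,
           "location": location_of(host), "name": None}
    if verdict == "Object is locked":
        rec["kind"] = "locked"
    elif verdict.startswith("Infected: "):
        rec["name"] = verdict[len("Infected: "):]
        # Kaspersky prefixes adware/riskware verdicts with "not-a-virus:".
        rec["kind"] = "riskware" if rec["name"].startswith("not-a-virus:") else "malware"
    else:
        m = CONTAINER_RE.match(verdict)
        rec["kind"] = "container" if m else "unknown"
        rec["name"] = m.group("kind") if m else verdict
    return rec


def triage(log_text):
    """Summarise a scan listing: locked rows are noise, detections are grouped
    by host file and location, and only 'active' hosts go on the removal list."""
    locked = containers = 0
    counts = {"malware": 0, "riskware": 0}
    by_location = defaultdict(lambda: defaultdict(set))
    restore_points = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "locked":
            locked += 1
        elif rec["kind"] == "container":
            containers += 1  # the member rows already carry the real verdict
        elif rec["kind"] in counts:
            counts[rec["kind"]] += 1
            by_location[rec["location"]][rec["host"]].add(rec["name"])
            if rec["location"] == "system_restore":
                restore_points.add(RESTORE_RE.search(rec["host"]).group(1))
    return {
        "locked": locked,
        "containers": containers,
        "counts": counts,
        "by_location": {loc: {h: sorted(n) for h, n in hosts.items()}
                        for loc, hosts in by_location.items()},
        "restore_points": sorted(restore_points),
        "needs_removal": sorted(by_location.get("active", {})),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```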


----------



## GlennU (Jul 25, 2005)

Performed all steps as instructed. Noticed "OIN Search" in Add/Remove folder. Should that be removed? Avenger report below.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Registry value "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs" replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.


----------



## Jintan (Oct 4, 2007)

That OIN listing is now only a registry remnant. Open Hijackthis.

Click Config - Misc Tools - Open Uninstall Manager again. Click to highlight that OIN entry then click Delete, and close HijackThis.

Scans and logs are coming back clear now, so looking good. Any issues/problems we need to address before we clean up what our work added there?


----------



## Jintan (Oct 4, 2007)

The progress here really was not the flow I had expected. But in review I was able to locate the info on a worm infection, that would have created the change info that has shown here. And its own Windows update value as well.


```
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"OfflineDetectionPending"=-
```
Open Notepad (Start - Run, type *Notepad* and OK) and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it updatefix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and OK the prompt asking if you wish to merge the file with your registry. Reboot after to complete those changes.

That should correct the update issue you have been noticing.


----------



## Jintan (Oct 4, 2007)

We actually did our repairs a bit backwards, since I was targeting an infection different from the worm that likely was involved. If you would, once you have done that registry merge reboot, and then run the same Deckards steps and post that new log please.


----------



## GlennU (Jul 25, 2005)

Jintan...did registry update and DSS. Report below.

Computer seems to be running smoother. All of your help is paying off. We only have 256 RAM and plan to add 512. One thing that is still a problem is the sound card. I'm thinking it might be a hardware issue since we've eliminated the virus and adware. As a note, I've verified the control>sound folder options seem to be set correctly. The systemsfolder>device driver>sound is not showing any yellow or red marks on the icon. I've updated the sound driver. Only thing I haven't done is delete the driver and reload it. Maybe I should. Any thoughts?

Thanks,
Glenn U

Deckard's System Scanner v20071014.68
Run by Larry Miller on 2008-05-08 15:27:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 255 MiB (512 MiB recommended).

-- HijackThis (run as Larry Miller.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:28:09 PM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1134674526\ee\AOLSoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\E-Color\Colorific\hgcctl95.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Larry Miller\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\LARRYM~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hhttp://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134674526\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Colorific.lnk = C:\Program Files\E-Color\Colorific\hgcctl95.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SonnReg.lnk = C:\Program Files\E-Color\Registration\SonnReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {0D68CB5D-F53A-4446-9C8F-BFEDF5D63C7B} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O9 - Extra button: @Home - {681A93F4-BE60-49D0-88CF-73489AA78B89} - http://home.excite.com (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://home.excite.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...W/win/019-0123.20031218.zes4d/iTunesSetup.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by130fd.bay130.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C87E1BCE-99F0-46D9-A3B5-A0754566D056}: NameServer = 71.242.0.12 71.252.0.12
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8285 bytes

-- Files created between 2008-04-08 and 2008-05-08 -----------------------------

2008-05-06 21:55:37 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-02 22:52:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-02 22:52:10 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-30 20:17:51 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-30 20:17:28 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-30 20:17:28 0 d-------- C:\Documents and Settings\Larry Miller\Application Data\SUPERAntiSpyware.com
2008-04-28 18:49:25 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-04-26 11:09:03 0 d-------- C:\Documents and Settings\Larry Miller\Application Data\Malwarebytes
2008-04-26 11:08:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-26 11:08:46 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 10:15:58 0 d-------- C:\WINDOWS\ERUNT
2008-04-24 22:06:55 0 d-------- C:\Documents and Settings\Larry Miller\Application Data\FrostWire
2008-04-24 22:06:23 0 d-------- C:\Program Files\FrostWire
2008-04-24 19:55:55 36864 --a------ C:\WINDOWS\system32\wbsys.dll <Not Verified; Stardock.Net, Inc; WindowBlinds 4.x for x86 machines>
2008-04-24 19:55:54 0 d-------- C:\Program Files\AlienGUIse
2008-04-24 19:52:30 0 d-------- C:\Documents and Settings\Larry Miller\Application Data\Aim
2008-04-24 19:16:38 2560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-04-23 09:33:22 0 d-------- C:\Program Files\Windows Sidebar
2008-04-23 09:31:14 0 d-------- C:\Program Files\Norton Internet Security
2008-04-21 17:58:22 0 d-------- C:\Program Files\Lavasoft
2008-04-21 17:58:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-21 17:57:28 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-21 17:06:46 0 d-------- C:\Program Files\Trend Micro
2008-04-15 20:51:46 0 d--h----- C:\Documents and Settings\Larry Miller\Application Data\Webroot
2008-04-09 19:33:41 40960 --a------ C:\WINDOWS\system32\B11gUSB.dll
2008-04-09 19:33:37 94208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2008-04-09 19:33:37 15872 --a------ C:\WINDOWS\system32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-04-08 21:04:30 2048 -ra------ C:\WINDOWS\system32\drivers\rt73.bin
2008-04-08 20:40:59 232192 --a------ C:\WINDOWS\system32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>

-- Find3M Report ---------------------------------------------------------------

2008-05-08 13:44:58 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-06 07:52:14 0 d-------- C:\Program Files\iTunes
2008-04-28 19:01:04 0 d-------- C:\Program Files\Comcast Rhapsody
2008-04-28 18:49:03 0 d-------- C:\Program Files\Common Files
2008-04-24 19:51:54 0 d-------- C:\Program Files\AIM95
2008-04-23 09:37:53 0 d--h----- C:\Documents and Settings\Larry Miller\Application Data\Symantec
2008-04-23 09:34:36 0 d-------- C:\Program Files\Symantec
2008-04-21 14:27:16 0 d--h----- C:\Documents and Settings\Larry Miller\Application Data\Google
2008-04-12 15:46:58 0 d-------- C:\Program Files\quickenw
2008-04-09 19:33:35 0 d-------- C:\Program Files\Belkin
2008-04-09 17:37:50 45056 --a------ C:\WINDOWS\NCUNINST.EXE <Not Verified; Northern Codeworks; Uninstall>
2008-04-09 17:37:42 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-19 05:47:00 1845248 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
02/07/2008 12:05 AM	349552	--a------	C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
04/23/2008 09:32 AM	116088	--a------	C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll [02/07/2008 12:05 AM 349552]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="" []
"PCTVOICE"="pctspk.exe" [08/14/2002 06:48 PM C:\WINDOWS\system32\pctspk.exe]
"DeadAIM"="C:\Program Files\AIM95\\DeadAIM.ocm" [02/24/2003 05:11 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/16/2003 12:06 PM]
"HostManager"="C:\Program Files\Common Files\AOL\1134674526\ee\AOLSoftware.exe" [05/09/2006 08:24 PM]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [02/17/2006 12:59 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/25/2008 09:47 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [02/07/2008 02:49 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/16/2007 03:15 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Colorific.lnk - C:\Program Files\E-Color\Colorific\hgcctl95.exe [7/7/2002 10:26:25 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [7/13/2000 4:00:00 PM]
SonnReg.lnk - C:\Program Files\E-Color\Registration\SonnReg.exe [7/7/2002 10:26:26 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ca84dec-cc33-11db-bec4-806d6172696f}]
AutoRun\command- D:\CDSTART.EXE

*Newly Created Service* - COMHOST

-- End of Deckard's System Scanner: finished at 2008-05-08 15:28:53 ------------


----------



## Jintan (Oct 4, 2007)

Looks all cleaned up there. You did well. Some leftover files from some past quasi-rogue software that I noticed reviewing. You can delete those now:

C:\Documents and Settings\Larry Miller\Desktop\Free-SpyHunter-Scanner-Install.exe
C:\Documents and Settings\Larry Miller\My Documents\KaZaA.exe
C:\Documents and Settings\Larry Miller\Desktop\noadware.exe

Though I am sure we already covered the steps, as some of these are hidden files, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types". Then locate and delete those.

This is a remnant from Spyware Doctor, though I don't recall seeing it in any logs you posted, or the drivers it supports:

C:\WINDOWS\system32\drivers\mchInjDrv.sys

Locate and rename that by adding ".old" to the end, and if no issues after a few reboots you can delete it as well.

And you can clean up what our work added there.

Kaspersky and SUPERAntiSpyware, if you don't plan to use them again, uninstall through Add/Remove Programs. Though you may opt to keep SUPERAntiSpyware for periodic updated scans there.

You can also at this time delete the files/folders of the tools we used. To assist with some of that download OTMoveIt2 and save the file to your desktop. This will help by automatically removing some of the tools we used.

Please double-click OTMoveIt.exe to run it and click on Cleanup (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator"). When you do this, a list of malware removal programs will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, you should allow it to do so. After the list has downloaded, you'll be asked if you want to begin the cleanup process. Select Yes.

OTMoveIt will search for and delete/uninstall all the tools that we have used to fix your problems and all their backup folders and then delete itself when you next reboot. At the end of the run you will receive a prompt to reboot, but save that for the next step resetting Restore.

Then reset the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.

You will be asked if you are sure; click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.

When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply. OK.

In addition, I like to recommend reviewing the information Here to make sure you stay malware free.


----------
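
A small triage script for HijackThis-style log lines of the kind posted above, added here as an example; it is not part of this thread and is not a HijackThis, Deckard's System Scanner or OTMoveIt feature. It runs over log lines and flags the textual markers a helper like Jintan looks for when reviewing such a log: a search URL with a malformed scheme, a Run entry given as a bare filename (resolved through the PATH search rather than a fixed location), entries marked "(file missing)", services listed with "Unknown owner", and the O17 DNS servers that should be checked against the ISP's known resolvers. The sample lines, paths, service names and CLSIDs are constructed for the example and are not taken from the log above.

```python
"""Triage helper for HijackThis-style log lines (added example, not a HijackThis tool)."""
import re
from dataclasses import dataclass

# Constructed sample log, modelled on the HijackThis line format.
# Paths, names and CLSIDs are placeholders, not findings about any real product.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = home.example.test
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hhttp://search.example.test/nph-search.cgi?find=
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O9 - Extra button: @Home - {00000000-0000-0000-0000-000000000002} - http://home.example.test (file missing) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000003}: NameServer = 192.0.2.10 192.0.2.11
O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\Program Files\Example\svc.exe
O23 - Service: Unknown Service (UnkSvc) - Unknown owner - C:\WINDOWS\system32\unksvc.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK\S+?\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>[\d. ]+)$")
URL_RE = re.compile(r"= (?P<url>\S+)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O4" or "O23"
    reason: str    # why the line deserves a closer look
    line: str      # the original log line


def _first_token(cmd):
    """Return the executable part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def triage(log_text):
    """Scan HijackThis-style lines and return the entries worth verifying by hand."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        # A registered handler whose target no longer exists is stale at best.
        if "(file missing)" in body:
            findings.append(Finding(section, "target file missing", raw))
        if section.startswith("R"):
            u = URL_RE.search(body)
            url = u.group("url").lower() if u else ""
            # Only judge values that carry a scheme; a bare host in Start Page is normal.
            if "://" in url and not url.startswith(("http://", "https://")):
                findings.append(Finding(section, "malformed URL scheme", raw))
        elif section == "O4":
            o4 = O4_RE.match(body)
            # A bare filename is located by PATH search, so its real location must be confirmed.
            if o4 and "\\" not in _first_token(o4.group("cmd")):
                findings.append(Finding(section, "bare filename (located via PATH search)", raw))
        elif section == "O17":
            o17 = O17_RE.search(body)
            if o17:
                servers = " ".join(o17.group("servers").split())
                findings.append(Finding(section, "DNS servers to verify: " + servers, raw))
        elif section == "O23":
            o23 = O23_RE.match(body)
            if o23 and o23.group("owner") == "Unknown owner":
                findings.append(Finding(section, "service with unknown owner", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line.strip()}")
```

Flagged lines are leads to verify, not verdicts: check the file on disk, its publisher and signature, and whether the listed DNS servers are the ones your ISP actually assigns. "Unknown owner" in particular is common for legitimate drivers that simply lack vendor metadata, as with the PCTEL speaker-phone service in the log above.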



## GlennU (Jul 25, 2005)

Jintan...my apologies for not getting back to you earlier. Been dealing with some other issues. Computer seems to be working great. This problem is solved.

Are you able to assist me in solving a problem with another computer?

Thanks,
GlennU


----------



## Jintan (Oct 4, 2007)

A late response here myself. Always glad to assist. But one system per request thread, GlennU - too confusing any other way.


----------



## GlennU (Jul 25, 2005)

Jintan...can you ask someone to respond to my new June 9th post? Are you guys very backlogged or did my post get missed?

Thanks,
Glenn U


----------

