1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Virtumonde.G

Discussion in 'Virus & Other Malware Removal' started by bggarric, Jul 21, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. bggarric

    bggarric Thread Starter

    Joined:
    Jul 21, 2006
    Messages:
    6
    Hi. I have this Virtumonde.G virus that my Windows Defender keeps picking up. I've tried to get rid of it using VundoFix V5.1.4 and that didn't work. I've also tried to use a different version of VundoFix. Here is my Hijack This log. If you can help, please do. This virus is slowing my computer down significantly. Thanks a ton.


    Logfile of HijackThis v1.99.1
    Scan saved at 6:19:20 PM, on 7/21/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\Symantec AntiVirus\DoScan.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Ben\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: DosSpecFolder Object - {FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67} - C:\WINDOWS\system32\awtsp.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O20 - Winlogon Notify: awtsp - C:\WINDOWS\system32\awtsp.dll (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,060
    Hi and welcome to TSG,

    Download the trial version of Ewido Anti-spyware from HERE and save that file to your desktop. When the trial period expires it becomes freeware with reduced functions but still worth keeping.



    • Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    • Once the setup is complete you will need run Ewido and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine"
    • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

    Close Ewido Anti-spyware, Do NOT run a scan yet. We will do that later in safe mode.


    • Reboot your computer into Safe Mode now. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
      IMPORTANT: Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process:
    • Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • Ewido will now begin the scanning process. Be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will prompted, then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close Ewido and reboot your system back into Normal Mode.


    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    Come back here and post a new HijackThis log along with the logs from the Ewido and Panda scans.
     
  3. bggarric

    bggarric Thread Starter

    Joined:
    Jul 21, 2006
    Messages:
    6
    Okay. Sorry it took me so long Cookie. My internet stopped working for a while. Here are the reports you needed. I don't think any of this got rid of Virtumonde yet though.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:49:44 PM, on 7/21/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Symantec AntiVirus\DoScan.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Ben\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: DosSpecFolder Object - {FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67} - C:\WINDOWS\system32\awtsp.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: awtsp - C:\WINDOWS\system32\awtsp.dll (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    Panda Scan:

    Incident Status Location

    Spyware:spyware/virtumonde Not disinfected Windows Registry
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt[.statcounter.com/]
    Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt[.c2.gostats.com/]
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Ben\Cookies\[email protected][1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Ben\Cookies\[email protected][2].txt
    Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Ben\Cookies\[email protected][2].txt
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ben\Desktop\VundoFix\VundoFix\process.exe


    Edwido:

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 7:59:47 PM 7/21/2006

    + Scan result:



    :mozilla.31:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    :mozilla.32:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    :mozilla.33:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    :mozilla.34:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ben\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    :mozilla.225:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
    :mozilla.226:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
    :mozilla.227:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
    :mozilla.228:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
    :mozilla.90:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
    :mozilla.58:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ben\Cookies\[email protected][2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
    :mozilla.113:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
    :mozilla.114:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
    :mozilla.115:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
    :mozilla.81:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
    :mozilla.82:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
    :mozilla.83:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
    :mozilla.84:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
    :mozilla.85:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
    :mozilla.100:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
    :mozilla.97:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
    :mozilla.98:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
    :mozilla.99:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
    :mozilla.48:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
    :mozilla.263:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
    :mozilla.230:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
    :mozilla.231:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
    :mozilla.232:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
    :mozilla.233:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
    :mozilla.234:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
    :mozilla.35:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
    :mozilla.67:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
    :mozilla.69:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
    :mozilla.70:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
    :mozilla.71:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
    :mozilla.170:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
    :mozilla.171:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
    :mozilla.172:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
    :mozilla.241:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
    :mozilla.242:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
    :mozilla.243:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
    :mozilla.244:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
    :mozilla.245:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
    :mozilla.246:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
    :mozilla.247:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
    :mozilla.248:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ben\Cookies\[email protected][1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
    :mozilla.51:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
    :mozilla.52:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
    :mozilla.53:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
    :mozilla.106:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
    :mozilla.192:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
    :mozilla.193:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
    :mozilla.194:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
    :mozilla.195:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
    :mozilla.86:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
    :mozilla.87:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
    :mozilla.88:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
    :mozilla.89:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ben\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
    :mozilla.11:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ben\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
    :mozilla.199:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
    :mozilla.200:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
    :mozilla.201:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
    :mozilla.202:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
    :mozilla.203:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
    :mozilla.204:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
    :mozilla.205:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
    :mozilla.206:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
    :mozilla.221:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\6uxdzmco.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ben\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


    ::Report end


    I'm actually leaving for vacation tomorrow. I will be taking my laptop with me and will hopefully (almost 100%) have internet access, so if you could please respond when you have some time I would really appreciate it. Thank you so much for your help.
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,060
    Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don’t do anything with it yet!


    Click here for info on how to boot to safe mode if you don't already know how.


    Reboot into Safe Mode.


    Double click WinPFind.exe
    • Click "Start Scan"
    • It will scan the entire System, so please be patient and let it complete.


    Reboot back to Normal Mode!


    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Copy and paste WinPFind.txt in your next post here please.
     
  5. bggarric

    bggarric Thread Starter

    Joined:
    Jul 21, 2006
    Messages:
    6
    Hey Cookie,
    I'm sorry I haven't been able to respond. I actually didn't have internet access on my vacation. I appreciate you sticking with me though. I used the WinPFind like you said and here is the txt document that came up after the scan. ... THanks again!


    WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

    If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

    »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
    Internet Explorer Version: 6.0.2900.2180

    »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

    Checking %SystemDrive% folder...

    Checking %ProgramFilesDir% folder...

    Checking %WinDir% folder...

    Checking %System% folder...
    aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
    PEC2 8/4/2004 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
    PEC2 1/26/2006 2:36:02 PM 574976 C:\WINDOWS\SYSTEM32\DivX.dll
    PECompact2 1/26/2006 2:36:02 PM 574976 C:\WINDOWS\SYSTEM32\DivX.dll
    PTech 5/23/2006 5:26:00 PM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
    aspack 7/6/2006 9:21:46 PM 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 8/4/2004 6:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
    Umonitor 8/4/2004 6:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
    winsync 8/4/2004 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
    PTech 5/23/2006 5:25:52 PM 285488 C:\WINDOWS\SYSTEM32\WgaTray.exe

    Checking %System%\Drivers folder and sub-folders...
    UPX! 5/24/2006 7:18:46 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    FSG! 5/24/2006 7:18:46 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    PEC2 5/24/2006 7:18:46 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    aspack 5/24/2006 7:18:46 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

    Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    7/30/2006 12:48:44 PM S 2048 C:\WINDOWS\bootstat.dat
    7/22/2006 5:09:24 PM H 54156 C:\WINDOWS\QTFont.qfn
    7/30/2006 12:48:48 PM S 64 C:\WINDOWS\CSC\00000001
    7/21/2006 7:44:06 PM S 64 C:\WINDOWS\CSC\00000002
    7/21/2006 4:21:10 PM S 64 C:\WINDOWS\CSC\csc1.tmp
    6/22/2006 7:18:30 AM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
    6/1/2006 4:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
    7/30/2006 12:48:48 PM H 20480 C:\WINDOWS\system32\config\default.LOG
    7/30/2006 12:54:42 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
    7/30/2006 12:48:44 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
    7/30/2006 12:51:42 PM H 266240 C:\WINDOWS\system32\config\software.LOG
    7/30/2006 12:48:56 PM H 1064960 C:\WINDOWS\system32\config\system.LOG
    7/18/2006 1:51:22 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
    6/3/2006 8:57:44 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
    6/3/2006 8:57:44 PM S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
    7/30/2006 1:18:24 AM H 1024 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
    7/30/2006 12:51:54 PM H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
    7/30/2006 12:47:48 PM H 6 C:\WINDOWS\Tasks\SA.DAT

    Checking for CPL files...
    Microsoft Corporation 8/4/2004 6:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
    Broadcom Corp. 2/14/2003 2:33:08 PM 430080 C:\WINDOWS\SYSTEM32\ASFConfig.cpl
    6/29/2004 1:21:26 PM 24576 C:\WINDOWS\SYSTEM32\BACSCPL.cpl
    Dell Inc 12/6/2004 9:45:12 PM 1491053 C:\WINDOWS\SYSTEM32\BCMWLCPL.CPL
    Microsoft Corporation 8/4/2004 6:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
    Sun Microsystems 11/19/2003 6:48:12 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
    Dell Inc. 11/10/2004 12:51:26 PM 122880 C:\WINDOWS\SYSTEM32\NicConfigSvc.Cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
    Sun Microsystems 11/27/2001 12:24:30 AM 45148 C:\WINDOWS\SYSTEM32\plugincpl131_02.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
    SigmaTel Inc. 7/20/2004 4:14:06 PM 102481 C:\WINDOWS\SYSTEM32\STAC97.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
    Microsoft Corporation 5/26/2005 5:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
    Microsoft Corporation 5/26/2005 5:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

    »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    4/27/2006 7:17:52 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    8/11/2004 6:15:06 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
    8/6/2005 3:36:18 PM 493 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    8/11/2004 6:07:12 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
    8/6/2005 3:35:30 PM H 4 C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare

    Checking files in %USERPROFILE%\Startup folder...
    4/2/2006 6:36:12 PM 1908 C:\Documents and Settings\Ben\Start Menu\Programs\Startup\Clean Access Agent.lnk
    8/11/2004 6:15:06 PM HS 84 C:\Documents and Settings\Ben\Start Menu\Programs\Startup\desktop.ini

    Checking files in %USERPROFILE%\Application Data folder...
    8/11/2004 6:07:12 PM HS 62 C:\Documents and Settings\Ben\Application Data\desktop.ini

    »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    SV1 =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
    {BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
    {BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
    = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}
    DriveLetterAccess = C:\WINDOWS\system32\dla\tfswshx.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}
    DosSpecFolder Object = C:\WINDOWS\system32\awtsp.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\system32\shdocvw.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText = Sun Java Console :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
    ButtonText = Research :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
    ButtonText = AIM : C:\Program Files\AIM95\aim.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
    ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
    Search Band = %SystemRoot%\system32\browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
    Favorites Band = %SystemRoot%\system32\shdocvw.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
    History Band = %SystemRoot%\system32\shdocvw.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Explorer Band = %SystemRoot%\system32\shdocvw.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Apoint C:\Program Files\Apoint\Apoint.exe
    SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    Dell Wireless Manager UI C:\WINDOWS\system32\WLTRAY
    DVDLauncher "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    UpdateManager "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    dla C:\WINDOWS\system32\dla\tfswctrl.exe
    ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    vptray C:\PROGRA~1\SYMANT~1\VPTray.exe
    QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
    MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    SpybotSnD "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    Windows Defender "C:\Program Files\Windows Defender\MSASCui.exe" -hide

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL Installed = 1
    MAPI Installed = 1
    MSFS Installed = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
    AIM C:\Program Files\AIM95\aim.exe -cnetwait.odl
    Steam "C:\Program Files\Steam\Steam.exe" -silent

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
    path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
    location Common Startup
    command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
    item Adobe Reader Speed Launch

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\a-squared
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item a2guard
    hkey HKCU
    command "C:\Program Files\a-squared\a2guard.exe"
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item a2guard
    hkey HKCU
    command "C:\Program Files\a-squared\a2guard.exe"
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item iTunesHelper
    hkey HKLM
    command "C:\Program Files\iTunes\iTunesHelper.exe"
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item iTunesHelper
    hkey HKLM
    command "C:\Program Files\iTunes\iTunesHelper.exe"
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mmtask
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item mmtask
    hkey HKLM
    command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item mmtask
    hkey HKLM
    command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MMTray
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item mm_tray
    hkey HKLM
    command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item mm_tray
    hkey HKLM
    command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item qttask
    hkey HKLM
    command "C:\Program Files\QuickTime\qttask.exe" -atboottime
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item qttask
    hkey HKLM
    command "C:\Program Files\QuickTime\qttask.exe" -atboottime
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
    system.ini 0
    win.ini 0
    bootini 0
    services 0
    startup 2


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
    ScanWithAntiVirus 2


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon 1
    undockwithoutlogon 1


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun 145

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
    DisableRegistryTools 0


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
    SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,
    Shell = Explorer.exe
    System =

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
    = Ati2evxx.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtsp
    = C:\WINDOWS\system32\awtsp.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
    = C:\WINDOWS\system32\NavLogon.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
    = WgaLogon.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs


    »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
    Scan completed on 7/30/2006 12:55:16 PM
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,060
    Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.

    O2 - BHO: DosSpecFolder Object - {FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67} - C:\WINDOWS\system32\awtsp.dll (file missing)

    O20 - Winlogon Notify: awtsp - C:\WINDOWS\system32\awtsp.dll (file missing)



    Reboot and post a new HijackThis log please.
     
  7. bggarric

    bggarric Thread Starter

    Joined:
    Jul 21, 2006
    Messages:
    6
    Alright, I did what you said... however when I rebooted, Windows defender was still detecting Virtumonde.G... Here is the logifle:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:23:42 PM, on 7/30/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Steam\Steam.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Symantec AntiVirus\DoScan.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Ben\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,060
    Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don’t do anything with it yet!


    Click here for info on how to boot to safe mode if you don't already know how.


    Reboot into Safe Mode.


    Double click WinPFind.exe
    • Click "Start Scan"
    • It will scan the entire System, so please be patient and let it complete.


    Reboot back to Normal Mode!


    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Copy and paste WinPFind.txt in your next post here please.
     
  9. bggarric

    bggarric Thread Starter

    Joined:
    Jul 21, 2006
    Messages:
    6
    Ok here is the WinPFind logfile:

    WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

    If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

    »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
    Internet Explorer Version: 6.0.2900.2180

    »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

    Checking %SystemDrive% folder...

    Checking %ProgramFilesDir% folder...

    Checking %WinDir% folder...

    Checking %System% folder...
    aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
    PEC2 8/4/2004 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
    PEC2 1/26/2006 2:36:02 PM 574976 C:\WINDOWS\SYSTEM32\DivX.dll
    PECompact2 1/26/2006 2:36:02 PM 574976 C:\WINDOWS\SYSTEM32\DivX.dll
    PTech 5/23/2006 5:26:00 PM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
    aspack 7/6/2006 9:21:46 PM 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 8/4/2004 6:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
    Umonitor 8/4/2004 6:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
    winsync 8/4/2004 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
    PTech 5/23/2006 5:25:52 PM 285488 C:\WINDOWS\SYSTEM32\WgaTray.exe

    Checking %System%\Drivers folder and sub-folders...
    UPX! 5/24/2006 7:18:46 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    FSG! 5/24/2006 7:18:46 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    PEC2 5/24/2006 7:18:46 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    aspack 5/24/2006 7:18:46 PM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

    Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    7/30/2006 12:48:44 PM S 2048 C:\WINDOWS\bootstat.dat
    7/22/2006 5:09:24 PM H 54156 C:\WINDOWS\QTFont.qfn
    7/30/2006 12:48:48 PM S 64 C:\WINDOWS\CSC\00000001
    7/21/2006 7:44:06 PM S 64 C:\WINDOWS\CSC\00000002
    7/21/2006 4:21:10 PM S 64 C:\WINDOWS\CSC\csc1.tmp
    6/22/2006 7:18:30 AM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
    6/1/2006 4:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
    7/30/2006 12:48:48 PM H 20480 C:\WINDOWS\system32\config\default.LOG
    7/30/2006 12:54:42 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
    7/30/2006 12:48:44 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
    7/30/2006 12:51:42 PM H 266240 C:\WINDOWS\system32\config\software.LOG
    7/30/2006 12:48:56 PM H 1064960 C:\WINDOWS\system32\config\system.LOG
    7/18/2006 1:51:22 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
    6/3/2006 8:57:44 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
    6/3/2006 8:57:44 PM S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
    7/30/2006 1:18:24 AM H 1024 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
    7/30/2006 12:51:54 PM H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
    7/30/2006 12:47:48 PM H 6 C:\WINDOWS\Tasks\SA.DAT

    Checking for CPL files...
    Microsoft Corporation 8/4/2004 6:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
    Broadcom Corp. 2/14/2003 2:33:08 PM 430080 C:\WINDOWS\SYSTEM32\ASFConfig.cpl
    6/29/2004 1:21:26 PM 24576 C:\WINDOWS\SYSTEM32\BACSCPL.cpl
    Dell Inc 12/6/2004 9:45:12 PM 1491053 C:\WINDOWS\SYSTEM32\BCMWLCPL.CPL
    Microsoft Corporation 8/4/2004 6:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
    Sun Microsystems 11/19/2003 6:48:12 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
    Dell Inc. 11/10/2004 12:51:26 PM 122880 C:\WINDOWS\SYSTEM32\NicConfigSvc.Cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
    Sun Microsystems 11/27/2001 12:24:30 AM 45148 C:\WINDOWS\SYSTEM32\plugincpl131_02.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
    SigmaTel Inc. 7/20/2004 4:14:06 PM 102481 C:\WINDOWS\SYSTEM32\STAC97.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
    Microsoft Corporation 8/4/2004 6:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
    Microsoft Corporation 5/26/2005 5:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
    Microsoft Corporation 5/26/2005 5:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

    »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    4/27/2006 7:17:52 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    8/11/2004 6:15:06 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
    8/6/2005 3:36:18 PM 493 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    8/11/2004 6:07:12 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
    8/6/2005 3:35:30 PM H 4 C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare

    Checking files in %USERPROFILE%\Startup folder...
    4/2/2006 6:36:12 PM 1908 C:\Documents and Settings\Ben\Start Menu\Programs\Startup\Clean Access Agent.lnk
    8/11/2004 6:15:06 PM HS 84 C:\Documents and Settings\Ben\Start Menu\Programs\Startup\desktop.ini

    Checking files in %USERPROFILE%\Application Data folder...
    8/11/2004 6:07:12 PM HS 62 C:\Documents and Settings\Ben\Application Data\desktop.ini

    »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    SV1 =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
    {BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
    {BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
    = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}
    DriveLetterAccess = C:\WINDOWS\system32\dla\tfswshx.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}
    DosSpecFolder Object = C:\WINDOWS\system32\awtsp.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\system32\shdocvw.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText = Sun Java Console :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
    ButtonText = Research :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
    ButtonText = AIM : C:\Program Files\AIM95\aim.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
    ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
    Search Band = %SystemRoot%\system32\browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
    Favorites Band = %SystemRoot%\system32\shdocvw.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
    History Band = %SystemRoot%\system32\shdocvw.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Explorer Band = %SystemRoot%\system32\shdocvw.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Apoint C:\Program Files\Apoint\Apoint.exe
    SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    Dell Wireless Manager UI C:\WINDOWS\system32\WLTRAY
    DVDLauncher "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    UpdateManager "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    dla C:\WINDOWS\system32\dla\tfswctrl.exe
    ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    vptray C:\PROGRA~1\SYMANT~1\VPTray.exe
    QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
    MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    SpybotSnD "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    Windows Defender "C:\Program Files\Windows Defender\MSASCui.exe" -hide

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL Installed = 1
    MAPI Installed = 1
    MSFS Installed = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
    AIM C:\Program Files\AIM95\aim.exe -cnetwait.odl
    Steam "C:\Program Files\Steam\Steam.exe" -silent

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
    path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
    location Common Startup
    command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
    item Adobe Reader Speed Launch

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\a-squared
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item a2guard
    hkey HKCU
    command "C:\Program Files\a-squared\a2guard.exe"
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item a2guard
    hkey HKCU
    command "C:\Program Files\a-squared\a2guard.exe"
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item iTunesHelper
    hkey HKLM
    command "C:\Program Files\iTunes\iTunesHelper.exe"
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item iTunesHelper
    hkey HKLM
    command "C:\Program Files\iTunes\iTunesHelper.exe"
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mmtask
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item mmtask
    hkey HKLM
    command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item mmtask
    hkey HKLM
    command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MMTray
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item mm_tray
    hkey HKLM
    command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item mm_tray
    hkey HKLM
    command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item qttask
    hkey HKLM
    command "C:\Program Files\QuickTime\qttask.exe" -atboottime
    inimapping 0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item qttask
    hkey HKLM
    command "C:\Program Files\QuickTime\qttask.exe" -atboottime
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
    system.ini 0
    win.ini 0
    bootini 0
    services 0
    startup 2


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
    ScanWithAntiVirus 2


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon 1
    undockwithoutlogon 1


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun 145

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
    DisableRegistryTools 0


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
    SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,
    Shell = Explorer.exe
    System =

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
    = Ati2evxx.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtsp
    = C:\WINDOWS\system32\awtsp.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
    = C:\WINDOWS\system32\NavLogon.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
    = WgaLogon.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs


    »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
    Scan completed on 7/30/2006 12:55:16 PM
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,060
    Please post the log from Bit Defender.
     
  11. bggarric

    bggarric Thread Starter

    Joined:
    Jul 21, 2006
    Messages:
    6
    Bit Defender? I don't think I have that. Can you send a link please? The last thing I posted a log for was the WinPFind.
    Thanks Cookie.
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,060
    Sorry, I meant Windows Defender. Can you please post the log you did with Windows Defender that picked up virtumonde.
     
  13. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/485204

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice