
Solved Badly infected computer, reformat best option??

Discussion in 'Malware and Virus Removal Archive' started by Vicki, 2008/01/17.

  1. 2008/01/28
    Vicki

    Dr. Web completed

    Don't know why I was getting the "page cannot be displayed" message on my computer? But did the steps on this (infected) one and it worked just fine!!

    So here's the report list:

    00375218.FIL;C:\$VAULT$.AVG;Trojan.Iespy;Deleted.;
    05074078.FIL;C:\$VAULT$.AVG;Trojan.Iespy;Deleted.;
    11076390.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.232;Deleted.;
    16120765.FIL;C:\$VAULT$.AVG;Trojan.Iespy;Deleted.;
    19145625.FIL;C:\$VAULT$.AVG;Trojan.Iespy;Deleted.;
    19156437.FIL;C:\$VAULT$.AVG;Trojan.Iespy;Deleted.;
    27889906.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27890000.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27890093.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27890171.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27890328.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27890421.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27890515.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27890625.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27890718.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27890796.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27890906.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27891015.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27891109.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27891218.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27891312.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27891421.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27891531.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27891656.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27891765.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27891843.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27891953.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27892031.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27892125.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27892203.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27892296.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27892390.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27892531.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27892656.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27892765.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27892906.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27893046.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27893203.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27893343.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27893484.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27893578.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27893718.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27893828.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27894187.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27894281.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27894406.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27894812.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27894921.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27895046.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27895156.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27895250.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27895359.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27895468.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27895640.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27895750.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.232;Deleted.;
    27895828.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27895968.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27896062.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27896203.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27896312.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27896468.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27896828.FIL;C:\$VAULT$.AVG;Trojan.EzulaAd;Deleted.;
    27897046.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27897359.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27898234.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27898484.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27898718.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27898843.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27898953.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27899062.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27899171.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    27899265.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
    66250203.FIL;C:\$VAULT$.AVG;Trojan.Iespy;Deleted.;
    D4.tmp;C:\Deckard\System Scanner\20080118142025\backup\DOCUME~1\Owner\LOCALS~1\Temp;Trojan.Sentinel;Deleted.;
    jifihdty.dat;C:\Documents and Settings\Owner\Local Settings\Temp;Trojan.Sentinel;Deleted.;
    browsew.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Sentinel.origin;Incurable.Moved.;
    SearchTool.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\SearchTool;Adware.SearchEnh.origin;;
    A0035535.bat;C:\System Volume Information\_restore{2A78FFE6-1A31-4B5E-A406-069C360D2A03}\RP153;Probably BATCH.Virus;;
    A0035611.bat;C:\System Volume Information\_restore{2A78FFE6-1A31-4B5E-A406-069C360D2A03}\RP154;Probably BATCH.Virus;;
    A0035649.dll;C:\System Volume Information\_restore{2A78FFE6-1A31-4B5E-A406-069C360D2A03}\RP155;Adware.SearchEnh.origin;;
    A0035652.dll;C:\System Volume Information\_restore{2A78FFE6-1A31-4B5E-A406-069C360D2A03}\RP155;Trojan.Sentinel.origin;Incurable.Moved.;
    A0035659.bat;C:\System Volume Information\_restore{2A78FFE6-1A31-4B5E-A406-069C360D2A03}\RP155;Probably BATCH.Virus;;
    A0014896.dll;C:\System Volume Information\_restore{2A78FFE6-1A31-4B5E-A406-069C360D2A03}\RP29;Adware.Zango;;
    A0017536.dll;C:\System Volume Information\_restore{2A78FFE6-1A31-4B5E-A406-069C360D2A03}\RP55;Adware.Zango;;
    A0019002.dll;C:\System Volume Information\_restore{2A78FFE6-1A31-4B5E-A406-069C360D2A03}\RP59;Adware.Shopper;;
    A0023388.dll;C:\System Volume Information\_restore{2A78FFE6-1A31-4B5E-A406-069C360D2A03}\RP83;Adware.Shopper;;
    A0024572.dll;C:\System Volume Information\_restore{2A78FFE6-1A31-4B5E-A406-069C360D2A03}\RP87;Adware.SearchAid.origin;;


    There were a couple of "infections" that were detected but could not be cured (?), it asked if I wished to "move" them....I chose "yes" (Don't know if that was the correct thing to do or not??) :confused:

    I haven't closed the Dr Web program yet because it is telling me that "No operations performed with some objects in list. Exit program?" Because I was unsure of what I should do at this point, I chose "no" and left the program open until I receive further instructions.
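    The report list above is a fixed `file;directory;threat;action;` format, and anyone reading it wants three things answered quickly: what was found, where each object lives, and which objects were left untouched (an empty action field). The following Python parser is an added example, not part of the thread and not Dr.Web's own tooling. Its sample lines are constructed from the report above with the restore-point GUID replaced by a placeholder, and it treats the `$VAULT$.AVG` and `QooBox\Quarantine` folders as quarantine stores of other cleanup tools, which is an assumption drawn from their names.

```python
from collections import Counter

# Constructed sample: six records in the shape of the thread's Dr.Web report,
# with the System Restore GUID replaced by a placeholder.
SAMPLE_REPORT = """\
00375218.FIL;C:\\$VAULT$.AVG;Trojan.Iespy;Deleted.;
27889906.FIL;C:\\$VAULT$.AVG;Trojan.MulDrop.9328;Deleted.;
jifihdty.dat;C:\\Documents and Settings\\Owner\\Local Settings\\Temp;Trojan.Sentinel;Deleted.;
browsew.dll.vir;C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32;Trojan.Sentinel.origin;Incurable.Moved.;
SearchTool.dll.vir;C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\SearchTool;Adware.SearchEnh.origin;;
A0035535.bat;C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP153;Probably BATCH.Virus;;
"""

FIELDS = ("file", "directory", "threat", "action")


def parse_report(text):
    """Parse '<file>;<directory>;<threat>;<action>;' records into dicts.

    The action field is empty when the scanner did nothing with the object,
    so an empty string is preserved rather than dropped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(";")
        if len(parts) < 4:
            raise ValueError(f"malformed report line: {raw!r}")
        entries.append(dict(zip(FIELDS, parts[:4])))
    return entries


def classify_location(directory):
    """Where does the detected object live?

    Assumption: folders named $VAULT$ or Quarantine are other tools' vaults,
    so a hit there is an already-isolated copy, not an active file.
    """
    d = directory.lower()
    if "$vault$" in d or "\\quarantine\\" in d:
        return "already-quarantined"
    if "system volume information" in d and "_restore" in d:
        return "restore-point"
    return "live"


def triage(entries):
    """Count threats and locations, and collect records with no action taken."""
    by_threat = Counter(e["threat"] for e in entries)
    by_location = Counter(classify_location(e["directory"]) for e in entries)
    untouched = [e for e in entries if e["action"] == ""]
    return {"by_threat": by_threat, "by_location": by_location, "untouched": untouched}


def followups(entries):
    """Plain-language follow-up items derived from the triage counts."""
    t = triage(entries)
    notes = []
    live_untouched = [e for e in t["untouched"]
                      if classify_location(e["directory"]) == "live"]
    if live_untouched:
        notes.append(f"{len(live_untouched)} untouched object(s) outside quarantine "
                     "or restore points: re-scan or handle manually")
    if t["by_location"]["restore-point"]:
        notes.append("infected copies sit in System Restore points: purge restore "
                     "points once the machine is clean, or they can be restored later")
    if t["by_location"]["already-quarantined"]:
        notes.append("hits inside other tools' quarantine folders are copies that "
                     "were already isolated; treat them as housekeeping, not activity")
    return notes


if __name__ == "__main__":
    entries = parse_report(SAMPLE_REPORT)
    result = triage(entries)
    print("threats:", dict(result["by_threat"]))
    print("locations:", dict(result["by_location"]))
    for e in result["untouched"]:
        print("no action taken:", e["file"], "in", e["directory"])
    for note in followups(entries):
        print("-", note)
```

    Run against the full report, the location counts show at a glance that nearly everything listed was already sitting in AVG's vault or ComboFix's quarantine, while the restore-point hits explain why a machine can look clean and then re-infect after a System Restore.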
     
  2. 2008/01/29
    noahdfear

    You did fine, Vicki. Go ahead and close Dr Web.

    Please download Dial-a-Fix by djlizard, save it to the desktop then extract it to its own folder.
    • Open the folder and run Dial-a-fix.exe
    • 2 windows will open. Close the one in the background labeled Restrictive Policies
    • On the main window, check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
    • Check all boxes in Section 5, labeled Registration Center.
    • Click Go
    • OK any error messages if received, but write them down and post them here.
    • Restart the computer when done
    Let me know if IE behaves properly.
     

  4. 2008/01/29
    Vicki

    No change

    I got that Dial-a-fix downloaded & ran. I didn't see 2 windows open though? But on the main window, did all the checking that you suggested and then "go".

    No errors were reported from there, so nothing to copy/write down to post here.

    Rebooted, but still no changes in the way IE reacts.:(
     
  5. 2008/01/29
    noahdfear

    Hi Vicki,

    Good that you got no errors at least. :)

    I would still like to complete a repair of IE, and since the XP cd doesn't seem to be doing the job, and you have no i386 folder, I've found an alternative method. Only do this if you have a high speed connection, because the download required is very large ..... dialup connection would take about 12 hours. :eek:

    Using the affected computer, click here then download Windows XP Service Pack 2. Save the file to the desktop. If clicking the link opens a blank page for you, right click the link and select 'Copy Shortcut', then click Start>Run and paste it in and hit Enter (fingers crossed it will work one way or the other).

    Double click the WindowsXP-KB835935-SP2-ENU.exe file. Setup will begin extracting files, and the message box confirming file extraction will show the following.

    Extracting files:
    To Directory:
    C:\74b1c6f9a2cc0f21308a0c419f (that is a random number and yours will differ)

    Take note of the directory that the files are being extracted to. When file extraction is complete, the setup window will prompt you to continue. Do NOT click Next! Instead, open the directory the setup files were extracted to. Right click the i386 folder in that directory and select Copy. Now, navigate to C:, right click a blank space and select Paste. When the i386 folder has finished copying to C:, click Cancel on the XP Service Pack 2 setup window. You can also delete the WindowsXP-KB835935-SP2-ENU.exe file from the desktop.

    Now, navigate to C:\Windows\inf and right click the ie.inf file then select Install. When prompted for the location of the i386 folder, point it to C:\i386 and click OK. When the repair has completed, restart the computer and test IE.
     
  6. 2008/01/30
    Vicki

    Confused or goofed??

    I did try connecting to that link (via the infected computer), but the result was "normal"....blank page showed up, locking up, using "end task" to close.

    So tried the alternative method (copying/paste in the run box)....same effect!

    My next option was to use that shortcut in the "homepage" option in IE settings. I was able to get to the website and attempted to download. Of course that would open a new window (I'm guessing this was the download progress window??) but as it wouldn't show anything I was uncertain.

    I did see a flicker on the screen that said "Thank you for downloading....". Now that I thought was a surprise as I didn't/couldn't see anything downloading!

    Somehow it must have done it as it asked me if I wanted to "save, run, download this file later" etc. I chose to "save". It asked me where I wanted to save it to & I chose "desktop".

    So I now have a file on the desktop that says "WindowsXP-KB835935-SP2-ENU.exe". If I hover the mouse over this file, it says:
    1. Description: Self-extracting Cabinet
    2. Company: Microsoft Corporation
    3. File version: 5.5.1005.0
    4. Date Created: 1/30/2008 7:00a.m.
    5. Size: 266 MB

    If I click on that file, it shows the normal "run or cancel". I chose neither (just closed) as I want to be sure this is correct before going any further!

    If I click on the "run" will this be where the "extracting files" comes into play?

    Once again, I thank you noahdfear, for your patience with me!
     
  7. 2008/01/30
    noahdfear

    Great! Allow it to run. ;)
     
  8. 2008/01/30
    Vicki

    Did I mess up?

    I'm guessing that I may have? I did all the steps and was able to copy the file/folder to C: (as there is now a folder there listed as i386!)

    However I may be lost when trying to find the C:\Windows\inf folder??

    I clicked on the folder marked "Windows" and see there are many listed there (I think I was here once before when you had me looking for something?). Anyway, there is a (muted yellow) folder marked "inf". I clicked on that to open. Found the ie.inf file, right clicked and chose "install".

    But when I chose the location of the file to install from (C:\i386) I receive a "copy error" message "Setup cannot copy the file IEXPLORE.EX_" Ensure that the location specified is correct, or change it and insert "Windows XP Home Edition Service Pack 2 CD" in the drive you specify.

    Did I goof somewhere? Not looking for the right folder? Sorry, I'm really a dunce when it comes to this stuff. I'm actually amazed that I've made it this far!:eek: But I've had VERY good instructions, so maybe my concept of following them isn't the best!:eek:
     
  9. 2008/01/30
    noahdfear

    You've done quite well Vicki, and no, you didn't do anything wrong. I cannot explain why you're getting the copy error. It is supposed to work, it just isn't, and I haven't found an answer for it yet.

    • Close all IE windows.
    • Open C:\Program Files\Internet Explorer
    • Locate the file iexplore.exe
    • If you see only iexplore and not the exe extension, click Tools>Folder Options on the toolbar. Click the View tab then scroll down and uncheck 'hide extensions for known file types' and click OK. You should now see iexplore.exe
    • Right click iexplore.exe and select rename
    • Name it iexplore.exe.old
    • Wait a few shakes then right click a blank area and select Refresh.
    • A new iexplore.exe should appear
    • Open an IE window and see if it behaves any differently

    Let me know if iexplore.exe is not replaced with a fresh copy after renaming.
     
  10. 2008/01/31
    Vicki

    No change...

    Did all the steps you requested, and yes there was a new iexplore.exe after selecting refresh. But still no change in how IE responds! I told my husband that if this wasn't so frustrating it would be funny!

    I do feel more sorry for you with all the time & effort you are taking in helping me to try and resolve this issue!

    Should I be thinking we might need to reformat after all? (Ooooh, now that's a REALLY scary thought for me!!)
     
  11. 2008/01/31
    noahdfear

    Open this page with the affected computer, highlight and copy the bolded command below.

    expand c:\i386\iexplore.ex_ "c:\program files\internet explorer\iexplore.exe" /Y

    Click Start>Run and type cmd then hit enter to open a command window. Now close the open IE window. Right click in the command window and Paste the copied command, then hit enter. There should be some information echoed to the screen and it will return to a command prompt. If it says 'iexplore.ex_ expanded by 145%', close the command window and continue with the following, otherwise stop and post the information here (you can close command window too).
    Run the ie-rereg.cmd file again and restart the computer when complete. See if IE behaves any differently.
     
  12. 2008/02/01
    Vicki

    something amiss??

    I ran the command and it opened:
    C:\Documents and Settings\owner>

    After I chose "paste" (to copy the command line you wanted me to run), I received the following response:
    "unrecognized switch -Y".

    Didn't dare try and alter that command line in any way, so will wait for your response.
     
  13. 2008/02/01
    noahdfear

    That's odd. Try it without the /Y switch.

    expand c:\i386\iexplore.ex_ "c:\program files\internet explorer\iexplore.exe"
     
  14. 2008/02/01
    Vicki

    Another question

    I ran the command line without the "/Y" switch and am guessing that worked? After completing it showed "....expanding 37895 bytes to 93184 bytes 145% increase."

    I am now ready for the next step you suggested:

    But being the dunce that I am, I'm not sure how to do this?

    After checking back through some of our previous posts, I came across this:

    Is this the procedure that you want me to use?
     
  15. 2008/02/01
    noahdfear

    Yes.

    Just for the record, you have done quite well following my instructions. There's nothing wrong with asking first when unsure, and that surely doesn't make you a dunce. On the contrary, only a dunce wouldn't stop and ask first when unsure. ;)
     
  16. 2008/02/02
    Vicki

    No Luck!

    I ran that command and saw the message about having to "be patient as this will take awhile". I didn't see any other messages after it completed and it closed on its own.

    Rebooted the computer and tested IE.....still no change, still reacts like it did when I first wrote. :(

    Thank you for your vote of confidence, you certainly have a way of making a person feel competent!

    I'm glad that you have the skills, expertise & patience to keep trying different ideas! Are we getting any closer to getting this resolved?
     
  17. 2008/02/04
    noahdfear

    Hi Vicki,

    Open Dial-a-fix and click the hammer icon. Select Flush DNS and click Go
    When complete, select Repair Permissions and click Go
    When complete, select Repair/reinstall IE and click Go

    If at any time you are prompted for the XP cd, insert it
    Make note of any error messages and post them here
    Reboot when complete and let me know if there's any change
     
  18. 2008/02/05
    Vicki

    Still no change

    Hello Dave!

    I performed all the steps and the only "error" message I received was when I was asked to insert the "cd". Once again the "copy error" message returned stating that it could not copy files from D:\i386.

    I chose to then cancel and received a "confirm" box from Dial-a-fix asking if I wanted to reset all IE defaults, etc., etc. and that it would only take a few minutes. I chose "yes".

    Rebooted, but still no change in the way IE responds. :(
     
  19. 2008/02/05
    noahdfear

    Open this post with the affected computer, then click on each of the following links and make note of what happens with each.

    1. http://www.kaspersky.com
    2. http://195.200.84.20
    3. http://www.google.com
    4. http://64.233.169.99

    Deckards System Scanner (dss.exe) should still be on the desktop. If so, please copy the following bolded command, then click Start>Run and paste it in and hit Enter.

    "%userprofile%\desktop\dss.exe" /config

    When the dss interface opens, click Uncheck All, then click Select All. Now click Scan. It should open 2 logs when complete; main.txt which will be maximized, and extra.txt which will be minimized. Please post both logs here. You may need to split them up into several posts due to the number of characters allowed in a post.
     
  20. 2008/02/06
    Vicki

    Results

    I tried clicking on the links you posted. The first two resulted in the same effect (opening new blank IE, had to end task to close). The google link actually opened up a new IE with google showing!? The 4th link responded the same way the first two did.

    Here's the main text of Deckards Scan:


    Deckard's System Scanner v20071014.68
    Run by Owner on 2008-02-06 19:51:21
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    156: 2008-02-07 01:51:27 UTC - RP168 - Deckard's System Scanner Restore Point
    155: 2008-02-06 18:43:41 UTC - RP167 - System Checkpoint
    154: 2008-02-04 23:18:56 UTC - RP166 - System Checkpoint
    153: 2008-02-01 13:36:27 UTC - RP165 - System Checkpoint
    152: 2008-01-31 13:20:28 UTC - RP164 - System Checkpoint


    -- First Restore Point --
    1: 2007-12-22 00:18:01 UTC - RP13 - System Checkpoint


    Performed disk cleanup.

    Total Physical Memory: 495 MiB (512 MiB recommended).


    -- HijackThis (run as Owner.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:51:45 PM, on 2/6/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\slmdmsr.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\Owner\desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsbbs.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141944401843
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay103.hotmail.msn.com/activex/HMAtchmt.ocx
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe

    --
    End of file - 4949 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 RecAgent - c:\windows\system32\drivers\sldrv\recagent.sys <Not Verified; ; Modem>
    R1 BIOS - c:\windows\system32\drivers\bios.sys <Not Verified; BIOSTAR Group; BIOSTAR I/O driver fle>
    R3 SMBios (Intel (R) System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel (R) System Management BIOS Driver>

    S0 ssbgdcxf - c:\windows\system32\drivers\qeeeicen.dat (file missing)
    S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
    S3 CBTNDIS5 (CBTNDIS5 NDIS Protocol Driver) - c:\windows\system32\cbtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
    S3 iscFlash - c:\windows\system32\drivers\iscflash.sys (file missing)
    S3 Mtlmnt5 - c:\windows\system32\drivers\sldrv\mtlmnt5.sys <Not Verified; ; Modem>
    S3 Mtlstrm - c:\windows\system32\drivers\sldrv\mtlstrm.sys <Not Verified; ; Modem>
    S3 Slntamr (SmartLink AMR_PCI Driver) - c:\windows\system32\drivers\sldrv\slntamr.sys <Not Verified; ; Modem>
    S3 SlNtHal - c:\windows\system32\drivers\sldrv\slnthal.sys <Not Verified; ; Modem>
    S3 SlWdmSup - c:\windows\system32\drivers\sldrv\slwdmsup.sys <Not Verified; ; Modem>
    S3 SQTECH905C (DualCamera) - c:\windows\system32\drivers\capt905c.sys <Not Verified; Service & Quality Technology.; SQ905c>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 SLService (SmartLinkService) - slmdmsr.exe <Not Verified; ; Modem>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Process Modules -------------------------------------------------------------

    C:\WINDOWS\explorer.exe (pid 1392)
    2007-08-20 04:04:37 6058496 --a------ C:\WINDOWS\system32\ieframe.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2007-08-20 04:04:38 267776 --a------ C:\WINDOWS\system32\iertutil.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>


    -- Scheduled Tasks -------------------------------------------------------------

    2008-01-13 16:35:18 240 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job


    -- Files created between 2008-01-06 and 2008-02-06 -----------------------------

    2008-01-31 00:07:03 0 d-------- C:\Program Files\Windows Media Connect 2
    2008-01-31 00:04:40 0 d-------- C:\WINDOWS\system32\drivers\UMDF
    2008-01-30 13:14:24 0 d-------- C:\i386
    2008-01-29 09:39:42 0 d-------- C:\WINDOWS\system32\CatRoot2
    2008-01-28 07:14:12 0 d-------- C:\Documents and Settings\Owner\DoctorWeb
    2008-01-25 07:32:06 0 d-------- C:\Program Files\Trend Micro
    2008-01-17 11:05:50 0 d-------- C:\Program Files\Windows Live Safety Center
    2008-01-17 09:40:54 0 dr------- C:\Documents and Settings\LocalService\Favorites
    2008-01-17 09:30:24 428032 --a------ C:\WINDOWS\WRServices.dll <Not Verified; Webroot Software, Inc; >
    2008-01-17 09:30:24 0 d-------- C:\Program Files\Webroot
    2008-01-13 08:36:30 0 dr-h----- C:\$VAULT$.AVG
    2008-01-13 08:33:16 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2008-01-13 08:32:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-01-13 08:32:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-01-12 12:08:27 0 d-------- C:\Program Files\Enigma Software Group
    2008-01-11 12:37:42 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-01-11 12:32:56 0 d-------- C:\WINDOWS\system32\runtime
    2008-01-11 10:36:49 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
    2008-01-11 10:36:48 0 d-------- C:\Program Files\SpywareBlaster


    -- Find3M Report ---------------------------------------------------------------

    2008-02-07 17:13:05 0 d-------- C:\Program Files\Logitech
    2008-02-01 09:46:30 0 d-------- C:\Program Files\Kodak
    2008-01-30 13:14:07 5632 --ahs---- C:\Program Files\Thumbs.db
    2008-01-27 19:14:40 0 d-------- C:\Program Files\Google
    2008-01-20 10:47:37 0 d-------- C:\Program Files\Common Files
    2008-01-17 17:43:41 0 d-------- C:\Program Files\Java
    2008-01-13 10:53:27 0 d-------- C:\Program Files\QuickTime
    2008-01-10 17:42:18 56264 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
    2008-01-03 02:08:49 0 d-------- C:\Documents and Settings\Owner\Application Data\Google
    2008-01-02 17:05:42 126976 --a------ C:\WINDOWS\system32\unzdll.dll <Not Verified; ; BCB/Delphi UnZip>
    2008-01-02 17:05:41 0 d-------- C:\Program Files\Gateway
    2008-01-02 16:37:05 22720 --a------ C:\WINDOWS\system32\emptyregdb.dat
    2007-12-23 22:04:22 618 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2007-12-23 20:44:05 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-12-09 23:06:42 0 d-------- C:\Program Files\LimeWire


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [12/24/2007 08:14 AM]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/24/2007 01:57 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [01/12/2008 12:20 PM]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages "= scecli

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca291ff0-c325-11da-84c1-806d6172696f}]
    play\Command- "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L "




    -- End of Deckard's System Scanner: finished at 2008-02-06 19:53:49 ------------
     
  21. 2008/02/06
    Vicki

    Vicki Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    411
    Likes Received:
    8
    Extra Text

    Here's the extra text scan:

    Deckard's System Scanner v20071014.68
    Run by Owner on 2008-02-06 19:51:21
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    156: 2008-02-07 01:51:27 UTC - RP168 - Deckard's System Scanner Restore Point
    155: 2008-02-06 18:43:41 UTC - RP167 - System Checkpoint
    154: 2008-02-04 23:18:56 UTC - RP166 - System Checkpoint
    153: 2008-02-01 13:36:27 UTC - RP165 - System Checkpoint
    152: 2008-01-31 13:20:28 UTC - RP164 - System Checkpoint


    -- First Restore Point --
    1: 2007-12-22 00:18:01 UTC - RP13 - System Checkpoint


    Performed disk cleanup.

    Total Physical Memory: 495 MiB (512 MiB recommended).


    -- HijackThis (run as Owner.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:51:45 PM, on 2/6/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\slmdmsr.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\Owner\desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsbbs.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141944401843
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay103.hotmail.msn.com/activex/HMAtchmt.ocx
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe

    --
    End of file - 4949 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 RecAgent - c:\windows\system32\drivers\sldrv\recagent.sys <Not Verified; ; Modem>
    R1 BIOS - c:\windows\system32\drivers\bios.sys <Not Verified; BIOSTAR Group; BIOSTAR I/O driver fle>
    R3 SMBios (Intel (R) System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel (R) System Management BIOS Driver>

    S0 ssbgdcxf - c:\windows\system32\drivers\qeeeicen.dat (file missing)
    S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
    S3 CBTNDIS5 (CBTNDIS5 NDIS Protocol Driver) - c:\windows\system32\cbtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
    S3 iscFlash - c:\windows\system32\drivers\iscflash.sys (file missing)
    S3 Mtlmnt5 - c:\windows\system32\drivers\sldrv\mtlmnt5.sys <Not Verified; ; Modem>
    S3 Mtlstrm - c:\windows\system32\drivers\sldrv\mtlstrm.sys <Not Verified; ; Modem>
    S3 Slntamr (SmartLink AMR_PCI Driver) - c:\windows\system32\drivers\sldrv\slntamr.sys <Not Verified; ; Modem>
    S3 SlNtHal - c:\windows\system32\drivers\sldrv\slnthal.sys <Not Verified; ; Modem>
    S3 SlWdmSup - c:\windows\system32\drivers\sldrv\slwdmsup.sys <Not Verified; ; Modem>
    S3 SQTECH905C (DualCamera) - c:\windows\system32\drivers\capt905c.sys <Not Verified; Service & Quality Technology.; SQ905c>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 SLService (SmartLinkService) - slmdmsr.exe <Not Verified; ; Modem>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Process Modules -------------------------------------------------------------

    C:\WINDOWS\explorer.exe (pid 1392)
    2007-08-20 04:04:37 6058496 --a------ C:\WINDOWS\system32\ieframe.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2007-08-20 04:04:38 267776 --a------ C:\WINDOWS\system32\iertutil.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>


    -- Scheduled Tasks -------------------------------------------------------------

    2008-01-13 16:35:18 240 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job


    -- Files created between 2008-01-06 and 2008-02-06 -----------------------------

    2008-01-31 00:07:03 0 d-------- C:\Program Files\Windows Media Connect 2
    2008-01-31 00:04:40 0 d-------- C:\WINDOWS\system32\drivers\UMDF
    2008-01-30 13:14:24 0 d-------- C:\i386
    2008-01-29 09:39:42 0 d-------- C:\WINDOWS\system32\CatRoot2
    2008-01-28 07:14:12 0 d-------- C:\Documents and Settings\Owner\DoctorWeb
    2008-01-25 07:32:06 0 d-------- C:\Program Files\Trend Micro
    2008-01-17 11:05:50 0 d-------- C:\Program Files\Windows Live Safety Center
    2008-01-17 09:40:54 0 dr------- C:\Documents and Settings\LocalService\Favorites
    2008-01-17 09:30:24 428032 --a------ C:\WINDOWS\WRServices.dll <Not Verified; Webroot Software, Inc; >
    2008-01-17 09:30:24 0 d-------- C:\Program Files\Webroot
    2008-01-13 08:36:30 0 dr-h----- C:\$VAULT$.AVG
    2008-01-13 08:33:16 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2008-01-13 08:32:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-01-13 08:32:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-01-12 12:08:27 0 d-------- C:\Program Files\Enigma Software Group
    2008-01-11 12:37:42 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-01-11 12:32:56 0 d-------- C:\WINDOWS\system32\runtime
    2008-01-11 10:36:49 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
    2008-01-11 10:36:48 0 d-------- C:\Program Files\SpywareBlaster


    -- Find3M Report ---------------------------------------------------------------

    2008-02-07 17:13:05 0 d-------- C:\Program Files\Logitech
    2008-02-01 09:46:30 0 d-------- C:\Program Files\Kodak
    2008-01-30 13:14:07 5632 --ahs---- C:\Program Files\Thumbs.db
    2008-01-27 19:14:40 0 d-------- C:\Program Files\Google
    2008-01-20 10:47:37 0 d-------- C:\Program Files\Common Files
    2008-01-17 17:43:41 0 d-------- C:\Program Files\Java
    2008-01-13 10:53:27 0 d-------- C:\Program Files\QuickTime
    2008-01-10 17:42:18 56264 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
    2008-01-03 02:08:49 0 d-------- C:\Documents and Settings\Owner\Application Data\Google
    2008-01-02 17:05:42 126976 --a------ C:\WINDOWS\system32\unzdll.dll <Not Verified; ; BCB/Delphi UnZip>
    2008-01-02 17:05:41 0 d-------- C:\Program Files\Gateway
    2008-01-02 16:37:05 22720 --a------ C:\WINDOWS\system32\emptyregdb.dat
    2007-12-23 22:04:22 618 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2007-12-23 20:44:05 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-12-09 23:06:42 0 d-------- C:\Program Files\LimeWire


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [12/24/2007 08:14 AM]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/24/2007 01:57 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [01/12/2008 12:20 PM]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages "= scecli

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca291ff0-c325-11da-84c1-806d6172696f}]
    play\Command- "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L "




    -- End of Deckard's System Scanner: finished at 2008-02-06 19:53:49 ------------
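The Drivers and Services sections of the log above are what a malware-removal helper reads first: `S0 ssbgdcxf - c:\windows\system32\drivers\qeeeicen.dat (file missing)` is a boot-start entry whose image is gone, with an eight-consonant name and a .dat image under the drivers folder, which is exactly the shape of entry a helper asks about before anything else. The script below is an added example and is not part of Vicki's post or of Deckard's System Scanner; it parses those two sections and lists the entries that trip a few heuristics normally applied by eye (boot- or system-start entry with a missing image, non-.sys image under the drivers directory, image loaded from a temp folder, random-looking lowercase name). The embedded sample log is constructed from lines of the post, the line format and the heuristics are the script's own reading of DSS output, and a hit is a reason to look closer, not a verdict: catchme.sys in the temp folder, for instance, is what the catchme rootkit scanner bundled with GMER and ComboFix leaves behind, and it trips the temp heuristic anyway.

```python
# Triage helper for the Drivers/Services sections of a Deckard's System Scanner log.
# Added example for this thread, not part of the post or of DSS; the heuristics are
# the script's own and mark entries to examine by hand, not a verdict.
import re
from typing import Dict, List, Optional

# One DSS driver/service line: R=running/S=stopped, start type 0-4, service name,
# optional "(Display Name)", " - ", image path, then "<verify info>" or "(file missing)".
# Display names and paths may themselves contain spaces and parentheses.
ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>\S+)"
    r"(?:\s+\((?P<display>.*?)\))?\s+-\s+"
    r"(?P<path>.*?)"
    r"(?:\s+<(?P<verify>[^>]*)>|\s+\((?P<missing>file missing)\))?\s*$"
)
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# Constructed sample: a handful of lines in the shape of the log posted above.
SAMPLE_LOG = r"""
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 RecAgent - c:\windows\system32\drivers\sldrv\recagent.sys <Not Verified; ; Modem>
R3 SMBios (Intel (R) System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel (R) System Management BIOS Driver>

S0 ssbgdcxf - c:\windows\system32\drivers\qeeeicen.dat (file missing)
S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
S3 CBTNDIS5 (CBTNDIS5 NDIS Protocol Driver) - c:\windows\system32\cbtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 iscFlash - c:\windows\system32\drivers\iscflash.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 SLService (SmartLinkService) - slmdmsr.exe <Not Verified; ; Modem>

-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
"""

def parse_entry(line: str) -> Optional[Dict]:
    """Parse one driver/service line; None for anything else (e.g. HijackThis R0/R1 lines)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {"running": m.group("state") == "R", "start": int(m.group("start")),
            "name": m.group("name"), "display": m.group("display"), "path": m.group("path"),
            "missing": m.group("missing") is not None, "verify": m.group("verify")}

def looks_random(name: str) -> bool:
    """All-lowercase letters with (almost) no vowels, as some droppers generate.  Weak on
    its own: vendor drivers such as Mtlstrm also lack vowels but carry mixed case."""
    if not (name.isalpha() and name.islower() and len(name) >= 6):
        return False
    return sum(ch in "aeiouy" for ch in name) / len(name) < 0.2

def reasons_for(entry: Dict) -> List[str]:
    """Heuristics a removal helper applies by eye; each hit is a reason to look closer."""
    reasons = []
    path = entry["path"].lower().replace("/", "\\")
    if entry["missing"] and entry["start"] <= 1:
        reasons.append("boot/system-start entry whose image file is gone")
    elif entry["missing"]:
        reasons.append("image file missing")
    if "\\drivers\\" in path and not path.endswith(".sys"):
        reasons.append("non-.sys image under the drivers directory")
    if "\\temp\\" in path:
        reasons.append("image loaded from a temp directory")
    if looks_random(entry["name"]):
        reasons.append("random-looking service name")
    return reasons

def triage(log_text: str) -> List[Dict]:
    """Entries from the Drivers/Services sections that trip a heuristic, most suspicious first."""
    findings, section = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("-- "):                 # DSS section header, e.g. "-- Drivers: ..."
            section = line[3:].split(":")[0]
            continue
        if section not in ("Drivers", "Services"):
            continue
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    findings.sort(key=lambda e: (-len(e["reasons"]), e["start"], e["name"]))
    return findings

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['name']:<10} start={START_TYPES[e['start']]:<8} {e['path']}")
        for r in e["reasons"]:
            print("    -", r)
```

Run as a script it prints the findings for the embedded sample, with ssbgdcxf first on three hits, catchme second on two, and iscFlash last on the missing file alone; `triage()` accepts the full text of a saved main.txt, and the section tracking keeps it from mis-reading HijackThis `R0 -`/`R1 -` lines as driver entries. The "Not Verified" tag is deliberately not used as a signal, because on this Windows XP box DSS attaches it to nearly every third-party driver, legitimate or not.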
     
