
Mal/Behav-010 seems to be re-installing itself...


Post by lowlead » October 13th, 2007, 12:19 pm

Thanks very much in advance for your help. I have followed the appropriate instructions, and I will seek help in this forum only.

This malware was detected by Webroot SpySweeper with Anti-Virus, but it keeps returning after each quarantine. The most noteworthy action I was forced to take was to re-install the driver for my wireless network card in order to regain wireless connectivity. Occasionally the Webroot startup dialogue box will also tell me my subscription has expired even though I'm current until Feb '08.

My job takes me on the road for several days at a time and internet access is spotty at times. I will, however, do my very best to log in as often as possible to follow your instructions.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:29 PM, on 10/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\RAMASST.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Toshiba\ConfigFree\CFSServ.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"
O4 - HKLM\..\Run: [Tvs] "C:\Program Files\Toshiba\Tvs\TvsTray.exe"
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TouchED] "C:\Program Files\TOSHIBA\TouchED\TouchED.Exe"
O4 - HKLM\..\Run: [DDWMon] "C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] "C:\Program Files\Picasa2\PicasaMediaDetector.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SystemTraySD] "C:\Program Files\SpywareDetector\SDSystemTray.exe" -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] "C:\Program Files\SpywareDetector\LiveUpdateSD.exe" -AUTO
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4661257500
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9947 bytes
lowlead
Active Member
 
Posts: 5
Joined: October 13th, 2007, 10:06 am
Location: Downeast

Post by askey127 » October 14th, 2007, 7:54 am

Your log actually looks pretty clean.
------------------------------------------------------
Spybot's TeaTimer will attempt to re-install many things you try to change.
-------------------------------------------------------------------
Disable Spybot's TeaTimer. This is a two-step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the older version 1.4, Click on Exit Spybot S&D Resident
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
Second step, for either version:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
-----------------------------------------------------------
I don't usually recommend removing a program you may have paid for, but in this case, there may be some interference, and Spyware Detector is not of much use, relative to your SpySweeper package.
Use Add/Remove Programs In Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove:

Spyware Detector

Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into Keeping the program.
------------------------------------------------------
Let's do one more scan to double-check:
Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it. Save it to your desktop.
  • Click the Format menu and make sure that Wordwrap is unchecked.
  • Copy/Paste the entire contents in your Reply.

If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Let me know how it goes.
askey127
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Post by lowlead » October 15th, 2007, 8:28 am

So far so good, askey127.

The startup is much more streamlined, without the annoying registry change notifications.

I am, however, having trouble removing Spyware Detector (free version). When I select remove in Add/Remove programs, I get a dialogue box saying, An error occurred while trying to remove Spyware Detector. It may have already been uninstalled. Would You like to remove Spyware Detector from the Add or Remove programs list?

You see, I tried to remove this earlier as it was causing a lot of interference as you predicted. Even if I attempt to remove Spyware Detector file by file from the program files folder, there are files that cannot be removed because they are "in use" etc... For your reference, I completely exited Spyware Detector before attempting removal.

Before proceeding with your last download suggestion, should we try to eliminate Spyware Detector first?

-Matt
lowlead
Active Member
 
Posts: 5
Joined: October 13th, 2007, 10:06 am
Location: Downeast

Post by askey127 » October 15th, 2007, 8:43 am

lowlead,

Ok. Let's get rid of the Spyware Detector startups first, then remove it. It's all part of its sleazy past.
-----------------------------------------------------------
Remove log items with HijackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

O4 - HKLM\..\Run: [SystemTraySD] "C:\Program Files\SpywareDetector\SDSystemTray.exe" -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] "C:\Program Files\SpywareDetector\LiveUpdateSD.exe" -AUTO

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
REBOOT Your Computer
-----------------------------------------------------------
Folder Deletion
In Windows Explorer (My Computer), navigate to the folder shown below, highlight the folder if found, and press Delete.

C:\Program Files\Spyware Detector\

You may have to first open the folder, choose View, Details, and delete all the underlying files and folders before an entire folder can be deleted.
If you need to delete underlying files in a folder and are unable to do so:
Right click the file set for deletion, and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the exact filename is in there, highlight it and click End Process, then retry Delete.
Please Note the name and location of any item you cannot delete, or any file not found.
------------------------------------------------------
Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it. Save it to your desktop.
  • Click the Format menu and make sure that Wordwrap is not checked.
  • Copy/Paste the entire report in your Reply.
If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
askey127
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
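
As an added example (not from this thread, and not code from the HijackThis or WinPFind3u projects): a small Python parser for the O4 autostart and O23 service lines of a HijackThis log. It pulls out every entry whose executable sits inside a given program folder, which is what askey127 does by hand above for Spyware Detector, and flags entries whose file is already gone, the condition WinPFind3u prints as "File not found". The sample log lines are constructed in the style of the log posted in this thread, and the regular expressions are my own approximation of the log format.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed sample in HijackThis v2 log format (O4 = autostart entries,
# O23 = non-Microsoft services), mirroring the lines posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SystemTraySD] "C:\Program Files\SpywareDetector\SDSystemTray.exe" -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] "C:\Program Files\SpywareDetector\LiveUpdateSD.exe" -AUTO
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
"""


@dataclass
class Entry:
    kind: str        # "O4" (autostart) or "O23" (service)
    location: str    # e.g. "HKLM\..\Run", "Global Startup", or the service name
    name: str        # Run value name, .lnk name, or service display name
    path: str        # executable as written in the log (may be a bare filename)
    args: str = ""
    line: str = ""   # original log line, the thing you tick for "Fix checked"


# Approximations of the HijackThis line formats (my own regexes, not HJT's).
O4_REG_RE = re.compile(
    r"^O4 - (?P<loc>(?:HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(
    r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<svc>[^()]+)\))? - (?P<company>.+?) - (?P<path>.+)$")


def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the executable from its arguments.

    Quoted commands are unambiguous. For unquoted ones (HJT writes
    C:\Program Files\... without quotes) we cut after the first ".exe";
    a heuristic, but it holds for every line in the posted log."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    return cmd, ""


def parse_hjt(text: str) -> List[Entry]:
    """Parse the O4 and O23 lines of a HijackThis log; other sections are ignored."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        line = line.strip()
        m = O4_REG_RE.match(line) or O4_STARTUP_RE.match(line)
        if m:
            path, args = split_command(m.group("cmd"))
            entries.append(Entry("O4", m.group("loc"), m.group("name"), path, args, line))
            continue
        m = O23_RE.match(line)
        if m:
            svc = m.group("svc") or m.group("display")
            entries.append(Entry("O23", svc, m.group("display"), m.group("path").strip(), "", line))
    return entries


def under_folder(entries: List[Entry], folder: str) -> List[Entry]:
    """Entries whose executable lives inside `folder` (case-insensitive, as on NTFS)."""
    prefix = folder.lower().rstrip("\\") + "\\"
    return [e for e in entries if e.path.lower().startswith(prefix)]


def orphaned(entries: List[Entry], exists: Callable[[str], bool] = os.path.exists) -> List[Entry]:
    """Entries pointing at a file that no longer exists (WinPFind3u's "File not found").
    Bare filenames are skipped because Windows resolves them via PATH/System32."""
    return [e for e in entries if "\\" in e.path and not exists(e.path)]


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    leftovers = under_folder(entries, r"C:\Program Files\SpywareDetector")
    print("Spyware Detector entries to fix in HijackThis:")
    for e in leftovers:
        print("  ", e.line)
    # Constructed state: the folder has been deleted except for one locked file.
    still_present = {r"C:\Program Files\SpywareDetector\SDSystemTray.exe"}
    gone = orphaned(leftovers, lambda p: p in still_present)
    print("Entries whose file is already gone:", [e.name for e in gone])
```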

Post by lowlead » October 15th, 2007, 9:06 am

Done...

WinPFind3 logfile created on: 10/15/2007 9:00:01 AM
WinPFind3U by OldTimer - Version 1.0.42 Folder = C:\Documents and Settings\Matthew Sekerak\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)

1015.17 Mb Total Physical Memory | 593.96 Mb Available Physical Memory | 58.51% Memory free
2.39 Gb Paging File | 2.08 Gb Available in Paging File | 87.15% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 92.97 Gb Total Space | 79.08 Gb Free Space | 85.06% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: TOSHIBA
Current User Name: Matthew Sekerak
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
00thotkey.exe -> %System32%\00THotkey.exe -> TOSHIBA Corporation [Ver = 1, 2, 0, 2 | Size = 258048 bytes | Modified Date = 7/5/2006 3:14:30 PM | Attr = ]
agrsmmsg.exe -> %SystemRoot%\agrsmmsg.exe -> Agere Systems [Ver = 2.1.63 2.1.63 12/12/2005 14:50:01 | Size = 88204 bytes | Modified Date = 12/13/2005 10:50:02 AM | Attr = ]
apntex.exe -> %ProgramFiles%\Apoint2K\ApntEx.exe -> Alps Electric Co., Ltd. [Ver = 5.0.1.15 | Size = 45056 bytes | Modified Date = 2/26/2003 2:08:42 PM | Attr = ]
apoint.exe -> %ProgramFiles%\Apoint2K\Apoint.exe -> Alps Electric Co., Ltd. [Ver = 6.0.2.186 | Size = 196608 bytes | Modified Date = 3/24/2004 1:40:42 AM | Attr = ]
applemobiledeviceservice.exe -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> Apple, Inc. [Ver = 1, 12, 0, 0 | Size = 106496 bytes | Modified Date = 6/28/2007 4:06:52 AM | Attr = ]
cfsvcs.exe -> %ProgramFiles%\Toshiba\ConfigFree\CFSvcs.exe -> TOSHIBA CORPORATION [Ver = 6, 0, 0, 1 | Size = 40960 bytes | Modified Date = 1/17/2005 7:38:38 PM | Attr = ]
ddwmon.exe -> %ProgramFiles%\Toshiba\TOSHIBA Direct Disc Writer\DDWMon.exe -> TOSHIBA Corporation [Ver = 1.0.0.9 | Size = 299008 bytes | Modified Date = 4/25/2006 8:57:00 PM | Attr = ]
dvdramsv.exe -> %System32%\DVDRAMSV.exe -> Matsushita Electric Industrial Co., Ltd. [Ver = 3, 0, 0, 0 | Size = 110592 bytes | Modified Date = 8/28/2004 3:33:00 AM | Attr = ]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 6/21/2007 6:08:02 AM | Attr = ]
hkcmd.exe -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4631 | Size = 77824 bytes | Modified Date = 6/30/2006 3:55:22 PM | Attr = ]
igfxpers.exe -> %System32%\igfxpers.exe -> Intel Corporation [Ver = 3.0.0.4631 | Size = 118784 bytes | Modified Date = 6/30/2006 3:59:20 PM | Attr = ]
igfxtray.exe -> %System32%\igfxtray.exe -> Intel Corporation [Ver = 3.0.0.4631 | Size = 94208 bytes | Modified Date = 6/30/2006 3:58:38 PM | Attr = ]
ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Inc. [Ver = 7.3.2.6 | Size = 501048 bytes | Modified Date = 7/31/2007 6:44:34 PM | Attr = ]
ituneshelper.exe -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Inc. [Ver = 7.3.2.6 | Size = 271672 bytes | Modified Date = 7/31/2007 6:44:42 PM | Attr = ]
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_02\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 132496 bytes | Modified Date = 7/12/2007 4:00:36 AM | Attr = ]
ltmoh.exe -> %ProgramFiles%\ltmoh\ltmoh.exe -> Agere Systems [Ver = 1.75 | Size = 184320 bytes | Modified Date = 8/18/2004 6:37:44 AM | Attr = ]
padexe.exe -> %ProgramFiles%\Toshiba\Touch and Launch\PadExe.exe -> TOSHIBA [Ver = 1, 2, 10, 0 | Size = 1077322 bytes | Modified Date = 12/6/2005 1:06:10 AM | Attr = ]
picasamediadetector.exe -> %ProgramFiles%\Picasa2\PicasaMediaDetector.exe -> Google Inc. [Ver = 2.6.35.970 | Size = 366400 bytes | Modified Date = 12/11/2006 8:36:32 PM | Attr = ]
pinger.exe -> %SystemDrive%\TOSHIBA\IVP\ISM\pinger.exe -> TOSHIBA Corporation [Ver = 3.7.0.0 | Size = 151552 bytes | Modified Date = 3/17/2005 8:37:26 PM | Attr = ]
psqltray.exe -> %ProgramFiles%\Protector Suite QL\psqltray.exe -> UPEK Inc. [Ver = 5.4.0.2934 | Size = 46592 bytes | Modified Date = 5/5/2006 8:39:54 PM | Attr = ]
ramasst.exe -> %System32%\RAMASST.exe -> Matsushita Electric Industrial Co., Ltd. [Ver = 1, 1, 0, 0 | Size = 155648 bytes | Modified Date = 8/28/2004 3:37:00 AM | Attr = ]
reader_sl.exe -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 9/23/2005 10:05:26 PM | Attr = ]
smax4pnp.exe -> %ProgramFiles%\Analog Devices\Core\smax4pnp.exe -> Analog Devices, Inc. [Ver = 6, 0, 0, 20 | Size = 925696 bytes | Modified Date = 5/20/2005 11:11:06 AM | Attr = ]
smoothview.exe -> %ProgramFiles%\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe -> TOSHIBA Corporation [Ver = 2, 0, 0, 23 | Size = 122880 bytes | Modified Date = 4/26/2005 7:13:20 PM | Attr = ]
spysweeper.exe -> %ProgramFiles%\Webroot\Spy Sweeper\SpySweeper.exe -> Webroot Software, Inc. [Ver = 3,5,6,56 | Size = 3564344 bytes | Modified Date = 7/19/2007 10:54:28 PM | Attr = ]
spysweeperui.exe -> %ProgramFiles%\Webroot\Spy Sweeper\SpySweeperUI.exe -> Webroot Software, Inc. [Ver = 5,5,7,48 | Size = 5361464 bytes | Modified Date = 7/19/2007 10:54:32 PM | Attr = ]
swupdtmr.exe -> %SystemDrive%\TOSHIBA\IVP\swupdate\swupdtmr.exe -> [Ver = | Size = 40960 bytes | Modified Date = 7/12/2005 8:14:42 PM | Attr = ]
tfnf5.exe -> %System32%\TFNF5.exe -> TOSHIBA Corp. [Ver = 3, 4, 4, 1 | Size = 593920 bytes | Modified Date = 3/16/2006 8:34:48 PM | Attr = ]
thpsrv.exe -> %System32%\ThpSrv.exe -> TOSHIBA Corporation [Ver = 1, 1, 8, 4 | Size = 176128 bytes | Modified Date = 12/20/2005 3:46:20 PM | Attr = ]
toddsrv.exe -> %System32%\TODDSrv.exe -> TOSHIBA Corporation [Ver = 1, 0, 0, 3 | Size = 114688 bytes | Modified Date = 5/25/2006 9:30:16 PM | Attr = ]
toscdspd.exe -> %ProgramFiles%\Toshiba\TOSCDSPD\TOSCDSPD.exe -> TOSHIBA [Ver = 1, 0, 6, 0 | Size = 65536 bytes | Modified Date = 12/30/2004 3:32:20 AM | Attr = ]
toshkcw.exe -> %ProgramFiles%\Toshiba\Wireless Hotkey\TosHKCW.exe -> TOSHIBA CORPORATION [Ver = 2, 1, 0, 2 | Size = 49152 bytes | Modified Date = 5/17/2005 2:42:02 PM | Attr = ]
touched.exe -> %ProgramFiles%\Toshiba\TouchED\TouchED.exe -> TOSHIBA Corporation [Ver = 2, 5, 1, 0 | Size = 126976 bytes | Modified Date = 6/28/2005 11:43:00 PM | Attr = ]
tpsbattm.exe -> %System32%\TPSBattM.exe -> TOSHIBA Corporation [Ver = 1, 0, 3, 0 | Size = 45056 bytes | Modified Date = 4/24/2006 10:54:04 PM | Attr = ]
tpsmain.exe -> %System32%\TPSMain.exe -> TOSHIBA Corporation [Ver = 1, 0, 23, 0 | Size = 315392 bytes | Modified Date = 4/24/2006 10:54:12 PM | Attr = ]
tpsoddctl.exe -> %System32%\TPSODDCtl.exe -> TOSHIBA Corporation [Ver = 1, 0, 15, 0 | Size = 110592 bytes | Modified Date = 4/24/2006 10:54:14 PM | Attr = ]
tvstray.exe -> %ProgramFiles%\Toshiba\Tvs\TvsTray.exe -> TOSHIBA Corporation [Ver = 1, 0, 0, 7 | Size = 73728 bytes | Modified Date = 2/2/2006 3:11:38 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 9/4/2007 10:47:26 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Apple Mobile Device) Apple Mobile Device [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> Apple, Inc. [Ver = 1, 12, 0, 0 | Size = 106496 bytes | Modified Date = 6/28/2007 4:06:52 AM | Attr = ]
(CFSvcs) ConfigFree Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Toshiba\ConfigFree\CFSvcs.exe -> TOSHIBA CORPORATION [Ver = 6, 0, 0, 1 | Size = 40960 bytes | Modified Date = 1/17/2005 7:38:38 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/10/2004 8:00:00 AM | Attr = ]
(DVD-RAM_Service) DVD-RAM_Service [Win32_Own | Auto | Running] -> %System32%\DVDRAMSV.exe -> Matsushita Electric Industrial Co., Ltd. [Ver = 3, 0, 0, 0 | Size = 110592 bytes | Modified Date = 8/28/2004 3:33:00 AM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 2/3/2007 7:13:08 PM | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\1050\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 10.50.125 | Size = 73728 bytes | Modified Date = 10/22/2004 6:24:18 AM | Attr = ]
(idsvc) Windows CardSpace [Win32_Shared | Unknown | Stopped] -> -> File not found
(iPod Service) iPod Service [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Inc. [Ver = 7.3.2.6 | Size = 501048 bytes | Modified Date = 7/31/2007 6:44:34 PM | Attr = ]
(SDService) SDService [Win32_Own | Auto | Stopped] -> %ProgramFiles%\SpywareDetector\SDService.exe -> File not found
(Swupdtmr) Swupdtmr [Win32_Own | Auto | Running] -> %SystemDrive%\TOSHIBA\IVP\swupdate\swupdtmr.exe -> [Ver = | Size = 40960 bytes | Modified Date = 7/12/2005 8:14:42 PM | Attr = ]
(Thpsrv) TOSHIBA HDD Protection [Win32_Shared | Auto | Running] -> %System32%\ThpSrv.exe -> TOSHIBA Corporation [Ver = 1, 1, 8, 4 | Size = 176128 bytes | Modified Date = 12/20/2005 3:46:20 PM | Attr = ]
(TODDSrv) TOSHIBA Optical Disc Drive Service [Win32_Own | Auto | Running] -> %System32%\TODDSrv.exe -> TOSHIBA Corporation [Ver = 1, 0, 0, 3 | Size = 114688 bytes | Modified Date = 5/25/2006 9:30:16 PM | Attr = ]
(WebrootSpySweeperService) Webroot Spy Sweeper Engine [Win32_Own | Auto | Running] -> %ProgramFiles%\Webroot\Spy Sweeper\SpySweeper.exe -> Webroot Software, Inc. [Ver = 3,5,6,56 | Size = 3564344 bytes | Modified Date = 7/19/2007 10:54:28 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
000StTHK -> %System32%\000StTHK.exe -> [Ver = | Size = 24576 bytes | Modified Date = 6/23/2001 7:28:00 AM | Attr = ]
00THotkey -> %System32%\00THotkey.exe -> TOSHIBA Corporation [Ver = 1, 2, 0, 2 | Size = 258048 bytes | Modified Date = 7/5/2006 3:14:30 PM | Attr = ]
AGRSMMSG -> %SystemRoot%\agrsmmsg.exe -> Agere Systems [Ver = 2.1.63 2.1.63 12/12/2005 14:50:01 | Size = 88204 bytes | Modified Date = 12/13/2005 10:50:02 AM | Attr = ]
Apoint -> %ProgramFiles%\Apoint2K\Apoint.exe -> Alps Electric Co., Ltd. [Ver = 6.0.2.186 | Size = 196608 bytes | Modified Date = 3/24/2004 1:40:42 AM | Attr = ]
DDWMon -> %ProgramFiles%\Toshiba\TOSHIBA Direct Disc Writer\DDWMon.exe -> TOSHIBA Corporation [Ver = 1.0.0.9 | Size = 299008 bytes | Modified Date = 4/25/2006 8:57:00 PM | Attr = ]
igfxhkcmd -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4631 | Size = 77824 bytes | Modified Date = 6/30/2006 3:55:22 PM | Attr = ]
igfxpers -> %System32%\igfxpers.exe -> Intel Corporation [Ver = 3.0.0.4631 | Size = 118784 bytes | Modified Date = 6/30/2006 3:59:20 PM | Attr = ]
igfxtray -> %System32%\igfxtray.exe -> Intel Corporation [Ver = 3.0.0.4631 | Size = 94208 bytes | Modified Date = 6/30/2006 3:58:38 PM | Attr = ]
iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Inc. [Ver = 7.3.2.6 | Size = 271672 bytes | Modified Date = 7/31/2007 6:44:42 PM | Attr = ]
LtMoh -> %ProgramFiles%\ltmoh\ltmoh.exe -> Agere Systems [Ver = 1.75 | Size = 184320 bytes | Modified Date = 8/18/2004 6:37:44 AM | Attr = ]
PadTouch -> %ProgramFiles%\Toshiba\Touch and Launch\PadExe.exe -> TOSHIBA [Ver = 1, 2, 10, 0 | Size = 1077322 bytes | Modified Date = 12/6/2005 1:06:10 AM | Attr = ]
Picasa Media Detector -> %ProgramFiles%\Picasa2\PicasaMediaDetector.exe -> Google Inc. [Ver = 2.6.35.970 | Size = 366400 bytes | Modified Date = 12/11/2006 8:36:32 PM | Attr = ]
Pinger -> %SystemDrive%\TOSHIBA\IVP\ISM\pinger.exe -> TOSHIBA Corporation [Ver = 3.7.0.0 | Size = 151552 bytes | Modified Date = 3/17/2005 8:37:26 PM | Attr = ]
PSQLLauncher -> %ProgramFiles%\Protector Suite QL\launcher.exe -> UPEK Inc. [Ver = 5.4.0.2934 | Size = 30208 bytes | Modified Date = 5/5/2006 8:36:28 PM | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\QTTask.exe -> Apple Inc. [Ver = 7.2 | Size = 286720 bytes | Modified Date = 6/29/2007 6:24:52 AM | Attr = ]
SmoothView -> %ProgramFiles%\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe -> TOSHIBA Corporation [Ver = 2, 0, 0, 23 | Size = 122880 bytes | Modified Date = 4/26/2005 7:13:20 PM | Attr = ]
SoundMAX -> %ProgramFiles%\Analog Devices\SoundMAX\SMax4.exe -> Analog Devices, Inc. [Ver = 5, 2, 0, 8 | Size = 716800 bytes | Modified Date = 5/6/2005 5:06:00 PM | Attr = ]
SoundMAXPnP -> %ProgramFiles%\Analog Devices\Core\smax4pnp.exe -> Analog Devices, Inc. [Ver = 6, 0, 0, 20 | Size = 925696 bytes | Modified Date = 5/20/2005 11:11:06 AM | Attr = ]
SpySweeper -> %ProgramFiles%\Webroot\Spy Sweeper\SpySweeperUI.exe -> Webroot Software, Inc. [Ver = 5,5,7,48 | Size = 5361464 bytes | Modified Date = 7/19/2007 10:54:32 PM | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_02\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 132496 bytes | Modified Date = 7/12/2007 4:00:36 AM | Attr = ]
TFNF5 -> %System32%\TFNF5.exe -> TOSHIBA Corp. [Ver = 3, 4, 4, 1 | Size = 593920 bytes | Modified Date = 3/16/2006 8:34:48 PM | Attr = ]
TOSDCR -> %System32%\TOSDCR.exe -> TOSHIBA Corporation [Ver = 1, 0, 0, 9 | Size = 57344 bytes | Modified Date = 12/13/2005 1:54:44 PM | Attr = ]
TosHKCW.exe -> %ProgramFiles%\Toshiba\Wireless Hotkey\TosHKCW.exe -> TOSHIBA CORPORATION [Ver = 2, 1, 0, 2 | Size = 49152 bytes | Modified Date = 5/17/2005 2:42:02 PM | Attr = ]
TouchED -> %ProgramFiles%\Toshiba\TouchED\TouchED.exe -> TOSHIBA Corporation [Ver = 2, 5, 1, 0 | Size = 126976 bytes | Modified Date = 6/28/2005 11:43:00 PM | Attr = ]
TPSMain -> %System32%\TPSMain.exe -> TOSHIBA Corporation [Ver = 1, 0, 23, 0 | Size = 315392 bytes | Modified Date = 4/24/2006 10:54:12 PM | Attr = ]
TPSODDCtl -> %System32%\TPSODDCtl.exe -> TOSHIBA Corporation [Ver = 1, 0, 15, 0 | Size = 110592 bytes | Modified Date = 4/24/2006 10:54:14 PM | Attr = ]
Tvs -> %ProgramFiles%\Toshiba\Tvs\TvsTray.exe -> TOSHIBA Corporation [Ver = 1, 0, 0, 7 | Size = 73728 bytes | Modified Date = 2/2/2006 3:11:38 PM | Attr = ]
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 6/21/2007 6:08:02 AM | Attr = ]
TOSCDSPD -> %ProgramFiles%\Toshiba\TOSCDSPD\TOSCDSPD.exe -> TOSHIBA [Ver = 1, 0, 6, 0 | Size = 65536 bytes | Modified Date = 12/30/2004 3:32:20 AM | Attr = ]
updateMgr -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe -> Adobe Systems Incorporated [Ver = 3.1.0.10 | Size = 313472 bytes | Modified Date = 3/30/2006 4:45:08 PM | Attr = R ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersStartup%\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 9/23/2005 10:05:26 PM | Attr = ]
%AllUsersStartup%\RAMASST.lnk -> %System32%\RAMASST.exe -> Matsushita Electric Industrial Co., Ltd. [Ver = 1, 1, 0, 0 | Size = 155648 bytes | Modified Date = 8/28/2004 3:37:00 AM | Attr = ]
< AppInit_DLLs [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs ->
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls ->
C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL -> %ProgramFiles%\Google\Google Desktop Search\GoogleDesktopNetwork3.dll -> Google [Ver = 4.2006.627.443 | Size = 135680 bytes | Modified Date = 8/18/2006 10:52:00 PM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
igfxcui -> %System32%\igfxdev.dll -> Intel Corporation [Ver = 3.0.0.4631 | Size = 139264 bytes | Modified Date = 6/30/2006 3:54:26 PM | Attr = ]
psfus -> %System32%\psqlpwd.dll -> UPEK Inc. [Ver = 5.4.0.2934 | Size = 40448 bytes | Modified Date = 5/5/2006 8:48:24 PM | Attr = ]
WRNotifier -> %System32%\WRLogonNTF.dll -> Webroot Software, Inc. [Ver = 3,5,6,56 | Size = 219448 bytes | Modified Date = 7/19/2007 10:42:36 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\InstallVisualStyle -> C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\InstallTheme -> C:\WINDOWS\Resources\Themes\Royale.theme ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
< HOSTS File > (34504 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://www.google.com/ie ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Bar -> http://www.google.com/ie ->
HKCU: Search Page -> http://www.google.com ->
HKCU: Start Page -> http://www.google.com/ ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2006, 10, 26, 1 | Size = 440384 bytes | Modified Date = 10/26/2006 10:28:40 AM | Attr = ]
HKCU: ProxyEnable -> 1 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{02478D38-C3F9-4EFB-9B51-7695ECA05670} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar Helper] -> Yahoo! Inc. [Ver = 2006, 10, 26, 1 | Size = 440384 bytes | Modified Date = 10/26/2006 10:28:40 AM | Attr = ]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 59032 bytes | Modified Date = 12/18/2006 4:16:42 AM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> Safer Networking Limited [Ver = 1, 5, 0, 8 | Size = 1122128 bytes | Modified Date = 8/31/2007 4:46:14 PM | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_02\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 501136 bytes | Modified Date = 7/12/2007 4:00:36 AM | Attr = ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2006, 10, 26, 1 | Size = 440384 bytes | Modified Date = 10/26/2006 10:28:40 AM | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_02\bin\npjpi160_02.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 132496 bytes | Modified Date = 7/12/2007 4:00:36 AM | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.6.0_02\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 501136 bytes | Modified Date = 7/12/2007 4:00:36 AM | Attr = ]
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -> Reg Data - Value does not exist [ButtonText: Real.com] -> File not found
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [MenuText: Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 8 | Size = 1122128 bytes | Modified Date = 8/31/2007 4:46:14 PM | Attr = ]
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> -> File not found
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{0C52D24D-A0E0-48C7-9070-B68374E88306} -> (Intel(R) PRO/Wireless 3945ABG Network Connection) ->
{67B50E96-9946-48B0-9117-38CFABA570E8} -> (Intel(R) PRO/1000 PL Network Connection) ->
{92E5E964-56B7-4234-BFC0-6274B6BC9A56} -> (Intel(R) PRO/100 VE Network Connection) ->
{9C72516D-0FF5-4BE1-9A23-C96DA7CF8788} -> (1394 Net Adapter) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -> Symantec AntiVirus scanner - CodeBase = http://security.symantec.com/sscv6/Shar ... vSniff.cab ->
{644E432F-49D3-41A1-8DD5-E099162EEEC5} -> Symantec RuFSI Utility Class - CodeBase = http://security.symantec.com/sscv6/Shar ... /cabsa.cab ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftup ... 4661257500 ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab ->
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab ->
{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_11 - CodeBase = http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab ->
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_01 - CodeBase = http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab ->
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://download.macromedia.com/pub/shoc ... wflash.cab ->


[Files/Folders - Created Within 30 days]
85f11906521bd3719141282a670d -> %SystemDrive%\85f11906521bd3719141282a670d -> [Folder | Created Date = 10/13/2007 2:55:12 PM | Attr = ]
c4a66dd03c23161197d6415523 -> %SystemDrive%\c4a66dd03c23161197d6415523 -> [Folder | Created Date = 10/13/2007 2:48:35 PM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 1064554496 bytes | Created Date = 1/1/1601 5:00:00 AM | Attr = HS]
$NtUninstallbasecsp$ -> %SystemRoot%\$NtUninstallbasecsp$ -> [Folder | Created Date = 10/13/2007 2:47:03 PM | Attr = H ]
$NtUninstallKB896344$ -> %SystemRoot%\$NtUninstallKB896344$ -> [Folder | Created Date = 10/13/2007 2:46:53 PM | Attr = H ]
$NtUninstallKB912024$ -> %SystemRoot%\$NtUninstallKB912024$ -> [Folder | Created Date = 10/13/2007 2:47:21 PM | Attr = H ]
$NtUninstallKB920342$ -> %SystemRoot%\$NtUninstallKB920342$ -> [Folder | Created Date = 10/13/2007 2:48:02 PM | Attr = H ]
$NtUninstallKB925720$ -> %SystemRoot%\$NtUninstallKB925720$ -> [Folder | Created Date = 10/15/2007 7:12:57 AM | Attr = H ]
$NtUninstallKB925766$ -> %SystemRoot%\$NtUninstallKB925766$ -> [Folder | Created Date = 10/13/2007 2:47:49 PM | Attr = H ]
$NtUninstallKB925876$ -> %SystemRoot%\$NtUninstallKB925876$ -> [Folder | Created Date = 10/13/2007 2:48:11 PM | Attr = H ]
$NtUninstallKB926239$ -> %SystemRoot%\$NtUninstallKB926239$ -> [Folder | Created Date = 10/13/2007 2:57:04 PM | Attr = H ]
$NtUninstallKB929399$ -> %SystemRoot%\$NtUninstallKB929399$ -> [Folder | Created Date = 10/15/2007 7:12:20 AM | Attr = H ]
$NtUninstallKB933729$ -> %SystemRoot%\$NtUninstallKB933729$ -> [Folder | Created Date = 10/11/2007 4:18:04 PM | Attr = H ]
$NtUninstallKB936782_WMP11$ -> %SystemRoot%\$NtUninstallKB936782_WMP11$ -> [Folder | Created Date = 10/15/2007 7:11:22 AM | Attr = H ]
$NtUninstallKB939683$ -> %SystemRoot%\$NtUninstallKB939683$ -> [Folder | Created Date = 10/15/2007 7:11:58 AM | Attr = H ]
$NtUninstallKB941202$ -> %SystemRoot%\$NtUninstallKB941202$ -> [Folder | Created Date = 10/11/2007 4:18:53 PM | Attr = H ]
$NtUninstallMSCompPackV1$ -> %SystemRoot%\$NtUninstallMSCompPackV1$ -> [Folder | Created Date = 10/13/2007 2:56:55 PM | Attr = H ]
$NtUninstallWIC$ -> %SystemRoot%\$NtUninstallWIC$ -> [Folder | Created Date = 10/13/2007 2:48:41 PM | Attr = H ]
$NtUninstallWMFDist11$ -> %SystemRoot%\$NtUninstallWMFDist11$ -> [Folder | Created Date = 10/13/2007 2:55:35 PM | Attr = H ]
$NtUninstallwmp11$ -> %SystemRoot%\$NtUninstallwmp11$ -> [Folder | Created Date = 10/13/2007 2:56:21 PM | Attr = H ]
$NtUninstallWudf01000$ -> %SystemRoot%\$NtUninstallWudf01000$ -> [Folder | Created Date = 10/13/2007 2:55:02 PM | Attr = H ]
CSC -> %SystemRoot%\CSC -> [Folder | Created Date = 10/11/2007 5:36:43 AM | Attr = ]
Minidump -> %SystemRoot%\Minidump -> [Folder | Created Date = 10/13/2007 9:57:22 AM | Attr = ]
CheckDll.dll -> %System32%\CheckDll.dll -> Max Secure Software [Ver = 3. 0. 0. 3 | Size = 270336 bytes | Created Date = 10/13/2007 1:41:49 PM | Attr = ]
CloseAll.exe -> %System32%\CloseAll.exe -> Max Secure Software [Ver = 3, 0, 1, 1 | Size = 67024 bytes | Created Date = 10/13/2007 8:15:33 AM | Attr = ]
ProxySettings.ini -> %System32%\ProxySettings.ini -> [Ver = | Size = 104 bytes | Created Date = 10/13/2007 8:15:33 AM | Attr = ]
SDEarlyDelete.exe -> %System32%\SDEarlyDelete.exe -> [Ver = | Size = 6144 bytes | Created Date = 10/13/2007 1:41:57 PM | Attr = ]
XPSViewer -> %System32%\XPSViewer -> [Folder | Created Date = 10/13/2007 2:50:40 PM | Attr = ]
apphelp.sdb -> %System32%\dllcache\apphelp.sdb -> [Ver = | Size = 217118 bytes | Created Date = 10/13/2007 2:57:00 PM | Attr = ]
apph_sp.sdb -> %System32%\dllcache\apph_sp.sdb -> [Ver = | Size = 764868 bytes | Created Date = 10/13/2007 2:57:00 PM | Attr = ]
sysmain.sdb -> %System32%\dllcache\sysmain.sdb -> [Ver = | Size = 1197294 bytes | Created Date = 10/13/2007 2:57:00 PM | Attr = ]
CO_Mon.sys -> %System32%\drivers\CO_Mon.sys -> [Ver = | Size = 28672 bytes | Created Date = 10/13/2007 10:28:14 AM | Attr = ]
UMDF -> %System32%\drivers\UMDF -> [Folder | Created Date = 10/13/2007 2:55:07 PM | Attr = ]
hosts.20071013-103956.backup -> %System32%\drivers\etc\hosts.20071013-103956.backup -> [Ver = | Size = 734 bytes | Created Date = 10/13/2007 9:39:56 AM | Attr = ]
hosts.backup -> %System32%\drivers\etc\hosts.backup -> [Ver = | Size = 734 bytes | Created Date = 10/13/2007 8:14:50 AM | Attr = ]
MsftWdf_user_01_00_00.Wdf -> %System32%\drivers\UMDF\MsftWdf_user_01_00_00.Wdf -> [Ver = | Size = 0 bytes | Created Date = 10/13/2007 2:55:10 PM | Attr = H ]

[Files/Folders - Modified Within 30 days]
85f11906521bd3719141282a670d -> %SystemDrive%\85f11906521bd3719141282a670d -> [Folder | Modified Date = 10/13/2007 3:55:58 PM | Attr = ]
c4a66dd03c23161197d6415523 -> %SystemDrive%\c4a66dd03c23161197d6415523 -> [Folder | Modified Date = 10/13/2007 3:48:42 PM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 1064554496 bytes | Modified Date = 10/15/2007 8:57:06 AM | Attr = HS]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 10/15/2007 8:36:56 AM | Attr = ]
RECYCLER -> %SystemDrive%\RECYCLER -> [Folder | Modified Date = 10/13/2007 12:33:28 PM | Attr = HS]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 10/15/2007 8:57:54 AM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 10/15/2007 8:05:34 AM | Attr = H ]
$NtUninstallbasecsp$ -> %SystemRoot%\$NtUninstallbasecsp$ -> [Folder | Modified Date = 10/13/2007 3:47:06 PM | Attr = H ]
$NtUninstallKB896344$ -> %SystemRoot%\$NtUninstallKB896344$ -> [Folder | Modified Date = 10/13/2007 3:46:56 PM | Attr = H ]
$NtUninstallKB912024$ -> %SystemRoot%\$NtUninstallKB912024$ -> [Folder | Modified Date = 10/13/2007 3:47:24 PM | Attr = H ]
$NtUninstallKB920342$ -> %SystemRoot%\$NtUninstallKB920342$ -> [Folder | Modified Date = 10/13/2007 3:48:04 PM | Attr = H ]
$NtUninstallKB925720$ -> %SystemRoot%\$NtUninstallKB925720$ -> [Folder | Modified Date = 10/15/2007 8:13:00 AM | Attr = H ]
$NtUninstallKB925766$ -> %SystemRoot%\$NtUninstallKB925766$ -> [Folder | Modified Date = 10/13/2007 3:47:52 PM | Attr = H ]
$NtUninstallKB925876$ -> %SystemRoot%\$NtUninstallKB925876$ -> [Folder | Modified Date = 10/13/2007 3:48:28 PM | Attr = H ]
$NtUninstallKB926239$ -> %SystemRoot%\$NtUninstallKB926239$ -> [Folder | Modified Date = 10/13/2007 3:57:06 PM | Attr = H ]
$NtUninstallKB929399$ -> %SystemRoot%\$NtUninstallKB929399$ -> [Folder | Modified Date = 10/15/2007 8:12:24 AM | Attr = H ]
$NtUninstallKB933729$ -> %SystemRoot%\$NtUninstallKB933729$ -> [Folder | Modified Date = 10/11/2007 5:18:08 PM | Attr = H ]
$NtUninstallKB936782_WMP11$ -> %SystemRoot%\$NtUninstallKB936782_WMP11$ -> [Folder | Modified Date = 10/15/2007 8:11:26 AM | Attr = H ]
$NtUninstallKB939683$ -> %SystemRoot%\$NtUninstallKB939683$ -> [Folder | Modified Date = 10/15/2007 8:12:02 AM | Attr = H ]
$NtUninstallKB941202$ -> %SystemRoot%\$NtUninstallKB941202$ -> [Folder | Modified Date = 10/11/2007 5:18:56 PM | Attr = H ]
$NtUninstallMSCompPackV1$ -> %SystemRoot%\$NtUninstallMSCompPackV1$ -> [Folder | Modified Date = 10/13/2007 3:56:56 PM | Attr = H ]
$NtUninstallWIC$ -> %SystemRoot%\$NtUninstallWIC$ -> [Folder | Modified Date = 10/13/2007 3:48:42 PM | Attr = H ]
$NtUninstallWMFDist11$ -> %SystemRoot%\$NtUninstallWMFDist11$ -> [Folder | Modified Date = 10/13/2007 3:55:40 PM | Attr = H ]
$NtUninstallwmp11$ -> %SystemRoot%\$NtUninstallwmp11$ -> [Folder | Modified Date = 10/13/2007 3:56:32 PM | Attr = H ]
$NtUninstallWudf01000$ -> %SystemRoot%\$NtUninstallWudf01000$ -> [Folder | Modified Date = 10/13/2007 3:55:04 PM | Attr = H ]
AppPatch -> %SystemRoot%\AppPatch -> [Folder | Modified Date = 10/13/2007 3:59:14 PM | Attr = ]
assembly -> %SystemRoot%\assembly -> [Folder | Modified Date = 10/13/2007 9:17:08 PM | Attr = R S]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 10/15/2007 8:57:10 AM | Attr = S]
CSC -> %SystemRoot%\CSC -> [Folder | Modified Date = 10/11/2007 6:36:44 AM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 10/13/2007 11:28:10 AM | Attr = S]
ehome -> %SystemRoot%\ehome -> [Folder | Modified Date = 10/13/2007 3:47:56 PM | Attr = ]
Fonts -> %SystemRoot%\Fonts -> [Folder | Modified Date = 10/13/2007 3:50:36 PM | Attr = R S]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 10/13/2007 3:56:32 PM | Attr = ]
ie7updates -> %SystemRoot%\ie7updates -> [Folder | Modified Date = 10/11/2007 5:18:22 PM | Attr = ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1393 bytes | Modified Date = 10/15/2007 8:12:28 AM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 10/15/2007 8:13:32 AM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 10/15/2007 8:13:16 AM | Attr = HS]
machine.ver -> %SystemRoot%\machine.ver -> [Ver = | Size = 2838 bytes | Modified Date = 9/29/2007 4:15:26 AM | Attr = ]
Microsoft.NET -> %SystemRoot%\Microsoft.NET -> [Folder | Modified Date = 10/13/2007 9:17:08 PM | Attr = ]
Minidump -> %SystemRoot%\Minidump -> [Folder | Modified Date = 10/13/2007 3:06:00 PM | Attr = ]
network diagnostic -> %SystemRoot%\network diagnostic -> [Folder | Modified Date = 10/11/2007 4:59:34 AM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 10/11/2007 8:24:14 AM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 10/15/2007 8:58:00 AM | Attr = H ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 10/15/2007 8:58:40 AM | Attr = ]
security -> %SystemRoot%\security -> [Folder | Modified Date = 10/13/2007 3:58:48 PM | Attr = ]
system -> %SystemRoot%\system -> [Folder | Modified Date = 10/13/2007 9:15:56 AM | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 227 bytes | Modified Date = 10/11/2007 6:22:40 AM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 10/15/2007 8:13:20 AM | Attr = ]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 10/15/2007 8:59:32 AM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 603 bytes | Modified Date = 10/13/2007 3:56:44 PM | Attr = ]
WMSysPr9.prx -> %SystemRoot%\WMSysPr9.prx -> [Ver = | Size = 316640 bytes | Modified Date = 10/13/2007 3:55:54 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 10/15/2007 8:57:22 AM | Attr = H ]
amcompat.tlb -> %System32%\amcompat.tlb -> [Ver = | Size = 16832 bytes | Modified Date = 10/13/2007 3:56:50 PM | Attr = ]
CatRoot -> %System32%\CatRoot -> [Folder | Modified Date = 10/15/2007 8:13:20 AM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 10/15/2007 8:10:56 AM | Attr = ]
CloseAll.exe -> %System32%\CloseAll.exe -> Max Secure Software [Ver = 3, 0, 1, 1 | Size = 67024 bytes | Modified Date = 9/17/2007 1:39:44 PM | Attr = ]
config -> %System32%\config -> [Folder | Modified Date = 10/11/2007 6:24:46 AM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 10/15/2007 8:13:20 AM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 10/13/2007 3:55:48 PM | Attr = ]
en-US -> %System32%\en-US -> [Folder | Modified Date = 10/13/2007 3:50:40 PM | Attr = ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT -> [Ver = | Size = 158752 bytes | Modified Date = 10/13/2007 3:59:22 PM | Attr = ]
FxsTmp -> %System32%\FxsTmp -> [Folder | Modified Date = 9/19/2007 11:10:48 AM | Attr = ]
LogFiles -> %System32%\LogFiles -> [Folder | Modified Date = 10/13/2007 3:55:08 PM | Attr = ]
nscompat.tlb -> %System32%\nscompat.tlb -> [Ver = | Size = 23392 bytes | Modified Date = 10/13/2007 3:56:50 PM | Attr = ]
perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 72042 bytes | Modified Date = 10/13/2007 3:54:08 PM | Attr = ]
perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 441174 bytes | Modified Date = 10/13/2007 3:54:08 PM | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 520446 bytes | Modified Date = 10/13/2007 3:54:08 PM | Attr = ]
ReinstallBackups -> %System32%\ReinstallBackups -> [Folder | Modified Date = 10/11/2007 8:32:46 AM | Attr = ]
Restore -> %System32%\Restore -> [Folder | Modified Date = 10/11/2007 6:23:48 AM | Attr = ]
spool -> %System32%\spool -> [Folder | Modified Date = 10/13/2007 3:48:54 PM | Attr = ]
usmt -> %System32%\usmt -> [Folder | Modified Date = 10/13/2007 3:47:00 PM | Attr = ]
wbem -> %System32%\wbem -> [Folder | Modified Date = 10/11/2007 6:24:26 AM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 1158 bytes | Modified Date = 10/15/2007 8:59:40 AM | Attr = ]
XPSViewer -> %System32%\XPSViewer -> [Folder | Modified Date = 10/13/2007 3:50:42 PM | Attr = ]
CO_Mon.sys -> %System32%\drivers\CO_Mon.sys -> [Ver = | Size = 28672 bytes | Modified Date = 10/13/2007 11:28:18 AM | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 10/13/2007 2:41:50 PM | Attr = ]
UMDF -> %System32%\drivers\UMDF -> [Folder | Modified Date = 10/13/2007 3:55:48 PM | Attr = ]
MsftWdf_user_01_00_00.Wdf -> %System32%\drivers\UMDF\MsftWdf_user_01_00_00.Wdf -> [Ver = | Size = 0 bytes | Modified Date = 10/13/2007 3:55:12 PM | Attr = H ]

[File String Scan - Non-Microsoft Only]
ad-w-a-r-e.com , -> %SystemRoot%\hosts -> [Ver = | Size = 34504 bytes | Modified Date = 1/30/2007 12:20:44 PM | Attr = ]
Thawte Consulting , -> %System32%\CloseAll.exe -> Max Secure Software [Ver = 3, 0, 1, 1 | Size = 67024 bytes | Modified Date = 9/17/2007 1:39:44 PM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/10/2004 8:00:00 AM | Attr = ]
PEC2 , -> %System32%\THR.DLL -> Picture Elements, Inc. [Ver = 0, 1, 37, 1 | Size = 204800 bytes | Modified Date = 5/16/2006 9:19:24 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/10/2004 8:00:00 AM | Attr = ]
ad-w-a-r-e.com , -> %System32%\drivers\etc\hosts -> [Ver = | Size = 34504 bytes | Modified Date = 1/30/2007 12:20:44 PM | Attr = ]

< End of report >
lowlead
Active Member
Posts: 5
Joined: October 13th, 2007, 10:06 am
Location: Downeast

Unread postby askey127 » October 15th, 2007, 12:02 pm

lowlead,
Not bad.
You have a hosts file from ad-w-a-r-e.com.
These instructions will uninstall it and plug in a different one, and remove older Java items.
------------------------------------------------------
Start WinPFind3U. Copy/Paste the information from the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
[Registry - Non-Microsoft Only]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
YN -> {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_11 - CodeBase = http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
YN -> {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_01 - CodeBase = http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
[File String Scan - Non-Microsoft Only]
NY -> ad-w-a-r-e.com , -> %SystemRoot%\hosts
NY -> ad-w-a-r-e.com , -> %System32%\drivers\etc\hosts

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix.
You can save it to your desktop if you wish.
Post that information back here.
Also let me know of any problems you encountered performing the steps above, or any continuing problems you are still having with the computer.
-----------------------------------------------------------
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from inadvertently connecting to malware, spyware and adware sites by redirecting the connection request back to your own machine address (127.0.0.1).
It is a very effective defense system.
If you use a proxy server, be sure to read the special instructions in the tutorial below.

Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
If this isn't done first, the next reboot may take a VERY LONG TIME.
This is how to do it. First be sure you are signed in as a user with administrative privileges:
Stop and Disable the DNS Client Service
Go to Start, Run and type Services.msc and click OK.
Under the Extended Tab, Scroll down and find this service.
DNS Client
Right-click on the DNS Client service and choose Properties.
Select the General tab. Click on the Stop button.
Click the arrow-down tab on the right-hand side of the Start-up Type box.
From the drop-down menu, click on Manual.
Click the Apply button, then click OK.


Download BlueTack's HOSTS Manager here:
http://www.bluetack.co.uk/forums/index.php?act=dscript&CODE=showdetails&f_id=5
Download and install the Hosts Manager first, then run it and click Download.
When it finishes, click Replace, and then Save.
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.

If you have a firewall, you may have to give permission to Unlock the present default HOSTS file before you copy / install the new one.
You may also have to give additional permission during installation of the new one.

Read an excellent instruction about HOSTS files (the Bluetack version) here:
http://www.bluetack.co.uk/forums/index.php?showtopic=8406

There is a very detailed resource for those wanting to spend more time reading up, or to have as a reference:
http://www.bluetack.co.uk/forums/index.php?showtopic=8337
-------------------------------------------------------------------------------------------------------------
You can see another HOSTS file tutorial here : http://www.mvps.org/winhelp2002/hosts.htm
and choose to download the MVPS HOSTS File instead of using the BlueTack HOSTS.
The BlueTack version (80k+ entries) is more aggressive than the MVPS one (11k+ entries), and targets adware sites as well as more dangerous ones.
------------------------------------------------------------------------------------------------------------
askey127
Admin/Teacher
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
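
A defender's check to go with the HOSTS advice above: an added Python example (not part of this thread, and not BlueTack's or MVPS's tooling) that parses a HOSTS file and separates ordinary blocklist lines (names sinkholed to 127.0.0.1 or 0.0.0.0) from the two kinds of line worth reading by hand: a real hostname sent to some other address, and a sinkholed name the machine depends on, such as an update server. The protected-name list and the sample HOSTS text are constructed for the example.

```python
"""Audit a Windows HOSTS file.

Added example for this thread, not a tool from the forum, BlueTack or MVPS.
A large blocklist HOSTS file is expected to be nothing but names mapped to
the local machine; anything else deserves a look.
"""
import ipaddress
from collections import Counter

# Mapping a name to one of these addresses blocks it rather than redirecting it.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Names the operating system maps locally on purpose; never suspicious.
SELF_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Domains this machine must stay able to reach. Sinkholing one of these is the
# "block the security updates" trick, not ad blocking. Constructed list for the
# example; substitute the vendors you actually rely on.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "webroot.com")


def parse_hosts(text):
    """Return a list of (ip, hostname, line_no) for every mapping in HOSTS text.

    Comments (#) and blank lines are skipped. One line may carry several
    hostnames for the same address, so one line may produce several tuples.
    Lines whose first field is not an IP address are ignored, as Windows does.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((ip, name.lower(), line_no))
    return entries


def is_protected(name):
    # Exact match or a subdomain; "notmicrosoft.com" must not match.
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify(ip, name):
    """self: OS-supplied; block: sinkholed blocklist entry;
    block-protected: a name we depend on has been sinkholed;
    redirect: a real name pointed at some other address."""
    if name in SELF_NAMES:
        return "self"
    if ip in LOCAL_SINKS:
        return "block-protected" if is_protected(name) else "block"
    return "redirect"


def audit_hosts(text):
    """Return counts per class plus the entries a person should inspect."""
    counts = Counter()
    findings = []
    for ip, name, line_no in parse_hosts(text):
        kind = classify(ip, name)
        counts[kind] += 1
        if kind in ("redirect", "block-protected"):
            findings.append({"line": line_no, "kind": kind, "name": name, "ip": ip})
    return {"counts": dict(counts), "findings": findings}


# Constructed sample; not the poster's 34504-byte file.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1       ads.example.net        # typical blocklist line
0.0.0.0         tracker.example.org banner.example.org
127.0.0.1       update.microsoft.com   # an update server sinkholed
198.51.100.23   www.example-bank.com   # legitimate name sent elsewhere
this is not a mapping line and is ignored
"""

if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(report["counts"])
    for f in report["findings"]:
        print(f"line {f['line']}: {f['kind']:16} {f['name']} -> {f['ip']}")
```

Run it against C:\WINDOWS\system32\drivers\etc\hosts by reading that file into audit_hosts; a blocklist file such as the BlueTack or MVPS one should report only "block" and "self" entries.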

Unread postby lowlead » October 16th, 2007, 3:40 pm

askey127, how do I know whether or not I use a proxy server? Stupid question, I know, but I never quite understood the term.

Here is the WinPFind log:

[Registry - Non-Microsoft Only]
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
not found.
C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} deleted successfully.
Removal of ActiveX control {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} complete!
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
not found.
C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} deleted successfully.
Removal of ActiveX control {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} complete!
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
not found.
C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} deleted successfully.
Removal of ActiveX control {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} complete!
[File String Scan - Non-Microsoft Only]
C:\WINDOWS\hosts moved successfully.
C:\WINDOWS\SYSTEM32\drivers\etc\hosts moved successfully.
< End of log >
Created on 10/16/2007 15:35:16

Unread postby askey127 » October 16th, 2007, 4:42 pm

If your PC actually connects to a network (like at a workplace) and the workplace system is the one that does the connecting to the internet, then you have a proxy server.
If you and your machine have an internet service provider of your own, you probably don't have a proxy server.
If you follow the instructions and have any trouble connecting, you can always use the HOSTS Manager to just disable the HOSTS file until it's straightened out.

Unread postby askey127 » November 8th, 2007, 3:53 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.
If you are the topic starter, you will need a valid, working link to the closed topic, along with the user name used.
The user name must match the one in the linked thread to avoid having the email deleted.

You can help support this site from this link :
Donations For Malware Removal