

hijacked by angelinteractive 2000 Pro. Help Please


Unread post by ikei » August 15th, 2008, 10:54 am

If this comes up as a repeat post, sorry. I posted this info last night at 18:30 MDT, copied and saved it to my computer, but this morning nothing is shown in this forum.

Our computer has been infected with some malware that prevents/blocks us from going to our normal web sites and injects its own answers to Google searches.
I have Norton Internet Security set above medium, have run a scan and found nothing.
Ran CCleaner, found nothing unusual. I know my msconfig and found a couple of .dll files: MRVJOXGX.dll and AJLHHTOS.dll. Both in the system32 folder of my OS. I have deleted the MRVJOXGX file but cannot get rid of the AJLHHTOS. It keeps returning on restart.

Attached below is the HJT log.
Appreciate any help in solving this issue
Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:24 PM, on 8/14/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINNT\system32\Rundll32.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\astropulse_4.35_windows_intelx86.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINNT\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BMbff45127] Rundll32.exe "C:\WINNT\system32\ajlhhtos.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - http://components.metastream.com/MTSIns ... tream3.cab
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://www.3dpublisher.net/SWService/eD ... nglish.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-48.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08fa6a01c69 ... xIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4290811078
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

--
End of file - 8711 bytes
ikei
Active Member
 
Posts: 13
Joined: August 14th, 2008, 8:18 pm

Re: hijacked by angelinteractive 2000 Pro. Help Please

Unread post by MikeSwim07 » August 15th, 2008, 1:10 pm

Hello, and welcome to the Malware Removal forums.
My name is Michael, and I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happen.

Please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please note: All of my posts need to be checked by a teacher, so please be patient while I attempt to remove your malware.

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop.

Please post this log on your next reply.

Thanks, Michael
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: hijacked by angelinteractive 2000 Pro. Help Please

Unread post by ikei » August 15th, 2008, 9:08 pm

Sorry it took so long. I'm working on another computer and have isolated the infected unit from the server.

Also I keep getting an application error message when running the HJT program.

'The instruction at "0X02283293" referenced memory at"0x00000000". The memory could not be "read"'

It takes 2-3 attempts to get HJT to work on the infected computer.
On a wild idea, I replaced the memory chips and still get this same message using the new memory. Replaced the memory with the original set so all hardware is back to original configuration.
Anyway here is the software list you requested.

Thanks Again
Ike

1Click DVD Copy Pro 3.2.0.1
Acronis True Image Home
Adobe Acrobat 7.0.9 Professional
BOINC
CC_ccProxyExt
ccCommon
CCleaner (remove only)
ccPxyCore
CloneCD
ConvertxtoDVD 2.2.3.258h
Disk Cleaner (remove only)
DivX
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Identifier
DVD43v4.3.1
Easy CD Creator 5 Platinum
Easy Tune5Pro
Epson Printer Software
Epson Scan
Epson Stylus CX9400Fax Series Scanner Driver
Epson Web-To-Page
exPressit S.E 2.2
ExpressPCB
Google Earth
Hauppauge WinTV Infrared Remote
Hauppauge WinTV Radio
Hauppauge WinTV2000
HijackThis 2.0.2
Hotfix for MDAC 2.81 (KB927779)
Java(TM) 6 Update 3
KhalSetup
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Logitech SetPoint
MediaFACE 4.0
Microsoft.NET Framework 1.1
Microsoft.NET Framework 1.1
Microsoft.NET Framework 1.1 Hotfix (KB928366)
Microsoft.NET Framework 2.0 Service Pack 1
Microsoft Internet Explorer 6 SP1
Microsoft Office Professional Edition 2003
Microsoft Streets & Trips 2007
Microsoft Visual C++ 2005 Redistributable
MSRedist
MSXML 4.0 SP2 (KB936181)
Norton AntiSpam
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton WMI Update
Norton WMI Update
NVIDIA Drivers
NVIDIA Windows 2000/XP Display Drivers
NVIDIA Windows 2000/XP nForce Drivers
QuickTime
RealFlight G3 Demo
RealPlayer
Realtek AC'97 Audio
Satellite Finder 4.8
Shipping Assistant 3.4
SPBBC
Switch Sound File Converter
Symantec Script Blocking Installer
Symantec SCSSDist MSI
Symantec Technical Support Advanced Chat Controls
Symantec Technical Support Web Controls
SymNet
Update Rollup 1 for Windows SP4
VRedistSetup
VSO Copy toDVD 4
Windows2000 Hotfix (PreSP4) [See q329112 for more information]
Windows Media Player Hotfix [See Q828026 for more information]
Windows Media Player system update (9 Series)
WinZip
ikei
Active Member
 
Posts: 13
Joined: August 14th, 2008, 8:18 pm

Re: hijacked by angelinteractive 2000 Pro. Help Please

Unread post by MikeSwim07 » August 16th, 2008, 8:40 am

Temporarily Disable Norton Anti Virus
Please navigate to the system tray on the bottom right hand corner and look for the Norton icon.


  • Right-click it -> choose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
  • click "Ok."
  • a popup will warn that protection will now be disabled, and the tray icon will change to show this.

You successfully disabled the Norton Antivirus Guard. Do not surf the internet while this is disabled.

Download and Run ComboFix

Please visit this webpage for instructions for downloading ComboFix at your DESKTOP :
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found here.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

Please post the ComboFix log and the new HijackThis log.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: hijacked by angelinteractive 2000 Pro. Help Please

Unread post by ikei » August 16th, 2008, 12:18 pm

The OS on the infected computer is 2000 PRO SP4. All upgrades have been performed up until 5 days ago.
Will the Windows recovery program work on 2000 Pro? It says it's for "XP" on the installation page.

Thanks
Ike
ikei
Active Member
 
Posts: 13
Joined: August 14th, 2008, 8:18 pm

Re: hijacked by angelinteractive 2000 Pro. Help Please

Unread post by ikei » August 16th, 2008, 5:59 pm

While waiting for an answer to my earlier question about loading the XP Windows Recovery Console on 2000 Pro, our infected computer died with the 'Blue Screen' of death.

Don't know what or why, but while I was working in the garage I had left the infected computer on but not connected to the internet. On my return I saw the monitor blinking from the blue screen to black to blue again and again. Because it was blinking so fast I couldn't copy any info from the screen.
I powered the unit off and then on again; this time it rebooted and has been fine for the last 3 hours. Just sitting there.

Now however the dll file I saw before, AJLHHTOS is gone, along with a couple of other changes.
When I connect to the internet though I still get intercepted search pages and cannot go to our normal search web pages. IE just sits there after entering one of our web addresses.

I ran HJT again and attached is the new info.

Sorry, just don't know what happened to cause these changes.
Just to let you know, I am a Communications Engineer, have been for 40 years, and I know better than to 'shortcut' troubleshooting techniques from someone more knowledgeable. The computer just died with no inputs.

At this point, the infected computer is not connected to the internet and Norton is disabled.
I still have not started ComboFix because of the XP Windows Recovery Console question.
If you need any more information just let me know.

Thanks
Ike


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:01 PM, on 8/16/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\Rundll32.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\setiathome_5.27_windows_intelx86.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BMbff45127] Rundll32.exe "C:\WINNT\system32\kpmntvtk.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - http://components.metastream.com/MTSIns ... tream3.cab
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://www.3dpublisher.net/SWService/eD ... nglish.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-48.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08fa6a01c69 ... xIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4290811078
O20 - AppInit_DLLs: zltybg.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

--
End of file - 8623 bytes



And the add/remove list


1Click DVD Copy Pro 3.2.0.1
Acronis True Image Home
Adobe Acrobat 7.0.9 Professional
BOINC
CC_ccProxyExt
ccCommon
CCleaner (remove only)
ccPxyCore
CloneCD
ConvertxtoDVD 2.2.3.258h
Disk Cleaner (remove only)
DivX
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Identifier
DVD43 v4.3.1
Easy CD Creator 5 Platinum
EPSON Printer Software
EPSON Scan
EPSON Stylus CX9400Fax Series Scanner Driver Update
EPSON Web-To-Page
exPressit 5.E 2.2
ExpressPCB
Google Earth
Hauppauge WinTV Infrared Remote
Hauppauge WinTV Radio
Hauppauge WinTV2000
HijackThis 2.0.2
Hotfix for MDAC 2.81 (KB927779)
Java(TM) 6 Update 3
KhalSetup
LiveReg(Symantec Corporation)
LiveUpdate 3.0(Symantec Corporation)
Logitech SetPoint
MediaFACE 4.0
Microsoft.NET Framework1.1
Microsoft.NET Framework1.1
Microsoft.NET Framework1.1 Hotfix (KB928366)
Microsoft.NET Framework2.0 Service Pack 1
Microsoft Internet Explorer 6 SP1
Microsoft Office Professional Edition 2003
Microsoft Streets & Trips 2007
Microsoft Visual C++ 2005 Redistributable
MsRedist
MSXML 4.0 SP2 (KB936181)
Norton AntiSpam
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2005(Symantec Corporation)
Norton WMI Update
Norton WMI Update
NVIDIA Drivers
NVIDIA Windows 2000/XP Display Drivers
NVIDIA Windows 2000/XP nForce Drivers
QuickTime
RealFlight G3 Demo
RealPlayer
Realtek AC'97 Audio
Satellite Finder 4.8
Shipping Assistant 3.4
SPBBC
Switch Sound File Converter
Symantec Script Blocking Installer
Symantec SCSSDist MSI
Symantec Technical Support Advanced Chat Controls
Symantec Technical Support Web Controls
SymNet
Update Rollup 1 for Windows 2000 SP4
VCRedistSetup
VSO CopytoDVD 4
Windows 2000 Hotfix (Pre-SP4) [See q329112 for more information]
Windows Media Player Hotfix [See QB828026 for more information]
Windows Media Player system update (9 Series)
WinZip
ikei
Active Member
 
Posts: 13
Joined: August 14th, 2008, 8:18 pm

Re: hijacked by angelinteractive 2000 Pro. Help Please

Unread post by MikeSwim07 » August 17th, 2008, 9:50 am

Remove bad HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O4 - HKLM\..\Run: [BMbff45127] Rundll32.exe "C:\WINNT\system32\kpmntvtk.dll",s

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

Download and Run: OTMoveIt2
Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    C:\WINNT\system32\kpmntvtk.dll

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  • If you are not asked to reboot close OTMoveIt2.
  • A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware and save to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:

    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply

    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.

Please post the OTMoveIt2 log, the Malwarebytes' log, and a NEW HijackThis log after all the above have been done.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone
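As an added illustration (not part of this thread, and not code from HijackThis or the helpers here), the script below parses the O4 and O20 lines from constructed excerpts of the two logs posted above and surfaces what Michael picked out by hand: the Run value BMbff45127 that kept its name while its DLL changed from ajlhhtos.dll to kpmntvtk.dll, the one-letter rundll32 entry point, and the AppInit_DLLs entry. The "short entry point" heuristic is an assumption of this example, not a HijackThis rule.

```python
"""Parse HijackThis O4/O20 lines and compare two logs for re-planted persistence."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpts (not the full logs) from the two HijackThis logs in this thread.
LOG_AUG14 = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMbff45127] Rundll32.exe "C:\WINNT\system32\ajlhhtos.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
"""

LOG_AUG16 = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMbff45127] Rundll32.exe "C:\WINNT\system32\kpmntvtk.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O20 - AppInit_DLLs: zltybg.dll
"""

# O4 line: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
# O20 line: "O20 - AppInit_DLLs: <dll>[,<dll>...]"
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (.*)$')
# rundll32 <dll>,<entry point>; the DLL path may be quoted
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\S*)', re.IGNORECASE)

RunMap = Dict[Tuple[str, str], str]


def parse_hjt(text: str) -> Tuple[RunMap, List[str]]:
    """Return ({(hive, value name): command}, [AppInit DLLs]) from HJT log text."""
    run: RunMap = {}
    appinit: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            run[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = O20_RE.match(line)
        if m:
            appinit.extend(d.strip() for d in m.group(1).split(',') if d.strip())
    return run, appinit


def rundll_target(command: str) -> Optional[Tuple[str, str]]:
    """Split a rundll32 command into (dll path, entry point), or None if not rundll32."""
    m = RUNDLL_RE.match(command.strip())
    return (m.group(1), m.group(2)) if m else None


def suspicious_run_entries(run: RunMap) -> List[str]:
    """Heuristic (assumed here): rundll32 loading a system32 DLL via a 1-2 char export.
    Legitimate entries such as NvCpl.dll,NvStartup use descriptive export names."""
    hits = []
    for (_hive, name), cmd in run.items():
        tgt = rundll_target(cmd)
        if tgt and 'system32' in tgt[0].lower() and len(tgt[1]) <= 2:
            hits.append(name)
    return hits


def renamed_persistence(old_text: str, new_text: str) -> List[Tuple[str, str, str]]:
    """Same Run value name in both logs, but the rundll32 DLL path changed."""
    old, _ = parse_hjt(old_text)
    new, _ = parse_hjt(new_text)
    out = []
    for key in sorted(old.keys() & new.keys()):
        a, b = rundll_target(old[key]), rundll_target(new[key])
        if a and b and a[0].lower() != b[0].lower():
            out.append((key[1], a[0], b[0]))
    return out


def report(old_text: str, new_text: str) -> dict:
    """Everything an analyst would want to look at first in the newer log."""
    new_run, new_appinit = parse_hjt(new_text)
    return {
        'suspicious_run': suspicious_run_entries(new_run),
        'renamed': renamed_persistence(old_text, new_text),
        'appinit_dlls': new_appinit,  # any AppInit_DLLs entry on this box deserves review
    }


if __name__ == '__main__':
    for section, items in report(LOG_AUG14, LOG_AUG16).items():
        print(section, items)
```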

Re: hijacked by angelinteractive 2000 Pro. Help Please

Unread post by ikei » August 18th, 2008, 12:53 am

Getting better but still has popups. Still gets hijacked/unwanted web sites also.
Anything else to be done to get back to speed would be appreciated :alien: ?
Hope I performed your instructions correctly.
Many thanks
Ike

OTMoveIt LOG:

DllUnregisterServer procedure not found in c:\winnt\system32\kpmntvtk.dll
c:\winnt\system32\kpmntvtk.dll NOT unregistered.
File move failed. c:\winnt\system32\kpmntvtk.dll scheduled to be moved on reboot.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08172008_200943

Files moved on Reboot...
DllUnregisterServer procedure not found in c:\winnt\system32\kpmntvtk.dll
c:\winnt\system32\kpmntvtk.dll NOT unregistered.
c:\winnt\system32\kpmntvtk.dll moved successfully.

NEW HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:49 PM, on 8/17/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\setiathome_5.27_windows_intelx86.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - http://components.metastream.com/MTSIns ... tream3.cab
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://www.3dpublisher.net/SWService/eD ... nglish.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-48.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08fa6a01c69 ... xIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4290811078
O20 - AppInit_DLLs: zltybg.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

--
End of file - 8847 bytes



MALWARE LOG.

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.0.2195 Service Pack 4

10:10:47 PM 8/17/2008
mbam-log-08-17-2008 (22-10-47).txt

Scan type: Full Scan (C:\|F:\|G:\|)
Objects scanned: 91999
Time elapsed: 1 hour(s), 16 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 15
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINNT\system32\ssqQijkl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\zltybg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\khfFXQKA.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{38b9d19d-021a-4282-a2bd-f9e40dcba8c9} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khffxqka (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{38b9d19d-021a-4282-a2bd-f9e40dcba8c9} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4b9196dc-9e00-47de-a32d-43d68895d03a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4b9196dc-9e00-47de-a32d-43d68895d03a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53f78edb-adab-49b4-b846-342df57c24df} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{53f78edb-adab-49b4-b846-342df57c24df} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{38b9d19d-021a-4282-a2bd-f9e40dcba8c9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmbff45127 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Security Packages (Trojan.Vundo.H) -> Data: c:\winnt\system32\ssqqijkl -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\winnt\system32\ssqqijkl -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\system32\khfFXQKA.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\ssqQijkl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\lkjiQqss.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINNT\system32\lkjiQqss.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINNT\system32\zltybg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\cbXNHxvT.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\fccaAqpM.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\hchpwyhn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\iuimroim.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\mlJYpMfc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\namlihdb.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\opnoPiFV.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\urqNFxuv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\xemkedfw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\xxywTlmN.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\xxywWqrO.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\yayYrSlj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\zoefpx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\vtUlLBSj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\08172008_200943\winnt\system32\kpmntvtk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\BMbff45127.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\BMbff45127.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

:bounce: Thanks Again for help.
Since
ikei
Active Member
 
Posts: 13
Joined: August 14th, 2008, 8:18 pm
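
The two logs in the reply above show the same infection from two angles: HijackThis lists the load points (an O20 AppInit_DLLs entry naming zltybg.dll, orphaned toolbar and service entries), and Malwarebytes names the files behind them and the registry locations it cleaned (Browser Helper Objects, Winlogon\Notify, the LSA Security and Authentication Packages). The script below is an added triage example written for this page; it is not HijackThis, Malwarebytes or any tool the helpers use here. It parses constructed sample lines shaped like the two logs, flags the load points that commonly carry this kind of persistence, and cross-references the file names one scanner detected against the entries the other scanner listed. The severity rules are the editor's own heuristics, and the sample Winlogon Notify line is constructed from the registry key Malwarebytes reported rather than copied from the posted HijackThis log.

```python
"""
Triage helper for HijackThis (HJT) and Malwarebytes (MBAM) logs.
Added example for this thread: not a forum tool, and the rules
below are the editor's own heuristics, not a vendor's signatures.
"""
import re
from collections import Counter

# Constructed sample in the shape of the HJT log posted above. The O2 and
# Winlogon Notify lines are built from the MBAM findings, not copied from HJT.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {38b9d19d-021a-4282-a2bd-f9e40dcba8c9} - C:\WINNT\system32\ssqQijkl.dll
O3 - Toolbar: (no name) - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: zltybg.dll
O20 - Winlogon Notify: khffxqka - C:\WINNT\system32\khfFXQKA.dll
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Constructed excerpt in the shape of the MBAM "Files Infected" section.
SAMPLE_MBAM = r"""
Files Infected:
C:\WINNT\system32\khfFXQKA.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\ssqQijkl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\zltybg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# "O20 - AppInit_DLLs: zltybg.dll" -> section "O20", body "AppInit_DLLs: zltybg.dll"
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# "C:\path\file (Family) -> action"
MBAM_FILE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")


def parse_hjt(text):
    """Return (section, body) for every HJT entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def section_counts(entries):
    """How many entries of each HJT section type were seen (R0, O2, O23, ...)."""
    return Counter(section for section, _ in entries)


def triage(entries):
    """Apply load-point rules; returns (severity, reason, body) per finding."""
    findings = []
    for section, body in entries:
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is normally empty; any value is loaded into every
            # process that loads user32.dll, which is why it is a favourite
            # persistence spot and why the posted MBAM log hit zltybg.dll.
            if body.split(":", 1)[1].strip():
                findings.append(("high", "AppInit_DLLs value set", body))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            # Notification packages are loaded into winlogon.exe at logon.
            findings.append(("high", "Winlogon Notify package", body))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            findings.append(("medium", "unnamed Browser Helper Object", body))
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            # Target is gone: harmless leftover, but still worth cleaning.
            findings.append(("low", "orphaned entry, target absent", body))
    return findings


def mbam_files(text):
    """Extract (path, family) from the file lines of an MBAM log."""
    files = []
    for line in text.splitlines():
        m = MBAM_FILE.match(line.strip())
        if m:
            files.append((m.group("path"), m.group("family")))
    return files


def correlate(entries, files):
    """Map each MBAM-detected file name to the HJT entries that reference it."""
    hits = {}
    for path, family in files:
        base = path.rsplit("\\", 1)[-1].lower()
        refs = [f"{s} - {b}" for s, b in entries if base in b.lower()]
        if refs:
            hits[base] = (family, refs)
    return hits


if __name__ == "__main__":
    hjt = parse_hjt(SAMPLE_HJT)
    print("entries per section:", dict(section_counts(hjt)))
    for sev, reason, body in triage(hjt):
        print(f"[{sev:6}] {reason}: {body}")
    for name, (family, refs) in correlate(hjt, mbam_files(SAMPLE_MBAM)).items():
        print(f"{name} ({family}) referenced by: {refs}")
```

Run against a full log the correlation step tells you which scanner detections still have a live load point in HJT, and which load points HJT shows that no scanner has yet named; the second group is what the helpers in this thread are hunting for when they ask for a fresh log after each tool run.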

Re: hijacked by angelinteractive 2000 Pro. Help Please

Unread postby MikeSwim07 » August 20th, 2008, 7:30 am

Download and Run ATF Cleaner

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

OTScanIt

  • Please download OTScanIt.exe from Bleeping Computer by OldTimer and save it to your desktop.
  • Double click on OTScanIt.exe to run it.
  • Click on Extract. Once done, you will be prompted. Click OK and click Close.
  • Double click on the OTScanIt folder. Double click on OTScanIt.exe to run it.
  • Under Drivers section, select Non-Microsoft.
  • Click on the Run Scan button at the top left hand corner.
  • OTScanIt will start running. Once done, Notepad will open. Please post the contents of this Notepad file in your next reply.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: hijacked by angelinteractive 2000 Pro. Help Please

Unread postby ikei » August 20th, 2008, 9:33 am

OK, done. Though the prefetch areas were not cleaned as the option was 'darked' out in the selection area of the ATF Cleaner program.

Again previous symptoms have cleared somewhat, now we are experiencing occasional unwanted popups with fewer sites being blocked.

Thanks again, the notepad results follow.

Code:
OTScanIt logfile created on: 8/20/2008 7:18:40 AM
OTScanIt by OldTimer - Version 1.0.16.2     Folder = C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Desktop\OTScanIt
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.50 Gb Total Physical Memory | 0.63 Gb Available Physical Memory | 41.97% Memory free
3.35 Gb Paging File | 3.01 Gb Available in Paging File | 90.02% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 149.02 Gb Total Space | 121.19 Gb Free Space | 81.33% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 465.76 Gb Total Space | 201.21 Gb Free Space | 43.20% Space Free | Partition Type: NTFS
Drive G: | 149.02 Gb Total Space | 136.48 Gb Free Space | 91.59% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: IRAN1
Current User Name: Clarence R. Isaacks 
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
ccproxy.exe -> %CommonProgramFiles%\Symantec Shared\CCPROXY.EXE -> Symantec Corporation [Ver = 103.0.8.2 | Size = 235168 bytes | Modified Date = 6/14/2006 1:48:42 PM | Attr =    ]
issvc.exe -> %ProgramFiles%\Norton Internet Security\ISSVC.exe -> Symantec Corporation [Ver = 8.0.5.14 | Size = 83584 bytes | Modified Date = 4/18/2005 7:49:24 PM | Attr =    ]
sndsrvc.exe -> %CommonProgramFiles%\Symantec Shared\SNDSrvc.exe -> Symantec Corporation [Ver = 5.5.6.604 | Size = 206552 bytes | Modified Date = 3/28/2007 6:41:56 PM | Attr =    ]
ccsetmgr.exe -> %CommonProgramFiles%\Symantec Shared\CCSETMGR.EXE -> Symantec Corporation [Ver = 103.0.11.4 | Size = 181608 bytes | Modified Date = 1/17/2008 11:42:04 AM | Attr =    ]
spbbcsvc.exe -> %CommonProgramFiles%\Symantec Shared\SPBBC\SPBBCSvc.exe -> Symantec Corporation [Ver = 1,0,1,47 | Size = 173160 bytes | Modified Date = 7/21/2004 4:24:04 PM | Attr =    ]
ccevtmgr.exe -> %CommonProgramFiles%\Symantec Shared\CCEVTMGR.EXE -> Symantec Corporation [Ver = 103.0.11.4 | Size = 197992 bytes | Modified Date = 1/17/2008 11:42:02 AM | Attr =    ]
schedul2.exe -> %CommonProgramFiles%\Acronis\Schedule2\schedul2.exe -> Acronis [Ver = 1,0,0,240 | Size = 411168 bytes | Modified Date = 2/16/2007 6:49:50 PM | Attr =    ]
aluschedulersvc.exe -> %ProgramFiles%\Symantec\LiveUpdate\AluSchedulerSvc.exe -> Symantec Corporation [Ver = 3.0.0.171 | Size = 100032 bytes | Modified Date = 7/25/2006 6:03:42 PM | Attr =    ]
navapsvc.exe -> %ProgramFiles%\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE -> Symantec Corporation [Ver = 11.0.16.2 | Size = 177264 bytes | Modified Date = 10/19/2005 12:54:14 PM | Attr =    ]
nvsvc32.exe -> %SystemRoot%\system32\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.4523 | Size = 77824 bytes | Modified Date = 7/28/2003 2:19:00 PM | Attr =    ]
symlcsvc.exe -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> Symantec Corporation [Ver = 1.8.54.841 | Size = 826512 bytes | Modified Date = 6/28/2008 5:20:12 PM | Attr =    ]
ccapp.exe -> %CommonProgramFiles%\Symantec Shared\CCAPP.EXE -> Symantec Corporation [Ver = 103.0.11.4 | Size = 58728 bytes | Modified Date = 1/17/2008 11:42:02 AM | Attr =    ]
boincmgr.exe -> %ProgramFiles%\BOINC\boincmgr.exe -> Space Sciences Laboratory [Ver = 5.10.28 | Size = 4145920 bytes | Modified Date = 10/29/2007 5:16:14 PM | Attr =    ]
boinc.exe -> %ProgramFiles%\BOINC\boinc.exe -> Space Sciences Laboratory [Ver = 5.10.28 | Size = 709376 bytes | Modified Date = 10/29/2007 5:16:12 PM | Attr =    ]
utorrent.exe -> %ProgramFiles%\uTorrent\uTorrent.exe -> BitTorrent, Inc. [Ver = 1.8.0.11813 | Size = 267056 bytes | Modified Date = 8/19/2008 8:07:47 PM | Attr =    ]
setiathome_5.27_windows_intelx86.exe -> %ProgramFiles%\BOINC\projects\setiathome.berkeley.edu\setiathome_5.27_windows_intelx86.exe -> Space Sciences Laboratory [Ver = 5.27 | Size = 2160033 bytes | Modified Date = 11/6/2007 12:20:11 AM | Attr =    ]
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.16.2 | Size = 397312 bytes | Modified Date = 7/12/2008 9:29:54 AM | Attr =    ]

[Win32 Services - Non-Microsoft Only]
(AcrSch2Svc) Acronis Scheduler2 Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Acronis\Schedule2\schedul2.exe -> Acronis [Ver = 1,0,0,240 | Size = 411168 bytes | Modified Date = 2/16/2007 6:49:50 PM | Attr =    ]
(Automatic LiveUpdate Scheduler) Automatic LiveUpdate Scheduler [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec\LiveUpdate\AluSchedulerSvc.exe -> Symantec Corporation [Ver = 3.0.0.171 | Size = 100032 bytes | Modified Date = 7/25/2006 6:03:42 PM | Attr =    ]
(ccEvtMgr) Symantec Event Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\CCEVTMGR.EXE -> Symantec Corporation [Ver = 103.0.11.4 | Size = 197992 bytes | Modified Date = 1/17/2008 11:42:02 AM | Attr =    ]
(ccProxy) Symantec Network Proxy [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\CCPROXY.EXE -> Symantec Corporation [Ver = 103.0.8.2 | Size = 235168 bytes | Modified Date = 6/14/2006 1:48:42 PM | Attr =    ]
(ccPwdSvc) Symantec Password Validation [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\CCPWDSVC.EXE -> Symantec Corporation [Ver = 103.0.11.4 | Size = 79208 bytes | Modified Date = 1/17/2008 11:42:04 AM | Attr =    ]
(ccSetMgr) Symantec Settings Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\CCSETMGR.EXE -> Symantec Corporation [Ver = 103.0.11.4 | Size = 181608 bytes | Modified Date = 1/17/2008 11:42:04 AM | Attr =    ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\dmadmin.exe -> VERITAS Software Corp. [Ver = 2195.6624.297.3 | Size = 147728 bytes | Modified Date = 6/19/2003 1:05:04 PM | Attr =    ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\1050\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 10.50.125 | Size = 73728 bytes | Modified Date = 10/22/2004 3:24:18 AM | Attr =    ]
(ISSVC) ISSVC [Win32_Own | Auto | Running] -> %ProgramFiles%\Norton Internet Security\ISSVC.exe -> Symantec Corporation [Ver = 8.0.5.14 | Size = 83584 bytes | Modified Date = 4/18/2005 7:49:24 PM | Attr =    ]
(LiveUpdate) LiveUpdate [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Symantec\LiveUpdate\LuComServer_3_0.EXE -> Symantec Corporation [Ver = 3.0.0.171 | Size = 2119360 bytes | Modified Date = 7/25/2006 6:03:42 PM | Attr =    ]
(navapsvc) Norton AntiVirus Auto-Protect Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE -> Symantec Corporation [Ver = 11.0.16.2 | Size = 177264 bytes | Modified Date = 10/19/2005 12:54:14 PM | Attr =    ]
(NVSvc) NVIDIA Driver Helper Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.4523 | Size = 77824 bytes | Modified Date = 7/28/2003 2:19:00 PM | Attr =    ]
(RoxLiveShare9) LiveShare P2P Server 9 [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -> File not found
(SAVScan) SAVScan [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Norton Internet Security\Norton AntiVirus\SAVSCAN.EXE -> Symantec Corporation [Ver = 9.4.2.1 | Size = 198368 bytes | Modified Date = 3/7/2005 2:59:36 PM | Attr =    ]
(SBService) ScriptBlocking Service [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\Symantec Shared\Script Blocking\SBSERV.EXE -> Symantec Corporation [Ver = 11.0.16.2 | Size = 67184 bytes | Modified Date = 10/19/2005 12:55:00 PM | Attr =    ]
(SNDSrvc) Symantec Network Drivers Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\SNDSrvc.exe -> Symantec Corporation [Ver = 5.5.6.604 | Size = 206552 bytes | Modified Date = 3/28/2007 6:41:56 PM | Attr =    ]
(SPBBCSvc) Symantec SPBBCSvc [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\SPBBC\SPBBCSvc.exe -> Symantec Corporation [Ver = 1,0,1,47 | Size = 173160 bytes | Modified Date = 7/21/2004 4:24:04 PM | Attr =    ]
(stllssvr) stllssvr [Win32_Own | Disabled | Stopped] -> %CommonProgramFiles%\SureThing Shared\stllssvr.exe -> File not found
(Symantec Core LC) Symantec Core LC [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> Symantec Corporation [Ver = 1.8.54.841 | Size = 826512 bytes | Modified Date = 6/28/2008 5:20:12 PM | Attr =    ]
(Symantec RemoteAssist) Symantec RemoteAssist [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\Support Controls\ssrc.exe -> Symantec, Inc. [Ver = 6.9.2894.0 | Size = 394704 bytes | Modified Date = 1/29/2008 4:09:02 PM | Attr =    ]

[Driver Services - Non-Microsoft Only]
(Ad-Watch Connect Filter) Ad-Watch Connect Kernel Filter [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\NSDriver.sys -> File not found
(Ad-Watch Real-Time Scanner) AW Real-Time Scanner [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\AWRTPD.sys -> File not found
(Ad-Watch Registry Filter) Ad-Watch Registry Kernel Filter [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\AWRTRD.sys -> File not found
(Afc) PPdus ASPI Shell [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\afc.sys -> Arcsoft, Inc. [Ver = 1, 0, 0, 2 | Size = 11776 bytes | Modified Date = 2/23/2005 3:58:56 PM | Attr =    ]
(ALCXWDM) Service for Realtek AC97 Audio (WDM) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\alcxwdm.sys -> Realtek Semiconductor Corp. [Ver = 5.10.00.6160 built by: WinDDK | Size = 4017536 bytes | Modified Date = 8/18/2006 2:52:00 PM | Attr = R  ]
(c2scsi) c2scsi [Kernel | System | Running] -> %SystemRoot%\System32\drivers\c2scsi.sys -> Sonic Solutions [Ver = 9.0.1.16 | Size = 241664 bytes | Modified Date = 3/4/2006 6:00:00 AM | Attr =    ]
(Cdr4_2K) Cdr4_2K [Kernel | System | Running] -> %SystemRoot%\System32\drivers\cdr4_2k.sys -> Sonic Solutions [Ver = 8.0.0.212  | Size = 2432 bytes | Modified Date = 7/24/2006 3:00:00 AM | Attr =    ]
(Cdralw2k) Cdralw2k [Kernel | System | Running] -> %SystemRoot%\System32\drivers\cdralw2k.sys -> Sonic Solutions [Ver = 8.0.0.212  | Size = 2560 bytes | Modified Date = 7/24/2006 3:00:00 AM | Attr =    ]
(cdudf) cdudf [File_System | System | Running] -> %SystemRoot%\System32\drivers\cdudf.sys -> Roxio [Ver = 5.3.5.10 | Size = 363927 bytes | Modified Date = 11/5/2007 9:23:45 PM | Attr =    ]
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\dmboot.sys -> VERITAS Software Corp. [Ver = 2195.6655.297.3 | Size = 369104 bytes | Modified Date = 6/19/2003 1:05:04 PM | Attr =    ]
(dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmio.sys -> VERITAS Software Corp. [Ver = 2195.6655.297.3 | Size = 137936 bytes | Modified Date = 6/19/2003 1:05:04 PM | Attr =    ]
(dmload) dmload [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmload.sys -> VERITAS Software Corp. [Ver = 2195.6655.297.3 | Size = 7312 bytes | Modified Date = 6/19/2003 1:05:04 PM | Attr =    ]
(dvd43llh) dvd43llh [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\dvd43llh.sys -> RIF [Ver = 3.5.000 | Size = 18816 bytes | Modified Date = 7/11/2008 6:06:31 PM | Attr =    ]
(dvd_2K) dvd_2K [Kernel | On_Demand | Running] -> %SystemRoot%\System32\drivers\Dvd_2k.sys -> Roxio [Ver = 5.3.5.10 | Size = 25930 bytes | Modified Date = 11/5/2007 9:23:45 PM | Attr =    ]
(ElbyCDFL) ElbyCDFL [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ElbyCDFL.sys -> SlySoft, Inc. [Ver = 5, 2, 1, 3 | Size = 34760 bytes | Modified Date = 2/15/2007 6:57:04 PM | Attr =    ]
(ElbyCDIO) ElbyCDIO Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\ElbyCDIO.sys -> Elaborate Bytes AG [Ver = 6, 0, 1, 0 | Size = 25160 bytes | Modified Date = 8/7/2007 1:48:33 PM | Attr =    ]
(GVTDrv) GVTDrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\GVTDrv.sys ->  [Ver =  | Size = 24944 bytes | Modified Date = 6/30/2008 6:32:31 PM | Attr =    ]
(HCWBT8XX) Hauppauge WinTV 848/9 WDM Video Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\HCWBT8xx.sys -> Hauppauge Computer Works [Ver = 3.49.24025 | Size = 472644 bytes | Modified Date = 1/25/2006 5:14:06 PM | Attr =    ]
(L8042Kbd) Logitech SetPoint Keyboard Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\L8042Kbd.sys -> Logitech Inc. [Ver = 3.1.82.00 | Size = 13568 bytes | Modified Date = 7/19/2006 1:27:26 PM | Attr =    ]
(L8042mou) SetPoint PS/2 Mouse Filter Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\L8042mou.Sys -> Logitech Inc. [Ver = 3.1.82.00 | Size = 55936 bytes | Modified Date = 7/19/2006 1:27:46 PM | Attr =    ]
(LBeepKE) LBeepKE [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\LBeepKE.sys -> Logitech Inc. [Ver = 3.1.116.00 | Size = 3712 bytes | Modified Date = 9/1/2006 1:32:50 PM | Attr =    ]
(LHidKe) SetPoint HID Mouse Filter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\LHidKE.Sys -> Logitech Inc. [Ver = 3.1.82.00 | Size = 27136 bytes | Modified Date = 7/19/2006 1:29:08 PM | Attr =    ]
(LMouKE) SetPoint Mouse Filter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\LMouKE.Sys -> Logitech Inc. [Ver = 3.1.82.00 | Size = 71936 bytes | Modified Date = 7/19/2006 1:28:56 PM | Attr =    ]
(ltmodem5) LT Modem Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ltmdmnt.sys -> LT [Ver = 5.41G6 | Size = 413712 bytes | Modified Date = 10/23/1999 7:01:40 AM | Attr =    ]
(MarkFun_NT) MarkFun_NT [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Gigabyte\ET5Pro\markfun.w32 -> File not found
(mmc_2K) mmc_2K [Kernel | On_Demand | Running] -> %SystemRoot%\System32\drivers\Mmc_2k.sys -> Roxio [Ver = 5.3.5.10 | Size = 30662 bytes | Modified Date = 11/5/2007 9:23:45 PM | Attr =    ]
(NAVENG) NAVENG [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\VirusDefs\20080813.003\NAVENG.SYS -> Symantec Corporation [Ver = 20081.1.1.13 | Size = 89936 bytes | Modified Date = 6/18/2008 10:50:54 AM | Attr =    ]
(NAVEX15) NAVEX15 [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\VirusDefs\20080813.003\NAVEX15.SYS -> Symantec Corporation [Ver = 20081.1.1.13 | Size = 856336 bytes | Modified Date = 6/18/2008 10:50:54 AM | Attr =    ]
(nv) nv [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\nv4_mini.sys -> NVIDIA Corporation [Ver = 6.14.10.4523 | Size = 1341339 bytes | Modified Date = 7/28/2003 2:19:00 PM | Attr =    ]
(nvax) Service for NVIDIA(R) nForce(TM) Audio Enumerator [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\nvax.sys -> NVIDIA Corporation [Ver = 6.14.0442.30 built by: NVIDIA | Size = 48640 bytes | Modified Date = 5/25/2004 4:58:02 PM | Attr =    ]
(NVENET) NVIDIA nForce MCP Networking Controller Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\NVENET.sys -> NVIDIA Corporation [Ver = 4.14.01.0313 | Size = 80896 bytes | Modified Date = 11/27/2002 9:52:00 PM | Attr = R  ]
(nv_agp) NVIDIA nForce AGP Bus Filter [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\nv_agp.SYS -> NVIDIA Corporation [Ver = 4.12.01.0334 | Size = 18688 bytes | Modified Date = 3/19/2003 4:51:00 PM | Attr = R  ]
(pcouffin) VSO Software pcouffin [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\pcouffin.sys -> VSO Software [Ver = 1.37 | Size = 47360 bytes | Modified Date = 11/5/2007 7:48:57 PM | Attr =    ]
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 | Size = 17680 bytes | Modified Date = 6/19/2003 1:05:04 PM | Attr =    ]
(pwd_2k) pwd_2k [Kernel | System | Running] -> %SystemRoot%\System32\drivers\pwd_2K.sys -> Roxio [Ver = 5.3.5.10 | Size = 144250 bytes | Modified Date = 11/5/2007 9:23:45 PM | Attr =    ]
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\PxHelp20.sys -> Sonic Solutions [Ver = 3.00.56a | Size = 43528 bytes | Modified Date = 11/29/2007 4:30:24 PM | Attr =    ]
(SAVRT) SAVRT [Kernel | On_Demand | Running] -> %ProgramFiles%\Norton Internet Security\Norton AntiVirus\SAVRT.SYS -> Symantec Corporation [Ver = 9.4.2.1 | Size = 338056 bytes | Modified Date = 3/7/2005 2:59:44 PM | Attr =    ]
(SAVRTPEL) SAVRTPEL [Kernel | System | Running] -> %ProgramFiles%\Norton Internet Security\Norton AntiVirus\SAVRTPEL.SYS -> Symantec Corporation [Ver = 9.4.2.1 | Size = 50312 bytes | Modified Date = 3/7/2005 2:59:50 PM | Attr =    ]
(SI3112) SiI-3112 SATALink Controller [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\SI3112.sys -> Silicon Image, Inc. [Ver = 1, 3, 64, 0 | Size = 62336 bytes | Modified Date = 4/18/2006 12:55:42 PM | Attr =    ]
(snapman) Acronis Snapshots Manager [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\snapman.sys -> Acronis [Ver = 3.1 build 329 | Size = 120992 bytes | Modified Date = 6/28/2008 11:24:59 AM | Attr =    ]
(SPBBCDrv) SPBBCDrv [Kernel | System | Running] -> %CommonProgramFiles%\Symantec Shared\SPBBC\SPBBCDrv.sys -> Symantec Corporation [Ver = 1,0,1,47 | Size = 341096 bytes | Modified Date = 7/21/2004 4:24:02 PM | Attr =    ]
(SYMDNS) SYMDNS [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\symdns.sys -> Symantec Corporation [Ver = 5.5.6.604 | Size = 11480 bytes | Modified Date = 3/28/2007 6:41:12 PM | Attr =    ]
(SymEvent) SymEvent [Kernel | On_Demand | Running] -> %ProgramFiles%\Symantec\SYMEVENT.SYS -> Symantec Corporation [Ver = 11.6.8.1 | Size = 124016 bytes | Modified Date = 9/15/2006 10:52:12 PM | Attr =    ]
(SYMFW) SYMFW [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\symfw.sys -> Symantec Corporation [Ver = 5.5.6.604 | Size = 171928 bytes | Modified Date = 3/28/2007 6:41:14 PM | Attr =    ]
(SYMIDS) SYMIDS [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\symids.sys -> Symantec Corporation [Ver = 5.5.6.604 | Size = 37016 bytes | Modified Date = 3/28/2007 6:41:20 PM | Attr =    ]
(SYMIDSCO) SYMIDSCO [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\SymcData\idsdefs\20080813.001\SymIDSCo.sys -> Symantec Corporation [Ver = 8.2.1.2 | Size = 240496 bytes | Modified Date = 6/3/2008 5:55:18 PM | Attr =    ]
(symlcbrd) symlcbrd [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\symlcbrd.sys -> Symantec Corporation [Ver = 1.8.54.834 | Size = 10344 bytes | Modified Date = 6/28/2008 5:20:12 PM | Attr =    ]
(SYMNDIS) SYMNDIS [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\symndis.sys -> Symantec Corporation [Ver = 5.5.6.604 | Size = 47192 bytes | Modified Date = 3/28/2007 6:41:18 PM | Attr =    ]
(SYMREDRV) SYMREDRV [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\symredrv.sys -> Symantec Corporation [Ver = 5.5.6.604 | Size = 18904 bytes | Modified Date = 3/28/2007 6:41:24 PM | Attr =    ]
(SYMTDI) SYMTDI [Kernel | System | Running] -> %SystemRoot%\system32\drivers\symtdi.sys -> Symantec Corporation [Ver = 5.5.6.604 | Size = 266552 bytes | Modified Date = 3/28/2007 6:41:26 PM | Attr =    ]
(tifsfilter) Acronis True Image FS Filter [File_System | Auto | Running] -> %SystemRoot%\system32\drivers\tifsfilt.sys -> Acronis [Ver = 3.3 build 444 | Size = 32768 bytes | Modified Date = 6/28/2008 11:25:01 AM | Attr =    ]
(timounter) Acronis True Image Backup Archive Explorer [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\timntr.sys -> Acronis [Ver = 3.3 build 444 | Size = 392320 bytes | Modified Date = 6/28/2008 11:25:01 AM | Attr =    ]
(UdfReadr) UdfReadr [File_System | System | Running] -> %SystemRoot%\System32\drivers\udfreadr.sys -> Roxio [Ver = 5.3.5.10 | Size = 227298 bytes | Modified Date = 11/5/2007 9:23:45 PM | Attr =    ]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
ccApp -> %CommonProgramFiles%\Symantec Shared\CCAPP.EXE ["C:\Program Files\Common Files\Symantec Shared\ccApp.exe"] -> Symantec Corporation [Ver = 103.0.11.4 | Size = 58728 bytes | Modified Date = 1/17/2008 11:42:02 AM | Attr =    ]
NvCplDaemon -> %SystemRoot%\system32\nvcpl.dll [RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 6.14.10.4523 | Size = 4841472 bytes | Modified Date = 7/28/2003 2:19:00 PM | Attr =    ]
NvMediaCenter -> %SystemRoot%\system32\nvmctray.dll [RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit] -> NVIDIA Corporation [Ver = 6.14.10.4523 | Size = 49152 bytes | Modified Date = 7/28/2003 2:19:00 PM | Attr =    ]
nwiz -> %SystemRoot%\system32\nwiz.exe [nwiz.exe /install] -> NVIDIA Corporation [Ver = 6.14.10.4523 | Size = 323584 bytes | Modified Date = 7/28/2003 2:19:00 PM | Attr =    ]
SSC_UserPrompt -> %CommonProgramFiles%\Symantec Shared\Security Center\UsrPrmpt.exe [C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe] -> Symantec Corporation [Ver = 2005.1.2.20 | Size = 218240 bytes | Modified Date = 11/2/2004 5:59:52 PM | Attr =    ]
Symantec NetDriver Monitor -> %ProgramFiles%\SymNetDrv\SNDMon.exe [C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer] -> Symantec Corporation [Ver = 5.5.6.604 | Size = 100056 bytes | Modified Date = 6/28/2008 5:38:19 PM | Attr =    ]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 
IMAIL-> Installed = 1 -> 
MAPI-> Installed = 1 -> 
MSFS-> Installed = 1 -> 
< Clarence R. Isaacks .IRAN1 Startup Folder > -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Start Menu\Programs\Startup -> 
%UserProfile%\Start Menu\Programs\Startup\BOINC Manager.lnk -> %ProgramFiles%\BOINC\boincmgr.exe -> Space Sciences Laboratory [Ver = 5.10.28 | Size = 4145920 bytes | Modified Date = 10/29/2007 5:16:14 PM | Attr =    ]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
*SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
msapsspc.dll schannel.dll digest.dll msnsspc.dll ->  -> File not found
*MultiFile Done* -> -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> %SystemRoot%\explorer.exe -> Microsoft Corporation [Ver = 5.00.3700.6690 | Size = 243472 bytes | Modified Date = 6/19/2003 1:05:04 PM | Attr =    ]
*MultiFile Done* -> -> 
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 
C:\WINNT\system32\userinit.exe -> %SystemRoot%\system32\USERINIT.EXE -> Microsoft Corporation [Ver = 5.00.2195.6612 | Size = 17680 bytes | Modified Date = 6/19/2003 1:05:04 PM | Attr =    ]
*MultiFile Done* -> -> 
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet -> 
rundll32 shell32 -> %SystemRoot%\system32\SHELL32.DLL -> Microsoft Corporation [Ver = 5.00.3900.7105 | Size = 2362640 bytes | Modified Date = 7/13/2006 1:09:24 AM | Attr =    ]
Control_RunDLL "sysdm.cpl" -> %SystemRoot%\system32\SYSDM.CPL -> Microsoft Corporation [Ver = 5.00.2195.6601 | Size = 125712 bytes | Modified Date = 6/19/2003 1:05:04 PM | Attr =    ]
*MultiFile Done* -> -> 
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 149 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\CDRAutoRun -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> -> 
< CDROM Autorun Settings > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Autorun -> 1 -> 
*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable -> 
NEC     MBR-7    ->  -> File not found
NEC     MBR-7.4  ->  -> File not found
PIONEER CHANGR DRM-1804X ->  -> File not found
PIONEER CD-ROM DRM-6324X ->  -> File not found
PIONEER CD-ROM DRM-624X  ->  -> File not found
TORiSAN CD-ROM CDR_C36 ->  -> File not found
*MultiFile Done* -> -> 
*DependOnGroup* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DependOnGroup -> 
SCSI miniport ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> %SystemRoot%\system32\drivers\cdrom.sys [System32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 5.00.2195.6655 | Size = 27984 bytes | Modified Date = 6/19/2003 1:05:04 PM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\0 -> IDE\CdRomTDK_CDRW401240B_________________________Z7SD____\5&f328ca&0&0.0.0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\Count -> 3 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\NextInstance -> 3 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\1 -> SCSI\CdRom&Ven_PLEXTOR&Prod_DVDR___PX-716A&Rev_1.11\5&e87743c&0&100 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\2 -> SCSI\CdRom&Ven_ROXIO&Prod_DVD-ROM_EMULATOR&Rev_2.00\1&2afd7d61&1&000 -> 
< Drives - Autoruns > ->  -> 
AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] ->  [Ver =  | Size = 0 bytes | Modified Date = 11/5/2007 11:57:23 AM | Attr =  H ]
AUTOEXEC.BAT [] -> G:\AUTOEXEC.BAT [ NTFS ] ->  [Ver =  | Size = 0 bytes | Modified Date = 11/5/2007 11:57:23 AM | Attr =  H ]
< HOSTS File > (23 bytes) -> C:\WINNT\System32\drivers\etc\Hosts -> 
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home -> 
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINNT\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\Start Page -> about:blank -> 
HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 2:11:33 AM | Attr =    ]
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll [EpsonToolBandKicker Class] -> SEIKO EPSON CORPORATION [Ver = 1, 1, 0, 0 | Size = 368640 bytes | Modified Date = 2/22/2005 2:50:34 PM | Attr =    ]
< Internet Explorer Bars [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 
{182EC0BE-5110-49C8-A062-BEB1D02A220B} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 5:18:14 AM | Attr =    ]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Symantec Shared\AdBlocking\NISShExt.dll [Norton Internet Security] -> Symantec Corporation [Ver = 8.0.5.14 | Size = 104064 bytes | Modified Date = 4/18/2005 7:49:38 PM | Attr =    ]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Norton Internet Security\Norton AntiVirus\NAVSHEXT.DLL [Norton AntiVirus] -> Symantec Corporation [Ver = 11.0.16.2 | Size = 218736 bytes | Modified Date = 10/19/2005 12:54:30 PM | Attr =    ]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 5:18:14 AM | Attr =    ]
{8E718888-423F-11D2-876E-00A0C9082467} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\msdxm.ocx [&Radio] ->  [Ver =  | Size = 844560 bytes | Modified Date = 3/31/2005 1:10:40 AM | Attr =    ]
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll [EPSON Web-To-Page] -> SEIKO EPSON CORPORATION [Ver = 1, 1, 0, 0 | Size = 368640 bytes | Modified Date = 2/22/2005 2:50:34 PM | Attr =    ]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Symantec Shared\AdBlocking\NISShExt.dll [Norton Internet Security] -> Symantec Corporation [Ver = 8.0.5.14 | Size = 104064 bytes | Modified Date = 4/18/2005 7:49:38 PM | Attr =    ]
WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Norton Internet Security\Norton AntiVirus\NAVSHEXT.DLL [Norton AntiVirus] -> Symantec Corporation [Ver = 11.0.16.2 | Size = 218736 bytes | Modified Date = 10/19/2005 12:54:30 PM | Attr =    ]
WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 5:18:14 AM | Attr =    ]
WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 2:11:34 AM | Attr =    ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 2:11:33 AM | Attr =    ]
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 
Convert link target to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 5:18:14 AM | Attr =    ]
Convert link target to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 5:18:14 AM | Attr =    ]
Convert selected links to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 5:18:14 AM | Attr =    ]
Convert selected links to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 5:18:14 AM | Attr =    ]
Convert selection to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 5:18:14 AM | Attr =    ]
Convert selection to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 5:18:14 AM | Attr =    ]
Convert to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 5:18:14 AM | Attr =    ]
Convert to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 5:18:14 AM | Attr =    ]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{18E81829-C9A3-490A-92F0-AB0A9B7EDF51} ->    (NVIDIA nForce MCP Networking Controller) -> 
{B33B927A-0DCA-4C49-94A5-5BDF44227121} ->    () -> 
< Default Protocols [HKEY_CURRENT_USER\] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults -> 
shell -> shell protocol not assigned -> 
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
vnd.ms.radio:{3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\msdxm.ocx[AsyncPProt Class] ->  [Ver =  | Size = 844560 bytes | Modified Date = 3/31/2005 1:10:40 AM | Attr =    ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{02BCC737-B171-4746-94C9-0D8A0B2C0089}[HKEY_LOCAL_MACHINE] -> http://office.microsoft.com/templates/ieawsdc.cab[Microsoft Office Template and Media Control] -> 
{22945A69-1191-4DCF-9E6F-409BDE94D101}[HKEY_LOCAL_MACHINE] -> http://www.3dpublisher.net/SWService/eDrawingsEnglish.cab[EModelNonVersionSpecificViewControl Class] -> 
{4C39376E-FA9D-4349-BACC-D305C1750EF3}[HKEY_LOCAL_MACHINE] -> http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab[EPUImageControl Class] -> 
{56336BCB-3D8A-11D6-A00B-0050DA18DE71}[HKEY_LOCAL_MACHINE] -> http://software-dl.real.com/08fa6a01c69ac44ead03/netzip/RdxIE601.cab[RdxIE Class] -> 
{6414512B-B978-451D-A0D8-FCFDF33E833C}[HKEY_LOCAL_MACHINE] -> http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194290811078[WUWebControl Class] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab[Java Plug-in 1.6.0_03] -> 
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] -> 
DirectAnimation Java Classes[HKEY_LOCAL_MACHINE] -> file://C:\WINNT\Java\classes\dajava.cab[Reg Error: Key does not exist or could not be opened.] -> 
Microsoft XML Parser for Java[HKEY_LOCAL_MACHINE] -> file://C:\WINNT\Java\classes\xmldso.cab[Reg Error: Key does not exist or could not be opened.] -> 
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/EPUWALcontrol.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/EPUWALcontrol.dll\\.Owner -> {4C39376E-FA9D-4349-BACC-D305C1750EF3} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/EPUWALcontrol.dll\\{4C39376E-FA9D-4349-BACC-D305C1750EF3} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/IEAWSDC.DLL\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/IEAWSDC.DLL\\.Owner -> {02BCC737-B171-4746-94C9-0D8A0B2C0089} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/IEAWSDC.DLL\\{02BCC737-B171-4746-94C9-0D8A0B2C0089} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/RdxIE.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/RdxIE.dll\\.Owner -> {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/RdxIE.dll\\{56336BCB-3D8A-11D6-A00B-0050DA18DE71} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/danim.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/danim.dll\\.Owner -> {DC38CC30-4E3B-11d1-9071-0060081840BC} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/danim.dll\\{DC38CC30-4E3B-11d1-9071-0060081840BC} -> {DC38CC30-4E3B-11d1-9071-0060081840BC} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/ddrawex.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/ddrawex.dll\\.Owner -> {DC38CC30-4E3B-11d1-9071-0060081840BC} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/ddrawex.dll\\{DC38CC30-4E3B-11d1-9071-0060081840BC} -> {DC38CC30-4E3B-11d1-9071-0060081840BC} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/ddrawex.dll\\22d6f312-b0f6-11d0-94ab-0080c74c7e95 -> 22d6f312-b0f6-11d0-94ab-0080c74c7e95 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/quartz.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/quartz.dll\\.Owner -> {DC38CC30-4E3B-11d1-9071-0060081840BC} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/quartz.dll\\{DC38CC30-4E3B-11d1-9071-0060081840BC} -> {DC38CC30-4E3B-11d1-9071-0060081840BC} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/quartz.dll\\{4112DF42-0DCB-11d1-8177-00AA00576BAD} -> {4112DF42-0DCB-11d1-8177-00AA00576BAD} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/quartz.dll\\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} -> {22d6f312-b0f6-11d0-94ab-0080c74c7e95} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/system32/wuweb.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/system32/wuweb.dll\\.Owner -> {6414512B-B978-451D-A0D8-FCFDF33E833C} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/system32/wuweb.dll\\{6414512B-B978-451D-A0D8-FCFDF33E833C} ->  -> 

[Files/Folders - Created Within 30 days]
Avenger -> %SystemDrive%\Avenger ->  [Folder | Created Date = 8/17/2008 10:14:38 PM | Attr =    ]
fixwareout -> %SystemDrive%\fixwareout ->  [Folder | Created Date = 8/11/2008 11:26:07 PM | Attr =    ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups ->  [Folder | Created Date = 8/14/2008 5:36:58 PM | Attr =    ]
windows -> %SystemDrive%\windows ->  [Folder | Created Date = 8/9/2008 3:11:08 PM | Attr =    ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt ->  [Folder | Created Date = 8/17/2008 8:09:43 PM | Attr =    ]
c2scsi.sys -> %SystemRoot%\System32\drivers\c2scsi.sys -> Sonic Solutions [Ver = 9.0.1.16 | Size = 241664 bytes | Created Date = 8/12/2008 10:07:23 AM | Attr =    ]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> Malwarebytes Corporation [Ver = 1, 0, 0, 1 | Size = 17144 bytes | Created Date = 8/17/2008 8:48:21 PM | Attr =    ]
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> Malwarebytes Corporation [Ver = 1.00 | Size = 38472 bytes | Created Date = 8/17/2008 8:48:21 PM | Attr =    ]
keystone.exe -> %SystemRoot%\System32\keystone.exe -> NVIDIA Corporation [Ver = 6.14.10.4523 | Size = 286806 bytes | Created Date = 7/22/2008 9:27:30 PM | Attr =    ]
NEROINSTAEC43759.DB -> %SystemRoot%\System32\NEROINSTAEC43759.DB ->  [Ver =  | Size = 773120 bytes | Created Date = 8/9/2008 4:54:42 PM | Attr =    ]
nview.dll -> %SystemRoot%\System32\nview.dll -> NVIDIA Corporation [Ver = 6.14.10.4523 | Size = 852038 bytes | Created Date = 7/22/2008 9:27:30 PM | Attr =    ]
nvshell.dll -> %SystemRoot%\System32\nvshell.dll -> NVIDIA Corporation [Ver = 6.14.10.4523 | Size = 471112 bytes | Created Date = 7/22/2008 9:27:30 PM | Attr =    ]
nvtuicpl.cpl -> %SystemRoot%\System32\nvtuicpl.cpl -> NVIDIA Corporation [Ver = 6.14.10.4523 | Size = 143360 bytes | Created Date = 7/22/2008 9:27:30 PM | Attr =    ]
nwiz.exe -> %SystemRoot%\System32\nwiz.exe -> NVIDIA Corporation [Ver = 6.14.10.4523 | Size = 323584 bytes | Created Date = 7/22/2008 9:27:30 PM | Attr =    ]
Perflib_Perfdata_18c.dat -> %SystemRoot%\System32\Perflib_Perfdata_18c.dat ->  [Ver =  | Size = 16384 bytes | Created Date = 8/7/2008 7:41:09 PM | Attr =    ]
Perflib_Perfdata_560.dat -> %SystemRoot%\System32\Perflib_Perfdata_560.dat ->  [Ver =  | Size = 16384 bytes | Created Date = 8/3/2008 3:54:41 PM | Attr =    ]
Perflib_Perfdata_594.dat -> %SystemRoot%\System32\Perflib_Perfdata_594.dat ->  [Ver =  | Size = 16384 bytes | Created Date = 8/9/2008 9:23:38 AM | Attr =    ]
Perflib_Perfdata_5a8.dat -> %SystemRoot%\System32\Perflib_Perfdata_5a8.dat ->  [Ver =  | Size = 16384 bytes | Created Date = 8/7/2008 7:13:34 PM | Attr =    ]
Perflib_Perfdata_5b4.dat -> %SystemRoot%\System32\Perflib_Perfdata_5b4.dat ->  [Ver =  | Size = 16384 bytes | Created Date = 8/3/2008 5:02:17 PM | Attr =    ]
Perflib_Perfdata_5d4.dat -> %SystemRoot%\System32\Perflib_Perfdata_5d4.dat ->  [Ver =  | Size = 16384 bytes | Created Date = 8/8/2008 4:23:51 PM | Attr =    ]
Perflib_Perfdata_5e0.dat -> %SystemRoot%\System32\Perflib_Perfdata_5e0.dat ->  [Ver =  | Size = 16384 bytes | Created Date = 8/19/2008 8:28:38 PM | Attr =    ]
ShellManager310E2D762.dll -> %SystemRoot%\System32\ShellManager310E2D762.dll -> Nero AG [Ver = 8.3.6.0 | Size = 1414440 bytes | Created Date = 8/9/2008 4:54:42 PM | Attr =    ]
TwcToolbarBho.dll -> %SystemRoot%\System32\TwcToolbarBho.dll ->  [Ver = 1, 0, 0, 0 | Size = 98304 bytes | Created Date = 8/5/2008 4:12:30 PM | Attr =    ]
TwcToolInstDll.dll -> %SystemRoot%\System32\TwcToolInstDll.dll -> TODO: <Company name> [Ver = 1.0.0.1 | Size = 25600 bytes | Created Date = 8/5/2008 4:12:30 PM | Attr =    ]
xgxojvrm.ini -> %SystemRoot%\System32\xgxojvrm.ini ->  [Ver =  | Size = 1500280 bytes | Created Date = 8/14/2008 11:01:37 AM | Attr =  HS]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Created Date = 8/19/2008 9:36:11 AM | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Created Date = 8/19/2008 9:36:11 AM | Attr =  H ]
ShellIconCache -> %SystemRoot%\ShellIconCache ->  [Ver =  | Size = 2722766 bytes | Created Date = 8/16/2008 12:53:46 PM | Attr =  H ]
SHELLNEW -> %SystemRoot%\SHELLNEW ->  [Folder | Created Date = 7/26/2008 2:22:12 PM | Attr =    ]
8 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> 

[Files/Folders - Modified Within 30 days]
Avenger -> %SystemDrive%\Avenger ->  [Folder | Modified Date = 8/17/2008 10:16:03 PM | Attr =    ]
boot.ini -> %SystemDrive%\boot.ini ->  [Ver =  | Size = 192 bytes | Modified Date = 8/19/2008 11:18:09 AM | Attr =  HS]
displays -> %SystemDrive%\displays ->  [Folder | Modified Date = 7/26/2008 11:50:19 AM | Attr =    ]
Documents and Settings -> %SystemDrive%\Documents and Settings ->  [Folder | Modified Date = 8/18/2008 5:44:56 PM | Attr =    ]
DownLoad -> %SystemDrive%\DownLoad ->  [Folder | Modified Date = 8/4/2008 9:11:50 AM | Attr =    ]
downloads -> %SystemDrive%\downloads ->  [Folder | Modified Date = 8/19/2008 9:47:23 AM | Attr =    ]
fixwareout -> %SystemDrive%\fixwareout ->  [Folder | Modified Date = 8/19/2008 1:36:51 PM | Attr =    ]
My Music -> %SystemDrive%\My Music ->  [Folder | Modified Date = 8/9/2008 4:33:51 PM | Attr =    ]
MyVideos -> %SystemDrive%\MyVideos ->  [Folder | Modified Date = 8/11/2008 4:52:00 PM | Attr =    ]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 8/19/2008 2:29:58 PM | Attr = R  ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups ->  [Folder | Modified Date = 8/14/2008 5:36:58 PM | Attr =    ]
windows -> %SystemDrive%\windows ->  [Folder | Modified Date = 8/9/2008 3:11:08 PM | Attr =    ]
WINNT -> %SystemRoot% ->  [Folder | Modified Date = 8/19/2008 9:56:26 AM | Attr =    ]
workforms1 -> %SystemDrive%\workforms1 ->  [Folder | Modified Date = 8/16/2008 1:47:50 PM | Attr =    ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt ->  [Folder | Modified Date = 8/17/2008 8:09:43 PM | Attr =    ]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> Malwarebytes Corporation [Ver = 1, 0, 0, 1 | Size = 17144 bytes | Modified Date = 8/17/2008 3:01:14 PM | Attr =    ]
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> Malwarebytes Corporation [Ver = 1.00 | Size = 38472 bytes | Modified Date = 8/17/2008 3:01:18 PM | Attr =    ]
dfrg.msc -> %SystemRoot%\System32\dfrg.msc ->  [Ver =  | Size = 104960 bytes | Modified Date = 8/12/2008 4:36:03 PM | Attr =    ]
dllcache -> %SystemRoot%\System32\dllcache ->  [Folder | Modified Date = 8/15/2008 5:07:44 PM | Attr = RHS]
21 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> 
drivers -> %SystemRoot%\System32\drivers ->  [Folder | Modified Date = 8/17/2008 10:14:38 PM | Attr =    ]
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT ->  [Ver =  | Size = 252680 bytes | Modified Date = 8/15/2008 5:22:09 PM | Attr =    ]
NtmsData -> %SystemRoot%\System32\NtmsData ->  [Folder | Modified Date = 8/19/2008 1:36:32 PM | Attr =    ]
nvapps.xml -> %SystemRoot%\System32\nvapps.xml ->  [Ver =  | Size = 88224 bytes | Modified Date = 7/22/2008 9:12:48 PM | Attr =    ]
perfc009.dat -> %SystemRoot%\System32\perfc009.dat ->  [Ver =  | Size = 62416 bytes | Modified Date = 7/30/2008 8:16:45 PM | Attr =    ]
perfh009.dat -> %SystemRoot%\System32\perfh009.dat ->  [Ver =  | Size = 398006 bytes | Modified Date = 7/30/2008 8:16:46 PM | Attr =    ]
Perflib_Perfdata_18c.dat -> %SystemRoot%\System32\Perflib_Perfdata_18c.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 8/7/2008 7:41:09 PM | Attr =    ]
Perflib_Perfdata_560.dat -> %SystemRoot%\System32\Perflib_Perfdata_560.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 8/3/2008 3:54:41 PM | Attr =    ]
Perflib_Perfdata_594.dat -> %SystemRoot%\System32\Perflib_Perfdata_594.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 8/9/2008 9:23:38 AM | Attr =    ]
Perflib_Perfdata_5a8.dat -> %SystemRoot%\System32\Perflib_Perfdata_5a8.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 8/7/2008 7:13:34 PM | Attr =    ]
Perflib_Perfdata_5b4.dat -> %SystemRoot%\System32\Perflib_Perfdata_5b4.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 8/3/2008 5:02:17 PM | Attr =    ]
Perflib_Perfdata_5d4.dat -> %SystemRoot%\System32\Perflib_Perfdata_5d4.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 8/8/2008 4:23:51 PM | Attr =    ]
Perflib_Perfdata_5e0.dat -> %SystemRoot%\System32\Perflib_Perfdata_5e0.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 8/19/2008 8:28:38 PM | Attr =    ]
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI ->  [Ver =  | Size = 464914 bytes | Modified Date = 7/30/2008 8:16:45 PM | Attr =    ]
TwcToolbarBho.dll -> %SystemRoot%\System32\TwcToolbarBho.dll ->  [Ver = 1, 0, 0, 0 | Size = 98304 bytes | Modified Date = 7/22/2008 1:24:02 PM | Attr =    ]
wbem -> %SystemRoot%\System32\wbem ->  [Folder | Modified Date = 7/30/2008 8:16:46 PM | Attr =    ]
xgxojvrm.ini -> %SystemRoot%\System32\xgxojvrm.ini ->  [Ver =  | Size = 1500280 bytes | Modified Date = 8/14/2008 3:57:26 PM | Attr =  HS]
CSC -> %SystemRoot%\CSC ->  [Folder | Modified Date = 8/19/2008 2:29:35 PM | Attr =  HS]
8 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> 
Cursors -> %SystemRoot%\Cursors ->  [Folder | Modified Date = 8/8/2008 9:19:05 PM | Attr =    ]
Debug -> %SystemRoot%\Debug ->  [Folder | Modified Date = 8/19/2008 2:29:47 PM | Attr =    ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 7/22/2008 3:14:08 PM | Attr =   S]
Fonts -> %SystemRoot%\Fonts ->  [Folder | Modified Date = 8/14/2008 6:45:52 PM | Attr = R S]
Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 8/4/2008 8:46:27 AM | Attr =    ]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 8/18/2008 5:43:17 PM | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 8/19/2008 9:04:20 AM | Attr =  HS]
Microsoft.NET -> %SystemRoot%\Microsoft.NET ->  [Folder | Modified Date = 7/26/2008 12:13:00 PM | Attr =    ]
Minidump -> %SystemRoot%\Minidump ->  [Folder | Modified Date = 8/14/2008 5:49:03 PM | Attr =    ]
msicpl.ini -> %SystemRoot%\msicpl.ini ->  [Ver =  | Size = 141 bytes | Modified Date = 8/17/2008 11:14:15 PM | Attr =    ]
nview -> %SystemRoot%\nview ->  [Folder | Modified Date = 7/22/2008 9:27:26 PM | Attr =    ]
ODBC.INI -> %SystemRoot%\ODBC.INI ->  [Ver =  | Size = 956 bytes | Modified Date = 7/26/2008 2:24:35 PM | Attr =    ]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Modified Date = 8/19/2008 9:36:11 AM | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Modified Date = 8/19/2008 9:36:11 AM | Attr =  H ]
Registration -> %SystemRoot%\Registration ->  [Folder | Modified Date = 7/26/2008 12:09:06 PM | Attr =    ]
security -> %SystemRoot%\security ->  [Folder | Modified Date = 8/19/2008 11:25:38 PM | Attr =    ]
ShellIconCache -> %SystemRoot%\ShellIconCache ->  [Ver =  | Size = 2722766 bytes | Modified Date = 8/19/2008 11:11:46 AM | Attr =  H ]
SHELLNEW -> %SystemRoot%\SHELLNEW ->  [Folder | Modified Date = 7/26/2008 2:22:12 PM | Attr =    ]
system -> %SystemRoot%\system ->  [Folder | Modified Date = 7/26/2008 2:06:10 PM | Attr =    ]
system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 227 bytes | Modified Date = 8/19/2008 11:18:09 AM | Attr =    ]
system32 -> %SystemRoot%\system32 ->  [Folder | Modified Date = 8/19/2008 8:28:38 PM | Attr =    ]
Tasks -> %SystemRoot%\Tasks ->  [Folder | Modified Date = 8/8/2008 8:51:19 AM | Attr =   S]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 8/20/2008 7:14:48 AM | Attr =    ]
vbaddin.ini -> %SystemRoot%\vbaddin.ini ->  [Ver =  | Size = 37 bytes | Modified Date = 7/26/2008 11:41:49 AM | Attr =    ]
win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 422 bytes | Modified Date = 8/19/2008 11:18:09 AM | Attr =    ]
WinInit.Ini -> %SystemRoot%\WinInit.Ini ->  [Ver =  | Size = 116 bytes | Modified Date = 8/12/2008 4:50:35 PM | Attr =    ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 8/19/2008 2:29:33 PM | Attr =  H ]
C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help ->  [Folder | Modified Date = 3/6/2008 10:56:58 PM | Attr =    ]
hhcolreg.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help\hhcolreg.dat ->  [Ver =  | Size = 1309 bytes | Modified Date = 3/6/2008 10:56:58 PM | Attr =    ]
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader ->  [Folder | Modified Date = 11/5/2007 1:26:39 PM | Attr =    ]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver =  | Size = 4232 bytes | Modified Date = 8/13/2008 5:04:50 PM | Attr =    ]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver =  | Size = 4617 bytes | Modified Date = 8/13/2008 5:04:50 PM | Attr =    ]
C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data ->  [Folder | Modified Date = 7/26/2008 2:43:13 PM | Attr =    ]
data.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data\data.dat ->  [Ver =  | Size = 1372 bytes | Modified Date = 7/26/2008 11:50:15 AM | Attr =    ]
opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data\opa11.dat ->  [Ver =  | Size = 8206 bytes | Modified Date = 7/26/2008 2:43:13 PM | Attr =    ]
C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\ -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp ->  [Folder | Modified Date = 8/20/2008 7:15:30 AM | Attr =    ]
mpengine.dll -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\mpengine.dll -> Microsoft Corporation [Ver = 1.1.3807.0 | Size = 3358800 bytes | Modified Date = 8/16/2008 12:35:30 PM | Attr =    ]
mpengine.dll2b4f587f -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\mpengine.dll -> Microsoft Corporation [Ver = 1.1.3807.0 | Size = 3358800 bytes | Modified Date = 8/16/2008 12:42:05 PM | Attr =    ]
18 C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\*.tmp -> 
C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\{AC76BA86-1033-0000-7760-100000000002}\ -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\{AC76BA86-1033-0000-7760-100000000002} ->  [Folder | Modified Date = 8/19/2008 9:03:54 AM | Attr =    ]
asneu.dll -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\{AC76BA86-1033-0000-7760-100000000002}\asneu.dll ->  [Ver =  | Size = 212992 bytes | Modified Date = 8/19/2008 9:03:54 AM | Attr =    ]
C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\is-GHKKD.tmp\_isetup\ -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\is-GHKKD.tmp\_isetup ->  [Folder | Modified Date = 8/17/2008 8:47:50 PM | Attr =    ]
_shfoldr.dll -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\is-GHKKD.tmp\_isetup\_shfoldr.dll -> Microsoft Corporation [Ver = 5.50.4807.2300 | Size = 23312 bytes | Modified Date = 8/17/2008 8:47:50 PM | Attr =    ]
1 C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\is-GHKKD.tmp\_isetup\*.tmp files -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\is-GHKKD.tmp\_isetup\*.tmp -> 
C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\Temporary Internet Files\Content.IE5\ -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\Temporary Internet Files\Content.IE5\ ->  [Folder | Modified Date = 8/8/2008 7:09:56 PM | Attr =   S]
desktop.ini -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini ->  [Ver =  | Size = 67 bytes | Modified Date = 8/4/2008 9:32:17 AM | Attr =  HS]
C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\Temporary Internet Files\Content.IE5\DWXXZLLJ\ -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\Temporary Internet Files\Content.IE5\DWXXZLLJ ->  [Folder | Modified Date = 8/8/2008 7:09:55 PM | Attr =   S]
desktop.ini -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\Temporary Internet Files\Content.IE5\DWXXZLLJ\desktop.ini ->  [Ver =  | Size = 67 bytes | Modified Date = 8/7/2008 7:40:40 AM | Attr =  HS]
C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\Temporary Internet Files\Content.IE5\EQI19DWE\ -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\Temporary Internet Files\Content.IE5\EQI19DWE ->  [Folder | Modified Date = 8/8/2008 7:09:55 PM | Attr =   S]
desktop.ini -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\Temporary Internet Files\Content.IE5\EQI19DWE\desktop.ini ->  [Ver =  | Size = 67 bytes | Modified Date = 8/7/2008 7:40:40 AM | Attr =  HS]
C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IZC7LAJE\ -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IZC7LAJE ->  [Folder | Modified Date = 8/8/2008 7:09:56 PM | Attr =   S]
desktop.ini -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IZC7LAJE\desktop.ini ->  [Ver =  | Size = 67 bytes | Modified Date = 8/7/2008 7:40:40 AM | Attr =  HS]
C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\Temporary Internet Files\Content.IE5\SPEJGPAZ\ -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\Temporary Internet Files\Content.IE5\SPEJGPAZ ->  [Folder | Modified Date = 8/8/2008 7:09:56 PM | Attr =   S]
desktop.ini -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\Temporary Internet Files\Content.IE5\SPEJGPAZ\desktop.ini ->  [Ver =  | Size = 67 bytes | Modified Date = 8/6/2008 12:17:01 PM | Attr =  HS]
C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZZL95H5E\ -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZZL95H5E ->  [Folder | Modified Date = 8/8/2008 7:09:56 PM | Attr =   S]
desktop.ini -> C:\Documents and Settings\Clarence R. Isaacks .IRAN1\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZZL95H5E\desktop.ini ->  [Ver =  | Size = 67 bytes | Modified Date = 8/7/2008 7:40:40 AM | Attr =  HS]

< End of report >
ikei
Active Member
 
Posts: 13
Joined: August 14th, 2008, 8:18 pm
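As an added example (not code from the thread, from OTScanIt or from the helper), a small Python triage script that parses lines in the format of the listing above and flags the traits a helper looks for in it: a System32 file with no company or version information, hidden+system attributes, a random-looking eight-letter name, a name that is the reverse of another file's in the same folder (xgxojvrm.ini here is the reverse of the MRVJOXGX.dll reported at the start of the thread), and the unfilled "TODO: <Company name>" placeholder. The sample lines are constructed in the listing's shape; mrvjoxgx.dll is a constructed stand-in, since the poster had already deleted it.

```python
"""Triage an OTScanIt-style file listing for the traits seen in this thread.
Added example, not OTScanIt's or the thread's code.  SAMPLE_LOG is constructed in the
shape of the listing above; mrvjoxgx.dll (size made up) stands in for the DLL the
original poster had already deleted, so its pairing with xgxojvrm.ini can be shown."""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
[Files/Folders - Created Within 30 days]
nview.dll -> %SystemRoot%\System32\nview.dll -> NVIDIA Corporation [Ver = 6.14.10.4523 | Size = 852038 bytes | Created Date = 7/22/2008 9:27:30 PM | Attr =    ]
TwcToolInstDll.dll -> %SystemRoot%\System32\TwcToolInstDll.dll -> TODO: <Company name> [Ver = 1.0.0.1 | Size = 25600 bytes | Created Date = 8/5/2008 4:12:30 PM | Attr =    ]
xgxojvrm.ini -> %SystemRoot%\System32\xgxojvrm.ini ->  [Ver =  | Size = 1500280 bytes | Created Date = 8/14/2008 11:01:37 AM | Attr =  HS]
mrvjoxgx.dll -> %SystemRoot%\System32\mrvjoxgx.dll ->  [Ver =  | Size = 12345 bytes | Created Date = 8/14/2008 11:01:37 AM | Attr =    ]
SHELLNEW -> %SystemRoot%\SHELLNEW ->  [Folder | Created Date = 7/26/2008 2:22:12 PM | Attr =    ]
8 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp ->
"""

LINE_RE = re.compile(
    r"^(?P<name>.+?) -> (?P<path>.+?) -> (?P<company>.*?)\s*\[(?P<meta>.*)\]\s*$"
)
# Eight plain letters, no digits: the shape of the names in this infection.  A lead,
# not a verdict; legitimate files such as ntoskrnl.exe match it too.
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$", re.IGNORECASE)
# Default company string left by an unfilled Visual Studio version resource.
PLACEHOLDER_COMPANIES = ("TODO: <Company name>",)

@dataclass
class Entry:
    name: str
    path: str
    company: str
    version: str
    is_folder: bool
    attrs: str
    findings: list = field(default_factory=list)

    @property
    def stem(self) -> str:
        return self.name.rsplit(".", 1)[0]

    @property
    def directory(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

    @property
    def in_system32(self) -> bool:
        return self.directory.endswith("\\system32")

def parse_listing(text: str) -> list[Entry]:
    """Parse 'name -> path -> company [k = v | ...]' lines; skip headers and summaries."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        meta = {}
        for part in m["meta"].split("|"):
            key, _, value = part.strip().partition("=")
            meta[key.strip()] = value.strip()
        entries.append(Entry(name=m["name"], path=m["path"], company=m["company"].strip(),
                             version=meta.get("Ver", ""), is_folder="Folder" in meta,
                             attrs=meta.get("Attr", "")))
    return entries

def triage(entries: list[Entry]) -> list[Entry]:
    """Attach findings to System32 files; return the flagged ones, most findings first."""
    stems_by_dir: dict[str, dict[str, str]] = {}
    for e in entries:
        if not e.is_folder:
            stems_by_dir.setdefault(e.directory, {})[e.stem.lower()] = e.name
    for e in entries:
        if e.is_folder or not e.in_system32:
            continue
        if not e.company and not e.version:
            e.findings.append("no company or version info")
        if "H" in e.attrs and "S" in e.attrs:
            e.findings.append("hidden+system attributes")
        if RANDOM_STEM_RE.match(e.stem):
            e.findings.append("random-looking 8-letter name")
        twin = stems_by_dir[e.directory].get(e.stem.lower()[::-1])
        if twin and twin != e.name:
            e.findings.append(f"name is the reverse of {twin}")
        if e.company in PLACEHOLDER_COMPANIES:
            e.findings.append("unfilled company placeholder")
    return sorted((e for e in entries if e.findings), key=lambda e: -len(e.findings))

if __name__ == "__main__":
    for e in triage(parse_listing(SAMPLE_LOG)):
        print(f"{e.name:20} {'; '.join(e.findings)}")
```

The "no company or version" finding alone is weak (data files such as the Perflib_Perfdata_*.dat entries in the listing have neither), which is why the output is ranked by how many findings stack up on one file.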

Re: hijacked by angelinteractive 2000 Pro. Help Please

Unread postby ikei » August 20th, 2008, 5:56 pm

Just had a blue screen error (BSoD). The only programs running are the Berkeley SETI program, unix based, called BOINC, and Norton Internet Security. Not connected to the internet at this time.
Let us know if you need any info.

Thanks
Ike
ikei
Active Member
 
Posts: 13
Joined: August 14th, 2008, 8:18 pm

Re: hijacked by angelinteractive 2000 Pro. Help Please

Unread postby MikeSwim07 » August 20th, 2008, 6:32 pm

OTScanIt

Now start OTScanIt. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
[Processes - Non-Microsoft Only]
YN -> utorrent.exe -> %ProgramFiles%\uTorrent\uTorrent.exe
[Files/Folders - Created Within 30 days]
NY -> utorrent -> %ProgramFiles%\uTorrent
NY -> NEROINSTAEC43759.DB -> %SystemRoot%\System32\NEROINSTAEC43759.DB
NY -> Perflib_Perfdata_18c.dat -> %SystemRoot%\System32\Perflib_Perfdata_18c.dat
NY -> Perflib_Perfdata_560.dat -> %SystemRoot%\System32\Perflib_Perfdata_560.dat
NY -> Perflib_Perfdata_594.dat -> %SystemRoot%\System32\Perflib_Perfdata_594.dat
NY -> Perflib_Perfdata_5a8.dat -> %SystemRoot%\System32\Perflib_Perfdata_5a8.dat
NY -> Perflib_Perfdata_5b4.dat -> %SystemRoot%\System32\Perflib_Perfdata_5b4.dat
NY -> Perflib_Perfdata_5d4.dat -> %SystemRoot%\System32\Perflib_Perfdata_5d4.dat
NY -> Perflib_Perfdata_5e0.dat -> %SystemRoot%\System32\Perflib_Perfdata_5e0.dat
NY -> ShellManager310E2D762.dll -> %SystemRoot%\System32\ShellManager310E2D762.dll
NY -> xgxojvrm.ini -> %SystemRoot%\System32\xgxojvrm.ini
[Files/Folders - Modified Within 30 days]
NY -> Perflib_Perfdata_18c.dat -> %SystemRoot%\System32\Perflib_Perfdata_18c.dat
NY -> Perflib_Perfdata_560.dat -> %SystemRoot%\System32\Perflib_Perfdata_560.dat
NY -> Perflib_Perfdata_594.dat -> %SystemRoot%\System32\Perflib_Perfdata_594.dat
NY -> Perflib_Perfdata_5a8.dat -> %SystemRoot%\System32\Perflib_Perfdata_5a8.dat
NY -> Perflib_Perfdata_5b4.dat -> %SystemRoot%\System32\Perflib_Perfdata_5b4.dat
NY -> Perflib_Perfdata_5d4.dat -> %SystemRoot%\System32\Perflib_Perfdata_5d4.dat
NY -> Perflib_Perfdata_5e0.dat -> %SystemRoot%\System32\Perflib_Perfdata_5e0.dat
NY -> xgxojvrm.ini -> %SystemRoot%\System32\xgxojvrm.ini


The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.
Warning: This fix is for this user only. DO NOT duplicate this fix or you risk damaging your own system.

Please STOP downloading and installing P2P software.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: hijacked by angelinteractive 2000 Pro. Help Please

Unread postby ikei » August 20th, 2008, 8:22 pm

OK, have done the OTScanIt fix. Do you need any reports?
ikei
Active Member
 
Posts: 13
Joined: August 14th, 2008, 8:18 pm

Re: hijacked by angelinteractive 2000 Pro. Help Please

Unread postby MikeSwim07 » August 20th, 2008, 8:42 pm

Yes, please post a new hijackthis log. Are you still getting those pop-ups?
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: hijacked by angelinteractive 2000 Pro. Help Please

Unread postby ikei » August 20th, 2008, 10:01 pm

Here is the HJT scan log. Don't know about popups yet, I've only just connected the internet back to this computer.
I will leave it on overnight and check in AM.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:22 PM, on 8/20/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\setiathome_5.27_windows_intelx86.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://www.3dpublisher.net/SWService/eD ... nglish.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-48.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08fa6a01c69 ... xIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4290811078
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

--
End of file - 8229 bytes
ikei
Active Member
 
Posts: 13
Joined: August 14th, 2008, 8:18 pm