Total Scan Log:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2007-08-27 14:02:16
PROTECTIONS: 1
MALWARE: 8
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee VirusScan Enterprise 8.5.0.781 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[.mediaplex.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[.com.com/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@xiti[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[.xiti.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[.statcounter.com/]
00167760 Cookie/Hitslink TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[counter.hitslink.com/]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt[statse.webtrendslive.com/]
01221464 Trj/Shark.F Virus/Trojan No 0 Yes No C:\Users\Tom\Downloads\[Megafileupload]adobe%20cs3.zip[adobe cs3/Adobe Photoshop CS3 Extended Keygen.exe]
01221464 Trj/Shark.F Virus/Trojan No 0 Yes No C:\Users\Tom\Desktop\Adobe CS3\Adobe Photoshop CS3 Extended.exe
01221465 Trj/Shark.F Virus/Trojan No 0 Yes No C:\Deckard\System Scanner\20070826143329\backup\Users\Tom\AppData\Local\Temp\5726624.exe
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
C:\Users\Tom\AppData\Local\Microsoft\fcrnli.exe
;===================================================================================================================================================================================
Aha! Those two references to Photoshop haven't shown up in the other scans before. I grabbed the free 30-day Photoshop trial with BitTorrent because Adobe's servers seemed to be dead at the time (I was getting ~10 kbps; it would have taken days to download). It turned out to have a link to a keygen bundled with it, which I just deleted, but I ran the Photoshop install anyway.
With hindsight that seems like a slightly stupid thing to have done. Obviously anyone including a "keygen" (99% certain to be a trojan) is also going to bundle something unpleasant into the Photoshop file as well. Meh. Stupid. Anyway, have we found the source of the infection, do you think?
DSS Log:
Deckard's System Scanner v20070819.64
Run by Tom on 2007-08-27 15:18:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Tom.exe) -------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:33:42, on 26/08/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.exe
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Tom\Desktop\dss.exe
C:\HJT\Tom.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.02\RivaTuner.exe" /S
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [fcrnli] c:\users\tom\appdata\local\microsoft\fcrnli.exe fcrnli
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
--
End of file - 7307 bytes
-- Files created between 2007-07-27 and 2007-08-27 -----------------------------
2007-08-27 14:30:11 0 d-------- C:\Program Files\Common Files\Steam
2007-08-27 13:03:41 0 d-------- C:\Windows\system32\Panda Software
2007-08-27 13:03:29 0 d-------- C:\Program Files\Panda Security
2007-08-26 13:25:35 0 d-------- C:\Users\All Users\Grisoft
2007-08-26 12:24:20 0 d-------- C:\VundoFix Backups
2007-08-24 12:41:13 0 d-------- C:\Users\All Users\Kaspersky Lab
2007-08-24 12:41:12 0 d-------- C:\Windows\system32\Kaspersky Lab
2007-08-21 22:45:40 0 d-------- C:\Kontiki
2007-08-21 22:44:36 41984 -----n--- C:\Windows\Ctregrun.exe <Not Verified; Creative Technology Ltd; Creative On-line Registration System>
2007-08-21 22:39:36 77824 -----n--- C:\Windows\system32\ctdvda32.dll <Not Verified; Creative Technology Ltd; Creative DVD-Audio Product>
2007-08-21 21:13:05 0 d-------- C:\Program Files\Creative
2007-08-21 21:12:48 0 d-------- C:\Windows\system32\Defaults
2007-08-21 21:09:56 0 d-------- C:\Program Files\OpenAL
2007-08-21 21:09:12 0 d-------- C:\Windows\system32\Data
2007-08-21 21:09:12 3072 --a------ C:\Windows\CTXFIRES.DLL <Not Verified; ; CTxfiRes Dynamic Link Library>
2007-08-21 21:09:12 10240 --a------ C:\Windows\CTDCRES.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-08-21 21:09:10 66560 -----n--- C:\Windows\system32\CmdRtr.dll
2007-08-21 21:09:10 103936 -----n--- C:\Windows\system32\APOMngr.dll
2007-08-21 18:23:50 0 d-------- C:\HJT
2007-08-21 13:10:16 0 d-------- C:\Program Files\ATITool
2007-08-21 01:10:30 0 d-------- C:\Users\All Users\Media Center Programs
2007-08-21 01:06:16 0 d-------- C:\Program Files\2K Games
2007-08-20 17:09:57 0 d-------- C:\Windows\Sun
2007-08-20 16:34:20 0 d-------- C:\Program Files\Steam
2007-08-20 12:20:20 0 d-------- C:\Users\All Users\Lavasoft
2007-08-20 12:15:45 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2007-08-19 15:38:03 0 d-------- C:\Users\All Users\Kontiki
2007-08-19 15:38:03 0 d-------- C:\Program Files\Kontiki
2007-08-18 13:04:39 0 d-------- C:\Program Files\HD Tune
2007-08-18 00:01:13 0 d--hs---- C:\Windows\VG9t
2007-08-17 22:35:03 0 d-------- C:\Program Files\Bonjour
2007-08-17 22:23:31 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-08-17 20:19:51 0 d-------- C:\Users\All Users\FLEXnet
2007-08-17 15:46:42 0 d-------- C:\Users\Tom\{b359c3d6-fc87-40a9-bfc4-84dd70141a06}
2007-08-17 14:10:43 0 d-------- C:\Program Files\DivX
2007-08-17 14:10:07 0 d-------- C:\Program Files\Combined Community Codec Pack
2007-08-17 14:09:37 765952 --a------ C:\Windows\system32\xvidcore.dll
2007-08-17 14:09:36 180224 --a------ C:\Windows\system32\xvidvfw.dll
2007-08-17 14:09:36 0 d-------- C:\Program Files\Xvid
2007-08-17 12:29:15 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-17 11:46:49 0 d-------- C:\Program Files\Ventrilo
2007-08-17 10:42:50 0 d-------- C:\QUARANTINE
2007-08-17 10:35:23 0 d-------- C:\Users\All Users\Adobe
2007-08-17 10:24:27 0 d-------- C:\Program Files\Common Files\Adobe
2007-08-17 09:47:45 0 d-------- C:\Program Files\Guild Wars
2007-08-17 07:43:32 0 d-------- C:\Windows\Panther
2007-08-17 07:43:23 0 d--hs---- C:\Boot
2007-08-16 22:47:05 0 d-------- C:\Windows\SoftwareDistribution
2007-08-16 22:45:59 0 d-------- C:\Windows\Debug
2007-08-16 22:44:51 0 d-------- C:\Windows\Prefetch
2007-08-16 22:44:41 0 d--hs---- C:\System Volume Information
2007-08-16 21:17:47 0 d-------- C:\Program Files\THQ
2007-08-16 20:27:12 0 d-------- C:\Program Files\RivaTuner v2.02
2007-08-16 19:34:18 0 d-------- C:\Program Files\Yahoo!
2007-08-16 19:33:11 1495552 --a------ C:\Windows\system32\epoPGPsdk.dll <Not Verified; PGP Corporation; PGPsdk>
2007-08-16 19:33:10 0 d-------- C:\Program Files\Common Files\Cisco Systems
2007-08-16 19:33:08 0 d-------- C:\Users\All Users\McAfee
2007-08-16 19:32:38 0 d-------- C:\Program Files\McAfee
2007-08-16 19:32:38 0 d-------- C:\Program Files\Common Files\McAfee
2007-08-16 18:27:56 0 d-------- C:\Program Files\Stardock
2007-08-16 18:27:56 0 d-------- C:\Program Files\Common Files\Stardock
2007-08-16 18:27:37 409600 --a------ C:\Windows\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2007-08-16 18:27:37 114688 --a------ C:\Windows\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2007-08-16 18:25:46 0 d-------- C:\Windows\system32\Futuremark
2007-08-16 18:25:46 3972 --a------ C:\Windows\system32\drivers\PciBus.sys
2007-08-16 18:25:46 5632 --a------ C:\Windows\system32\drivers\Entech64.sys <Not Verified; EnTech Taiwan; EnTech.sys>
2007-08-16 18:25:46 21664 --a------ C:\Windows\system32\drivers\Entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
2007-08-16 18:24:31 0 d-------- C:\Program Files\Futuremark
2007-08-16 18:12:58 0 d-------- C:\Program Files\Azureus
2007-08-16 18:06:40 0 d-------- C:\Windows\system32\Macromed
2007-08-16 18:06:07 0 d-------- C:\Users\All Users\NVIDIA
2007-08-16 17:52:15 0 d-------- C:\Program Files\VideoLAN
2007-08-16 17:51:35 0 d-------- C:\Program Files\iPod
2007-08-16 17:51:33 0 d-------- C:\Program Files\iTunes
2007-08-16 17:50:50 0 d-------- C:\Program Files\QuickTime
2007-08-16 17:50:49 0 d-------- C:\Users\All Users\Apple Computer
2007-08-16 17:50:31 0 d-------- C:\Program Files\Apple Software Update
2007-08-16 17:49:14 0 d-------- C:\Program Files\Common Files\Apple
2007-08-16 17:49:12 0 d-------- C:\Users\All Users\Apple
2007-08-16 17:47:49 0 d-------- C:\Program Files\OpenOffice.org 2.2
2007-08-16 17:47:32 0 d-------- C:\Program Files\Java
2007-08-16 17:47:31 0 d-------- C:\Program Files\Common Files\Java
2007-08-16 17:42:42 0 d-------- C:\Program Files\Google
2007-08-16 17:39:48 0 d-------- C:\Program Files\Prime95
2007-08-16 17:30:56 0 d-------- C:\NVIDIA
2007-08-16 17:25:38 0 d-------- C:\Program Files\Wallpaper Changer
2007-08-16 17:04:23 0 --a------ C:\Windows\nsreg.dat
2007-08-16 16:39:06 0 d-------- C:\Program Files\D-Link
2007-08-16 16:18:12 0 d-------- C:\Program Files\U-ABIT
2007-08-16 16:17:41 0 d-------- C:\Program Files\Marvell
2007-08-16 16:17:23 0 d--hs---- C:\Windows\Installer
2007-08-16 16:16:58 0 d-------- C:\Windows\system32\RTCOM
2007-08-16 16:16:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-16 16:16:25 315392 --a------ C:\Windows\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2007-08-16 16:16:21 0 d-------- C:\Program Files\Common Files\InstallShield
2007-08-16 16:14:40 0 d-------- C:\Program Files\Intel
2007-08-16 16:14:31 0 d-------- C:\Intel
2007-08-16 15:53:29 0 dr------- C:\Users\Tom\Searches
2007-08-16 15:53:19 0 dr------- C:\Users\Tom\Contacts
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Videos
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Templates
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Start Menu
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\SendTo
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Saved Games
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Recent
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\PrintHood
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Pictures
2007-08-16 15:53:14 2883584 --ahs---- C:\Users\Tom\ntuser.dat
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\NetHood
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\My Documents
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Music
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Local Settings
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Links
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Favorites
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Downloads
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Documents
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Desktop
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Cookies
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Application Data
2007-08-16 15:53:14 0 d--h----- C:\Users\Tom\AppData
-- Find3M Report ---------------------------------------------------------------
2007-08-27 14:30:11 0 d-------- C:\Program Files\Common Files
2007-08-27 14:07:22 0 d-------- C:\Users\Tom\AppData\Roaming\Adobe
2007-08-24 15:05:52 0 d-------- C:\Users\Tom\AppData\Roaming\OpenOffice.org2
2007-08-23 19:44:59 0 d-------- C:\Users\Tom\AppData\Roaming\Ventrilo
2007-08-21 22:33:37 0 d-------- C:\Users\Tom\AppData\Roaming\Bioshock
2007-08-19 11:06:53 0 d-------- C:\Users\Tom\AppData\Roaming\Azureus
2007-08-17 15:02:14 0 d-------- C:\Users\Tom\AppData\Roaming\DivX
2007-08-17 14:11:24 0 d-------- C:\Users\Tom\AppData\Roaming\WinRAR
2007-08-17 14:03:57 0 d-------- C:\Users\Tom\AppData\Roaming\vlc
2007-08-16 18:20:51 0 d-------- C:\Users\Tom\AppData\Roaming\Apple Computer
2007-08-16 18:08:02 0 d-------- C:\Users\Tom\AppData\Roaming\Macromedia
2007-08-16 18:02:21 0 d-------- C:\Program Files\Windows Mail
2007-08-16 18:02:21 0 d-------- C:\Program Files\Windows Defender
2007-08-16 17:04:29 0 d-------- C:\Users\Tom\AppData\Roaming\Talkback
2007-08-16 17:04:21 0 d-------- C:\Users\Tom\AppData\Roaming\Mozilla
2007-08-16 16:18:01 0 d-------- C:\Users\Tom\AppData\Roaming\InstallShield
2007-08-16 15:53:21 0 d-------- C:\Users\Tom\AppData\Roaming\Identities
2007-07-26 03:53:34 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2007-07-26 03:50:34 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-07-26 03:50:34 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-07-26 03:50:22 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-26 03:50:22 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-26 03:50:22 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-26 03:50:22 740442 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-26 03:49:28 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="" []
"RtHDVCpl"="RtHDVCpl.exe" [09/08/2007 19:26 C:\Windows\RtHDVCpl.exe]
"Wallpaper"="" []
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [15/07/2005 22:48]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [12/07/2007 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [31/07/2007 18:44]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [22/02/2007 20:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [19/12/2006 11:27]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [17/08/2007 16:23]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [17/08/2007 16:23]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [17/08/2007 16:23]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.02\RivaTuner.exe" [01/07/2007 20:20]
"CTHelper"="CTHELPER.EXE" [12/02/2007 19:47 C:\Windows\System32\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [12/02/2007 19:47 C:\Windows\System32\CTXFIHLP.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [18/06/2003 01:00]
"CTSysVol"="C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [15/02/2005 16:10]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [16/06/2005 18:25]
"UpdReg"="C:\Windows\UpdReg.EXE" [11/05/2000 01:00]
"fcrnli"="c:\users\tom\appdata\local\microsoft\fcrnli.exe" [18/08/2007 00:12]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [02/11/2006 13:35]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [02/11/2006 13:35]
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [16/08/2007 18:27:56]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [20/07/2007 18:57:16]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"=0 (0x0)
"NoClose"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- End of Deckard's System Scanner: finished at 2007-08-27 15:19:12 ------------
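The two checks a malware-removal helper does by eye on logs like the ones above, written down as an added example. This is not code from the original post, from HijackThis or from Deckard's System Scanner. It parses the O4 autorun, O23 service, policy and Run-value lines plus the "Files created" listing, flags autoruns launched from user-writable paths, services with no publisher string and EnableLUA=0, and then builds a timeline around one suspicious event. The embedded sample is a constructed subset of the DSS log above. Assumptions: the user-writable path fragments are a heuristic, "Unknown owner" is taken as the scanner's wording for a service without a publisher string, and the Run-value timestamps are read as dd/mm/yyyy to match the "26/08/2007" date in the HijackThis header.

```python
"""Triage helper for HijackThis / DSS logs.

Added example, not code from the original post, HijackThis or Deckard's
System Scanner.  Two passes a malware-removal helper does by eye:
  1. persistence triage: autoruns launched from user-writable paths,
     services with no publisher string, UAC switched off (EnableLUA=0);
  2. timeline pivot: every dated entry within a window around one
     suspicious event, to see what else happened at the same time.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed subset of the DSS output above (verbatim lines, nothing is run).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [fcrnli] c:\users\tom\appdata\local\microsoft\fcrnli.exe fcrnli
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
"EnableLUA"=0 (0x0)
"fcrnli"="c:\users\tom\appdata\local\microsoft\fcrnli.exe" [18/08/2007 00:12]
2007-08-18 13:04:39 0 d-------- C:\Program Files\HD Tune
2007-08-18 00:01:13 0 d--hs---- C:\Windows\VG9t
2007-08-17 22:35:03 0 d-------- C:\Program Files\Bonjour
"""

O4_RE = re.compile(r'^O4 - HK\S+?\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
POLICY_RE = re.compile(r'^"(?P<key>\w+)"=(?P<val>\d+) \(0x[0-9A-Fa-f]+\)$')
# Assumption: Run-value timestamps follow the machine locale, dd/mm/yyyy in this log.
RUNVAL_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d)')
FILE_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \d+ (?P<attrs>\S{9}) (?P<path>.+)$')
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?', re.IGNORECASE)

# Path fragments a non-admin user can write to; a heuristic, not a verdict.
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\local settings\\', '\\application data\\')


@dataclass
class Finding:
    severity: str
    reason: str
    line: str


@dataclass
class Event:
    when: datetime
    what: str


def launched_image(cmd):
    """Return the file actually loaded by a Run-key command (follows rundll32)."""
    m = EXE_RE.match(cmd)
    if not m:
        return cmd.strip('"')
    exe = m.group('exe')
    if exe.lower().rsplit('\\', 1)[-1] == 'rundll32.exe':
        module = cmd[m.end():].strip().strip('"').split(',', 1)[0].strip()
        if module:
            return module
    return exe


def triage(log_text):
    """Persistence findings, in log order."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if (m := O4_RE.match(line)):
            image = launched_image(m.group('cmd'))
            if any(frag in image.lower() for frag in USER_WRITABLE):
                findings.append(Finding('high', f"autorun [{m.group('name')}] runs from user-writable path {image}", line))
        elif (m := O23_RE.match(line)):
            if m.group('owner').lower() == 'unknown owner':
                findings.append(Finding('review', f"service '{m.group('name')}' has no publisher string", line))
        elif (m := POLICY_RE.match(line)):
            if m.group('key') == 'EnableLUA' and int(m.group('val')) == 0:
                findings.append(Finding('medium', 'EnableLUA=0: UAC disabled, every process the user starts is full admin', line))
    return findings


def timeline(log_text):
    """Dated entries (file creation, Run-value write) sorted oldest first."""
    events = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if (m := FILE_RE.match(line)):
            attrs = m.group('attrs')
            tag = 'hidden+system ' if 'h' in attrs and 's' in attrs else ''
            events.append(Event(datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S'),
                                f"created {tag}{m.group('path')}"))
        elif (m := RUNVAL_RE.match(line)):
            events.append(Event(datetime.strptime(m.group('ts'), '%d/%m/%Y %H:%M'),
                                f"Run value {m.group('name')} -> {m.group('path')}"))
    return sorted(events, key=lambda e: e.when)


def pivot(events, needle, window_minutes=30):
    """Events within +/- window of the first event whose description contains needle."""
    anchor = next(e for e in events if needle in e.what)
    delta = timedelta(minutes=window_minutes)
    return [e for e in events if abs(e.when - anchor.when) <= delta]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}")
    for e in pivot(timeline(SAMPLE_LOG), 'fcrnli'):
        print(f"{e.when:%Y-%m-%d %H:%M:%S}  {e.what}")
```

Run against the sample it flags the [fcrnli] HKLM Run entry (the same file the Panda scan lists under SUSPECTS), the KService entry with no publisher string, and EnableLUA=0, which means on this Vista box every process the user launches already has full administrator rights. The pivot shows the hidden+system directory C:\Windows\VG9t created eleven minutes before the fcrnli Run value was written; "VG9t" is the base64 encoding of the string "Tom", and the logs above do not show what is inside it. None of this is a verdict on the file; it narrows what to quarantine or submit for analysis next. The O17 NameServer values (85.92.175.4 and .5) are deliberately not scored here: compare them against what the router or ISP actually hands out rather than assuming either way.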