Solved

Virus tvgyiy.exe - unable to remove

Posted on 2007-10-16
Last Modified: 2016-08-29
Well, first off, my computer is acting a little buggy, which is unusual. I made sure that my antivirus software was up to date and ran a virus and spyware scan, which found nothing (with the utilities I'm using on my computer). I went to BitDefender's website and did an online virus scan there, which revealed a virus that my antivirus program did not pick up (imagine that). The virus's name is tvgyiy.exe - Backdoor.Rbot.XJH. I've searched and searched and can't find anything on it. I have tried to locate the virus myself with the Windows search engine, and whatever I do it won't find this particular file. Then I searched in the system32 directory, where this virus resides, and I still can't find it there. I enabled showing hidden folders and files and turned on file extensions, with no luck once again. I ran Silent Runners and am posting my log here in the hope that somebody can help me out.
------------------------------------------------------------------------------------------------------
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Yahoo! Pager" = ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"BitDefender Antiphishing Helper" = ""C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"" ["BitDefender"]
"BDAgent" = ""C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"" ["BitDefender S.R.L."]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"ISUSPM Startup" = "c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup" ["InstallShield Software Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "&Yahoo! Toolbar Helper"
                   \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! IE Services Button"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{280CFDE1-1354-4431-92F3-03073BA593FB}" = "TotalConverter Context Menu Shell Extension"
  -> {HKLM...CLSID} = "TotalConverter Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\TotalAudioConverter\axTotalConverter.dll" [empty string]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
  -> {HKLM...CLSID} = "Universal Plug and Play Devices"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
  -> {HKLM...CLSID} = "Yahoo! Mail Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YMMAPI.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
  -> {HKLM...CLSID} = "MShellExtMenu Class"
                   \InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
TotalConverter\(Default) = "{280CFDE1-1354-4431-92F3-03073BA593FB}"
  -> {HKLM...CLSID} = "TotalConverter Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\TotalAudioConverter\axTotalConverter.dll" [empty string]
WinExpert\(Default) = "{19741013-C829-11D1-8233-0020AF3E97A9}"
  -> {HKLM...CLSID} = "Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\context.dll" ["SuperLogix"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
  -> {HKLM...CLSID} = "Yahoo! Mail Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YMMAPI.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
  -> {HKLM...CLSID} = "MShellExtMenu Class"
                   \InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
  -> {HKLM...CLSID} = "MShellExtMenu Class"
                   \InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
WinExpert\(Default) = "{19741013-C829-11D1-8233-0020AF3E97A9}"
  -> {HKLM...CLSID} = "Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\context.dll" ["SuperLogix"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\David\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ss3dfo.scr" [MS]


Startup items in "David" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Wireless Connection Manager" -> shortcut to: "C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe" [" "]


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe /schedulestart" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{381FFDE8-2394-4F90-B10D-FC6124A40F8C}" = "IEToolbar"
  -> {HKLM...CLSID} = "BitDefender Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll" ["Bitdefender"]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
  -> {HKLM...CLSID} = "Yahoo! IE Services Button"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Atheros Configuration Service, ACS, "C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe" ["Atheros"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
BitDefender Communicator, XCOMM, ""C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]
BitDefender Desktop Update Service, LIVESRV, ""C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe" /service" ["BitDefender S.R.L."]
BitDefender Threat Scanner, scan, "C:\WINDOWS\System32\svchost.exe -kbdx" {"C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\scan.dll" ["BitDefender"]}
BitDefender Virus Shield, VSSERV, ""C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe" /service" ["BitDefender S.R.L."]
Diskeeper, Diskeeper, ""C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe"" ["Diskeeper Corporation"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Dell Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


---------- (launch time: 2007-10-16 18:04:59)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 30 seconds.
---------- (total run time: 73 seconds)




Question by:Heuman
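As an added example (not code from this thread or from HijackThis), the following Python script triages O4 autostart lines in the HijackThis v2 format that appears later in this thread and flags the entries a reviewer would look at first: a bare filename with no directory, an entry under the RunServices key, and a value name that borrows a Microsoft/Windows name while pointing outside the Windows or Program Files trees. The sample lines are constructed to match the entries in the DSS log; the trusted-directory prefixes and the three heuristics are assumptions of this example, not HijackThis's own logic.

```python
"""Triage HijackThis O4 (autostart) lines for launch entries worth a closer look.

Added example for this thread; not code from the original post or from HijackThis.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the HijackThis v2 O4 format, modelled on the entries in
# the DSS log in this thread (tvgyiy.exe is the file the poster could not locate).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [BDAgent] "C:\\Program Files\\BitDefender\\BitDefender 2008\\bdagent.exe"
O4 - HKLM\\..\\Run: [ISUSPM Startup] c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\isuspm.exe -startup
O4 - HKLM\\..\\RunServices: [Microsoft Update Machine] tvgyiy.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - Global Startup: Wireless Connection Manager.lnk = C:\\Program Files\\D-Link\\D-Link RangeBooster N DWA-542\\wirelesscm.exe
"""

# Registry-backed O4 lines: "O4 - HKLM\..\Run: [value name] command line"
REG_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder O4 lines: "O4 - Global Startup: name.lnk = resolved target path"
STARTUP_O4 = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")

# Assumed "expected" locations for anything that calls itself Microsoft/Windows.
TRUSTED_DIR_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Autostart:
    location: str                 # "HKLM\\RunServices", "HKCU\\Run", "Global Startup"
    name: str                     # registry value name or shortcut name
    command: str                  # command line exactly as logged
    image: str                    # executable extracted from the command line
    reasons: List[str] = field(default_factory=list)


def extract_image(cmd: str) -> str:
    """Return the executable part of a logged command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_o4(line: str) -> Optional[Autostart]:
    """Parse one O4 line; return None for anything that is not an O4 entry."""
    m = REG_O4.match(line)
    if m:
        return Autostart(f"{m['hive']}\\{m['key']}", m["name"], m["cmd"], extract_image(m["cmd"]))
    m = STARTUP_O4.match(line)
    if m:
        # HijackThis already resolved the shortcut, so the whole right side is the path.
        return Autostart("Global Startup", m["name"], m["cmd"], m["cmd"].strip())
    return None


def assess(entry: Autostart) -> Autostart:
    """Attach the review reasons that apply to one autostart entry."""
    image_lc = entry.image.lower()
    if "\\" not in image_lc and ":" not in image_lc:
        entry.reasons.append("bare filename: no directory, so the image is resolved by path search at logon")
    if entry.location.endswith("\\RunServices"):
        entry.reasons.append("RunServices is a Windows 9x-era key that legitimate XP software rarely uses")
    if re.search(r"microsoft|windows", entry.name, re.I) and not image_lc.startswith(TRUSTED_DIR_PREFIXES):
        entry.reasons.append("value name borrows a Microsoft/Windows name but the image is outside Windows/Program Files")
    return entry


def triage(log_text: str) -> List[Autostart]:
    """All O4 entries in a log, each with its (possibly empty) list of reasons."""
    parsed = (parse_o4(line) for line in log_text.splitlines())
    return [assess(e) for e in parsed if e is not None]


def suspicious(log_text: str) -> List[Autostart]:
    """Only the entries that collected at least one reason."""
    return [e for e in triage(log_text) if e.reasons]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        status = "SUSPECT" if e.reasons else "ok"
        print(f"{status:<8}{e.location:<18} [{e.name}] {e.image}")
        for reason in e.reasons:
            print(f"        - {reason}")
```

Run against the real log, only the RunServices entry for tvgyiy.exe collects all three reasons; everything else in the O4 section has a full path under a vendor directory.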

Expert Comment

by:IndiGenus
ID: 20089681
Not seeing anything in the SR log. Can you give us a Deckard's System Scanner log?

Download Deckard's System Scanner (DSS) and save it to your Desktop.

http://www.techsupportforum.com/sectools/Deckard/dss.exe

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, DSS will open two Notepads, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Author Comment

by:Heuman
ID: 20089832
Details from the program, and here are the two reports, main.txt and extra.txt:
--------------------------------------------------------------------------------------------
Deckard's System Scanner v20071014.68
Run by David on 2007-10-16 19:20:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as David.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:55 PM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\David\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\David.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\RunServices: [Microsoft Update Machine] tvgyiy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 7429 bytes

-- Files created between 2007-09-16 and 2007-10-16 -----------------------------

2007-10-16 19:20:49         0 d-------- C:\Program Files\Trend Micro
2007-10-16 17:35:42         0 dr-h----- C:\Documents and Settings\David\Recent
2007-10-16 05:35:19         0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-16 05:28:13         0 d-------- C:\Documents and Settings\All Users\Application Data\CrystalIdea Software
2007-10-16 05:22:48         0 d-------- C:\Program Files\Uninstall Tool
2007-10-16 00:30:22         0 d-------- C:\Documents and Settings\David\Application Data\Bitdefender
2007-10-16 00:30:08         0 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2007-10-15 22:01:40     81984 --a------ C:\WINDOWS\system32\bdod.bin
2007-10-15 22:01:01         0 d-------- C:\Program Files\BitDefender
2007-10-15 22:00:27         0 d-------- C:\Program Files\Common Files\BitDefender
2007-10-15 17:04:34         0 d-------- C:\WINDOWS\BDOSCAN8
2007-10-15 04:37:47         0 d-------- C:\Program Files\SonicWallES
2007-10-15 00:07:14         0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-14 17:13:39         0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-14 13:43:41         0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-10-14 00:46:30         0 d-------- C:\KAV
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\zts2.exe
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\rundll16.exe
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\rundl132.dll
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\logo1_.exe
2007-10-13 04:17:28         0 d-------- C:\Program Files\Wise Registry Cleaner
2007-10-13 04:16:49         0 d-------- C:\Program Files\Aezay Productions
2007-10-13 04:10:22         0 d-------- C:\Program Files\AusLogics Registry Defrag
2007-10-12 22:49:54         0 d-------- C:\Documents and Settings\David\Application Data\foobar2000
2007-10-12 22:49:50         0 d-------- C:\Program Files\foobar2000
2007-10-12 17:55:16         0 d-------- C:\Program Files\Common Files\Scansoft Shared
2007-10-12 17:55:16         0 d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-10-12 17:55:02         0 d-------- C:\Program Files\Nuance
2007-10-12 16:44:57         0 d-------- C:\Program Files\Easy Duplicate Finder
2007-10-12 16:43:40         0 d-------- C:\Program Files\Duplicate Music Files Finder
2007-10-12 16:24:08         0 --a------ C:\WINDOWS\system32\suupdate.dat
2007-10-12 16:24:08         0 --a------ C:\WINDOWS\system32\mssurun.dat
2007-10-12 16:24:08    269824 --a------ C:\WINDOWS\system32\baksm.dll
2007-10-12 16:23:59   2281472 --a------ C:\WINDOWS\system32\vbsbak.dat <Not Verified; SuperLogix; Super Utilities>
2007-10-12 16:23:59        42 --a------ C:\WINDOWS\system32\vb6sock.dll
2007-10-12 16:23:59    269824 --a------ C:\WINDOWS\system32\supermenuhook.dll
2007-10-12 16:23:59         0 d-------- C:\WINDOWS\system32\IOSUBSYS
2007-10-12 16:23:59     43936 --a------ C:\WINDOWS\system32\drivers\HWFProt.sys <Not Verified; Alfa Corporation; AlfaFP (TM) 2003 Ansi Build for Windows NT/2K>
2007-10-12 16:23:59    591872 --a------ C:\WINDOWS\system32\context.dll <Not Verified; SuperLogix; Enhancement to context menu>
2007-10-12 16:23:59    269824 --a------ C:\WINDOWS\system32\baksm.dat
2007-10-12 16:23:59         0 d-------- C:\Program Files\SuperLogix
2007-10-12 15:36:47         0 d-------- C:\Program Files\Mgutil
2007-10-12 04:06:18         0 d-------- C:\Program Files\Wise Disk Cleaner
2007-10-11 23:59:00         0 d-------- C:\Program Files\SpywareBlaster
2007-10-11 22:58:27     28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-10-11 18:57:35         0 d-------- C:\Program Files\QuickTime
2007-10-11 18:40:32         0 d-------- C:\WINDOWS\Sun
2007-10-11 18:40:32         0 d-------- C:\Documents and Settings\David\Application Data\Sun
2007-10-11 18:40:06         0 d-------- C:\Program Files\Java
2007-10-11 18:39:56         0 d-------- C:\Program Files\Common Files\Java
2007-10-11 18:34:58         0 d-------- C:\Documents and Settings\David\.housecall6.6
2007-10-11 12:24:05         0 d-------- C:\Program Files\TotalAudioConverter
2007-10-10 19:58:42         0 d-------- C:\Program Files\MSECache
2007-10-10 19:52:49         0 d-------- C:\Program Files\Microsoft ActiveSync
2007-10-10 19:52:10         0 d-------- C:\WINDOWS\SHELLNEW
2007-10-10 19:51:10         0 d-------- C:\Program Files\Microsoft.NET
2007-10-09 16:20:53         0 d-------- C:\Documents and Settings\David\Application Data\Ahead
2007-10-09 16:15:57         0 d-------- C:\Program Files\Nero
2007-10-09 16:15:57         0 d-------- C:\Program Files\Common Files\Ahead
2007-10-09 16:07:31         0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-09 15:25:25         0 d-------- C:\WINDOWS\SxsCaPendDel
2007-10-09 04:09:23         0 d-------- C:\Program Files\Seagate
2007-10-09 03:33:33         0 d-------- C:\Documents and Settings\David\Application Data\uTorrent
2007-10-09 02:36:46         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-08 01:53:15         0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-08 01:18:26         0 d-------- C:\Program Files\Bonjour
2007-10-08 01:10:05         0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-08 00:57:25         0 d-------- C:\Program Files\MagicISO
2007-10-08 00:39:32    639224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-10-07 00:17:29    237636 --a------ C:\WINDOWS\system32\wsimd.dll <Not Verified; Atheros Communications, Inc.; wsimd>
2007-10-07 00:17:29    245830 --a------ C:\WINDOWS\system32\wsfwDS.dll <Not Verified; Atheros Communications, Inc.; wsfwds>
2007-10-07 00:17:29     53248 -ra------ C:\WINDOWS\system32\dsaNac.dll <Not Verified; Devicescape, Inc.; Devicescape NAC Notify DLL>
2007-10-07 00:17:29   1253432 -ra------ C:\WINDOWS\system32\dsa.dll <Not Verified; Devicescape; Devicescape Windows WPA Supplicant (Core 0.4.3)>
2007-10-07 00:17:29         0 d-------- C:\WINDOWS\pcidevice
2007-10-07 00:17:29         0 d-------- C:\Program Files\D-Link
2007-10-06 18:44:54         0 d-------- C:\Documents and Settings\David\Application Data\Nero
2007-10-06 18:42:18         0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-10-05 19:41:15         0 d-------- C:\Program Files\Marvell
2007-10-05 19:37:24      5824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2007-10-04 13:52:54    399872 --a------ C:\WINDOWS\c4dstand.dll
2007-10-04 13:52:53    438272 --a------ C:\WINDOWS\c4dll.dll <Not Verified; Sequiter Software Inc.; CodeBase>
2007-10-04 13:52:39     98304 --a------ C:\WINDOWS\system32\tsccvid.dll <Not Verified; TechSmith Corporation; TechSmith Screen Capture Codec>
2007-10-04 13:52:39         0 d-------- C:\Program Files\LearnKey
2007-10-04 13:52:36    487936 --a------ C:\WINDOWS\LkUnInst.exe <Not Verified; LearnKey, Inc.; >
2007-10-03 22:55:26         0 d-------- C:\temp
2007-10-02 20:58:47         0 d-------- C:\WINDOWS\PAC207
2007-10-02 00:18:12      1075 --a------ C:\Documents and Settings\David\Application Data\SAS7_000.DAT
2007-10-01 19:09:02         0 d-------- C:\Documents and Settings\David\Application Data\Nuance
2007-10-01 19:03:34         0 d-------- C:\Documents and Settings\All Users\Application Data\Nuance
2007-10-01 17:20:18         0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-10-01 17:17:35         0 d-------- C:\WINDOWS\speech
2007-10-01 02:24:27         0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-10-01 02:23:46         0 d-------- C:\Program Files\MSXML 4.0
2007-10-01 01:53:31         0 d-------- C:\Program Files\Anark
2007-09-30 23:56:43    299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2007-09-30 23:56:38         0 d-------- C:\Documents and Settings\David\WINDOWS
2007-09-28 23:05:33         0 d-------- C:\Program Files\MSXML 6.0
2007-09-28 20:57:19         0 d-------- C:\WINDOWS\system32\XPSViewer
2007-09-28 20:56:58         0 d-------- C:\Program Files\Reference Assemblies
2007-09-28 20:52:33         0 d-------- C:\WINDOWS\system32\URTTemp
2007-09-28 20:33:08         0 d-------- C:\Program Files\MTV Networks
2007-09-28 20:33:04         0 d-------- C:\WINDOWS\Downloaded Installations
2007-09-28 20:09:30         0 d-------- C:\Program Files\Windows Media Connect 2
2007-09-28 20:08:23         0 d-------- C:\WINDOWS\system32\LogFiles
2007-09-28 20:08:23         0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-09-28 20:00:19         0 d-------- C:\WINDOWS\network diagnostic
2007-09-28 19:59:04         0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-09-28 19:35:44         0 d-------- C:\Program Files\Diskeeper Corporation
2007-09-28 16:52:49         0 d--hs---- C:\Diskeeper
2007-09-28 16:09:53         0 d-------- C:\Documents and Settings\David\Application Data\Softplicity
2007-09-28 01:39:11         0 d-------- C:\WINDOWS\Wallpaper Of Wow
2007-09-27 22:22:02         0 d-------- C:\Documents and Settings\David\Application Data\Yahoo!
2007-09-27 22:09:22         0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-27 22:07:44         0 d-------- C:\Program Files\Yahoo!
2007-09-27 19:19:21     29696 -----n--- C:\WINDOWS\system32\dev32.exe <Not Verified; ALi Coporation; Install Program>
2007-09-27 19:19:16    163840 -----n--- C:\WINDOWS\system32\coin5288.dll <Not Verified; ULi Electronics Inc.; Coinstaller Dynamic Link Library>
2007-09-27 18:01:51         0 d-------- C:\Program Files\MSBuild
2007-09-27 17:58:14         0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-09-27 17:19:07         0 d-------- C:\Documents and Settings\David\Application Data\Adobe
2007-09-27 17:11:35         0 d-------- C:\Documents and Settings\David\Application Data\Media Player Classic
2007-09-27 17:10:34    217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2007-09-27 17:10:34    282624 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-09-27 17:10:34   1559040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-09-27 17:10:33   3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-09-27 17:10:33     73728 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-09-27 17:10:33    740442 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-27 17:10:32      7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-09-27 17:10:31         0 d-------- C:\Program Files\K-Lite Codec Pack
2007-09-27 17:03:31         0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-09-27 17:03:24         0 d-------- C:\Program Files\Common Files\Adobe
2007-09-27 17:00:32         0 d-------- C:\WINDOWS\pss
2007-09-27 16:47:23         0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-09-27 16:47:23         0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-09-27 16:47:23         0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-09-27 16:47:23         0 d-------- C:\Documents and Settings\Administrator\Recent
2007-09-27 16:47:23         0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-09-27 16:47:23    524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-09-27 16:47:23         0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-09-27 16:47:23         0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-09-27 16:47:23         0 d-------- C:\Documents and Settings\Administrator\Local Settings
2007-09-27 16:47:23         0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-09-27 16:47:23         0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-09-27 16:47:23         0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-09-27 16:47:23         0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-09-27 16:47:23         0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-09-27 16:32:20         0 d-------- C:\Documents and Settings\David\Application Data\Macromedia
2007-09-27 16:02:50       830 --a------ C:\WINDOWS\system32\installer.bat
2007-09-27 15:44:50    851456 --a------ C:\WINDOWS\system32\WGA.exe
2007-09-27 15:44:30       512 --a------ C:\ScanSectorLog.dat
2007-09-27 14:36:47         0 d-------- C:\Program Files\DAMN NFO Viewer
2007-09-27 14:36:15         0 d-------- C:\Documents and Settings\David\Application Data\WinRAR
2007-09-27 14:06:58         0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-09-27 14:06:57         0 d-------- C:\Documents and Settings\David\Application Data\Azureus
2007-09-27 14:06:07         0 d-------- C:\Program Files\Azureus
2007-09-27 13:54:35      4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-09-27 13:54:26     11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
2007-09-27 13:53:49         0 d-------- C:\WINDOWS\Internet Logs
2007-09-27 13:49:08         0 d-------- C:\WINDOWS\system32\appmgmt
2007-09-27 13:25:13         0 d-------- C:\WINDOWS\system32\PreInstall
2007-09-27 13:25:12         0 d--h----- C:\WINDOWS\$hf_mig$
2007-09-27 13:23:03         0 d--hs---- C:\Documents and Settings\David\UserData
2007-09-27 13:21:20         0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-09-27 13:09:06     40636 -ra------ C:\WINDOWS\system32\drivers\WLANGEN.bin
2007-09-27 13:09:06       912 -ra------ C:\WINDOWS\system32\drivers\RADIO15.bin
2007-09-27 13:09:06       964 -ra------ C:\WINDOWS\system32\drivers\RADIO11.bin
2007-09-27 13:09:06       936 -ra------ C:\WINDOWS\system32\drivers\RADIO0d.bin
2007-09-27 13:09:06    255360 -ra------ C:\WINDOWS\system32\drivers\AIRPLUS.sys <Not Verified; D-Link; D-Link AirPlus 22 Mbps Wireless Network Adapter>
2007-09-27 13:09:06     40636 -ra------ C:\WINDOWS\system\WLANGEN.bin
2007-09-27 13:09:06       912 -ra------ C:\WINDOWS\system\RADIO15.bin
2007-09-27 13:09:06       964 -ra------ C:\WINDOWS\system\RADIO11.bin
2007-09-27 13:09:06       936 -ra------ C:\WINDOWS\system\RADIO0d.bin
2007-09-27 12:59:50         0 d-------- C:\Program Files\AllToAVI
2007-09-27 12:59:21         0 d-------- C:\Documents and Settings\David\Application Data\TuneUp Software
2007-09-27 12:56:18         0 d-------- C:\Program Files\Lavalys
2007-09-27 12:55:13         0 d-------- C:\Program Files\DSC Driver
2007-09-27 12:35:45         0 d-------- C:\WINDOWS\system32\ReinstallBackups
2007-09-27 12:35:44         0 d-------- C:\WINDOWS\system32\Data
2007-09-27 12:35:36     49152 --a------ C:\WINDOWS\CTDCRES.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-09-27 12:24:35    593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2007-09-27 12:24:27         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-09-27 12:24:16         0 d-------- C:\Program Files\Common Files\InstallShield
2007-09-27 12:24:11         0 d-------- C:\ATI
2007-09-27 12:23:27         0 d-------- C:\Documents and Settings\David\Application Data\Identities
2007-09-27 12:23:20         0 d--h----- C:\Documents and Settings\David\Templates
2007-09-27 12:23:20         0 dr------- C:\Documents and Settings\David\Start Menu
2007-09-27 12:23:20         0 dr-h----- C:\Documents and Settings\David\SendTo
2007-09-27 12:23:20         0 d--h----- C:\Documents and Settings\David\PrintHood
2007-09-27 12:23:20         0 d--h----- C:\Documents and Settings\David\NetHood
2007-09-27 12:23:20         0 dr------- C:\Documents and Settings\David\My Documents
2007-09-27 12:23:20         0 d--h----- C:\Documents and Settings\David\Local Settings
2007-09-27 12:23:20         0 dr------- C:\Documents and Settings\David\Favorites
2007-09-27 12:23:20         0 d-------- C:\Documents and Settings\David\Desktop
2007-09-27 12:23:20         0 d--hs---- C:\Documents and Settings\David\Cookies
2007-09-27 12:23:20         0 dr-h----- C:\Documents and Settings\David\Application Data
2007-09-27 12:23:19   4456448 --a------ C:\Documents and Settings\David\NTUSER.DAT
2007-09-27 12:22:37         0 d-------- C:\WINDOWS\SoftwareDistribution
2007-09-27 12:22:36         0 d---s---- C:\WINDOWS\system32\Microsoft
2007-09-27 12:22:36         0 d-------- C:\WINDOWS\Prefetch
2007-09-27 12:22:35    229376 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2007-09-27 12:22:35         0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2007-09-27 12:22:35         0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2007-09-27 12:22:35         0 d-------- C:\Documents and Settings\LocalService\Application Data
2007-09-27 12:22:35         0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2007-09-27 12:18:04    229376 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2007-09-27 12:18:04         0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2007-09-27 12:18:04         0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2007-09-27 12:18:04         0 d-------- C:\Documents and Settings\NetworkService\Application Data
2007-09-27 12:18:04         0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2007-09-27 12:14:59         0 d-------- C:\WINDOWS\system32\xircom
2007-09-27 12:14:59         0 d-------- C:\Program Files\microsoft frontpage
2007-09-27 12:14:51    229376 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2007-09-27 12:14:47         0 -rahs---- C:\MSDOS.SYS
2007-09-27 12:14:47         0 -rahs---- C:\IO.SYS
2007-09-27 12:14:47         0 --a------ C:\CONFIG.SYS
2007-09-27 12:14:47         0 -----n--- C:\AUTOEXEC.BAT
2007-09-27 12:14:03         0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-09-27 12:13:57         0 d-------- C:\WINDOWS\Offline Web Pages
2007-09-27 12:13:57         0 d---s---- C:\WINDOWS\Downloaded Program Files
2007-09-27 12:13:48         0 d--h----- C:\Program Files\WindowsUpdate
2007-09-27 12:13:34         0 d-------- C:\WINDOWS\system32\DirectX
2007-09-27 12:13:04         0 d---s---- C:\WINDOWS\Tasks
2007-09-27 12:13:03         0 d-------- C:\Program Files\Common Files\MSSoap
2007-09-27 12:12:59         0 d-------- C:\WINDOWS\system32\Macromed
2007-09-27 12:12:59         0 d-------- C:\WINDOWS\srchasst
2007-09-27 12:12:51         0 d-------- C:\Program Files\Movie Maker
2007-09-27 12:12:43         0 d-------- C:\WINDOWS\system32\Restore
2007-09-27 12:12:14     21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-09-27 12:12:02         0 d-------- C:\WINDOWS\Registration
2007-09-27 12:11:57         0 d-------- C:\Program Files\Online Services
2007-09-27 12:11:52         0 d-------- C:\Program Files\Messenger
2007-09-27 12:11:48         0 d-------- C:\Program Files\MSN Gaming Zone
2007-09-27 12:11:12         0 d-------- C:\Program Files\Windows NT
2007-09-27 12:11:09         0 d-------- C:\WINDOWS\system32\MsDtc
2007-09-27 12:11:07         0 d-------- C:\WINDOWS\system32\Com
2007-09-27 08:05:30         0 d--hs---- C:\WINDOWS\Installer
2007-09-27 08:05:30         0 d-------- C:\Program Files\Common Files\ODBC
2007-09-27 08:05:27         0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-09-27 08:05:26         0 d-------- C:\Program Files
2007-09-27 08:05:26         0 d-------- C:\Program Files\Common Files
2007-09-27 08:05:05         0 d--h----- C:\Documents and Settings\Default User\Templates
2007-09-27 08:05:05         0 dr------- C:\Documents and Settings\Default User\Start Menu
2007-09-27 08:05:05         0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-09-27 08:05:05         0 d--h----- C:\Documents and Settings\Default User\Recent
2007-09-27 08:05:05         0 d--h----- C:\Documents and Settings\Default User\PrintHood
2007-09-27 08:05:05         0 d--h----- C:\Documents and Settings\Default User\NetHood
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\Default User\My Documents
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\Default User\Local Settings
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\Default User\Favorites
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\Default User\Desktop
2007-09-27 08:05:05         0 d---s---- C:\Documents and Settings\Default User\Cookies
2007-09-27 08:05:05         0 d--h----- C:\Documents and Settings\All Users\Templates
2007-09-27 08:05:05         0 dr------- C:\Documents and Settings\All Users\Start Menu
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\All Users\Favorites
2007-09-27 08:05:05         0 dr------- C:\Documents and Settings\All Users\Documents
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\All Users\Desktop
2007-09-27 08:04:47         0 d-------- C:\WINDOWS\system32\CatRoot2
2007-09-27 08:04:47         0 d-------- C:\WINDOWS\system32\CatRoot
2007-09-27 08:04:41         0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-09-27 08:04:41         0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2007-09-27 08:04:41         0 dr-h----- C:\Documents and Settings\All Users\Application Data
2007-09-27 08:04:41         0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft
2007-09-27 08:04:04         0 d-------- C:\Documents and Settings
2007-09-27 08:04:03         0 d--hs---- C:\System Volume Information
2007-09-27 07:57:20         0 d-------- C:\WINDOWS
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\WinSxS
2007-09-27 07:57:20         0 dr------- C:\WINDOWS\Web
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\twain_32
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\wins
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\wbem
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\usmt
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\spool
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\ShellExt
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\Setup
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\ras
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\oobe
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\npp
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\mui
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\inetsrv
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\IME
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\icsxml
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\ias
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\export
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\drivers
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\drivers\etc
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\drivers\disdn
2007-09-27 07:57:20         0 d------c- C:\WINDOWS\system32\dllcache
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\dhcp
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\config
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\3com_dmi
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\3076
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\2052
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1054
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1042
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1041
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1037
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1033
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1031
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1028
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1025
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\security
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Resources
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Provisioning
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\PeerNet
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\pchealth
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\mui
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\msapps
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\msagent
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Media
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\java
2007-09-27 07:57:20         0 d--h----- C:\WINDOWS\inf
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\ime
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Help
2007-09-27 07:57:20         0 dr--s---- C:\WINDOWS\Fonts
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\ehome
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Driver Cache
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Debug
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Cursors
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Connection Wizard
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Config
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\AppPatch
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2007-09-27 08:05:05        62 --ahs---- C:\Documents and Settings\David\Application Data\desktop.ini
2007-07-20 15:54:30     77824 --a------ C:\WINDOWS\system32\xcomm.dll <Not Verified; Softwin; Softwin BitDefender Communicator>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [08/27/2007 03:24 PM]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [10/01/2007 03:23 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [02/16/2005 04:15 PM]
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [02/16/2005 04:15 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Update Machine"=tvgyiy.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe [10/7/2007 12:17:30 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)
"ClearRecentDocsOnExit"=01

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Icatch(VI) SnapDetect.lnk]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DNS7reminder]
"C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.exe" -r "C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.ini"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update Machine]
famrbe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx      scan
-- End of Deckard's System Scanner: finished at 2007-10-16 19:23:21 ------------
-------------------------------------------------------------------------------------------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) 64 Processor 3700+
Percentage of Memory in Use: 23%
Physical Memory (total/avail): 2047.23 MiB / 1569.67 MiB
Pagefile Memory (total/avail): 3939.66 MiB / 3554.13 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1896.43 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 66.06 GiB free.
D: is Fixed (NTFS) - 232.88 GiB total, 158.02 GiB free.
E: is Fixed (NTFS) - 232.88 GiB total, 9.18 GiB free.
F: is CDROM (CDFS)
G: is Removable (FAT)

\\.\PHYSICALDRIVE0 - WDC WD2500JB-00GVA0 - 232.88 GiB - 1 partition
  \PARTITION0 (bootable) - Installable File System - 232.88 GiB - E:

\\.\PHYSICALDRIVE2 - ST325041 0AS SCSI Disk Device - 232.88 GiB - 1 partition
  \PARTITION0 - Installable File System - 232.88 GiB - D:

\\.\PHYSICALDRIVE1 - ST380811 AS SCSI Disk Device - 74.53 GiB - 1 partition
  \PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:

\\.\PHYSICALDRIVE3 - Kingston DataTraveler 2.0 USB Device - 1898.31 MiB - 1 partition
  \PARTITION0 (bootable) - MS-DOS V4 Huge - 1898.27 MiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntivirusOverride is set.

FW: Bitdefender Firewall v8.0 (BitDefender)
AV: Bitdefender Antivirus v8.0 (BitDefender)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\WINDOWS\\system32\\tvgyiy.exe"="C:\\WINDOWS\\system32\\tvgyiy.exe:*:Disabled:tvgyiy"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\David\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DAVID-DESKTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\David
LOGONSERVER=\\DAVID-DESKTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Diskeeper Corporation\Diskeeper\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 39 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2701
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\David\LOCALS~1\Temp
TMP=C:\DOCUME~1\David\LOCALS~1\Temp
USERDOMAIN=DAVID-DESKTOP
USERNAME=David
USERPROFILE=C:\Documents and Settings\David
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

David (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Setup --> MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
AllToAVI v4 r5394 --> C:\Program Files\AllToAVI\uninst.exe
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AudioConverter --> "C:\Program Files\TotalAudioConverter\unins000.exe"
AusLogics Registry Defrag --> "C:\Program Files\AusLogics Registry Defrag\unins000.exe"
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
BitDefender Internet Security 2008 --> MsiExec.exe /I{E48949FB-95D7-4818-B45A-DE52BE556547}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
D-Link RangeBooster N DWA-542 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6F6F39E3-D24D-4EEE-9AEA-DEDAF991385D}\setup.exe" -l0x9  -removeonly
Dell Photo Printer 720 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBCUN5C.EXE -dDell Photo Printer 720
Diskeeper 2007 Pro Premier --> MsiExec.exe /X{6EEE934B-F292-4995-95BF-4AE871AC42E8}
Dragon NaturallySpeaking 9 --> MsiExec.exe /I{DDDD90B2-80F2-413A-8A8E-38C5076A7DBA}
Duplicate Music Files Finder 1.5.5 --> "C:\Program Files\Duplicate Music Files Finder\unins000.exe"
Easy Duplicate Finder v. 1.4.3.0 --> "C:\Program Files\Easy Duplicate Finder\unins000.exe"
EVEREST Ultimate Edition v2.80 --> "C:\Program Files\Lavalys\EVEREST Ultimate Edition\unins000.exe"
foobar2000 v0.9.4.3 --> "C:\Program Files\foobar2000\uninstall.exe"
Images of Ireland Theme for Windows XP --> MsiExec.exe /X{E3387EAB-DFD3-4894-9F4C-B27669D35ED8}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
K-Lite Codec Pack 3.4.5 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Macromedia Flash Player 8 --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
Magic ISO Maker v5.4 (build 0239) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Magic Utilities 2007 Version 5.30 --> "C:\Program Files\Mgutil\unins000.exe"
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero 7 Essentials --> MsiExec.exe /I{9FB8CAC0-CCF6-47C9-8EDE-3AC69FD61033}
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Registry Commander v1.04 --> "C:\Program Files\Aezay Productions\Registry Commander\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Super Utilities Pro 7.66 --> "C:\Program Files\SuperLogix\Super Utilities\unins000.exe"
ULi Sata Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FDC53DC6-137A-4541-BFA2-A9BAE4A7FE99}\setup.exe"
Uninstall Tool --> "C:\Program Files\Uninstall Tool\unins000.exe"
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1460 / Warning
Event Submitted/Written: 10/16/2007 03:52:44 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'ProductNonBootFiles' failed during request for component '{22056900-C842-11D1-A0DD-00A0C9054277}'

Event Record #/Type1459 / Warning
Event Submitted/Written: 10/16/2007 03:52:44 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'ProductNonBootFiles', component '{EED59264-D37E-4F24-A622-EA5AB43D0EAC}' failed.  The resource 'C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\OPA11.BAK' does not exist.

Event Record #/Type1458 / Error
Event Submitted/Written: 10/16/2007 03:45:38 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application WiseDiskCleaner.exe, version 2.7.1.83, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1380 / Error
Event Submitted/Written: 10/14/2007 11:38:42 PM
Event ID/Source: 11921 / MsiInstaller
Event Description:
Product: Kaspersky Anti-Virus 7.0 -- Error 1921.Service Kaspersky Anti-Virus 7.0 (AVP) could not be stopped.  Verify that you have sufficient privileges to stop system services.

Event Record #/Type1375 / Error
Event Submitted/Written: 10/14/2007 05:47:25 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application nero.exe, version 7.7.5.1, faulting module unknown, version 0.0.0.0, fault address 0x08080774.
Processing media-specific event for [nero.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5815 / Warning
Event Submitted/Written: 10/16/2007 02:49:19 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type5798 / Error
Event Submitted/Written: 10/16/2007 05:17:30 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Event Record #/Type5797 / Error
Event Submitted/Written: 10/16/2007 05:17:30 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Event Record #/Type5796 / Error
Event Submitted/Written: 10/16/2007 05:17:30 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Event Record #/Type5764 / Warning
Event Submitted/Written: 10/16/2007 03:58:09 AM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\JOHN-DESKTOP on the network \Device\NetBT_Tcpip_{F159D5D5-E846-41AD-8002-F3357B5B7AC1}.
The data is the error code.



-- End of Deckard's System Scanner: finished at 2007-10-16 19:19:54 ------------

LVL 20

Expert Comment

by:IndiGenus
ID: 20089864
Yes, it's definitely a backdoor SDBot.

Please download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe 

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.
A text file should automatically open, so please copy the contents and post them here. We also need you to post a new HijackThis log.

LVL 20

Expert Comment

by:IndiGenus
ID: 20089872
EDIT: Instead of posting a HijackThis log at the end please post another Deckard's Scanner log.

Thanks,
Dave

Author Comment

by:Heuman
ID: 20090043
Dave,

No, thank you for your help.  I'm running the SDFix tool.  When you run Deckard's it will ask you if it can install and run HijackThis.  Is this normal?  Looks like it found something.  How radical is this trojan and how can I ensure there is nothing else resident and lying incognito on my PC?
----------------------------------------------------------------------------------------------
 
SDFix: Version 1.109

Run by David on Tue 10/16/2007 at 08:10 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\regedit.com  - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.
 
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
 


                                 Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\WINDOWS\\system32\\tvgyiy.exe"="C:\\WINDOWS\\system32\\tvgyiy.exe:*:Disabled:tvgyiy"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 12 Oct 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!
------------------------------------------------------------------------------------------------------------------------


Deckard's System Scanner v20071014.68
Run by David on 2007-10-16 20:17:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as David.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:38 PM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\David\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\David.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 7385 bytes

-- Files created between 2007-09-16 and 2007-10-16 -----------------------------

2007-10-16 20:09:55         0 d-------- C:\WINDOWS\ERUNT
2007-10-16 20:03:34         0 dr-h----- C:\Documents and Settings\David\Recent
2007-10-16 19:20:49         0 d-------- C:\Program Files\Trend Micro
2007-10-16 05:35:19         0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-16 05:28:13         0 d-------- C:\Documents and Settings\All Users\Application Data\CrystalIdea Software
2007-10-16 05:22:48         0 d-------- C:\Program Files\Uninstall Tool
2007-10-16 00:30:22         0 d-------- C:\Documents and Settings\David\Application Data\Bitdefender
2007-10-16 00:30:08         0 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2007-10-15 22:01:40     81984 --a------ C:\WINDOWS\system32\bdod.bin
2007-10-15 22:01:01         0 d-------- C:\Program Files\BitDefender
2007-10-15 22:00:27         0 d-------- C:\Program Files\Common Files\BitDefender
2007-10-15 17:04:34         0 d-------- C:\WINDOWS\BDOSCAN8
2007-10-15 04:37:47         0 d-------- C:\Program Files\SonicWallES
2007-10-15 00:07:14         0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-14 17:13:39         0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-14 13:43:41         0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-10-14 00:46:30         0 d-------- C:\KAV
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\zts2.exe
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\rundll16.exe
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\rundl132.dll
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\logo1_.exe
2007-10-13 04:17:28         0 d-------- C:\Program Files\Wise Registry Cleaner
2007-10-13 04:16:49         0 d-------- C:\Program Files\Aezay Productions
2007-10-13 04:10:22         0 d-------- C:\Program Files\AusLogics Registry Defrag
2007-10-12 22:49:54         0 d-------- C:\Documents and Settings\David\Application Data\foobar2000
2007-10-12 22:49:50         0 d-------- C:\Program Files\foobar2000
2007-10-12 17:55:16         0 d-------- C:\Program Files\Common Files\Scansoft Shared
2007-10-12 17:55:16         0 d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-10-12 17:55:02         0 d-------- C:\Program Files\Nuance
2007-10-12 16:44:57         0 d-------- C:\Program Files\Easy Duplicate Finder
2007-10-12 16:43:40         0 d-------- C:\Program Files\Duplicate Music Files Finder
2007-10-12 16:24:08         0 --a------ C:\WINDOWS\system32\suupdate.dat
2007-10-12 16:24:08         0 --a------ C:\WINDOWS\system32\mssurun.dat
2007-10-12 16:24:08    269824 --a------ C:\WINDOWS\system32\baksm.dll
2007-10-12 16:23:59   2281472 --a------ C:\WINDOWS\system32\vbsbak.dat <Not Verified; SuperLogix; Super Utilities>
2007-10-12 16:23:59        42 --a------ C:\WINDOWS\system32\vb6sock.dll
2007-10-12 16:23:59    269824 --a------ C:\WINDOWS\system32\supermenuhook.dll
2007-10-12 16:23:59         0 d-------- C:\WINDOWS\system32\IOSUBSYS
2007-10-12 16:23:59     43936 --a------ C:\WINDOWS\system32\drivers\HWFProt.sys <Not Verified; Alfa Corporation; AlfaFP (TM) 2003 Ansi Build for Windows NT/2K>
2007-10-12 16:23:59    591872 --a------ C:\WINDOWS\system32\context.dll <Not Verified; SuperLogix; Enhancement to context menu>
2007-10-12 16:23:59    269824 --a------ C:\WINDOWS\system32\baksm.dat
2007-10-12 16:23:59         0 d-------- C:\Program Files\SuperLogix
2007-10-12 15:36:47         0 d-------- C:\Program Files\Mgutil
2007-10-12 04:06:18         0 d-------- C:\Program Files\Wise Disk Cleaner
2007-10-11 23:59:00         0 d-------- C:\Program Files\SpywareBlaster
2007-10-11 22:58:27     28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-10-11 18:57:35         0 d-------- C:\Program Files\QuickTime
2007-10-11 18:40:32         0 d-------- C:\WINDOWS\Sun
2007-10-11 18:40:32         0 d-------- C:\Documents and Settings\David\Application Data\Sun
2007-10-11 18:40:06         0 d-------- C:\Program Files\Java
2007-10-11 18:39:56         0 d-------- C:\Program Files\Common Files\Java
2007-10-11 18:34:58         0 d-------- C:\Documents and Settings\David\.housecall6.6
2007-10-11 12:24:05         0 d-------- C:\Program Files\TotalAudioConverter
2007-10-10 19:58:42         0 d-------- C:\Program Files\MSECache
2007-10-10 19:52:49         0 d-------- C:\Program Files\Microsoft ActiveSync
2007-10-10 19:52:10         0 d-------- C:\WINDOWS\SHELLNEW
2007-10-10 19:51:10         0 d-------- C:\Program Files\Microsoft.NET
2007-10-09 16:20:53         0 d-------- C:\Documents and Settings\David\Application Data\Ahead
2007-10-09 16:15:57         0 d-------- C:\Program Files\Nero
2007-10-09 16:15:57         0 d-------- C:\Program Files\Common Files\Ahead
2007-10-09 16:07:31         0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-09 15:25:25         0 d-------- C:\WINDOWS\SxsCaPendDel
2007-10-09 04:09:23         0 d-------- C:\Program Files\Seagate
2007-10-09 03:33:33         0 d-------- C:\Documents and Settings\David\Application Data\uTorrent
2007-10-09 02:36:46         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-08 01:53:15         0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-08 01:18:26         0 d-------- C:\Program Files\Bonjour
2007-10-08 01:10:05         0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-08 00:57:25         0 d-------- C:\Program Files\MagicISO
2007-10-08 00:39:32    639224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-10-07 00:17:29    237636 --a------ C:\WINDOWS\system32\wsimd.dll <Not Verified; Atheros Communications, Inc.; wsimd>
2007-10-07 00:17:29    245830 --a------ C:\WINDOWS\system32\wsfwDS.dll <Not Verified; Atheros Communications, Inc.; wsfwds>
2007-10-07 00:17:29     53248 -ra------ C:\WINDOWS\system32\dsaNac.dll <Not Verified; Devicescape, Inc.; Devicescape NAC Notify DLL>
2007-10-07 00:17:29   1253432 -ra------ C:\WINDOWS\system32\dsa.dll <Not Verified; Devicescape; Devicescape Windows WPA Supplicant (Core 0.4.3)>
2007-10-07 00:17:29         0 d-------- C:\WINDOWS\pcidevice
2007-10-07 00:17:29         0 d-------- C:\Program Files\D-Link
2007-10-06 18:44:54         0 d-------- C:\Documents and Settings\David\Application Data\Nero
2007-10-06 18:42:18         0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-10-05 19:41:15         0 d-------- C:\Program Files\Marvell
2007-10-05 19:37:24      5824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2007-10-04 13:52:54    399872 --a------ C:\WINDOWS\c4dstand.dll
2007-10-04 13:52:53    438272 --a------ C:\WINDOWS\c4dll.dll <Not Verified; Sequiter Software Inc.; CodeBase>
2007-10-04 13:52:39     98304 --a------ C:\WINDOWS\system32\tsccvid.dll <Not Verified; TechSmith Corporation; TechSmith Screen Capture Codec>
2007-10-04 13:52:39         0 d-------- C:\Program Files\LearnKey
2007-10-04 13:52:36    487936 --a------ C:\WINDOWS\LkUnInst.exe <Not Verified; LearnKey, Inc.; >
2007-10-03 22:55:26         0 d-------- C:\temp
2007-10-02 20:58:47         0 d-------- C:\WINDOWS\PAC207
2007-10-02 00:18:12      1075 --a------ C:\Documents and Settings\David\Application Data\SAS7_000.DAT
2007-10-01 19:09:02         0 d-------- C:\Documents and Settings\David\Application Data\Nuance
2007-10-01 19:03:34         0 d-------- C:\Documents and Settings\All Users\Application Data\Nuance
2007-10-01 17:20:18         0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-10-01 17:17:35         0 d-------- C:\WINDOWS\speech
2007-10-01 02:24:27         0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-10-01 02:23:46         0 d-------- C:\Program Files\MSXML 4.0
2007-10-01 01:53:31         0 d-------- C:\Program Files\Anark
2007-09-30 23:56:43    299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2007-09-30 23:56:38         0 d-------- C:\Documents and Settings\David\WINDOWS
2007-09-28 23:05:33         0 d-------- C:\Program Files\MSXML 6.0
2007-09-28 20:57:19         0 d-------- C:\WINDOWS\system32\XPSViewer
2007-09-28 20:56:58         0 d-------- C:\Program Files\Reference Assemblies
2007-09-28 20:52:33         0 d-------- C:\WINDOWS\system32\URTTemp
2007-09-28 20:33:08         0 d-------- C:\Program Files\MTV Networks
2007-09-28 20:33:04         0 d-------- C:\WINDOWS\Downloaded Installations
2007-09-28 20:09:30         0 d-------- C:\Program Files\Windows Media Connect 2
2007-09-28 20:08:23         0 d-------- C:\WINDOWS\system32\LogFiles
2007-09-28 20:08:23         0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-09-28 20:00:19         0 d-------- C:\WINDOWS\network diagnostic
2007-09-28 19:59:04         0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-09-28 19:35:44         0 d-------- C:\Program Files\Diskeeper Corporation
2007-09-28 16:52:49         0 d--hs---- C:\Diskeeper
2007-09-28 16:09:53         0 d-------- C:\Documents and Settings\David\Application Data\Softplicity
2007-09-28 01:39:11         0 d-------- C:\WINDOWS\Wallpaper Of Wow
2007-09-27 22:22:02         0 d-------- C:\Documents and Settings\David\Application Data\Yahoo!
2007-09-27 22:09:22         0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-27 22:07:44         0 d-------- C:\Program Files\Yahoo!
2007-09-27 19:19:21     29696 -----n--- C:\WINDOWS\system32\dev32.exe <Not Verified; ALi Coporation; Install Program>
2007-09-27 19:19:16    163840 -----n--- C:\WINDOWS\system32\coin5288.dll <Not Verified; ULi Electronics Inc.; Coinstaller Dynamic Link Library>
2007-09-27 18:01:51         0 d-------- C:\Program Files\MSBuild
2007-09-27 17:58:14         0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-09-27 17:19:07         0 d-------- C:\Documents and Settings\David\Application Data\Adobe
2007-09-27 17:11:35         0 d-------- C:\Documents and Settings\David\Application Data\Media Player Classic
2007-09-27 17:10:34    217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2007-09-27 17:10:34    282624 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-09-27 17:10:34   1559040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-09-27 17:10:33   3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-09-27 17:10:33     73728 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-09-27 17:10:33    740442 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-27 17:10:32      7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-09-27 17:10:31         0 d-------- C:\Program Files\K-Lite Codec Pack
2007-09-27 17:03:31         0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-09-27 17:03:24         0 d-------- C:\Program Files\Common Files\Adobe
2007-09-27 17:00:32         0 d-------- C:\WINDOWS\pss
2007-09-27 16:47:23         0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-09-27 16:47:23         0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-09-27 16:47:23         0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-09-27 16:47:23         0 d-------- C:\Documents and Settings\Administrator\Recent
2007-09-27 16:47:23         0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-09-27 16:47:23    524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-09-27 16:47:23         0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-09-27 16:47:23         0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-09-27 16:47:23         0 d-------- C:\Documents and Settings\Administrator\Local Settings
2007-09-27 16:47:23         0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-09-27 16:47:23         0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-09-27 16:47:23         0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-09-27 16:47:23         0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-09-27 16:47:23         0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-09-27 16:32:20         0 d-------- C:\Documents and Settings\David\Application Data\Macromedia
2007-09-27 16:02:50       830 --a------ C:\WINDOWS\system32\installer.bat
2007-09-27 15:44:50    851456 --a------ C:\WINDOWS\system32\WGA.exe
2007-09-27 15:44:30       512 --a------ C:\ScanSectorLog.dat
2007-09-27 14:36:47         0 d-------- C:\Program Files\DAMN NFO Viewer
2007-09-27 14:36:15         0 d-------- C:\Documents and Settings\David\Application Data\WinRAR
2007-09-27 14:06:58         0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-09-27 14:06:57         0 d-------- C:\Documents and Settings\David\Application Data\Azureus
2007-09-27 14:06:07         0 d-------- C:\Program Files\Azureus
2007-09-27 13:54:35      4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-09-27 13:54:26     11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
2007-09-27 13:53:49         0 d-------- C:\WINDOWS\Internet Logs
2007-09-27 13:49:08         0 d-------- C:\WINDOWS\system32\appmgmt
2007-09-27 13:25:13         0 d-------- C:\WINDOWS\system32\PreInstall
2007-09-27 13:25:12         0 d--h----- C:\WINDOWS\$hf_mig$
2007-09-27 13:23:03         0 d--hs---- C:\Documents and Settings\David\UserData
2007-09-27 13:21:20         0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-09-27 13:09:06     40636 -ra------ C:\WINDOWS\system32\drivers\WLANGEN.bin
2007-09-27 13:09:06       912 -ra------ C:\WINDOWS\system32\drivers\RADIO15.bin
2007-09-27 13:09:06       964 -ra------ C:\WINDOWS\system32\drivers\RADIO11.bin
2007-09-27 13:09:06       936 -ra------ C:\WINDOWS\system32\drivers\RADIO0d.bin
2007-09-27 13:09:06    255360 -ra------ C:\WINDOWS\system32\drivers\AIRPLUS.sys <Not Verified; D-Link; D-Link AirPlus 22 Mbps Wireless Network Adapter>
2007-09-27 13:09:06     40636 -ra------ C:\WINDOWS\system\WLANGEN.bin
2007-09-27 13:09:06       912 -ra------ C:\WINDOWS\system\RADIO15.bin
2007-09-27 13:09:06       964 -ra------ C:\WINDOWS\system\RADIO11.bin
2007-09-27 13:09:06       936 -ra------ C:\WINDOWS\system\RADIO0d.bin
2007-09-27 12:59:50         0 d-------- C:\Program Files\AllToAVI
2007-09-27 12:59:21         0 d-------- C:\Documents and Settings\David\Application Data\TuneUp Software
2007-09-27 12:56:18         0 d-------- C:\Program Files\Lavalys
2007-09-27 12:55:13         0 d-------- C:\Program Files\DSC Driver
2007-09-27 12:35:45         0 d-------- C:\WINDOWS\system32\ReinstallBackups
2007-09-27 12:35:44         0 d-------- C:\WINDOWS\system32\Data
2007-09-27 12:35:36     49152 --a------ C:\WINDOWS\CTDCRES.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-09-27 12:24:35    593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2007-09-27 12:24:27         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-09-27 12:24:16         0 d-------- C:\Program Files\Common Files\InstallShield
2007-09-27 12:24:11         0 d-------- C:\ATI
2007-09-27 12:23:27         0 d-------- C:\Documents and Settings\David\Application Data\Identities
2007-09-27 12:23:20         0 d--h----- C:\Documents and Settings\David\Templates
2007-09-27 12:23:20         0 dr------- C:\Documents and Settings\David\Start Menu
2007-09-27 12:23:20         0 dr-h----- C:\Documents and Settings\David\SendTo
2007-09-27 12:23:20         0 d--h----- C:\Documents and Settings\David\PrintHood
2007-09-27 12:23:20         0 d--h----- C:\Documents and Settings\David\NetHood
2007-09-27 12:23:20         0 dr------- C:\Documents and Settings\David\My Documents
2007-09-27 12:23:20         0 d--h----- C:\Documents and Settings\David\Local Settings
2007-09-27 12:23:20         0 dr------- C:\Documents and Settings\David\Favorites
2007-09-27 12:23:20         0 d-------- C:\Documents and Settings\David\Desktop
2007-09-27 12:23:20         0 d--hs---- C:\Documents and Settings\David\Cookies
2007-09-27 12:23:20         0 dr-h----- C:\Documents and Settings\David\Application Data
2007-09-27 12:23:19   4456448 --a------ C:\Documents and Settings\David\NTUSER.DAT
2007-09-27 12:22:37         0 d-------- C:\WINDOWS\SoftwareDistribution
2007-09-27 12:22:36         0 d---s---- C:\WINDOWS\system32\Microsoft
2007-09-27 12:22:36         0 d-------- C:\WINDOWS\Prefetch
2007-09-27 12:22:35    229376 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2007-09-27 12:22:35         0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2007-09-27 12:22:35         0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2007-09-27 12:22:35         0 d-------- C:\Documents and Settings\LocalService\Application Data
2007-09-27 12:22:35         0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2007-09-27 12:18:04    229376 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2007-09-27 12:18:04         0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2007-09-27 12:18:04         0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2007-09-27 12:18:04         0 d-------- C:\Documents and Settings\NetworkService\Application Data
2007-09-27 12:18:04         0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2007-09-27 12:14:59         0 d-------- C:\WINDOWS\system32\xircom
2007-09-27 12:14:59         0 d-------- C:\Program Files\microsoft frontpage
2007-09-27 12:14:51    229376 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2007-09-27 12:14:47         0 -rahs---- C:\MSDOS.SYS
2007-09-27 12:14:47         0 -rahs---- C:\IO.SYS
2007-09-27 12:14:47         0 --a------ C:\CONFIG.SYS
2007-09-27 12:14:47         0 -----n--- C:\AUTOEXEC.BAT
2007-09-27 12:14:03         0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-09-27 12:13:57         0 d-------- C:\WINDOWS\Offline Web Pages
2007-09-27 12:13:57         0 d---s---- C:\WINDOWS\Downloaded Program Files
2007-09-27 12:13:48         0 d--h----- C:\Program Files\WindowsUpdate
2007-09-27 12:13:34         0 d-------- C:\WINDOWS\system32\DirectX
2007-09-27 12:13:04         0 d---s---- C:\WINDOWS\Tasks
2007-09-27 12:13:03         0 d-------- C:\Program Files\Common Files\MSSoap
2007-09-27 12:12:59         0 d-------- C:\WINDOWS\system32\Macromed
2007-09-27 12:12:59         0 d-------- C:\WINDOWS\srchasst
2007-09-27 12:12:51         0 d-------- C:\Program Files\Movie Maker
2007-09-27 12:12:43         0 d-------- C:\WINDOWS\system32\Restore
2007-09-27 12:12:14     21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-09-27 12:12:02         0 d-------- C:\WINDOWS\Registration
2007-09-27 12:11:57         0 d-------- C:\Program Files\Online Services
2007-09-27 12:11:52         0 d-------- C:\Program Files\Messenger
2007-09-27 12:11:48         0 d-------- C:\Program Files\MSN Gaming Zone
2007-09-27 12:11:12         0 d-------- C:\Program Files\Windows NT
2007-09-27 12:11:09         0 d-------- C:\WINDOWS\system32\MsDtc
2007-09-27 12:11:07         0 d-------- C:\WINDOWS\system32\Com
2007-09-27 08:05:30         0 d--hs---- C:\WINDOWS\Installer
2007-09-27 08:05:30         0 d-------- C:\Program Files\Common Files\ODBC
2007-09-27 08:05:27         0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-09-27 08:05:26         0 d-------- C:\Program Files
2007-09-27 08:05:26         0 d-------- C:\Program Files\Common Files
2007-09-27 08:05:05         0 d--h----- C:\Documents and Settings\Default User\Templates
2007-09-27 08:05:05         0 dr------- C:\Documents and Settings\Default User\Start Menu
2007-09-27 08:05:05         0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-09-27 08:05:05         0 d--h----- C:\Documents and Settings\Default User\Recent
2007-09-27 08:05:05         0 d--h----- C:\Documents and Settings\Default User\PrintHood
2007-09-27 08:05:05         0 d--h----- C:\Documents and Settings\Default User\NetHood
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\Default User\My Documents
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\Default User\Local Settings
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\Default User\Favorites
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\Default User\Desktop
2007-09-27 08:05:05         0 d---s---- C:\Documents and Settings\Default User\Cookies
2007-09-27 08:05:05         0 d--h----- C:\Documents and Settings\All Users\Templates
2007-09-27 08:05:05         0 dr------- C:\Documents and Settings\All Users\Start Menu
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\All Users\Favorites
2007-09-27 08:05:05         0 dr------- C:\Documents and Settings\All Users\Documents
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\All Users\Desktop
2007-09-27 08:04:47         0 d-------- C:\WINDOWS\system32\CatRoot2
2007-09-27 08:04:47         0 d-------- C:\WINDOWS\system32\CatRoot
2007-09-27 08:04:41         0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-09-27 08:04:41         0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2007-09-27 08:04:41         0 dr-h----- C:\Documents and Settings\All Users\Application Data
2007-09-27 08:04:41         0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft
2007-09-27 08:04:04         0 d-------- C:\Documents and Settings
2007-09-27 08:04:03         0 d--hs---- C:\System Volume Information
2007-09-27 07:57:20         0 d-------- C:\WINDOWS
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\WinSxS
2007-09-27 07:57:20         0 dr------- C:\WINDOWS\Web
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\twain_32
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\wins
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\wbem
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\usmt
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\spool
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\ShellExt
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\Setup
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\ras
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\oobe
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\npp
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\mui
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\inetsrv
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\IME
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\icsxml
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\ias
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\export
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\drivers
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\drivers\etc
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\drivers\disdn
2007-09-27 07:57:20         0 d------c- C:\WINDOWS\system32\dllcache
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\dhcp
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\config
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\3com_dmi
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\3076
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\2052
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1054
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1042
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1041
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1037
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1033
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1031
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1028
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1025
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\security
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Resources
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Provisioning
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\PeerNet
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\pchealth
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\mui
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\msapps
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\msagent
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Media
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\java
2007-09-27 07:57:20         0 d--h----- C:\WINDOWS\inf
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\ime
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Help
2007-09-27 07:57:20         0 dr--s---- C:\WINDOWS\Fonts
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\ehome
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Driver Cache
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Debug
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Cursors
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Connection Wizard
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Config
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\AppPatch
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2007-09-27 08:05:05        62 --ahs---- C:\Documents and Settings\David\Application Data\desktop.ini
2007-07-20 15:54:30     77824 --a------ C:\WINDOWS\system32\xcomm.dll <Not Verified; Softwin; Softwin BitDefender Communicator>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [08/27/2007 03:24 PM]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [10/01/2007 03:23 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [02/16/2005 04:15 PM]
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [02/16/2005 04:15 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe [10/7/2007 12:17:30 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)
"ClearRecentDocsOnExit"=01

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Icatch(VI) SnapDetect.lnk]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DNS7reminder]
"C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.exe" -r "C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.ini"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update Machine]
famrbe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx      scan




-- End of Deckard's System Scanner: finished at 2007-10-16 20:20:15 ------------
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20090095
>"When you run Deckard's it will ask you if it can install and run HijackThis.  Is this normal?  Looks like it found something."<

Yes, HJT is run as part of the DSS scan.  

>"How radical is this trojan and how can I ensure there is nothing else resident and lying incognito on my PC?"<

Well, it's a backdoor. Any time one of these is present there should be some concern that there may be things we can't see. Some would consider this kind of discovery a reason to reformat and install fresh. In some cases I agree with this. But we also have good tools to deal with these infections, like SDFix and others. We also would want to run some other scans.

One of the concerns I have now is that you have another one of these disabled with msconfig. We can see it from your DSS log.
-----------------------
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update Machine]
famrbe.exe
-----------------------
So don't make any changes with msconfig. There are a couple of other items in there too that I need to research. At this point I would recommend running ComboFix and getting a log. We can also use ComboFix as a script tool to remove the malicious entries waiting to do damage from msconfig.

Download and Run ComboFix

http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Disconnect from the Internet, then disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply with a HijackThis log.

HijackThis can be downloaded here:

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20090393
Okay no problem rpggamergirl. Will have them use http://www.ee-stuff.com.

I'm obviously used to working in the forums where we have them post everything for all to see. I'll adjust accordingly here.

Thanks,
Dave
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20090449
Thanks for understanding Dave, I know it's a little different here at EE. It's kinda a "question and answer" site.
EE prefers that no logs are posted in the questions.
At least, it's better now that there's a HijackThis zone for HijackThis logs, they didn't use to, :)

Keep up the good work!

~rpg
0
 
LVL 20

Accepted Solution

by:
IndiGenus earned 2000 total points
ID: 20090706
Thanks for following up on rpg's request. I'm still kind of new here....although not new to doing this stuff.

Open Notepad and copy/paste in the following text between the lines:
--------------------------------------------------------
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update Machine]
--------------------------------------------------------

Save the above as CFScript.txt on the desktop.

Then drag the CFScript.txt file onto ComboFix.exe on the desktop. This will start ComboFix again. Upload the new log that is produced.

Please do a search for the following file(s):
Start > Search > All Files And Folders
Under More Advanced Options, make sure the following are checked:
*Search system folders
*Search hidden files and folders
*Search subfolders
Then copy and paste the following(one at a time) in the search box:

famrbe.exe
tvgyiy.exe

If found delete all instances of these files.

Let us know how it's running now.
0
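The triage IndiGenus applied to the DSS log (a startup entry under msconfig's `startupreg` key that launches a bare file name such as famrbe.exe) and the CFScript removal block in the accepted solution, as an added example that is not code from the thread, from DSS or from ComboFix. The log excerpt it parses is constructed to match the dump format posted above; the watch list and the bare-file-name heuristic are assumptions of this example.

```python
"""Triage the msconfig 'startupreg' entries of a DSS-style log and build the
ComboFix CFScript that removes the ones that look malicious."""
import re

# Constructed sample, modelled on the "Registry Dump" part of the DSS log in
# this thread: a bracketed key line, its command beneath it, blank line between
# entries; a key with nothing beneath it was printed by DSS without a command.
SAMPLE_DUMP = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\Adobe Reader Speed Launcher]
"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\GrooveMonitor]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\ISUSPM Startup]
C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\Microsoft Update Machine]
famrbe.exe

[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\Yahoo! Pager]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe" -quiet
"""

# Names already reported in this thread (the scanner hit and the msconfig
# entry the expert singled out); extend with whatever later scans report.
WATCHLIST = {"tvgyiy.exe", "famrbe.exe"}

STARTUPREG = "\\shared tools\\msconfig\\startupreg\\"


def parse_registry_dump(text):
    """Return {key: command-or-None} for every [key] block in the dump."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries[key] = None
        elif line and key is not None and entries[key] is None:
            entries[key] = line  # first non-empty line under the key
    return entries


def command_image(cmd):
    """Lower-cased base name of the executable in a startup command line."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    image = (m.group(1) or m.group(2)) if m else cmd
    return image.rsplit("\\", 1)[-1].lower()


def suspicious_entries(entries, watchlist=WATCHLIST):
    """Flag startupreg entries whose image is watch-listed, or which name a bare
    file with no path (the way the 'famrbe.exe' entry in the thread appears)."""
    flagged = []
    for key, cmd in entries.items():
        if STARTUPREG not in key.lower() or cmd is None:
            continue
        image = command_image(cmd)
        if image in watchlist:
            flagged.append((key, cmd, "image name is on the watch list"))
        elif "\\" not in cmd.split()[0]:
            flagged.append((key, cmd, "bare file name, no path"))
    return flagged


def build_cfscript(keys):
    """CFScript text as in the accepted answer: 'Registry::' then [-KEY] lines."""
    return "Registry::\n" + "".join(f"[-{k}]\n" for k in keys)


if __name__ == "__main__":
    hits = suspicious_entries(parse_registry_dump(SAMPLE_DUMP))
    print(build_cfscript([k for k, _, _ in hits]))
```

Running it against the sample prints a CFScript whose only `[-KEY]` line is the "Microsoft Update Machine" entry, matching what the accepted solution removes by hand.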
 

Author Comment

by:Heuman
ID: 20091085
- Hey no problem, I'm just trying to follow the site's rules, I was the person who decided to copy and paste one of my logs directly into this thread to begin with. This was something that I overlooked in the rules section. I did not mean for you to get into any trouble.
- I created the CFScript.txt file and ran it with ComboFix. Please see below for a link to this log file.  I also did a search, making sure that everything you mentioned above is checked: search system folders, search hidden files and folders, search subfolders. My search results did not find any files by the name of famrbe.exe and tvgyiy.exe.

https://filedb.experts-exchange.com/incoming/ee-stuff/5053-log22txt.txt

- Please let me know how the log file looks (cross my fingers and hope it's clean) & I would like to thank you in advance for all of your hard work and time you've put in to help resolve my issue.  My computer has definitely smoothed out and isn't laggy anymore like it was before. Awesome!
- Question: what antivirus/anti-spyware and personal firewall should I be using??? Since it seems that all of them pick up something that the other one can't...  If that suggestion can be made.
- Is it safe for people to look at my log files online like this?





0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20092575
>"- Question: what antivirus/anti-spyware and personal firewall should I be using??? Since it seems that all of them pick up something that the other one can't...  If that suggestion can be made."<

Well, ask 10 people this question and you'll probably get 10 different answers. No, there is not one of them that will find "everything". BitDefender gets good reviews and I believe is solid. But it does not include a firewall, does it? I would recommend adding that as the Windows Firewall is weak at best. Here are a couple of free ideas. I'm using Sunbelt right now and am happy with it.

http://www.sunbelt-software.com/Kerio-Download.cfm - Sunbelt Personal Firewall
http://www.agnitum.com/products/outpost/index.php - Outpost Firewall

>" - Is it safe for people to look at my log files online like this?"<

Well I've never seen or heard of any issues around it. There is nothing that is really helpful to a hacker like an IP address or anything. So I believe you're OK.

Log looks clean. I would recommend an online scan like Kaspersky. It will not fix anything but it's very thorough. You can upload the log that it produces and I'll take a look at it. It will likely take a long time to run on your computer so set it to run overnight or at a time when you don't need it.

Using Internet Explorer, run Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner

0
 

Author Comment

by:Heuman
ID: 20097499
IndiGenus,
You're right, everyone does have an opinion about something.... actually the BitDefender software I was using was their Internet security suite, which came with an antivirus, anti-spyware engine and a personal firewall. I have since uninstalled BitDefender and I have installed the Sunbelt personal firewall, which I like a lot better. It seems to have more direct control over the applications on your computer that are trying to reach out to the net. Just using a trial version of the firewall and Kaspersky's antivirus.
- Oh, I did do a couple of online virus scans that came up CLEAN... YOU DA MAN!!  Now I'd need to learn how to read the script files that are produced by HijackThis and similar software when system scans are performed.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20097544
There are several good places to learn how to interpret HJT logs and advise on cleanup and prevention. It requires a fair amount of study and work but if you are motivated these are the places to learn.

Malware Removal University: http://forum.malwareremoval.com/viewtopic.php?t=233
Geek U: http://www.geekstogo.com/forum/Would-like-to-learn-to-fight-malware-t4817.html

There are other good places too.
0
