Malwareteks :: Forums :: Malware Support :: Inactive Malware Threads
 
[INACTIVE] Any more viruses? Things are running slow here.
This thread is now closed
chemistpgh
Mon Jul 09 2007, 09:37PM
Registered Member #80
Joined: Mon Jul 09 2007, 09:24PM
Posts: 3
Thanked 0 times in 0 posts
Hi,

I was glad to find this site after I accidentally acquired the Storm Trojan. I thought I got it all, and 2 days later things slowed again. So I found your Cleaning guide and ran the crap out of everything. Some more stuff was found, and now all the scanners you suggest find the system 'clean'.

However, I also ran the ISeeYouXP.bat because I feel my performance is still a little slow, and I'm afraid that I will have to blow another entire day deleting and scanning if a piece of the Storm Trojan is left to copy itself.

I am attaching the results of ISeeYouXP.bat as a txt file. I am not attaching the logs from the anti-virus scans, because they all come back clean now. The date of the infection was most likely July 5th at about 1:30 pm.

Thank you in advance for your help! I am trying to write a thesis here! What a crappy couple of days!

Linz

[ Edited Mon Jul 21 2008, 08:52AM ]
ShadowPuterDude
Mon Jul 09 2007, 09:47PM
...the Shadow knows


Registered Member #1
Joined: Thu Apr 27 2006, 04:52PM
Location: Northern NY
Posts: 251
Thanked 12 times in 12 posts
Hi Liz, and welcome to MalwareTeks.

For some reason the ISeeYouXP log did not attach. Go ahead and copy & paste the log into your reply, along with a log from HijackThis.

There is a rootkit element of the Storm Worm that will need to be removed to fully clean the infection.



"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006
Linux Registered User # 363218
chemistpgh
Wed Jul 11 2007, 09:03AM
Registered Member #80
Joined: Mon Jul 09 2007, 09:24PM
Posts: 3
Thanked 0 times in 0 posts
Ok, I am trying to attach again.
iseeyouxpresults0709.txt
chemistpgh
Wed Jul 11 2007, 09:04AM
Registered Member #80
Joined: Mon Jul 09 2007, 09:24PM
Posts: 3
Thanked 0 times in 0 posts

************************************************************************************
ISeeYouXP v2.0 Beta 12

ISeeYouXP v1.3.0-v2.0 Beta 12 Copyright - ShadowPuterDude
ISeeYouXP v1.2.9 and earlier Copyright - PhilliePhan
------------------------------------------------------------------------------------
**** PLEASE NOTE THAT MOST (if not ALL) OF THE ITEMS BELOW ARE NOT BADDIES! ****
**** PLEASE CONSULT A KNOWLEDGEABLE PERSON BEFORE TAKING ANY ACTION. ****
************************************************************************************

Windows OS is:

Microsoft Windows XP [Version 5.1.2600]
It's Mon July 9, 2007 08:50:53 PM

------------------------------------------------------------------------------------

ISeeYouXP installation folder and files

"C:\ISeeYouXP\"
change.log May 27 2007 4421 "change.log"
chodefix.bat Apr 18 2007 5387 "chodefix.bat"
egrep Dec 24 2004 35 "egrep"
fgrep Dec 24 2004 35 "fgrep"
fixchode.reg Apr 18 2007 528 "fixChode.reg"
fixexp~1.bat Feb 24 2007 487 "FixExplorerPolicies.bat"
getunk~1.bat Aug 12 2006 1478 "GetUnKeys.bat"
grep.exe Dec 24 2004 160768 "grep.exe"
hideit.bat Mar 31 2007 1114 "HideIT.bat"
iseeyo~1.bat May 27 2007 201093 "ISeeYouXP.bat"
libico~1.dll Mar 16 2004 898048 "libiconv2.dll"
libintl3.dll Oct 9 2004 101888 "libintl3.dll"
locate.com Jan 14 2005 11254 "locate.com"
ltime.exe Oct 28 1986 13184 "ltime.exe"
msconf~1.bat Feb 24 2007 578 "MSConfigFix.bat"
pcbutts.txt Mar 25 2007 5167 "PCBUTTS.TXT"
pcre.dll Nov 14 2004 183313 "pcre.dll"
regedi~1.bat Mar 30 2007 650 "RegEditFix.bat"
regfix.bat Apr 18 2007 145 "Regfix.bat"
showit.bat Mar 31 2007 1055 "ShowIT.bat"
swreg.exe Apr 5 2007 139776 "swreg.exe"
system~1.bat Feb 28 2007 369 "SystemRestoreFix.bat"
taskmg~1.bat Feb 24 2007 288 "TaskMgrFix.bat"

23 items found: 23 files, 0 directories.
Total of file sizes: 1,731,061 bytes 1.65 M
3 Dir(s) 68,257,607,680 bytes free

------------------------------------------------------------------------------------

System Environment Variables

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Chemist by Day\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LINDSAY-LAPTOP
ComSpec=C:\windows\system32\cmd.exe
errcode=0
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Chemist by Day
LOGONSERVER=\\LINDSAY-LAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\windows\system32;C:\windows;C:\windows\system32\wbem;C:\Program Files\MATLAB\R2006b\bin;C:\Program Files\MATLAB\R2006b\bin\win32;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d06
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\windows
TEMP=C:\DOCUME~1\CHEMIS~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\CHEMIS~1\LOCALS~1\Temp
USERDOMAIN=LINDSAY-LAPTOP
USERNAME=Chemist by Day
USERPROFILE=C:\Documents and Settings\Chemist by Day
windir=C:\windows

------------------------------------------------------------------------------------

Showing any Pocket Killbox backup files

No matches found.

------------------------------------------------------------------------------------

Displaying BOOT.INI:

c:\peboot.bin="Boot BartPE (by PE Builder)"

------------------------------------------------------------------------------------

Displaying SYSTEM.INI:

; for 16-bit app support

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON

------------------------------------------------------------------------------------

Displaying WIN.INI:

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMCDLLNAME=mapi.dll
CMC=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo2
asx=MPEGVideo2
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo2
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo2
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo2
wm=MPEGVideo2
wma=MPEGVideo2
wmv=MPEGVideo2
wmx=MPEGVideo2
wvx=MPEGVideo2
wpl=MPEGVideo
[ActiveScan]
ID = {815C7763-07AC-4E58-B5CA-058160A48CB4}

------------------------------------------------------------------------------------

Displaying AUTOEXEC.BAT:


------------------------------------------------------------------------------------

Displaying CONFIG.SYS:


------------------------------------------------------------------------------------

Displaying LOG for Microsoft Windows Malicious Software Removal Tool:

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.23, December 2006
Started On Tue Dec 26 13:22:44 2006

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Tue Dec 26 13:22:56 2006


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.24, January 2007
Started On Thu Jan 11 00:19:02 2007

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu Jan 11 00:19:19 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.25, February 2007
Started On Wed Feb 14 03:01:12 2007

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Feb 14 03:01:36 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.27, March 2007
Started On Sat Mar 17 02:00:37 2007

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Sat Mar 17 02:00:55 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.28, April 2007
Started On Fri Apr 13 03:01:05 2007

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Fri Apr 13 03:01:22 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.29, May 2007
Started On Wed May 09 03:00:41 2007

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed May 09 03:01:53 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.30, June 2007
Started On Thu Jun 14 08:56:02 2007

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu Jun 14 08:57:21 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.30, June 2007
Started On Mon Jul 09 12:31:56 2007

Extended Scan Results
----------------
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\System Volume Information\_restore{BDBBC479-CA85-4D56-9939-F29E82DD6B3C}\RP232\A0023049.msi->(MSI Stream 42) (code 0x0000000B (11))
->Scan ERROR: resource file://C:\WINDOWS\Installer\d8eaaf.msi->(MSI Stream 73) (code 0x0000000B (11))
No infection found as part of the extended scan

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Mon Jul 09 15:13:15 2007

----------------------------------------------------------------------------
Listing HKCU Explorer\Advanced//Hidden and SuperHidden Registry Keys
if Hidden = 0 then Hidden Files and Folders are not shown
if SuperHidden = 1 is the desired default value.
if ShowSuperHidden = 0 then System Files are not shown
if HideFileExt = 1 then File Extension are not shown
We want their values to be (from top to bottom) 1,1,1,0
----------------------------------------------------------------------------

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced
Hidden REG_DWORD 1 (0x1)
SuperHidden REG_DWORD 1 (0x1)
ShowSuperHidden REG_DWORD 1 (0x1)
HideFileExt REG_DWORD 0 (0x0)

************************************************************************************

Examining Select Windows Registry Keys
------------------------------------------------------------------------------------

--------------------------------------------------------------------------
Items Found in ZoneMap\Domains:
--------------------------------------------------------------------------



HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\internet settings\zonemap\domains
<NO NAME> REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\internet settings\zonemap\domains\msn.com

----------------------------------------------------------------------------
Current User ZoneMap ProtocolDefaults
----------------------------------------------------------------------------



HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\protocoldefaults
<NO NAME> REG_SZ
http REG_DWORD 3 (0x3)
https REG_DWORD 3 (0x3)
ftp REG_DWORD 3 (0x3)
file REG_DWORD 3 (0x3)
@ivt REG_DWORD 1 (0x1)
shell REG_DWORD 0 (0x0)

----------------------------------------------------------------------------
Default URL Prefix Keys
----------------------------------------------------------------------------



HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\url

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\url\DefaultPrefix
<NO NAME> REG_SZ http://

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\url\Prefixes
ftp REG_SZ ftp://
gopher REG_SZ gopher://
home REG_SZ http://
mosaic REG_SZ http://
www REG_SZ http://

--------------------------------------------------------------------------
Startup Items Disabled via MSCONFIG:
--------------------------------------------------------------------------


--------------------------------------------------------------------------
Select AutoRun Registry Keys:
--------------------------------------------------------------------------



HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
ctfmon.exe REG_SZ C:\windows\system32\ctfmon.exe
MSMSGS REG_SZ "C:\Program Files\Messenger\MSMSGS.EXE" /background
BitTorrent REG_SZ "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized


HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce


HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
igfxtray REG_SZ C:\windows\System32\igfxtray.exe
igfxhkcmd REG_SZ C:\windows\System32\hkcmd.exe
igfxpers REG_SZ C:\windows\System32\igfxpers.exe
Broadcom Wireless Manager UI REG_SZ C:\windows\System32\WLTRAY.exe
ccApp REG_SZ "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray REG_SZ C:\PROGRA~1\SYMANT~1\VPTray.exe
QuickTime Task REG_SZ "C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched REG_SZ "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
!AVG Anti-Spyware REG_SZ "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents


HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce


HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex


HKEY_USERS\.default\software\microsoft\windows\currentversion\run


HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run


HKEY_USERS\s-1-5-19\software\microsoft\windows\currentversion\run


HKEY_USERS\s-1-5-20\software\microsoft\windows\currentversion\run

--------------------------------------------------------------------------
WinLogon Notify Registry Key:
--------------------------------------------------------------------------



HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
Asynchronous REG_DWORD 0 (0x0)
Impersonate REG_DWORD 0 (0x0)
DllName REG_EXPAND_SZ crypt32.dll
Logoff REG_SZ ChainWlxLogoffEvent

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
Asynchronous REG_DWORD 0 (0x0)
Impersonate REG_DWORD 0 (0x0)
DllName REG_EXPAND_SZ cryptnet.dll
Logoff REG_SZ CryptnetWlxLogoffEvent

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
DLLName REG_SZ cscdll.dll
Logon REG_SZ WinlogonLogonEvent
Logoff REG_SZ WinlogonLogoffEvent
ScreenSaver REG_SZ WinlogonScreenSaverEvent
Startup REG_SZ WinlogonStartupEvent
Shutdown REG_SZ WinlogonShutdownEvent
StartShell REG_SZ WinlogonStartShellEvent
Impersonate REG_DWORD 0 (0x0)
Asynchronous REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igfxcui
<NO NAME> REG_SZ
DLLName REG_SZ igfxdev.dll
Asynchronous REG_DWORD 1 (0x1)
Impersonate REG_DWORD 1 (0x1)
Unlock REG_SZ WinlogonUnlockEvent

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon
Logoff REG_SZ NavLogoffEvent
DllName REG_SZ C:\windows\system32\NavLogon.dll
StartShell REG_SZ NavStartShellEvent
LoginDomain REG_SZ LINDSAY-LAPTOP

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
DLLName REG_SZ wlnotify.dll
Logon REG_SZ SCardStartCertProp
Logoff REG_SZ SCardStopCertProp
Lock REG_SZ SCardSuspendCertProp
Unlock REG_SZ SCardResumeCertProp
Enabled REG_DWORD 1 (0x1)
Impersonate REG_DWORD 1 (0x1)
Asynchronous REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
Asynchronous REG_DWORD 0 (0x0)
DllName REG_EXPAND_SZ wlnotify.dll
Impersonate REG_DWORD 0 (0x0)
StartShell REG_SZ SchedStartShell
Logoff REG_SZ SchedEventLogOff

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
Logoff REG_SZ WLEventLogoff
Impersonate REG_DWORD 0 (0x0)
Asynchronous REG_DWORD 1 (0x1)
DllName REG_EXPAND_SZ sclgntfy.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
DLLName REG_SZ WlNotify.dll
Lock REG_SZ SensLockEvent
Logon REG_SZ SensLogonEvent
Logoff REG_SZ SensLogoffEvent
Safe REG_DWORD 1 (0x1)
MaxWait REG_DWORD 600 (0x258)
StartScreenSaver REG_SZ SensStartScreenSaverEvent
StopScreenSaver REG_SZ SensStopScreenSaverEvent
Startup REG_SZ SensStartupEvent
Shutdown REG_SZ SensShutdownEvent
StartShell REG_SZ SensStartShellEvent
PostShell REG_SZ SensPostShellEvent
Disconnect REG_SZ SensDisconnectEvent
Reconnect REG_SZ SensReconnectEvent
Unlock REG_SZ SensUnlockEvent
Impersonate REG_DWORD 1 (0x1)
Asynchronous REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
Asynchronous REG_DWORD 0 (0x0)
DllName REG_EXPAND_SZ wlnotify.dll
Impersonate REG_DWORD 0 (0x0)
Logoff REG_SZ TSEventLogoff
Logon REG_SZ TSEventLogon
PostShell REG_SZ TSEventPostShell
Shutdown REG_SZ TSEventShutdown
StartShell REG_SZ TSEventStartShell
Startup REG_SZ TSEventStartup
MaxWait REG_DWORD 600 (0x258)
Reconnect REG_SZ TSEventReconnect
Disconnect REG_SZ TSEventDisconnect

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon
EulaAccepted REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
DLLName REG_SZ wlnotify.dll
Logon REG_SZ RegisterTicketExpiredNotificationEvent
Logoff REG_SZ UnregisterTicketExpiredNotificationEvent
Impersonate REG_DWORD 1 (0x1)
Asynchronous REG_DWORD 1 (0x1)

--------------------------------------------------------------------------
Shared Task Scheduler Registry Items:
--------------------------------------------------------------------------



HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon

--------------------------------------------------------------------------
Scheduled Tasks:
--------------------------------------------------------------------------

Volume in drive C has no label.
Volume Serial Number is 5487-E935

Directory of C:\windows\tasks

12/25/2006 02:25 PM <DIR> .
12/25/2006 02:25 PM <DIR> ..
01/08/2004 10:21 AM 65 desktop.ini
07/09/2007 08:30 PM 6 SA.DAT
2 File(s) 71 bytes

Total Files Listed:
2 File(s) 71 bytes
2 Dir(s) 68,257,574,912 bytes free
HR C:\windows\tasks\desktop.ini
A H C:\windows\tasks\SA.DAT

----------------------------------------------------------------------------
ShellExecuteHooks Registry Keys
----------------------------------------------------------------------------



HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks
{AEB6717E-7E19-11d0-97EE-00C04FD91972} REG_SZ
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} REG_SZ AVG Anti-Spyware 7.5

----------------------------------------------------------------------------
ShellServiceObjectDelayLoad Registry Keys
----------------------------------------------------------------------------



HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload
PostBootReminder REG_SZ {7849596a-48ea-486e-8937-a2a3009f31a9}
CDBurn REG_SZ {fbeb8a05-beee-4442-804e-409d6c4515e9}
WebCheck REG_SZ {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
SysTray REG_SZ {35CEC8A3-2BE6-11D2-8773-92E220524153}

----------------------------------------------------------------------------
ModuleUsage Registry Keys:
----------------------------------------------------------------------------



HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/windows/Downloaded Program Files/asinst.dll
.Owner REG_SZ {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/windows/Downloaded Program Files/GeacRevw.ocx
.Owner REG_SZ {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E}
{83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/windows/Downloaded Program Files/MLXClientUtils.dll
.Owner REG_SZ {6FD482A3-7B57-438B-B040-52CAA30147EE}
{6FD482A3-7B57-438B-B040-52CAA30147EE} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/windows/Downloaded Program Files/MultiSelectComboBox.dll
.Owner REG_SZ {4989312D-58CF-11D5-A7D7-00E02911103E}
{4989312D-58CF-11D5-A7D7-00E02911103E} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/windows/system32/GeacView.dll
.Owner REG_SZ {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E}
{83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/windows/system32/MFC71.dll
.Owner REG_SZ Unknown Owner
{6FD482A3-7B57-438B-B040-52CAA30147EE} REG_SZ
{4989312D-58CF-11D5-A7D7-00E02911103E} REG_SZ
{83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/windows/system32/missouri.dll
.Owner REG_SZ {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E}
{83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/windows/system32/msvcr71.dll
.Owner REG_SZ Unknown Owner
{6FD482A3-7B57-438B-B040-52CAA30147EE} REG_SZ
{4989312D-58CF-11D5-A7D7-00E02911103E} REG_SZ
{83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/windows/System32/wuweb.dll
.Owner REG_SZ {6414512B-B978-451D-A0D8-FCFDF33E833C}
{6414512B-B978-451D-A0D8-FCFDF33E833C} REG_SZ

----------------------------------------------------------------------------
BHO Registry Keys:
----------------------------------------------------------------------------



HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{53707962-6F74-2D53-2644-206D7942484F}

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
NoExplorer REG_DWORD 1 (0x1)

--------------------------------------------------------------------------
Select Policy Keys:
--------------------------------------------------------------------------



HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer
NoDriveTypeAutoRun REG_DWORD 145 (0x91)


HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)


HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system
dontdisplaylastusername REG_DWORD 0 (0x0)
legalnoticecaption REG_SZ
legalnoticetext REG_SZ
shutdownwithoutlogon REG_DWORD 1 (0x1)
undockwithoutlogon REG_DWORD 1 (0x1)


HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer
NoDriveTypeAutoRun REG_DWORD 145 (0x91)


HKEY_USERS\.default\software\microsoft\windows\currentversion\policies

HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\Explorer


HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer
NoDriveTypeAutoRun REG_DWORD 145 (0x91)

************************************************************************************

Checking File System for suspicious Files

--------------------------------------------------------------------------
Items in the Root Directory:
--------------------------------------------------------------------------

Locating all files created in C:\

"C:\"
801AAC~1 Dec 26 2006 "801aacb8c3be531c00"
ACDFREE8 Jan 23 2007 "ACDFREE8"
autoexec.bat Dec 25 2006 0 "AUTOEXEC.BAT"
boot.ini Dec 25 2006 46 "boot.ini"
CONFIG.MSI May 17 2007 "Config.Msi"
config.sys Dec 25 2006 0 "CONFIG.SYS"
CYGWIN Mar 28 2007 "cygwin"
DELL Dec 25 2006 "dell"
DOCUME~1 Dec 25 2006 "Documents and Settings"
DOWNLO~1 Jun 26 2007 "downloadedTemplate"
helpas~1.htm Jun 26 2007 6473 "helpasapcontact.htm"
helpas~2.htm Jun 26 2007 83 "helpasapabout.htm"
io.sys Dec 25 2006 0 "IO.SYS"
ISEEYO~1 Jul 9 2007 "ISeeYouXP"
MININT Dec 25 2006 "minint"
msdos.sys Dec 25 2006 0 "MSDOS.SYS"
MSOCACHE Dec 25 2006 "MSOCache"
ntdetect.com Dec 26 2006 47564 "NTDETECT.COM"
ntldr Dec 26 2006 250032 "ntldr"
pagefile.sys Jul 9 2007 780140544 "pagefile.sys"
peboot.bin Dec 25 2006 8192 "peboot.bin"
peldr Aug 28 2002 245920 "peldr"
PROGRA~1 Dec 25 2006 "Program Files"
RECYCLER Dec 27 2006 "RECYCLER"
SFSCHLR Dec 26 2006 "SFSCHLR"
SFSCHO~1 Dec 26 2006 "SFScholarToolbar"
SYSTEM~1 Dec 25 2006 "System Volume Information"
WINDOWS Dec 25 2006 "WINDOWS"

28 items found: 12 files (6 H/S), 16 directories (4 H/S).
Total of file sizes: 780,698,854 bytes 744.53 M

--------------------------------------------------------------------------
Locating all Backup files on C:
--------------------------------------------------------------------------

Locating all *.BAK* files

"C:\WINDOWS\"
imsins.bak Jun 14 2007 1374 "imsins.BAK"

"C:\WINDOWS\inf\"
mplayer2.bak Jan 8 2004 18755 "mplayer2.bak"

"C:\WINDOWS\Debug\UserMode\"
userenv.bak Jul 1 2007 311338 "userenv.bak"

"C:\Program Files\Apache Group\Apache2\conf\"
httpdc~1.bak May 17 2007 34426 "httpd.conf.bak"
mimety~1.bak May 17 2007 15612 "mime.types.bak"

"C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\"
brndlog.bak Dec 25 2006 113 "brndlog.bak"

"C:\Documents and Settings\Administrator.LINDSAY-LAPTOP\Application Data\Microsoft\Internet Explorer\"
brndlog.bak Dec 25 2006 113 "brndlog.bak"

"C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\"
settings.bak Jul 9 2007 130908 "settings.bak"

"C:\Documents and Settings\Chemist by Day\Application Data\Microsoft\Internet Explorer\"
brndlog.bak Dec 25 2006 141 "brndlog.bak"

"C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\"
brndlog.bak Dec 25 2006 113 "brndlog.bak"

"C:\Documents and Settings\Lindsay\Application Data\Microsoft\Internet Explorer\"
brndlog.bak Dec 25 2006 141 "brndlog.bak"

"C:\WINDOWS\PCHealth\HelpCtr\Config\Cache\"
profes~1.bak Dec 26 2006 170684 "Professional_32_1033.dat.bak"

"C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\"
opa11.bak Oct 17 2002 8200 "OPA11.BAK"

"C:\Documents and Settings\Lindsay\Application Data\Intel\Wireless\WLANProfiles\"
profil~1.bak Jan 15 2007 11904 "Profiles.enc.bak"

"C:\Documents and Settings\Administrator.LINDSAY-LAPTOP\Application Data\Mozilla\Firefox\Profiles\vb3x18jq.default\"
bookma~1.bak Jul 9 2007 7191 "bookmarks.bak"

"C:\Documents and Settings\Chemist by Day\Application Data\Mozilla\Firefox\Profiles\kezqkn8x.default\"
bookma~1.bak Jul 9 2007 17395 "bookmarks.bak"
bookma~2.bak Jun 13 2007 17395 "bookmarks.html.sbsd.bak"

"C:\Documents and Settings\Lindsay\Application Data\Mozilla\Firefox\Profiles\vi2rarfs.default\"
bookma~1.bak Jun 29 2007 7191 "bookmarks.bak"

"C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\"
brndlog.bak Dec 25 2006 113 "brndlog.bak"

"C:\Program Files\MATLAB\R2006b\toolbox\rtw\targets\tasking\tasking\default_project_options\c166\ede\"
apd9fc~1.bak Aug 4 2006 3488 "app_c167cs_sim.bak"
app_c1~1.bak Aug 4 2006 3277 "app_c166_sim.bak"
app_c1~2.bak Aug 4 2006 3478 "app_c167cr_hw.bak"
app_c1~3.bak Aug 4 2006 3381 "app_c167cr_sim.bak"
app_c1~4.bak Aug 4 2006 3637 "app_c167cs_hw.bak"
app_st~1.bak Aug 4 2006 3598 "app_st10f269_hw.bak"
app_st~2.bak Aug 4 2006 3449 "app_st10f269_sim.bak"
app_xc~1.bak Aug 4 2006 3650 "app_xc167ci_hw.bak"
app_xc~2.bak Aug 4 2006 3556 "app_xc167ci_sim.bak"
lib_c1~1.bak Aug 4 2006 7383 "lib_c166_sim.bak"
lib_c1~2.bak Aug 4 2006 7414 "lib_c167cr_hw.bak"
lib_c1~3.bak Aug 4 2006 7426 "lib_c167cr_sim.bak"
lib_c1~4.bak Aug 4 2006 7414 "lib_c167cs_hw.bak"
lib_st~1.bak Aug 4 2006 7436 "lib_st10f269_hw.bak"
lib_st~2.bak Aug 4 2006 7448 "lib_st10f269_sim.bak"
lib_xc~1.bak Aug 4 2006 7427 "lib_xc167ci_hw.bak"
lib_xc~2.bak Aug 4 2006 7439 "lib_xc167ci_sim.bak"
lic8ab~1.bak Aug 4 2006 7426 "lib_c167cs_sim.bak"

"C:\Program Files\MATLAB\R2006b\toolbox\rtw\targets\tasking\tasking\default_project_options\c563\ede\"
app_ds~1.bak Aug 4 2006 3295 "app_dsp563xx_sim.bak"
app_ds~2.bak Aug 4 2006 3345 "app_dsp566xx_sim.bak"
lib_ds~1.bak Aug 4 2006 6121 "lib_dsp563xx_sim.bak"
lib_ds~2.bak Aug 4 2006 6171 "lib_dsp566xx_sim.bak"

"C:\Program Files\MATLAB\R2006b\toolbox\rtw\targets\tasking\tasking\default_project_options\carm\ede\"
app_ar~1.bak Aug 4 2006 3194 "app_arm_sim.bak"
app_ar~2.bak Aug 4 2006 3229 "app_arm_sim_big_endian.bak"
lib_ar~1.bak Aug 4 2006 4917 "lib_arm_sim.bak"
lib_ar~2.bak Aug 4 2006 5007 "lib_arm_sim_big_endian.bak"

"C:\Program Files\MATLAB\R2006b\toolbox\rtw\targets\tasking\tasking\default_project_options\cc51\ede\"
app_i8~1.bak Aug 4 2006 3315 "app_i8051_sim.bak"
lib_i8~1.bak Aug 4 2006 4689 "lib_i8051_sim.bak"

"C:\Program Files\MATLAB\R2006b\toolbox\rtw\targets\tasking\tasking\default_project_options\cm16c\ede\"
app_m1~1.bak Aug 4 2006 3278 "app_m16c_sim.bak"
app_r8~1.bak Aug 4 2006 3343 "app_r8ctiny_sim.bak"
lib_m1~1.bak Aug 4 2006 5678 "lib_m16c_sim.bak"
lib_r8~1.bak Aug 4 2006 5761 "lib_r8ctiny_sim.bak"

"C:\Program Files\MATLAB\R2006b\toolbox\rtw\targets\tasking\tasking\default_project_options\ctc\ede\"
app_tr~1.bak Aug 4 2006 3950 "app_tricore_1766b.bak"
app_tr~2.bak Aug 4 2006 4019 "app_tricore_1796b.bak"
app_tr~3.bak Aug 4 2006 3327 "app_tricore_sim.bak"
app_tr~4.bak Aug 4 2006 3563 "app_tricore_sim_misra.bak"
lib_tr~1.bak Aug 4 2006 7101 "lib_tricore_1766b.bak"
lib_tr~2.bak Aug 4 2006 7170 "lib_tricore_1796b.bak"
lib_tr~3.bak Aug 4 2006 6460 "lib_tricore_sim.bak"
lib_tr~4.bak Aug 4 2006 6514 "lib_tricore_sim_misra.bak"

59 items found: 59 files, 0 directories.
Total of file sizes: 954,881 bytes 932.50 K

--------------------------------------------------------------------------
Locating all copies of Internet Explorer on C:
--------------------------------------------------------------------------

Locating all copies of Internet Explorer

"C:\Program Files\Internet Explorer\"
iexplore.exe Aug 4 2004 93184 "iexplore.exe"

"C:\WINDOWS\$NtServicePackUninstall$\"
iexplore.exe Aug 28 2002 91136 "iexplore.exe"

"C:\WINDOWS\ServicePackFiles\i386\"
iexplore.exe Aug 4 2004 93184 "iexplore.exe"

3 items found: 3 files, 0 directories.
Total of file sizes: 277,504 bytes 271.00 K

--------------------------------------------------------------------------
Locating all copies of Windows Explorer on C:
--------------------------------------------------------------------------

Locating all copies of Windows Explorer

"C:\WINDOWS\"
explorer.exe Aug 4 2004 1032192 "explorer.exe"

"C:\WINDOWS\$NtServicePackUninstall$\"
explorer.exe Aug 28 2002 1004032 "explorer.exe"

"C:\WINDOWS\ServicePackFiles\i386\"
explorer.exe Aug 4 2004 1032192 "explorer.exe"

3 items found: 3 files, 0 directories.
Total of file sizes: 3,068,416 bytes 2.93 M

--------------------------------------------------------------------------
Items in Document and Settings:
--------------------------------------------------------------------------

Listing contents of C:\Documents and Settings

"C:\Documents and Settings\"
ADMINI~1 Jul 9 2007 "Administrator"
ADMINI~1.LIN Jul 9 2007 "Administrator.LINDSAY-LAPTOP"
ALLUSE~1 Dec 25 2006 "All Users"
CHEMIS~1 Dec 25 2006 "Chemist by Day"
DEFAUL~1 Dec 25 2006 "Default User"
LINDSAY Dec 25 2006 "Lindsay"
LOCALS~1 Dec 25 2006 "LocalService"
NETWOR~1 Dec 25 2006 "NetworkService"

8 items found: 0 files, 8 directories (3 H/S).

--------------------------------------------------------------------------
Desktop Items:
--------------------------------------------------------------------------

Locating all files created in C:\Documents and Settings\Chemist by Day\Desktop within the last 90 days.

"C:\Documents and Settings\Chemist by Day\Desktop\"
081_nu~1.pdf May 29 2007 134837 "081_Nutri_Coat_WT_MSDS.pdf"
append~1.pdf Jul 5 2007 109579 "Appendix_C_FinalUpdated.pdf"
ata.pdf May 27 2007 406367 "ATA.pdf"
bombal~1.txt Jun 7 2007 51809 "bombalski.txt"
bombnew.txt Jun 7 2007 9197 "bombnew.txt"
boyes.doc Jun 27 2007 24064 "Boyes.doc"
deet07~1.doc May 8 2007 43008 "DEET 07.doc"
DLS May 21 2007 "DLS"
f_ma00~1.pdf Jun 27 2007 160553 "f_ma00123a031.pdf"
google~1.exe May 11 2007 15714552 "Google_Earth_BZXD.exe"
greeti~1.doc May 21 2007 550400 "GreetingsINVITE.doc"
HERM May 20 2007 "Herm"
julybi~1.xls Jul 1 2007 15872 "Julybills.xls"
JUNE07 Jun 8 2007 "June07"
launch~1.lnk Jul 5 2007 2527 "Launch Google Earth.lnk"
MAY07 May 22 2007 "May07"
netboot.htm Apr 14 2007 18651 "Netboot.htm"
nvu.lnk Jun 26 2007 568 "Nvu.lnk"
particle.txt May 1 2007 12401 "particle.txt"
quasit~3.doc Apr 30 2007 3980800 "QuasitransparentHybridParticles_BombalskiEtAlLB2.doc"
quickt~1.lnk May 28 2007 1656 "Quick Terrain Reader.lnk"
rock.pdf Jul 5 2007 27754 "rock.pdf"
solven~1.doc May 14 2007 72704 "SOLVENTRefractive Index.doc"
SURFAC~1 Jun 27 2007 "SurfaceReviewArticles"
surfac~1.zip Jun 27 2007 7657751 "SurfaceReviewArticles.zip"
surger~1.doc Jul 6 2007 33280 "Surgery isn.doc"
TEMDP1~1 Jul 2 2007 "TEM DP10"
TEMPLA~1 Jun 26 2007 "TemplateExpress"
WORDPR~1.2 May 17 2007 "wordpress-2.2"

29 items found: 21 files, 8 directories.
Total of file sizes: 29,028,330 bytes 27.68 M

Locating all files created in C:\Documents and Settings\All Users\Desktop\ within the last 90 days.

"C:\Documents and Settings\All Users\Desktop\"
avgant~1.lnk Jul 9 2007 849 "AVG Anti-Spyware.lnk"

1 item found: 1 file, 0 directories.
Total of file sizes: 849 bytes 0.83 K

--------------------------------------------------------------------------
Start Menu Items:
--------------------------------------------------------------------------

Locating all files created inC:\Documents and Settings\Chemist by Day\Start Menu within the last 90 days.

No matches found.

Locating all files created in C:\Documents and Settings\Chemist by Day\Start Menu\Programs\Startup within the last 90 days.

No matches found.

Locating all files created in C:\Documents and Settings\All Users\Start Menu within the last 90 days.

No matches found.

Locating all files created in C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ within the last 90 days.

"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\"
vpncli~1.lnk Jul 9 2007 2447 "VPN Client.lnk"

1 item found: 1 file, 0 directories.
Total of file sizes: 2,447 bytes 2.39 K

--------------------------------------------------------------------------
Application Data Items:
--------------------------------------------------------------------------

Locating all files created in C:\Documents and Settings\Chemist by Day\Application Data\ within the last 90 days.

"C:\Documents and Settings\Chemist by Day\Application Data\"
GOOGLE May 11 2007 "Google"
GRISOFT Jul 9 2007 "Grisoft"
NVU Jun 26 2007 "Nvu"

3 items found: 0 files, 3 directories.

Locating all files created in C:\Documents and Settings\Chemist by Day\Local Settings\Application Data\ within the last 90 days.

"C:\Documents and Settings\Chemist by Day\Local Settings\Application Data\"
dcbc2a~1.ini May 2 2007 28160 "DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini"
GOOGLE May 11 2007 "Google"

2 items found: 1 file, 1 directory.
Total of file sizes: 28,160 bytes 27.50 K

Locating all files created in C:\Documents and Settings\All Users\Application Data\ within the last 90 days.

"C:\Documents and Settings\All Users\Application Data\"
ADOBE May 17 2007 "Adobe"
GRISOFT Jul 9 2007 "Grisoft"
KASPER~1 Jul 9 2007 "Kaspersky Lab"
MSN6 Jul 9 2007 "MSN6"

4 items found: 0 files, 4 directories.

--------------------------------------------------------------------------
C:\Documents and Settings\Chemist by Day\Local Settings\TEMP:
--------------------------------------------------------------------------

Locating all files created in C:\Documents and Settings\Chemist by Day\Local Settings\TEMP within the last 90 days.

--------------------------------------------------------------------------
Items in Templates Folder:
--------------------------------------------------------------------------

Locating all files created in C:\Documents and Settings\Chemist by Day\Templates

"C:\Documents and Settings\Chemist by Day\Templates\"
amipro.sam Jan 8 2004 4570 "amipro.sam"
excel.xls Jan 8 2004 5632 "excel.xls"
excel4.xls Jan 8 2004 1518 "excel4.xls"
lotus.wk4 Jan 8 2004 2448 "lotus.wk4"
powerpnt.ppt Jan 8 2004 12288 "powerpnt.ppt"
presenta.shw Jan 8 2004 461 "presenta.shw"
quattro.wb2 Jan 8 2004 4017 "quattro.wb2"
sndrec.wav Jan 8 2004 58 "sndrec.wav"
winword.doc Jan 8 2004 4608 "winword.doc"
winword2.doc Jan 8 2004 1769 "winword2.doc"
wordpfct.wpd Jan 8 2004 30 "wordpfct.wpd"
wordpfct.wpg Jan 8 2004 57 "wordpfct.wpg"

12 items found: 12 files, 0 directories.
Total of file sizes: 37,456 bytes 36.58 K

--------------------------------------------------------------------------
Items in Program Files:
--------------------------------------------------------------------------

Locating all files created in C:\Program Files\ within the last 90 days.

"C:\Program Files\"
APACHE~1 May 17 2007 "Apache Group"
GOOGLE May 11 2007 "Google"
GRISOFT Jul 9 2007 "Grisoft"
HJT Jul 9 2007 "HJT"
MYSQL May 17 2007 "MySQL"
NVU Jun 26 2007 "Nvu"
PHP May 17 2007 "PHP"
QUICKT~2 May 28 2007 "Quick Terrain Reader"

8 items found: 0 files, 8 directories.

Locating all files created in C:\Program Files\Common Files\ within the last 90 days.

No matches found.

Locating all files created in C:\Program Files\Common Files\Microsoft Shared\Web Folders within the last 90 days.

No matches found.

--------------------------------------------------------------------------
Items in the Windows Directory:
--------------------------------------------------------------------------

Locating all files created in C:\windows\ within the last 90 days.

"C:\WINDOWS\"
$N20DA~1 Apr 13 2007 "$NtUninstallKB931261$"
$N30DA~2 Jun 14 2007 "$NtUninstallKB935840$"
$N30DC~1 Jun 14 2007 "$NtUninstallKB929123$"
$N4009~1 May 23 2007 "$NtUninstallKB927891$"
$N50EE~1 Apr 13 2007 "$NtUninstallKB931784$"
$N64D6~1 Apr 13 2007 "$NtUninstallKB932168$"
$N64D6~2 Apr 13 2007 "$NtUninstallKB930178$"
$N68D6~1 Jun 14 2007 "$NtUninstallKB933566$"
$N70DE~1 May 9 2007 "$NtUninstallKB931768$"
$N74A6~1 May 9 2007 "$NtUninstallKB930916$"
$N88C2~1 Jun 14 2007 "$NtUninstallKB935839$"
0.log Jul 9 2007 0 "0.log"
comsetup.log Jun 14 2007 229237 "comsetup.log"
CSC Jul 9 2007 "CSC"
faxsetup.log Jun 14 2007 937624 "FaxSetup.log"
iis6.log Jun 14 2007 1088716 "iis6.log"
imsins.bak Jun 14 2007 1374 "imsins.BAK"
imsins.log Jun 14 2007 1374 "imsins.log"
kb927891.log May 23 2007 7599 "KB927891.log"
kb929123.log Jun 14 2007 12538 "KB929123.log"
kb930178.log Apr 13 2007 12513 "KB930178.log"
kb930916.log May 9 2007 10432 "KB930916.log"
kb931261.log Apr 13 2007 12208 "KB931261.log"
kb931768.log May 9 2007 12654 "KB931768.log"
kb931784.log Apr 13 2007 14033 "KB931784.log"
kb932168.log Apr 13 2007 12305 "KB932168.log"
kb933566.log Jun 14 2007 18967 "KB933566.log"
kb935839.log Jun 14 2007 10994 "KB935839.log"
kb935840.log Jun 14 2007 10987 "KB935840.log"
matlab.ini May 1 2007 157 "matlab.ini"
medctroc.log Jun 14 2007 65594 "MedCtrOC.log"
MINIDUMP Jul 6 2007 "Minidump"
msgsocm.log Jun 14 2007 47149 "msgsocm.log"
msmqinst.log Jun 14 2007 302482 "msmqinst.log"
netfxocm.log Jun 14 2007 165235 "netfxocm.log"
ntbtlog.txt Jul 9 2007 379976 "ntbtlog.txt"
ntdtcs~1.log Jun 14 2007 138389 "ntdtcsetup.log"
ocgen.log Jun 14 2007 471724 "ocgen.log"
ocmsn.log Jun 14 2007 28904 "ocmsn.log"
qtfont.for May 5 2007 1409 "QTFont.for"
qtfont.qfn Jul 6 2007 54156 "QTFont.qfn"
QUICKT~1 May 28 2007 "Quick Terrain Reader"
schedlgu.txt Jul 9 2007 2226 "SchedLgU.Txt"
setupapi.log Jul 9 2007 838058 "setupapi.log"
tabletoc.log Jun 14 2007 48121 "tabletoc.log"
thumbs.db Jun 12 2007 7168 "Thumbs.db"
tsoc.log Jun 14 2007 436071 "tsoc.log"
updspapi.log Jun 14 2007 83563 "updspapi.log"
vpc32.ini Jul 9 2007 0 "VPC32.INI"
wiadebug.log Jun 22 2007 411 "wiadebug.log"
wiaservc.log Jun 22 2007 49 "wiaservc.log"
win.ini Jul 9 2007 642 "win.ini"
window~2.log Jul 9 2007 60240 "WindowsUpdate.log"
wmsetup.log Jul 5 2007 28755 "wmsetup.log"

54 items found: 40 files (2 H/S), 14 directories (11 H/S).
Total of file sizes: 5,554,034 bytes 5.29 M

--------------------------------------------------------------------------
C:\windows\Downloaded Program Files:
--------------------------------------------------------------------------

Locating all files created in C:\windows\Downloaded Program Files\ within the last 90 days.

No matches found.

--------------------------------------------------------------------------
C:\windows\PCHealth\HelpCtr\Binaries:
--------------------------------------------------------------------------

Locating all files in C:\windows\PCHealth\HelpCtr\Binaries

"C:\WINDOWS\PCHealth\HelpCtr\Binaries\"
brpinfo.dll Jan 8 2004 21504 "brpinfo.dll"
hcappres.dll Jan 8 2004 6656 "HCAppRes.dll"
helpctr.exe Aug 4 2004 768512 "helpctr.exe"
helphost.exe Jan 8 2004 99840 "HelpHost.exe"
helpsvc.exe Aug 4 2004 743936 "helpsvc.exe"
hscmui.cab Jul 17 2004 68327 "hscmui.cab"
hscsp_w3.cab Jul 17 2004 305145 "hscsp_w3.cab"
hscupd.exe Aug 4 2004 18944 "hscupd.exe"
msconfig.exe Aug 4 2004 158208 "msconfig.exe"
msinfo.dll Aug 4 2004 376320 "msinfo.dll"
notiflag.exe Jan 8 2004 35328 "notiflag.exe"
pchdt_w3.cab Aug 28 2002 2330186 "pchdt_w3.cab"
pchshell.dll Aug 4 2004 102400 "pchshell.dll"
pchsvc.dll Aug 4 2004 38912 "pchsvc.dll"

14 items found: 14 files, 0 directories.
Total of file sizes: 5,074,218 bytes 4.84 M

--------------------------------------------------------------------------
C:\windows\system:
--------------------------------------------------------------------------

Locating all files created in C:\windows\system within the last 90 days.

No matches found.

--------------------------------------------------------------------------
C:\windows\system32:
--------------------------------------------------------------------------

Locating all files created in C:\windows\system32 within the last 90 days.

"C:\WINDOWS\system32\"
ACTIVE~1 Jul 9 2007 "ActiveScan"
asfiles.txt Jul 9 2007 0 "asfiles.txt"
browseui.dll Apr 18 2007 1023488 "browseui.dll"
cdfview.dll Apr 18 2007 151040 "cdfview.dll"
cdm.dll Apr 16 2007 92504 "cdm.dll"
danim.dll Apr 18 2007 1054208 "danim.dll"
dxtmsft.dll Apr 18 2007 357888 "dxtmsft.dll"
dxtrans.dll Apr 18 2007 205312 "dxtrans.dll"
extmgr.dll Apr 18 2007 55808 "extmgr.dll"
help.ico Jul 9 2007 1406 "Help.ico"
iepeers.dll Apr 18 2007 251392 "iepeers.dll"
inetcomm.dll May 16 2007 683520 "inetcomm.dll"
inseng.dll Apr 18 2007 96256 "inseng.dll"
jsproxy.dll Apr 18 2007 16384 "jsproxy.dll"
KASPER~1 Jul 9 2007 "Kaspersky Lab"
kernel32.dll Apr 16 2007 984576 "kernel32.dll"
mrt.exe Jun 5 2007 15747032 "MRT.exe"
mshtml.dll May 4 2007 3058688 "mshtml.dll"
mshtmled.dll Apr 18 2007 449024 "mshtmled.dll"
msi.dll Apr 18 2007 2854400 "msi.dll"
msrating.dll Apr 18 2007 146432 "msrating.dll"
mstime.dll Apr 18 2007 532480 "mstime.dll"
pavas.ico Jul 9 2007 30590 "pavas.ico"
pngfilt.dll Apr 18 2007 39424 "pngfilt.dll"
schannel.dll Apr 25 2007 144896 "schannel.dll"
shdocvw.dll Apr 18 2007 1494528 "shdocvw.dll"
shlwapi.dll Apr 18 2007 474112 "shlwapi.dll"
SOFTWA~1 Jun 22 2007 "SoftwareDistribution"
uninst~1.ico Jul 9 2007 2550 "Uninstall.ico"
urlmon.dll Apr 18 2007 615424 "urlmon.dll"
usb1 Apr 16 2007 1201308 "USB1"
windev~1.ini Jul 9 2007 11387 "windev-peers.ini"
wininet.dll Apr 18 2007 658944 "wininet.dll"
wpa.dbl Jul 5 2007 2206 "wpa.dbl"
wuapi.dll Apr 16 2007 549720 "wuapi.dll"
wuapid~1.mui Apr 16 2007 25944 "wuapi.dll.mui"
wuauclt.exe Apr 16 2007 53080 "wuauclt.exe"
wuaucpl.cpl Apr 16 2007 216408 "wuaucpl.cpl"
wuaucp~1.mui Apr 16 2007 25944 "wuaucpl.cpl.mui"
wuaueng.dll Apr 16 2007 1710936 "wuaueng.dll"
wuauen~1.mui Apr 16 2007 20312 "wuaueng.dll.mui"
wucltui.dll Apr 16 2007 325976 "wucltui.dll"
wucltu~1.mui Apr 16 2007 34136 "wucltui.dll.mui"
wups.dll Apr 16 2007 33624 "wups.dll"
wups2.dll Apr 16 2007 43352 "wups2.dll"
wuweb.dll Apr 16 2007 203096 "wuweb.dll"
xpsp3res.dll Apr 18 2007 115200 "xpsp3res.dll"

47 items found: 44 files, 3 directories.
Total of file sizes: 35,794,935 bytes 34.13 M

--------------------------------------------------------------------------
C:\windows\system32\com:
--------------------------------------------------------------------------

Locating all files created in C:\windows\system32\com within the last 90 days.

No matches found.

--------------------------------------------------------------------------
C:\windows\system32\components:
--------------------------------------------------------------------------
Locating all files created in C:\windows\system32\components within the last 90 days.

No matches found.

--------------------------------------------------------------------------
C:\windows\system32\drivers:
--------------------------------------------------------------------------

Locating all files created in C:\windows\system32\drivers within the last 90 days.

"C:\WINDOWS\system32\drivers\"
avgascln.sys May 30 2007 10872 "AvgAsCln.sys"

1 item found: 1 file, 0 directories.
Total of file sizes: 10,872 bytes 10.62 K

--------------------------------------------------------------------------
C:\windows\system32\drivers\etc:
--------------------------------------------------------------------------

Locating all files created in C:\windows\system32\drivers\etc within the last 90 days.

No matches found.

--------------------------------------------------------------------------
C:\windows\TEMP:
--------------------------------------------------------------------------

Locating all files created in C:\windows\TEMP within the last 90 days.

"C:\WINDOWS\Temp\"
ASHEUR~1 Jul 9 2007 "ASHeuristic"

1 item found: 0 files, 1 directory.

************************************************************************************

Checking for .COM files to Delete. They will only print if deleted!

Locating .COM files in the C:\windows\System32 folder

"C:\WINDOWS\system32\"
chcp.com Jan 8 2004 7680 "chcp.com"
command.com Jan 8 2004 50620 "command.com"
diskcomp.com Jan 8 2004 9216 "diskcomp.com"
diskcopy.com Jan 8 2004 7168 "diskcopy.com"
edit.com Jan 8 2004 69886 "edit.com"
format.com Jan 8 2004 25600 "format.com"
graftabl.com Jan 8 2004 26112 "graftabl.com"
graphics.com Jan 8 2004 19694 "graphics.com"
kb16.com Jan 8 2004 14710 "kb16.com"
loadfix.com Jan 8 2004 1131 "loadfix.com"
locate.com Jan 14 2005 11254 "locate.com"
mode.com Jan 8 2004 19456 "mode.com"
more.com Jan 8 2004 15872 "more.com"
tree.com Jan 8 2004 11264 "tree.com"
win.com Jan 8 2004 18432 "win.com"

15 items found: 15 files, 0 directories.
Total of file sizes: 308,095 bytes 300.87 K

************************************************************************************

Miscellaneous Malware Detections:
------------------------------------------------------------------------------------


**** Delfin Media {31EE3286-D785-4E3F-95FC-51D00FDABC01} NOT FOUND by this tool! ****

**** SmitFraud {0BC9BC01-54D4-4CCE-2B7D-955164314CD4} NOT FOUND by this tool! ****

**** SpywareStrike {C1A2FDA2-1A5B-2A8F-F3A2-B22DA1A3C41D} NOT FOUND by this tool! ****

**** SpywareStrike {C1A2FDA2-2A5B-2C8A-F2A2-BA2DB3A2C31C} NOT FOUND by this tool! ****

**** SpywareStrike {D81E2FC4-B0A2-11D3-21AC-07C04C21A18A} NOT FOUND by this tool! ****

**** SpyAxe {A1D9D3F0-8C2A-9A1D-A376-2CACFB10AB72} NOT FOUND by this tool! ****

**** SpyAxe {A2D9D3F0-8C2A-2A1D-A376-1BECFB10AB72} NOT FOUND by this tool! ****

**** SpyAxe {A2D9D3F0-8C2A-2A1D-A376-1BECFB10AB72} NOT FOUND by this tool! ****

**** SpyAxe {A2D9D3F0-8C2A-2A1D-A376-1BECFB10AB72} NOT FOUND by this tool! ****

**** SpyAxe {A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F} NOT FOUND by this tool! ****

**** SpyFalcon {A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F} NOT FOUND by this tool! ****

**** SpyFalcon {C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D} NOT FOUND by this tool! ****

**** SpyFalcon {CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E} NOT FOUND by this tool! ****

**** SpyFalcon {35a88e51-b53d-43e9-b8a7-75d4c31b4676} NOT FOUND by this tool! ****

**** SpyFalcon {64ba30a2-811a-4597-b0af-d551128be340} NOT FOUND by this tool! ****

**** SpyFalcon {89aef01d-d237-49c7-84dc-4e1904c1fd31} NOT FOUND by this tool! ****

**** SpyFalcon {e04408db-4812-4478-8d4d-e46edcffd3b6} NOT FOUND by this tool! ****

**** SpyFalcon {336ec37f-54bf-4f13-8237-03f64fa591e7} NOT FOUND by this tool! ****

**** SpyFalcon {5bc82bdb-bc03-4671-9a78-3ef2b68449de} NOT FOUND by this tool! ****

**** SpyFalcon {24c60b9b-26b5-4201-9f7a-fb9219356ae9} NOT FOUND by this tool! ****

**** SpyFalcon {a0c51615-738a-4542-801a-5af61614e182} NOT FOUND by this tool! ****

**** SpyFalcon {70fbd528-2d3c-4a00-9b8c-bbf441e534be} NOT FOUND by this tool! ****

**** SpyFalcon {a566f298-05a6-4b3d-b672-da7c27316430} NOT FOUND by this tool! ****

**** SpyFalcon {f5947202-e9cb-4a72-88e7-22f2cbd2b124} NOT FOUND by this tool! ****

**** SpyFalcon {5aaf6542-f4ba-4df4-873d-4902ecbe794c} NOT FOUND by this tool! ****

**** SpyFalcon {3e4155b8-5a4a-4e95-83b2-ab032da9acbc} NOT FOUND by this tool! ****

**** SpyFalcon {9952355f-fefb-4764-bcd7-a993d03dd7e2} NOT FOUND by this tool! ****

**** SpyFalcon {55059d4f-a1ac-4837-ae07-4859101f598d} NOT FOUND by this tool! ****

**** SpyFalcon {c3786a8d-6426-4c29-a23f-f36e47b31e0c} NOT FOUND by this tool! ****

**** SpyLocked {25b7d2fd-4f71-46d1-801a-7de323e4ec82} NOT FOUND by this tool! ****

**** SpyLocked {4233AC08-A2C4-4742-A0B4-83719613D62C} NOT FOUND by this tool! ****

**** SpyLocked {716002DB-288C-4BF0-80CD-A467E78D8B55} NOT FOUND by this tool! ****

**** SpyLocked {735E980D-45D2-4777-AF82-9923D3C8D3AE} NOT FOUND by this tool! ****

**** SpyLocked {B23DC537-3E13-44C7-BF67-D8405EB377F7} NOT FOUND by this tool! ****

**** SpyLocked {B292EC9F-A074-4115-8342-1F459702D8D2} NOT FOUND by this tool! ****

**** SpyLocked {CECA6F2B-247B-4ECE-9B7A-D0135C8036FC} NOT FOUND by this tool! ****

**** SpyLocked {DA3B49F6-8C54-4429-A275-21A86DCCA413} NOT FOUND by this tool! ****

**** SpyLocked {EDE8BED5-92CF-4482-8F51-A01CD9B3EA37} NOT FOUND by this tool! ****

**** SpyLocked {FA4FBF53-C766-4622-8011-A87A805EEBF0} NOT FOUND by this tool! ****

**** SpywareLocked {0E4E5110-A772-4C4A-A7DC-137FE10ABD6E} NOT FOUND by this tool! ****

**** SpywareLocked {07A582E8-BAE3-457D-9D29-2048DE45A369} NOT FOUND by this tool! ****

**** SpywareLocked {3BAA1AD8-EE49-4772-BF0B-F55083E0F7AA} NOT FOUND by this tool! ****

**** SpywareLocked {9D6FAC42-A7BE-4702-87EF-75D8DC14249E} NOT FOUND by this tool! **
ShadowPuterDude
Wed Jul 11 2007, 03:37PM
...the Shadow knows


Registered Member #1
Joined: Thu Apr 27 2006, 04:52PM
Location: Northern NY
Posts: 251
Thanked 12 times in 12 posts
The whole log didn't make it through.  Start from:

Miscellaneous Malware Detections:
------------------------------------------------------------------------------------

Copy & Paste the rest of the log.



"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006
Linux Registered User # 363218
ShadowPuterDude
Thu Jul 12 2007, 08:00PM
...the Shadow knows


Registered Member #1
Joined: Thu Apr 27 2006, 04:52PM
Location: Northern NY
Posts: 251
Thanked 12 times in 12 posts
The problem with File Attachments has been corrected.

The installed version of Java on this computer is outdated. Install Java Runtime Environment (JRE) 6u2 available from Major Geeks. Uninstall all older versions of Java on your computer before installing the latest version of Java.

Download
- Pocket Killbox
- ExplorerXP

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:
  • Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\system32\Help.ico
    C:\WINDOWS\system32\pavas.ico
    C:\WINDOWS\system32\Uninstall.ico
    C:\WINDOWS\system32\windev-peers.ini
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now boot into SAFE MODE

Open ExplorerXP, navigate to and DELETE the following:
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Uninstall.ico
C:\WINDOWS\system32\windev-peers.ini
Now run CCleaner. If you have Windows XP, delete the contents of C:\WINDOWS\Prefetch.

Then, as an added precaution, go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

Temporary Files
Temporary Internet Files
Recycle Bin


And Click OK.

REBOOT to .

Post the following logs as attachments:
HijackThis
ISeeYouXP



"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006
Linux Registered User # 363218
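As an added example, not part of the thread and not code from the ISeeYouXP tool: a Python parser for the listing format the log above uses (a quoted directory header, then one entry per line with 8.3 name, creation date, size for files only, and the long name in quotes), used to pull out everything created in system32 on or after the stated infection date. SAMPLE_LOG is a constructed excerpt of the log in this thread; INFECTION_DATE, SYSTEM32 and KILLBOX_TARGETS are values taken from the thread, and the "created since" heuristic is an assumption for triage, not the tool's own logic.

```python
"""Parse an ISeeYouXP-style listing and report what was created since a given date."""
import re
from datetime import datetime, date

# Constructed excerpt in the log's format: directory header, entries, summary lines.
SAMPLE_LOG = r'''
"C:\WINDOWS\system32\"
ACTIVE~1 Jul 9 2007 "ActiveScan"
asfiles.txt Jul 9 2007 0 "asfiles.txt"
browseui.dll Apr 18 2007 1023488 "browseui.dll"
help.ico Jul 9 2007 1406 "Help.ico"
kernel32.dll Apr 16 2007 984576 "kernel32.dll"
pavas.ico Jul 9 2007 30590 "pavas.ico"
uninst~1.ico Jul 9 2007 2550 "Uninstall.ico"
windev~1.ini Jul 9 2007 11387 "windev-peers.ini"
wpa.dbl Jul 5 2007 2206 "wpa.dbl"

47 items found: 44 files, 3 directories.
Total of file sizes: 35,794,935 bytes 34.13 M

"C:\WINDOWS\system32\drivers\"
avgascln.sys May 30 2007 10872 "AvgAsCln.sys"
'''

INFECTION_DATE = date(2007, 7, 5)          # "most likely July 5th", per the first post
SYSTEM32 = "C:\\WINDOWS\\system32\\"
# The four files the moderator asked to have deleted with Pocket Killbox.
KILLBOX_TARGETS = {"Help.ico", "pavas.ico", "Uninstall.ico", "windev-peers.ini"}

DIR_RE = re.compile(r'^"([A-Za-z]:\\.*\\)"$')
ENTRY_RE = re.compile(
    r'^(?P<short>\S+)\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})'
    r'(?:\s+(?P<size>\d+))?\s+"(?P<long>.+)"$')


def parse_listing(text):
    """Return dicts with directory, name, created (date) and size (None for folders)."""
    entries, current_dir = [], None
    for line in text.splitlines():
        line = line.strip()
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m or current_dir is None:
            continue  # blank lines, "No matches found.", "N items found", totals
        created = datetime.strptime(
            f"{m['mon']} {m['day']} {m['year']}", "%b %d %Y").date()
        size = int(m["size"]) if m["size"] is not None else None
        entries.append({"directory": current_dir, "name": m["long"],
                        "created": created, "size": size})
    return entries


def created_since(entries, since, directory=None):
    """Names of files (folders excluded) created on or after `since`, optionally in one directory."""
    return sorted(
        (e["name"] for e in entries
         if e["size"] is not None and e["created"] >= since
         and (directory is None or e["directory"].lower() == directory.lower())),
        key=str.lower)


def triage_sample():
    """Recent system32 files in the sample; the analyst still judges each one."""
    return created_since(parse_listing(SAMPLE_LOG), INFECTION_DATE, SYSTEM32)


if __name__ == "__main__":
    for name in triage_sample():
        print(("KILLBOX " if name in KILLBOX_TARGETS else "review  ") + name)
```

The output is a triage list, not a verdict: wpa.dbl (Windows activation data) and asfiles.txt (left by an online scanner run the same day) land in it alongside the four files the moderator singled out, which is why the thread has a human review the log rather than deleting everything recent.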
Copyright 2006-2009 MalwareTeks