malware: help! i've tried many things!

whoops, i meant to put HJTwtf.exe (i didn’t say i was classy) and its folder into the plain ol’ c:.… it’s there now.

My latest ComboFix log is somehow 86,000 characters. Is this normal? Should I just break it up into 9 different posts?

I think it might have to do with running windows update, so I’m going to post it here without the snapshot:

ComboFix 07-10-07.2 - Kimberley 2007-10-08 18:12:49.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.587 [GMT -7:00]
Running from: C:\Documents and Settings\Kimberley\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))
.

2007-10-08 18:11 13,179 ---hs---- C:\WINDOWS\system32\rqtss.bak2
2007-10-08 18:03 d-------- C:\Program Files\HJT
2007-10-08 17:38 d-------- C:\Program Files\MSBuild
2007-10-08 17:33 d-------- C:\WINDOWS\system32\XPSViewer
2007-10-08 17:32 d-------- C:\Program Files\Reference Assemblies
2007-10-08 17:31 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-10-08 17:30 d-------- C:\6c5d95b0f7a967861ce081828f
2007-10-08 16:17 6,521 ---hs---- C:\WINDOWS\system32\rqtss.ini2
2007-10-08 16:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-08 15:40 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-08 15:39 d-------- C:\Documents and Settings\Kimberley\Application Data\SUPERAntiSpyware.com
2007-10-08 03:18 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-08 03:03 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-08 02:29 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-10-08 02:29 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-08 02:29 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-08 02:29 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-10-08 02:29 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-08 02:29 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-08 02:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-08 02:29 d-------- C:\Program Files\VirusCrap
2007-10-08 02:12 d-------- C:\Program Files\Windows Live Safety Center
2007-10-08 01:54 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-08 01:01 d-------- C:\VundoFix Backups
2007-10-06 16:29 325,728 --------- C:\WINDOWS\system32\sstqr.dll
2007-10-03 23:43 34,160 --a------ C:\Documents and Settings\Kimberley\Application Data\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 16:54 --------- d-------- C:\Program Files\Sonic
2007-10-08 16:53 --------- d-------- C:\Program Files\Common Files\Sonic Shared
2007-10-08 12:00 --------- d-------- C:\Program Files\Webteh
2007-10-08 03:04 --------- d-------- C:\Program Files\Lavasoft
2007-10-08 03:04 --------- d-------- C:\Documents and Settings\Kimberley\Application Data\Lavasoft
2007-09-22 22:24 --------- d-------- C:\Program Files\iTunes
2007-08-20 23:42 --------- d-------- C:\Program Files\DivX
2007-08-15 21:11 --------- d-------- C:\Documents and Settings\Kimberley\Application Data\Viewpoint
2007-08-15 08:02 --------- d-------- C:\Program Files\Common Files\AOL
2007-08-15 08:02 --------- d-------- C:\Program Files\AIM
2007-08-13 18:56 --------- d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-08-13 18:46 --------- d-------- C:\Documents and Settings\Kimberley\Application Data\acccore
2007-08-13 18:46 --------- d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-08-13 18:41 --------- d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-26 16:06 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-26 16:06 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-18 23:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 16:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2006-10-02 02:31 5025792 --a------ C:\Program Files\Adobe DNG Converter.exe
2006-03-26 06:57:59 56 --sh--r C:\WINDOWS\system32\E111ED96EA.sys
2006-03-26 06:57:59 1,890 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84BB2E13-1A0A-4247-B9D1-735D06771FA8}]
2007-10-06 16:29 325728 --------- C:\WINDOWS\system32\sstqr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 15:33]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 22:09]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 22:06]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 22:10]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 16:48]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 13:59]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 19:15]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 16:24]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-12-30 21:29]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 17:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"avast!"="C:\PROGRA~1\VIRUSC~1\Avast4\ashDisp.exe" [2007-09-06 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" [2004-10-13 09:24]
"SUPERAntiSpyware"="C:\Program Files\VirusCrap\SuperAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-22 12:42:22]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-30 21:28:05]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\VirusCrap\SuperAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\VirusCrap\SuperAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\VirusCrap\SuperAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 15:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\sstqr.dll

.


catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 18:17:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2007-10-08 18:20:14
C:\ComboFix-quarantined-files.txt … 2007-10-08 18:20
C:\ComboFix2.txt … 2007-10-08 16:38
.
--- E O F ---

New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:53 PM, on 08/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\VirusCrap\Avast4\aswUpdSv.exe
C:\Program Files\VirusCrap\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VirusCrap\a-squared Free\a2service.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\VirusCrap\Avast4\ashMaiSv.exe
C:\Program Files\VirusCrap\Avast4\ashWebSv.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\VIRUSC~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VirusCrap\SuperAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\HJT\HJTwtf.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.globeandmail.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {84BB2E13-1A0A-4247-B9D1-735D06771FA8} - C:\WINDOWS\system32\sstqr.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\VIRUSC~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\VirusCrap\SuperAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by137fd.bay137.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\VirusCrap\SuperAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\VirusCrap\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\VirusCrap\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\VirusCrap\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\VirusCrap\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\VirusCrap\Avast4\ashWebSv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


End of file - 8585 bytes

Sorry - I was away for a bit.

Did you remember to check this line when you ran the HJT fix?

O2 - BHO: (no name) - {84BB2E13-1A0A-4247-B9D1-735D06771FA8} - C:\WINDOWS\system32\sstqr.dll

I did remember to check that line, and I noticed that it was still there upon creating another log after reboot. Shall I do it again?

No, let’s take a different, deeper look at things.

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

- Close ALL OTHER PROGRAMS.
- Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
- Under Additional Scans click the checkboxes in front of the following items to select them:

(Use the default options)

- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. The log will be very long - use as many posts as necessary or attach the log if it's easier. Make sure the last line reads < End of Report >

That took a lot less time than I thought!

Here’s the WinPFind3u log:

WinPFind3 logfile created on: 08/10/2007 7:40:25 PM
WinPFind3U by OldTimer - Version 1.0.42 Folder = C:\Documents and Settings\Kimberley\Desktop\WinPFind3u
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)

1015.37 Mb Total Physical Memory | 560.70 Mb Available Physical Memory | 55.22% Memory free
2.39 Gb Paging File | 2.02 Gb Available in Paging File | 84.55% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 90.09 Gb Total Space | 24.27 Gb Free Space | 26.94% Space Free
Drive D: | 4.29 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: MAGNETAR
Current User Name: Kimberley
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - Non-Microsoft Only]
1xconfig.exe → %ProgramFiles%\Intel\Wireless\Bin\1XConfig.exe → Intel [Ver = 9, 0, 1, 33 | Size = 245760 bytes | Modified Date = 07/09/2004 3:03:40 PM | Attr = ]
a2service.exe → %ProgramFiles%\VirusCrap\a-squared Free\a2service.exe → Emsi Software GmbH [Ver = 3.0.0.345 | Size = 217208 bytes | Modified Date = 31/08/2007 8:24:24 PM | Attr = ]
aawservice.exe → %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe → Lavasoft AB [Ver = 7, 0, 2, 3 | Size = 574808 bytes | Modified Date = 25/09/2007 9:00:46 AM | Attr = ]
apntex.exe → %ProgramFiles%\Apoint\ApntEx.exe → Alps Electric Co., Ltd. [Ver = 5.5.1.19 | Size = 45056 bytes | Modified Date = 19/08/2004 1:40:08 PM | Attr = ]
apoint.exe → %ProgramFiles%\Apoint\Apoint.exe → Alps Electric Co., Ltd. [Ver = 5.5.101.141 | Size = 155648 bytes | Modified Date = 13/09/2004 3:33:20 PM | Attr = ]
ashdisp.exe → %ProgramFiles%\VirusCrap\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 06/09/2007 3:06:10 AM | Attr = ]
ashmaisv.exe → %ProgramFiles%\VirusCrap\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 06/09/2007 3:05:42 AM | Attr = ]
ashserv.exe → %ProgramFiles%\VirusCrap\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 06/09/2007 3:06:04 AM | Attr = ]
ashwebsv.exe → %ProgramFiles%\VirusCrap\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 06/09/2007 3:04:44 AM | Attr = ]
aswupdsv.exe → %ProgramFiles%\VirusCrap\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 06/09/2007 2:54:58 AM | Attr = ]
dlg.exe → %ProgramFiles%\Digital Line Detect\DLG.exe → BVRP Software [Ver = 1, 0, 0, 1 | Size = 24576 bytes | Modified Date = 29/10/2003 2:06:00 AM | Attr = ]
dvdlauncher.exe → %ProgramFiles%\CyberLink\PowerDVD\DVDLauncher.exe → CyberLink Corp. [Ver = 3.00.0000 | Size = 53248 bytes | Modified Date = 23/02/2005 3:19:56 PM | Attr = ]
evteng.exe → %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe → Intel Corporation [Ver = 9, 0, 1, 12 | Size = 86016 bytes | Modified Date = 07/09/2004 3:02:40 PM | Attr = ]
hkcmd.exe → %System32%\hkcmd.exe → Intel Corporation [Ver = 3.0.0.4363 | Size = 77824 bytes | Modified Date = 19/07/2005 10:06:12 PM | Attr = ]
ifrmewrk.exe → %ProgramFiles%\Intel\Wireless\Bin\iFrmewrk.exe → Intel Corporation [Ver = 9, 0, 1, 19 | Size = 385024 bytes | Modified Date = 30/10/2004 1:59:54 PM | Attr = ]
igfxpers.exe → %System32%\igfxpers.exe → Intel Corporation [Ver = 3.0.0.4363 | Size = 114688 bytes | Modified Date = 19/07/2005 10:10:06 PM | Attr = ]
igfxsrvc.exe → %System32%\igfxsrvc.exe → Intel Corporation [Ver = 3.0.0.4363 | Size = 159744 bytes | Modified Date = 19/07/2005 10:06:04 PM | Attr = ]
ipodservice.exe → %ProgramFiles%\iPod\bin\iPodService.exe → Apple Inc. [Ver = 7.1.1.5 | Size = 500800 bytes | Modified Date = 14/03/2007 7:05:42 PM | Attr = ]
issch.exe → %CommonProgramFiles%\InstallShield\UpdateService\issch.exe → InstallShield Software Corporation [Ver = 3, 10, 100, 1155 | Size = 81920 bytes | Modified Date = 27/07/2004 3:50:18 PM | Attr = ]
jusched.exe → %ProgramFiles%\Java\j2re1.4.2_03\bin\jusched.exe → [Ver = | Size = 32881 bytes | Modified Date = 19/11/2003 4:48:14 PM | Attr = ]
nicconfigsvc.exe → %ProgramFiles%\Dell\NICCONFIGSVC\NICCONFIGSVC.exe → Dell Inc. [Ver = 1, 0, 0, 1 | Size = 356352 bytes | Modified Date = 09/06/2005 7:53:18 AM | Attr = ]
pcmservice.exe → %ProgramFiles%\Dell\Media Experience\PCMService.exe → CyberLink Corp. [Ver = 1.0.1611 | Size = 290816 bytes | Modified Date = 11/04/2004 7:15:14 PM | Attr = ]
qttask.exe → %ProgramFiles%\QuickTime\qttask.exe → Apple Computer, Inc. [Ver = 7.1.5 | Size = 282624 bytes | Modified Date = 16/02/2007 10:54:04 AM | Attr = ]
quickset.exe → %ProgramFiles%\Dell\QuickSet\quickset.exe → [Ver = 0, 5, 5, 0 | Size = 684032 bytes | Modified Date = 01/09/2005 4:24:08 PM | Attr = ]
realplay.exe → %ProgramFiles%\Real\RealPlayer\realplay.exe → RealNetworks, Inc. [Ver = 6.0.9.584 | Size = 26112 bytes | Modified Date = 30/12/2005 9:29:02 PM | Attr = ]
regsrvc.exe → %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe → Intel Corporation [Ver = 9, 0, 1, 10 | Size = 139264 bytes | Modified Date = 07/09/2004 3:02:04 PM | Attr = ]
s24evmon.exe → %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe → Intel Corporation [Ver = 9, 0, 1, 41 | Size = 360521 bytes | Modified Date = 07/09/2004 3:05:10 PM | Attr = ]
superantispyware.exe → %ProgramFiles%\VirusCrap\SuperAntiSpyware\SUPERAntiSpyware.exe → SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 21/06/2007 2:06:28 PM | Attr = ]
tosbtmng1.exe → %ProgramFiles%\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe → [Ver = | Size = 45056 bytes | Modified Date = 22/12/2004 12:42:22 PM | Attr = ]
winpfind3u.exe → %UserDesktop%\WinPFind3u\WinPFind3U.exe → OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 04/09/2007 10:47:26 AM | Attr = ]
wlkeeper.exe → %ProgramFiles%\Intel\Wireless\Bin\WLKEEPER.exe → Intel® Corporation [Ver = 9, 0, 1, 14 | Size = 225353 bytes | Modified Date = 07/09/2004 3:12:32 PM | Attr = ]
zcfgsvc.exe → %ProgramFiles%\Intel\Wireless\Bin\ZCfgSvc.exe → Intel Corporation [Ver = 9, 0, 1, 45 | Size = 389120 bytes | Modified Date = 07/09/2004 3:08:02 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(a2free) a-squared Free Service [Win32_Own | Auto | Running] → %ProgramFiles%\VirusCrap\a-squared Free\a2service.exe → Emsi Software GmbH [Ver = 3.0.0.345 | Size = 217208 bytes | Modified Date = 31/08/2007 8:24:24 PM | Attr = ]
(aawservice) Ad-Aware 2007 Service [Win32_Own | Auto | Running] → %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe → Lavasoft AB [Ver = 7, 0, 2, 3 | Size = 574808 bytes | Modified Date = 25/09/2007 9:00:46 AM | Attr = ]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] → %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe → Adobe Systems [Ver = 2.67.010 | Size = 72704 bytes | Modified Date = 02/04/2006 3:10:34 PM | Attr = ]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] → %ProgramFiles%\VirusCrap\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 06/09/2007 2:54:58 AM | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] → %ProgramFiles%\VirusCrap\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 06/09/2007 3:06:04 AM | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\VirusCrap\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 06/09/2007 3:05:42 AM | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\VirusCrap\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 06/09/2007 3:04:44 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] → %System32%\dmadmin.exe → Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 04/08/2004 4:00:00 AM | Attr = ]
(EvtEng) EvtEng [Win32_Own | Auto | Running] → %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe → Intel Corporation [Ver = 9, 0, 1, 12 | Size = 86016 bytes | Modified Date = 07/09/2004 3:02:40 PM | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] → %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe → Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 04/04/2005 1:41:10 AM | Attr = ]
(idsvc) Windows CardSpace [Win32_Shared | Unknown | Stopped] → → File not found
(iPod Service) iPod Service [Win32_Own | On_Demand | Running] → %ProgramFiles%\iPod\bin\iPodService.exe → Apple Inc. [Ver = 7.1.1.5 | Size = 500800 bytes | Modified Date = 14/03/2007 7:05:42 PM | Attr = ]
(NICCONFIGSVC) NICCONFIGSVC [Win32_Own | Auto | Running] → %ProgramFiles%\Dell\NICCONFIGSVC\NICCONFIGSVC.exe → Dell Inc. [Ver = 1, 0, 0, 1 | Size = 356352 bytes | Modified Date = 09/06/2005 7:53:18 AM | Attr = ]
(RegSrvc) RegSrvc [Win32_Own | Auto | Running] → %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe → Intel Corporation [Ver = 9, 0, 1, 10 | Size = 139264 bytes | Modified Date = 07/09/2004 3:02:04 PM | Attr = ]
(S24EventMonitor) Spectrum24 Event Monitor [Win32_Own | Auto | Running] → %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe → Intel Corporation [Ver = 9, 0, 1, 41 | Size = 360521 bytes | Modified Date = 07/09/2004 3:05:10 PM | Attr = ]
(WLANKEEPER) WLANKEEPER [Win32_Own | Auto | Running] → %ProgramFiles%\Intel\Wireless\Bin\WLKEEPER.exe → Intel® Corporation [Ver = 9, 0, 1, 14 | Size = 225353 bytes | Modified Date = 07/09/2004 3:12:32 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
Apoint → %ProgramFiles%\Apoint\Apoint.exe → Alps Electric Co., Ltd. [Ver = 5.5.101.141 | Size = 155648 bytes | Modified Date = 13/09/2004 3:33:20 PM | Attr = ]
avast! → %ProgramFiles%\VirusCrap\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 06/09/2007 3:06:10 AM | Attr = ]
Dell QuickSet → %ProgramFiles%\Dell\QuickSet\quickset.exe → [Ver = 0, 5, 5, 0 | Size = 684032 bytes | Modified Date = 01/09/2005 4:24:08 PM | Attr = ]
DVDLauncher → %ProgramFiles%\CyberLink\PowerDVD\DVDLauncher.exe → CyberLink Corp. [Ver = 3.00.0000 | Size = 53248 bytes | Modified Date = 23/02/2005 3:19:56 PM | Attr = ]
igfxhkcmd → %System32%\hkcmd.exe → Intel Corporation [Ver = 3.0.0.4363 | Size = 77824 bytes | Modified Date = 19/07/2005 10:06:12 PM | Attr = ]
igfxpers → %System32%\igfxpers.exe → Intel Corporation [Ver = 3.0.0.4363 | Size = 114688 bytes | Modified Date = 19/07/2005 10:10:06 PM | Attr = ]
igfxtray → %System32%\igfxtray.exe → Intel Corporation [Ver = 3.0.0.4363 | Size = 94208 bytes | Modified Date = 19/07/2005 10:09:26 PM | Attr = ]
IntelWireless → %ProgramFiles%\Intel\Wireless\Bin\iFrmewrk.exe → Intel Corporation [Ver = 9, 0, 1, 19 | Size = 385024 bytes | Modified Date = 30/10/2004 1:59:54 PM | Attr = ]
ISUSPM Startup → %CommonProgramFiles%\InstallShield\UpdateService\ISUSPM.exe → InstallShield Software Corporation [Ver = 3, 10, 100, 1155 | Size = 221184 bytes | Modified Date = 27/07/2004 3:50:42 PM | Attr = ]
ISUSScheduler → %CommonProgramFiles%\InstallShield\UpdateService\issch.exe → InstallShield Software Corporation [Ver = 3, 10, 100, 1155 | Size = 81920 bytes | Modified Date = 27/07/2004 3:50:18 PM | Attr = ]
iTunesHelper → %ProgramFiles%\iTunes\iTunesHelper.exe → Apple Inc. [Ver = 7.1.1.5 | Size = 257088 bytes | Modified Date = 14/03/2007 7:05:48 PM | Attr = ]
MSKDetectorExe → %ProgramFiles%\McAfee\SpamKiller\MSKDetct.exe → McAfee, Inc. [Ver = 7.0.1.6 | Size = 1121792 bytes | Modified Date = 12/08/2005 5:16:44 PM | Attr = ]
NeroCheck → %System32%\NeroCheck.exe → Ahead Software Gmbh [Ver = 1, 0, 0, 2 | Size = 155648 bytes | Modified Date = 09/07/2001 12:50:42 PM | Attr = ]
PCMService → %ProgramFiles%\Dell\Media Experience\PCMService.exe → CyberLink Corp. [Ver = 1.0.1611 | Size = 290816 bytes | Modified Date = 11/04/2004 7:15:14 PM | Attr = ]
QuickTime Task → %ProgramFiles%\QuickTime\qttask.exe → Apple Computer, Inc. [Ver = 7.1.5 | Size = 282624 bytes | Modified Date = 16/02/2007 10:54:04 AM | Attr = ]
RealTray → %ProgramFiles%\Real\RealPlayer\realplay.exe → RealNetworks, Inc. [Ver = 6.0.9.584 | Size = 26112 bytes | Modified Date = 30/12/2005 9:29:02 PM | Attr = ]
SunJavaUpdateSched → %ProgramFiles%\Java\j2re1.4.2_03\bin\jusched.exe → [Ver = | Size = 32881 bytes | Modified Date = 19/11/2003 4:48:14 PM | Attr = ]
< OptionalComponents [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ →
IMAIL → Installed = 1 →
MAPI → Installed = 1 →
MSFS → Installed = 1 →
< Run [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
SUPERAntiSpyware → %ProgramFiles%\VirusCrap\SuperAntiSpyware\SUPERAntiSpyware.exe → SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 21/06/2007 2:06:28 PM | Attr = ]
< Common Startup > → C:\Documents and Settings\All Users\Start Menu\Programs\Startup →
%AllUsersStartup%\Adobe Gamma.lnk → %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe → Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Modified Date = 16/03/2005 8:16:50 PM | Attr = ]
%AllUsersStartup%\Adobe Reader Speed Launch.lnk → %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe → Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 23/09/2005 10:05:26 PM | Attr = ]
%AllUsersStartup%\Bluetooth Manager.lnk → %ProgramFiles%\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe → [Ver = | Size = 45056 bytes | Modified Date = 22/12/2004 12:42:22 PM | Attr = ]
%AllUsersStartup%\Digital Line Detect.lnk → %ProgramFiles%\Digital Line Detect\DLG.exe → BVRP Software [Ver = 1, 0, 0, 1 | Size = 24576 bytes | Modified Date = 29/10/2003 2:06:00 AM | Attr = ]
< ShellExecuteHooks [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks →
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] → %ProgramFiles%\VirusCrap\SuperAntiSpyware\SASSEH.DLL SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 20/12/2006 1:55:48 PM | Attr = ]
< SecurityProviders [HKLM] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders →
< Winlogon settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon settings [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon\Notify settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ →
!SASWinLogon → %ProgramFiles%\VirusCrap\SuperAntiSpyware\SASWINLO.dll → SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 19/04/2007 1:41:36 PM | Attr = ]
igfxcui → %System32%\igfxdev.dll → Intel Corporation [Ver = 3.0.0.4363 | Size = 135168 bytes | Modified Date = 19/07/2005 10:05:16 PM | Attr = ]
IntelWireless → %ProgramFiles%\Intel\Wireless\Bin\LgNotify.dll → Intel Corporation [Ver = 9, 0, 1, 0 | Size = 110592 bytes | Modified Date = 07/09/2004 3:08:06 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveAutoRun → 67108863 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 255 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} → 1073741857 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1} → 32 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\shutdownwithoutlogon → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\undockwithoutlogon → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ → →
< CurrentVersion Policy Settings [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 145 →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ → →
< HOSTS File > (27 bytes) → C:\WINDOWS\System32\drivers\etc\Hosts →
127.0.0.1 localhost → →

< Internet Explorer Settings > → →
HKLM: Default_Page_URL → http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM: Main\Default_Search_URL → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM: Local Page → C:\windows\system32\blank.htm →
HKLM: Search Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM: Start Page → http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM: CustomizeSearch → http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM: Search\Default_Search_URL → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM: SearchAssistant → http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKCU: Default_Search_URL → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU: Local Page → C:\windows\system32\blank.htm →
HKCU: Search Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU: Start Page → http://www.globeandmail.com/
HKCU: ProxyEnable → 0 →
< Trusted Sites > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
msn.com [ - ] → →
< BHO’s > → HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ →
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] → %ProgramFiles%\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] → File not found
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] → %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll → Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 31/05/2005 2:04:00 AM | Attr = ]
{7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] → Reg Data - Key not found [Reg Data - Key not found] → File not found
{84BB2E13-1A0A-4247-B9D1-735D06771FA8} [HKLM] → %System32%\sstqr.dll [Reg Data - Value does not exist] → [Ver = | Size = 325728 bytes | Modified Date = 06/10/2007 4:29:50 PM | Attr = ]
< Internet Explorer ToolBars [HKCU] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ →
ShellBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] → Reg Data - Key not found [Reg Data - Key not found] → File not found
< Internet Explorer Extensions [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ →
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] → Reg Data - Key not found [MenuText: Sun Java Console] → File not found
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} → %ProgramFiles%\AIM\aim.exe [ButtonText: AIM] → America Online, Inc. [Ver = 5.9.3861 | Size = 67160 bytes | Modified Date = 05/08/2005 3:08:26 PM | Attr = ]
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} → Reg Data - Value does not exist [ButtonText: Real.com] → File not found
< Internet Explorer Menu Extensions [HKCU] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ →
E&xport to Microsoft Excel → → File not found
< DNS Name Servers [HKLM] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ →
{71B36D95-4FB0-4D5F-BBE3-714F9CF67B4F} → (Intel(R) PRO/Wireless 2915ABG Network Connection) →
{932326F7-8F71-45F0-AF82-8A7F3E47BF6D} → (1394 Net Adapter) →
{D72795FF-6CCF-4907-B6CA-431643361D19} → (Broadcom 440x 10/100 Integrated Controller) →
< Protocol Handlers [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ →
ipp → Reg Data - Key not found → File not found
msdaipp → Reg Data - Key not found → File not found
< Downloaded Program Files > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ →
{14B87622-7E19-4EA8-93B3-97215F77A6BC} → MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} → - CodeBase = http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} → MSN Photo Upload Tool - CodeBase = http://by137fd.bay137.hotmail.msn.com/resources/MsnPUpld.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} → Java Plug-in 1.4.2_03 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} → MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
{B8BE5E93-A60C-4D26-A2DC-220313175592} → ZoneIntro Class - CodeBase = http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
{C3F79A2B-B9B4-4A66-B012-3EE46475B072} → MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} → Java Plug-in 1.4.2_03 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} → - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
{F6BF0D00-0B2A-4A75-BF7B-F385591623AF} → Solitaire Showdown Class - CodeBase = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

[Files/Folders - Created Within 30 days]
6c5d95b0f7a967861ce081828f → %SystemDrive%\6c5d95b0f7a967861ce081828f → [Folder | Created Date = 08/10/2007 4:30:08 PM | Attr = ]
hiberfil.sys → %SystemDrive%\hiberfil.sys → [Ver = | Size = 1064763392 bytes | Created Date = 01/01/1601 8:00:00 AM | Attr = HS]
qoobox → %SystemDrive%\qoobox → [Folder | Created Date = 08/10/2007 3:10:54 PM | Attr = ]
sqmdata01.sqm → %SystemDrive%\sqmdata01.sqm → [Ver = | Size = 268 bytes | Created Date = 07/10/2007 10:35:49 PM | Attr = H ]
sqmdata02.sqm → %SystemDrive%\sqmdata02.sqm → [Ver = | Size = 268 bytes | Created Date = 08/10/2007 11:11:13 AM | Attr = H ]
sqmdata03.sqm → %SystemDrive%\sqmdata03.sqm → [Ver = | Size = 268 bytes | Created Date = 08/10/2007 3:24:38 PM | Attr = H ]
sqmdata04.sqm → %SystemDrive%\sqmdata04.sqm → [Ver = | Size = 268 bytes | Created Date = 08/10/2007 3:36:44 PM | Attr = H ]
sqmdata05.sqm → %SystemDrive%\sqmdata05.sqm → [Ver = | Size = 268 bytes | Created Date = 08/10/2007 5:51:31 PM | Attr = H ]
sqmnoopt01.sqm → %SystemDrive%\sqmnoopt01.sqm → [Ver = | Size = 244 bytes | Created Date = 07/10/2007 10:35:49 PM | Attr = H ]
sqmnoopt02.sqm → %SystemDrive%\sqmnoopt02.sqm → [Ver = | Size = 244 bytes | Created Date = 08/10/2007 11:11:13 AM | Attr = H ]
sqmnoopt03.sqm → %SystemDrive%\sqmnoopt03.sqm → [Ver = | Size = 244 bytes | Created Date = 08/10/2007 3:24:37 PM | Attr = H ]
sqmnoopt04.sqm → %SystemDrive%\sqmnoopt04.sqm → [Ver = | Size = 244 bytes | Created Date = 08/10/2007 3:36:43 PM | Attr = H ]
sqmnoopt05.sqm → %SystemDrive%\sqmnoopt05.sqm → [Ver = | Size = 244 bytes | Created Date = 08/10/2007 5:51:31 PM | Attr = H ]
VundoFix Backups → %SystemDrive%\VundoFix Backups → [Folder | Created Date = 08/10/2007 12:01:15 AM | Attr = ]
_OTMoveIt → %SystemDrive%\_OTMoveIt → [Folder | Created Date = 08/10/2007 4:45:29 PM | Attr = ]
$NtUninstallKB896344$ → %SystemRoot%\$NtUninstallKB896344$ → [Folder | Created Date = 08/10/2007 4:19:32 PM | Attr = H ]
$NtUninstallKB904942$ → %SystemRoot%\$NtUninstallKB904942$ → [Folder | Created Date = 08/10/2007 4:29:37 PM | Attr = H ]
$NtUninstallKB920342$ → %SystemRoot%\$NtUninstallKB920342$ → [Folder | Created Date = 08/10/2007 4:29:50 PM | Attr = H ]
$NtUninstallWIC$ → %SystemRoot%\$NtUninstallWIC$ → [Folder | Created Date = 08/10/2007 4:30:28 PM | Attr = H ]
catchme.exe → %SystemRoot%\catchme.exe → [Ver = | Size = 135168 bytes | Created Date = 08/10/2007 3:06:55 PM | Attr = ]
erdnt → %SystemRoot%\erdnt → [Folder | Created Date = 08/10/2007 3:09:20 PM | Attr = ]
NirCmd.exe → %SystemRoot%\NirCmd.exe → NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 08/10/2007 3:06:55 PM | Attr = ]
QTFont.for → %SystemRoot%\QTFont.for → [Ver = | Size = 1409 bytes | Created Date = 08/10/2007 2:15:56 PM | Attr = ]
QTFont.qfn → %SystemRoot%\QTFont.qfn → [Ver = | Size = 54156 bytes | Created Date = 08/10/2007 2:15:56 PM | Attr = H ]
actskin4.ocx → %System32%\actskin4.ocx → [Ver = 4, 2, 7, 3 | Size = 380928 bytes | Created Date = 08/10/2007 1:29:10 AM | Attr = ]
aswBoot.exe → %System32%\aswBoot.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 801144 bytes | Created Date = 08/10/2007 1:29:10 AM | Attr = ]
AvastSS.scr → %System32%\AvastSS.scr → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 95608 bytes | Created Date = 08/10/2007 1:29:21 AM | Attr = ]
rqtss.bak2 → %System32%\rqtss.bak2 → [Ver = | Size = 13179 bytes | Created Date = 08/10/2007 5:11:05 PM | Attr = HS]
rqtss.ini → %System32%\rqtss.ini → [Ver = | Size = 387447 bytes | Created Date = 08/10/2007 3:33:39 PM | Attr = HS]
rqtss.ini2 → %System32%\rqtss.ini2 → [Ver = | Size = 15548 bytes | Created Date = 08/10/2007 3:17:21 PM | Attr = HS]
rqtss.tmp → %System32%\rqtss.tmp → [Ver = | Size = 394864 bytes | Created Date = 08/10/2007 3:08:30 PM | Attr = HS]
sstqr.dll → %System32%\sstqr.dll → [Ver = | Size = 325728 bytes | Created Date = 06/10/2007 3:29:35 PM | Attr = ]
swreg.exe → %System32%\swreg.exe → SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Created Date = 08/10/2007 3:06:55 PM | Attr = ]
swsc.exe → %System32%\swsc.exe → SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 08/10/2007 3:06:55 PM | Attr = ]
swxcacls.exe → %System32%\swxcacls.exe → SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 08/10/2007 3:06:55 PM | Attr = ]
VFind.exe → %System32%\VFind.exe → [Ver = | Size = 49152 bytes | Created Date = 08/10/2007 3:06:55 PM | Attr = ]
XPSViewer → %System32%\XPSViewer → [Folder | Created Date = 08/10/2007 4:33:50 PM | Attr = ]
aavmker4.sys → %System32%\drivers\aavmker4.sys → ALWIL Software [Ver = 4.7.1043.0 | Size = 26624 bytes | Created Date = 08/10/2007 1:29:25 AM | Attr = ]
aswmon.sys → %System32%\drivers\aswmon.sys → ALWIL Software [Ver = 4.7.1043.0 | Size = 92848 bytes | Created Date = 08/10/2007 1:29:19 AM | Attr = ]
aswmon2.sys → %System32%\drivers\aswmon2.sys → ALWIL Software [Ver = 4.7.1043.0 | Size = 94416 bytes | Created Date = 08/10/2007 1:29:19 AM | Attr = ]
aswRdr.sys → %System32%\drivers\aswRdr.sys → ALWIL Software [Ver = 4.7.1043.0 | Size = 23152 bytes | Created Date = 08/10/2007 1:29:28 AM | Attr = ]
aswTdi.sys → %System32%\drivers\aswTdi.sys → ALWIL Software [Ver = 4.7.1043.0 | Size = 42912 bytes | Created Date = 08/10/2007 1:29:26 AM | Attr = ]
tmcomm.sys → %System32%\drivers\tmcomm.sys → Trend Micro Inc. [Ver = 1.6.0.1059 | Size = 102664 bytes | Created Date = 08/10/2007 2:18:01 AM | Attr = ]

[Files/Folders - Modified Within 30 days]
6c5d95b0f7a967861ce081828f → %SystemDrive%\6c5d95b0f7a967861ce081828f → [Folder | Modified Date = 08/10/2007 5:30:26 PM | Attr = ]
hiberfil.sys → %SystemDrive%\hiberfil.sys → [Ver = | Size = 1064763392 bytes | Modified Date = 08/10/2007 6:08:56 PM | Attr = HS]
Program Files → %ProgramFiles% → [Folder | Modified Date = 08/10/2007 6:03:26 PM | Attr = R ]
qoobox → %SystemDrive%\qoobox → [Folder | Modified Date = 08/10/2007 4:38:00 PM | Attr = ]
sqmdata01.sqm → %SystemDrive%\sqmdata01.sqm → [Ver = | Size = 268 bytes | Modified Date = 07/10/2007 11:35:50 PM | Attr = H ]
sqmdata02.sqm → %SystemDrive%\sqmdata02.sqm → [Ver = | Size = 268 bytes | Modified Date = 08/10/2007 12:11:14 PM | Attr = H ]
sqmdata03.sqm → %SystemDrive%\sqmdata03.sqm → [Ver = | Size = 268 bytes | Modified Date = 08/10/2007 4:24:40 PM | Attr = H ]
sqmdata04.sqm → %SystemDrive%\sqmdata04.sqm → [Ver = | Size = 268 bytes | Modified Date = 08/10/2007 4:36:46 PM | Attr = H ]
sqmdata05.sqm → %SystemDrive%\sqmdata05.sqm → [Ver = | Size = 268 bytes | Modified Date = 08/10/2007 6:51:32 PM | Attr = H ]
sqmnoopt01.sqm → %SystemDrive%\sqmnoopt01.sqm → [Ver = | Size = 244 bytes | Modified Date = 07/10/2007 11:35:50 PM | Attr = H ]
sqmnoopt02.sqm → %SystemDrive%\sqmnoopt02.sqm → [Ver = | Size = 244 bytes | Modified Date = 08/10/2007 12:11:14 PM | Attr = H ]
sqmnoopt03.sqm → %SystemDrive%\sqmnoopt03.sqm → [Ver = | Size = 244 bytes | Modified Date = 08/10/2007 4:24:40 PM | Attr = H ]
sqmnoopt04.sqm → %SystemDrive%\sqmnoopt04.sqm → [Ver = | Size = 244 bytes | Modified Date = 08/10/2007 4:36:44 PM | Attr = H ]
sqmnoopt05.sqm → %SystemDrive%\sqmnoopt05.sqm → [Ver = | Size = 244 bytes | Modified Date = 08/10/2007 6:51:32 PM | Attr = H ]
System Volume Information → %SystemDrive%\System Volume Information → [Folder | Modified Date = 08/10/2007 4:07:26 PM | Attr = HS]
VundoFix Backups → %SystemDrive%\VundoFix Backups → [Folder | Modified Date = 08/10/2007 1:01:16 AM | Attr = ]
WINDOWS → %SystemRoot% → [Folder | Modified Date = 08/10/2007 6:09:50 PM | Attr = ]
_OTMoveIt → %SystemDrive%\_OTMoveIt → [Folder | Modified Date = 08/10/2007 5:45:30 PM | Attr = ]
$hf_mig$ → %SystemRoot%\$hf_mig$ → [Folder | Modified Date = 08/10/2007 5:16:20 PM | Attr = H ]
$NtUninstallKB896344$ → %SystemRoot%\$NtUninstallKB896344$ → [Folder | Modified Date = 08/10/2007 5:19:36 PM | Attr = H ]
$NtUninstallKB904942$ → %SystemRoot%\$NtUninstallKB904942$ → [Folder | Modified Date = 08/10/2007 5:29:40 PM | Attr = H ]
$NtUninstallKB920342$ → %SystemRoot%\$NtUninstallKB920342$ → [Folder | Modified Date = 08/10/2007 5:29:52 PM | Attr = H ]
$NtUninstallWIC$ → %SystemRoot%\$NtUninstallWIC$ → [Folder | Modified Date = 08/10/2007 5:30:30 PM | Attr = H ]
assembly → %SystemRoot%\assembly → [Folder | Modified Date = 08/10/2007 7:11:34 PM | Attr = R S]
bootstat.dat → %SystemRoot%\bootstat.dat → [Ver = | Size = 2048 bytes | Modified Date = 08/10/2007 6:08:58 PM | Attr = S]
catchme.exe → %SystemRoot%\catchme.exe → [Ver = | Size = 135168 bytes | Modified Date = 28/09/2007 9:06:10 AM | Attr = ]
Downloaded Program Files → %SystemRoot%\Downloaded Program Files → [Folder | Modified Date = 08/10/2007 4:55:12 PM | Attr = S]
erdnt → %SystemRoot%\erdnt → [Folder | Modified Date = 08/10/2007 4:30:30 PM | Attr = ]
Fonts → %SystemRoot%\Fonts → [Folder | Modified Date = 08/10/2007 5:33:44 PM | Attr = R S]
imsins.BAK → %SystemRoot%\imsins.BAK → [Ver = | Size = 1374 bytes | Modified Date = 08/10/2007 5:30:08 PM | Attr = ]
inf → %SystemRoot%\inf → [Folder | Modified Date = 08/10/2007 5:31:44 PM | Attr = H ]
Installer → %SystemRoot%\Installer → [Folder | Modified Date = 08/10/2007 5:39:56 PM | Attr = HS]
Microsoft.NET → %SystemRoot%\Microsoft.NET → [Folder | Modified Date = 08/10/2007 7:11:40 PM | Attr = ]
Prefetch → %SystemRoot%\Prefetch → [Folder | Modified Date = 08/10/2007 4:06:36 PM | Attr = ]
QTFont.for → %SystemRoot%\QTFont.for → [Ver = | Size = 1409 bytes | Modified Date = 08/10/2007 3:15:58 PM | Attr = ]
QTFont.qfn → %SystemRoot%\QTFont.qfn → [Ver = | Size = 54156 bytes | Modified Date = 08/10/2007 6:37:56 PM | Attr = H ]
SoftwareDistribution → %SystemRoot%\SoftwareDistribution → [Folder | Modified Date = 08/10/2007 4:56:16 PM | Attr = ]
system32 → %System32% → [Folder | Modified Date = 08/10/2007 7:40:32 PM | Attr = ]
Temp → %SystemRoot%\Temp → [Folder | Modified Date = 08/10/2007 6:21:00 PM | Attr = ]
wininit.ini → %SystemRoot%\wininit.ini → [Ver = | Size = 223 bytes | Modified Date = 08/10/2007 12:19:28 AM | Attr = ]
WinSxS → %SystemRoot%\WinSxS → [Folder | Modified Date = 08/10/2007 5:24:58 PM | Attr = ]
SA.DAT → %SystemRoot%\tasks\SA.DAT → [Ver = | Size = 6 bytes | Modified Date = 08/10/2007 6:09:26 PM | Attr = H ]
CatRoot2 → %System32%\CatRoot2 → [Folder | Modified Date = 08/10/2007 5:29:48 PM | Attr = ]
config → %System32%\config → [Folder | Modified Date = 08/10/2007 4:31:40 PM | Attr = ]
CONFIG.NT → %System32%\CONFIG.NT → [Ver = | Size = 2626 bytes | Modified Date = 08/10/2007 2:29:26 AM | Attr = ]
dllcache → %System32%\dllcache → [Folder | Modified Date = 08/10/2007 5:31:18 PM | Attr = RHS]
drivers → %System32%\drivers → [Folder | Modified Date = 08/10/2007 6:12:58 PM | Attr = ]
en-US → %System32%\en-US → [Folder | Modified Date = 08/10/2007 5:33:48 PM | Attr = ]
FNTCACHE.DAT → %System32%\FNTCACHE.DAT → [Ver = | Size = 158752 bytes | Modified Date = 08/10/2007 6:08:56 PM | Attr = ]
FxsTmp → %System32%\FxsTmp → [Folder | Modified Date = 08/10/2007 6:24:32 PM | Attr = ]
perfc009.dat → %System32%\perfc009.dat → [Ver = | Size = 71198 bytes | Modified Date = 08/10/2007 5:39:34 PM | Attr = ]
perfh009.dat → %System32%\perfh009.dat → [Ver = | Size = 438270 bytes | Modified Date = 08/10/2007 5:39:34 PM | Attr = ]
PerfStringBackup.INI → %System32%\PerfStringBackup.INI → [Ver = | Size = 516442 bytes | Modified Date = 08/10/2007 5:39:34 PM | Attr = ]
Restore → %System32%\Restore → [Folder | Modified Date = 08/10/2007 4:07:26 PM | Attr = ]
rqtss.bak2 → %System32%\rqtss.bak2 → [Ver = | Size = 13179 bytes | Modified Date = 08/10/2007 6:19:50 PM | Attr = HS]
rqtss.ini → %System32%\rqtss.ini → [Ver = | Size = 387447 bytes | Modified Date = 08/10/2007 1:50:12 PM | Attr = HS]
rqtss.ini2 → %System32%\rqtss.ini2 → [Ver = | Size = 15548 bytes | Modified Date = 08/10/2007 7:40:32 PM | Attr = HS]
rqtss.tmp → %System32%\rqtss.tmp → [Ver = | Size = 394864 bytes | Modified Date = 08/10/2007 4:17:20 PM | Attr = HS]
spool → %System32%\spool → [Folder | Modified Date = 08/10/2007 5:31:30 PM | Attr = ]
sstqr.dll → %System32%\sstqr.dll → [Ver = | Size = 325728 bytes | Modified Date = 06/10/2007 4:29:50 PM | Attr = ]
swreg.exe → %System32%\swreg.exe → SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 05/10/2007 10:07:32 AM | Attr = ]
usmt → %System32%\usmt → [Folder | Modified Date = 08/10/2007 5:19:50 PM | Attr = ]
wpa.dbl → %System32%\wpa.dbl → [Ver = | Size = 2206 bytes | Modified Date = 08/10/2007 6:10:52 PM | Attr = ]
XPSViewer → %System32%\XPSViewer → [Folder | Modified Date = 08/10/2007 5:33:52 PM | Attr = ]
etc → %System32%\drivers\etc → [Folder | Modified Date = 08/10/2007 4:34:08 PM | Attr = ]
tmcomm.sys → %System32%\drivers\tmcomm.sys → Trend Micro Inc. [Ver = 1.6.0.1059 | Size = 102664 bytes | Modified Date = 07/10/2007 2:18:38 PM | Attr = ]

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 , → %System32%\aswBoot.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 801144 bytes | Modified Date = 06/09/2007 3:09:50 AM | Attr = ]
UPX! , UPX0 , → %System32%\avisynth.dll → The Public [Ver = 2, 5, 6, 0 | Size = 308224 bytes | Modified Date = 07/10/2005 10:14:52 AM | Attr = ]
PEC2 , → %System32%\dfrg.msc → [Ver = | Size = 41397 bytes | Modified Date = 04/08/2004 4:00:00 AM | Attr = ]
UPX! , UPX0 , → %System32%\swreg.exe → SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 05/10/2007 10:07:32 AM | Attr = ]
winsync , → %System32%\wbdbase.deu → [Ver = | Size = 1309184 bytes | Modified Date = 04/08/2004 4:00:00 AM | Attr = ]

< End of report >

Yeah, running it isn’t too bad but analysing it can take a little while. I’ll be back …

What, analysing hundreds of lines of information takes time!!! :wink:

Thank you!

Well there is a tool to make it easier. Not gone as long as you expected, was I? :stuck_out_tongue:

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.

[Files/Folders - Created Within 30 days]
NY -> rqtss.bak2 -> %System32%\rqtss.bak2
NY -> rqtss.ini -> %System32%\rqtss.ini
NY -> rqtss.ini2 -> %System32%\rqtss.ini2
NY -> rqtss.tmp -> %System32%\rqtss.tmp
NY -> sstqr.dll -> %System32%\sstqr.dll
[Files/Folders - Modified Within 30 days]
NY -> imsins.BAK -> %SystemRoot%\imsins.BAK
NY -> rqtss.bak2 -> %System32%\rqtss.bak2
NY -> rqtss.ini -> %System32%\rqtss.ini
NY -> rqtss.ini2 -> %System32%\rqtss.ini2
NY -> rqtss.tmp -> %System32%\rqtss.tmp
NY -> sstqr.dll -> %System32%\sstqr.dll

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix, which you should post in your next response. Don’t worry if some of the files are not found - there are duplicates.

Also let me know of any problems you encounter performing these steps or any continuing problems you are having with the computer.

After running that fix, download ERUNT from here and back up your entire registry:

http://www.snapfiles.com/get/erunt.html

Now we will create a registry fix to delete the Vundo BHO.

Copy and paste ALL of the information below in the quote box below to a notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE > ALL FILES
In the FILE NAME box type fix.reg and save the file - this will create a fix.reg file on your desktop.

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

After merging this into your registry, reboot and post a new WinPFind log.
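
The fix list above pairs a vendorless BHO DLL in %System32% (`sstqr.dll`) with hidden/system files whose base name is that DLL's name reversed (`rqtss.*`). As an added example (not part of the original thread and not WinPFind3U's own code), this Python script parses lines in the log's format and reports that pairing; the heuristics it uses (empty vendor field, %System32% path, H and S attributes, reversed stem) are assumptions drawn from this one log.

```python
import re

ARROW = "→"

# Excerpt: lines copied from the WinPFind3U log quoted in this thread.
SAMPLE_LOG = r"""
< BHO’s > → HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ →
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] → %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll → Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 31/05/2005 2:04:00 AM | Attr = ]
{7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] → Reg Data - Key not found [Reg Data - Key not found] → File not found
{84BB2E13-1A0A-4247-B9D1-735D06771FA8} [HKLM] → %System32%\sstqr.dll [Reg Data - Value does not exist] → [Ver = | Size = 325728 bytes | Modified Date = 06/10/2007 4:29:50 PM | Attr = ]
[Files/Folders - Created Within 30 days]
hiberfil.sys → %SystemDrive%\hiberfil.sys → [Ver = | Size = 1064763392 bytes | Created Date = 01/01/1601 8:00:00 AM | Attr = HS]
rqtss.bak2 → %System32%\rqtss.bak2 → [Ver = | Size = 13179 bytes | Created Date = 08/10/2007 5:11:05 PM | Attr = HS]
rqtss.ini → %System32%\rqtss.ini → [Ver = | Size = 387447 bytes | Created Date = 08/10/2007 3:33:39 PM | Attr = HS]
sstqr.dll → %System32%\sstqr.dll → [Ver = | Size = 325728 bytes | Created Date = 06/10/2007 3:29:35 PM | Attr = ]
swreg.exe → %System32%\swreg.exe → SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Created Date = 08/10/2007 3:06:55 PM | Attr = ]
[Files/Folders - Modified Within 30 days]
rqtss.bak2 → %System32%\rqtss.bak2 → [Ver = | Size = 13179 bytes | Modified Date = 08/10/2007 6:19:50 PM | Attr = HS]
rqtss.ini2 → %System32%\rqtss.ini2 → [Ver = | Size = 15548 bytes | Modified Date = 08/10/2007 7:40:32 PM | Attr = HS]
"""

# Trailing metadata block: optional vendor, then "[Ver = ... | Attr = ...]" or "[Folder | ...]".
META = re.compile(r"^(?P<vendor>.*?)\s*\[(?P<body>(?:Ver|Folder)\b.*)\]\s*$")


def parse_log(text):
    """Yield (section, entry) for every line that carries a file metadata block."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] in "<[":  # "< Section >" or "[Section]" header
            end = line.find(">" if line[0] == "<" else "]")
            if end != -1:
                section = line[1:end].strip()
            continue
        parts = [p.strip() for p in line.split(ARROW)]
        if len(parts) < 3:
            continue
        m = META.match(parts[2])
        if not m:  # e.g. "File not found"
            continue
        fields = {}
        for item in m.group("body").split("|"):
            key, _, val = item.partition("=")
            fields[key.strip()] = val.strip()
        # Drop a trailing "[Reg Data - ...]" / "[Class name]" note from the path field.
        path = re.sub(r"\s*\[[^\]]*\]\s*$", "", parts[1])
        yield section, {"path": path, "vendor": m.group("vendor"),
                        "attr": fields.get("Attr", "")}


def stem(path):
    """Lower-cased file name up to its first dot: '%System32%\\rqtss.ini2' -> 'rqtss'."""
    return path.rsplit("\\", 1)[-1].split(".", 1)[0].lower()


def find_reversed_name_companions(text):
    """Map each vendorless %System32% BHO DLL to hidden+system files named with its stem reversed."""
    entries = list(parse_log(text))
    suspects = {e["path"] for sec, e in entries
                if sec.upper().startswith("BHO")
                and e["path"].lower().startswith("%system32%\\")
                and not e["vendor"]}
    result = {}
    for dll in sorted(suspects):
        mirror = stem(dll)[::-1]
        hits = {e["path"] for _, e in entries
                if stem(e["path"]) == mirror and {"H", "S"} <= set(e["attr"])}
        result[dll] = sorted(hits)
    return result


if __name__ == "__main__":
    for dll, companions in find_reversed_name_companions(SAMPLE_LOG).items():
        print(dll)
        for path in companions:
            print("   companion:", path)
```

A hit is a lead for manual review, not a verdict: the entries still need to be checked against the rest of the log before anything is moved.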

WinPFind3U fix log: (the fix ended by prompting me for a reboot, which I followed)

[Files/Folders - Created Within 30 days]
C:\WINDOWS\SYSTEM32\rqtss.bak2 moved successfully.
C:\WINDOWS\SYSTEM32\rqtss.ini moved successfully.
C:\WINDOWS\SYSTEM32\rqtss.ini2 moved successfully.
C:\WINDOWS\SYSTEM32\rqtss.tmp moved successfully.
File move failed. C:\WINDOWS\SYSTEM32\sstqr.dll scheduled to be moved on reboot.
[Files/Folders - Modified Within 30 days]
C:\WINDOWS\imsins.BAK moved successfully.
File C:\WINDOWS\SYSTEM32\rqtss.bak2 not found!
File C:\WINDOWS\SYSTEM32\rqtss.ini not found!
File C:\WINDOWS\SYSTEM32\rqtss.ini2 not found!
File C:\WINDOWS\SYSTEM32\rqtss.tmp not found!
File move failed. C:\WINDOWS\SYSTEM32\sstqr.dll scheduled to be moved on reboot.
< End of log >
Created on 10/08/2007 20:41:47

Now for ERUNT…

WinPFind log:

WinPFind3 logfile created on: 08/10/2007 8:57:58 PM
WinPFind3U by OldTimer - Version 1.0.42 Folder = C:\Documents and Settings\Kimberley\Desktop\WinPFind3u
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)

1015.37 Mb Total Physical Memory | 606.00 Mb Available Physical Memory | 59.68% Memory free
2.39 Gb Paging File | 2.06 Gb Available in Paging File | 86.25% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 90.09 Gb Total Space | 24.23 Gb Free Space | 26.89% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: MAGNETAR
Current User Name: Kimberley
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - Non-Microsoft Only]
1xconfig.exe → %ProgramFiles%\Intel\Wireless\Bin\1XConfig.exe → Intel [Ver = 9, 0, 1, 33 | Size = 245760 bytes | Modified Date = 07/09/2004 3:03:40 PM | Attr = ]
a2service.exe → %ProgramFiles%\VirusCrap\a-squared Free\a2service.exe → Emsi Software GmbH [Ver = 3.0.0.345 | Size = 217208 bytes | Modified Date = 31/08/2007 8:24:24 PM | Attr = ]
aawservice.exe → %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe → Lavasoft AB [Ver = 7, 0, 2, 3 | Size = 574808 bytes | Modified Date = 25/09/2007 9:00:46 AM | Attr = ]
apntex.exe → %ProgramFiles%\Apoint\ApntEx.exe → Alps Electric Co., Ltd. [Ver = 5.5.1.19 | Size = 45056 bytes | Modified Date = 19/08/2004 1:40:08 PM | Attr = ]
apoint.exe → %ProgramFiles%\Apoint\Apoint.exe → Alps Electric Co., Ltd. [Ver = 5.5.101.141 | Size = 155648 bytes | Modified Date = 13/09/2004 3:33:20 PM | Attr = ]
ashdisp.exe → %ProgramFiles%\VirusCrap\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 06/09/2007 3:06:10 AM | Attr = ]
ashmaisv.exe → %ProgramFiles%\VirusCrap\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 06/09/2007 3:05:42 AM | Attr = ]
ashserv.exe → %ProgramFiles%\VirusCrap\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 06/09/2007 3:06:04 AM | Attr = ]
ashwebsv.exe → %ProgramFiles%\VirusCrap\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 06/09/2007 3:04:44 AM | Attr = ]
aswupdsv.exe → %ProgramFiles%\VirusCrap\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 06/09/2007 2:54:58 AM | Attr = ]
dlg.exe → %ProgramFiles%\Digital Line Detect\DLG.exe → BVRP Software [Ver = 1, 0, 0, 1 | Size = 24576 bytes | Modified Date = 29/10/2003 2:06:00 AM | Attr = ]
dvdlauncher.exe → %ProgramFiles%\CyberLink\PowerDVD\DVDLauncher.exe → CyberLink Corp. [Ver = 3.00.0000 | Size = 53248 bytes | Modified Date = 23/02/2005 3:19:56 PM | Attr = ]
evteng.exe → %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe → Intel Corporation [Ver = 9, 0, 1, 12 | Size = 86016 bytes | Modified Date = 07/09/2004 3:02:40 PM | Attr = ]
hkcmd.exe → %System32%\hkcmd.exe → Intel Corporation [Ver = 3.0.0.4363 | Size = 77824 bytes | Modified Date = 19/07/2005 10:06:12 PM | Attr = ]
ifrmewrk.exe → %ProgramFiles%\Intel\Wireless\Bin\iFrmewrk.exe → Intel Corporation [Ver = 9, 0, 1, 19 | Size = 385024 bytes | Modified Date = 30/10/2004 1:59:54 PM | Attr = ]
igfxpers.exe → %System32%\igfxpers.exe → Intel Corporation [Ver = 3.0.0.4363 | Size = 114688 bytes | Modified Date = 19/07/2005 10:10:06 PM | Attr = ]
igfxsrvc.exe → %System32%\igfxsrvc.exe → Intel Corporation [Ver = 3.0.0.4363 | Size = 159744 bytes | Modified Date = 19/07/2005 10:06:04 PM | Attr = ]
ipodservice.exe → %ProgramFiles%\iPod\bin\iPodService.exe → Apple Inc. [Ver = 7.1.1.5 | Size = 500800 bytes | Modified Date = 14/03/2007 7:05:42 PM | Attr = ]
issch.exe → %CommonProgramFiles%\InstallShield\UpdateService\issch.exe → InstallShield Software Corporation [Ver = 3, 10, 100, 1155 | Size = 81920 bytes | Modified Date = 27/07/2004 3:50:18 PM | Attr = ]
ituneshelper.exe → %ProgramFiles%\iTunes\iTunesHelper.exe → Apple Inc. [Ver = 7.1.1.5 | Size = 257088 bytes | Modified Date = 14/03/2007 7:05:48 PM | Attr = ]
jusched.exe → %ProgramFiles%\Java\j2re1.4.2_03\bin\jusched.exe → [Ver = | Size = 32881 bytes | Modified Date = 19/11/2003 4:48:14 PM | Attr = ]
nicconfigsvc.exe → %ProgramFiles%\Dell\NICCONFIGSVC\NICCONFIGSVC.exe → Dell Inc. [Ver = 1, 0, 0, 1 | Size = 356352 bytes | Modified Date = 09/06/2005 7:53:18 AM | Attr = ]
pcmservice.exe → %ProgramFiles%\Dell\Media Experience\PCMService.exe → CyberLink Corp. [Ver = 1.0.1611 | Size = 290816 bytes | Modified Date = 11/04/2004 7:15:14 PM | Attr = ]
qttask.exe → %ProgramFiles%\QuickTime\qttask.exe → Apple Computer, Inc. [Ver = 7.1.5 | Size = 282624 bytes | Modified Date = 16/02/2007 10:54:04 AM | Attr = ]
quickset.exe → %ProgramFiles%\Dell\QuickSet\quickset.exe → [Ver = 0, 5, 5, 0 | Size = 684032 bytes | Modified Date = 01/09/2005 4:24:08 PM | Attr = ]
reader_sl.exe → %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe → Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 23/09/2005 10:05:26 PM | Attr = ]
realplay.exe → %ProgramFiles%\Real\RealPlayer\realplay.exe → RealNetworks, Inc. [Ver = 6.0.9.584 | Size = 26112 bytes | Modified Date = 30/12/2005 9:29:02 PM | Attr = ]
regsrvc.exe → %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe → Intel Corporation [Ver = 9, 0, 1, 10 | Size = 139264 bytes | Modified Date = 07/09/2004 3:02:04 PM | Attr = ]
s24evmon.exe → %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe → Intel Corporation [Ver = 9, 0, 1, 41 | Size = 360521 bytes | Modified Date = 07/09/2004 3:05:10 PM | Attr = ]
superantispyware.exe → %ProgramFiles%\VirusCrap\SuperAntiSpyware\SUPERAntiSpyware.exe → SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 21/06/2007 2:06:28 PM | Attr = ]
tosbtmng1.exe → %ProgramFiles%\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe → [Ver = | Size = 45056 bytes | Modified Date = 22/12/2004 12:42:22 PM | Attr = ]
winpfind3u.exe → %UserDesktop%\WinPFind3u\WinPFind3U.exe → OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 04/09/2007 10:47:26 AM | Attr = ]
wlkeeper.exe → %ProgramFiles%\Intel\Wireless\Bin\WLKEEPER.exe → Intel® Corporation [Ver = 9, 0, 1, 14 | Size = 225353 bytes | Modified Date = 07/09/2004 3:12:32 PM | Attr = ]
zcfgsvc.exe → %ProgramFiles%\Intel\Wireless\Bin\ZCfgSvc.exe → Intel Corporation [Ver = 9, 0, 1, 45 | Size = 389120 bytes | Modified Date = 07/09/2004 3:08:02 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(a2free) a-squared Free Service [Win32_Own | Auto | Running] → %ProgramFiles%\VirusCrap\a-squared Free\a2service.exe → Emsi Software GmbH [Ver = 3.0.0.345 | Size = 217208 bytes | Modified Date = 31/08/2007 8:24:24 PM | Attr = ]
(aawservice) Ad-Aware 2007 Service [Win32_Own | Auto | Running] → %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe → Lavasoft AB [Ver = 7, 0, 2, 3 | Size = 574808 bytes | Modified Date = 25/09/2007 9:00:46 AM | Attr = ]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] → %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe → Adobe Systems [Ver = 2.67.010 | Size = 72704 bytes | Modified Date = 02/04/2006 3:10:34 PM | Attr = ]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] → %ProgramFiles%\VirusCrap\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 06/09/2007 2:54:58 AM | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] → %ProgramFiles%\VirusCrap\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 06/09/2007 3:06:04 AM | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\VirusCrap\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 06/09/2007 3:05:42 AM | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\VirusCrap\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 06/09/2007 3:04:44 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] → %System32%\dmadmin.exe → Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 04/08/2004 4:00:00 AM | Attr = ]
(EvtEng) EvtEng [Win32_Own | Auto | Running] → %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe → Intel Corporation [Ver = 9, 0, 1, 12 | Size = 86016 bytes | Modified Date = 07/09/2004 3:02:40 PM | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] → %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe → Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 04/04/2005 1:41:10 AM | Attr = ]
(idsvc) Windows CardSpace [Win32_Shared | Unknown | Stopped] → → File not found
(iPod Service) iPod Service [Win32_Own | On_Demand | Running] → %ProgramFiles%\iPod\bin\iPodService.exe → Apple Inc. [Ver = 7.1.1.5 | Size = 500800 bytes | Modified Date = 14/03/2007 7:05:42 PM | Attr = ]
(NICCONFIGSVC) NICCONFIGSVC [Win32_Own | Auto | Running] → %ProgramFiles%\Dell\NICCONFIGSVC\NICCONFIGSVC.exe → Dell Inc. [Ver = 1, 0, 0, 1 | Size = 356352 bytes | Modified Date = 09/06/2005 7:53:18 AM | Attr = ]
(RegSrvc) RegSrvc [Win32_Own | Auto | Running] → %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe → Intel Corporation [Ver = 9, 0, 1, 10 | Size = 139264 bytes | Modified Date = 07/09/2004 3:02:04 PM | Attr = ]
(S24EventMonitor) Spectrum24 Event Monitor [Win32_Own | Auto | Running] → %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe → Intel Corporation [Ver = 9, 0, 1, 41 | Size = 360521 bytes | Modified Date = 07/09/2004 3:05:10 PM | Attr = ]
(WLANKEEPER) WLANKEEPER [Win32_Own | Auto | Running] → %ProgramFiles%\Intel\Wireless\Bin\WLKEEPER.exe → Intel® Corporation [Ver = 9, 0, 1, 14 | Size = 225353 bytes | Modified Date = 07/09/2004 3:12:32 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
Apoint → %ProgramFiles%\Apoint\Apoint.exe → Alps Electric Co., Ltd. [Ver = 5.5.101.141 | Size = 155648 bytes | Modified Date = 13/09/2004 3:33:20 PM | Attr = ]
avast! → %ProgramFiles%\VirusCrap\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 06/09/2007 3:06:10 AM | Attr = ]
Dell QuickSet → %ProgramFiles%\Dell\QuickSet\quickset.exe → [Ver = 0, 5, 5, 0 | Size = 684032 bytes | Modified Date = 01/09/2005 4:24:08 PM | Attr = ]
DVDLauncher → %ProgramFiles%\CyberLink\PowerDVD\DVDLauncher.exe → CyberLink Corp. [Ver = 3.00.0000 | Size = 53248 bytes | Modified Date = 23/02/2005 3:19:56 PM | Attr = ]
igfxhkcmd → %System32%\hkcmd.exe → Intel Corporation [Ver = 3.0.0.4363 | Size = 77824 bytes | Modified Date = 19/07/2005 10:06:12 PM | Attr = ]
igfxpers → %System32%\igfxpers.exe → Intel Corporation [Ver = 3.0.0.4363 | Size = 114688 bytes | Modified Date = 19/07/2005 10:10:06 PM | Attr = ]
igfxtray → %System32%\igfxtray.exe → Intel Corporation [Ver = 3.0.0.4363 | Size = 94208 bytes | Modified Date = 19/07/2005 10:09:26 PM | Attr = ]
IntelWireless → %ProgramFiles%\Intel\Wireless\Bin\iFrmewrk.exe → Intel Corporation [Ver = 9, 0, 1, 19 | Size = 385024 bytes | Modified Date = 30/10/2004 1:59:54 PM | Attr = ]
ISUSPM Startup → %CommonProgramFiles%\InstallShield\UpdateService\ISUSPM.exe → InstallShield Software Corporation [Ver = 3, 10, 100, 1155 | Size = 221184 bytes | Modified Date = 27/07/2004 3:50:42 PM | Attr = ]
ISUSScheduler → %CommonProgramFiles%\InstallShield\UpdateService\issch.exe → InstallShield Software Corporation [Ver = 3, 10, 100, 1155 | Size = 81920 bytes | Modified Date = 27/07/2004 3:50:18 PM | Attr = ]
iTunesHelper → %ProgramFiles%\iTunes\iTunesHelper.exe → Apple Inc. [Ver = 7.1.1.5 | Size = 257088 bytes | Modified Date = 14/03/2007 7:05:48 PM | Attr = ]
MSKDetectorExe → %ProgramFiles%\McAfee\SpamKiller\MSKDetct.exe → McAfee, Inc. [Ver = 7.0.1.6 | Size = 1121792 bytes | Modified Date = 12/08/2005 5:16:44 PM | Attr = ]
NeroCheck → %System32%\NeroCheck.exe → Ahead Software Gmbh [Ver = 1, 0, 0, 2 | Size = 155648 bytes | Modified Date = 09/07/2001 12:50:42 PM | Attr = ]
PCMService → %ProgramFiles%\Dell\Media Experience\PCMService.exe → CyberLink Corp. [Ver = 1.0.1611 | Size = 290816 bytes | Modified Date = 11/04/2004 7:15:14 PM | Attr = ]
QuickTime Task → %ProgramFiles%\QuickTime\qttask.exe → Apple Computer, Inc. [Ver = 7.1.5 | Size = 282624 bytes | Modified Date = 16/02/2007 10:54:04 AM | Attr = ]
RealTray → %ProgramFiles%\Real\RealPlayer\realplay.exe → RealNetworks, Inc. [Ver = 6.0.9.584 | Size = 26112 bytes | Modified Date = 30/12/2005 9:29:02 PM | Attr = ]
SunJavaUpdateSched → %ProgramFiles%\Java\j2re1.4.2_03\bin\jusched.exe → [Ver = | Size = 32881 bytes | Modified Date = 19/11/2003 4:48:14 PM | Attr = ]
< OptionalComponents [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ →
IMAIL → Installed = 1 →
MAPI → Installed = 1 →
MSFS → Installed = 1 →
< Run [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
SUPERAntiSpyware → %ProgramFiles%\VirusCrap\SuperAntiSpyware\SUPERAntiSpyware.exe → SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 21/06/2007 2:06:28 PM | Attr = ]
< Common Startup > → C:\Documents and Settings\All Users\Start Menu\Programs\Startup →
%AllUsersStartup%\Adobe Gamma.lnk → %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe → Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Modified Date = 16/03/2005 8:16:50 PM | Attr = ]
%AllUsersStartup%\Adobe Reader Speed Launch.lnk → %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe → Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 23/09/2005 10:05:26 PM | Attr = ]
%AllUsersStartup%\Bluetooth Manager.lnk → %ProgramFiles%\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe → [Ver = | Size = 45056 bytes | Modified Date = 22/12/2004 12:42:22 PM | Attr = ]
%AllUsersStartup%\Digital Line Detect.lnk → %ProgramFiles%\Digital Line Detect\DLG.exe → BVRP Software [Ver = 1, 0, 0, 1 | Size = 24576 bytes | Modified Date = 29/10/2003 2:06:00 AM | Attr = ]
< ShellExecuteHooks [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks →
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] → %ProgramFiles%\VirusCrap\SuperAntiSpyware\SASSEH.DLL SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 20/12/2006 1:55:48 PM | Attr = ]
< SecurityProviders [HKLM] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders →
< Winlogon settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon settings [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon\Notify settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ →
!SASWinLogon → %ProgramFiles%\VirusCrap\SuperAntiSpyware\SASWINLO.dll → SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 19/04/2007 1:41:36 PM | Attr = ]
igfxcui → %System32%\igfxdev.dll → Intel Corporation [Ver = 3.0.0.4363 | Size = 135168 bytes | Modified Date = 19/07/2005 10:05:16 PM | Attr = ]
IntelWireless → %ProgramFiles%\Intel\Wireless\Bin\LgNotify.dll → Intel Corporation [Ver = 9, 0, 1, 0 | Size = 110592 bytes | Modified Date = 07/09/2004 3:08:06 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveAutoRun → 67108863 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 255 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} → 1073741857 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1} → 32 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\shutdownwithoutlogon → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\undockwithoutlogon → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ → →
< CurrentVersion Policy Settings [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 145 →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ → →
< HOSTS File > (27 bytes) → C:\WINDOWS\System32\drivers\etc\Hosts →
127.0.0.1 localhost → →

< Internet Explorer Settings > → →
HKLM: Default_Page_URL → http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM: Main\Default_Search_URL → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM: Local Page → C:\windows\system32\blank.htm →
HKLM: Search Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM: Start Page → http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM: CustomizeSearch → http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM: Search\Default_Search_URL → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM: SearchAssistant → http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKCU: Default_Search_URL → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU: Local Page → C:\windows\system32\blank.htm →
HKCU: Search Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU: Start Page → http://www.globeandmail.com/
HKCU: ProxyEnable → 0 →
< Trusted Sites > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
msn.com [ - ] → →
< BHO’s > → HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ →
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] → %ProgramFiles%\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] → File not found
{1A031B59-131C-462C-B461-5B0C517B570B} [HKLM] → %System32%\sstqr.dll [Reg Data - Value does not exist] → [Ver = | Size = 325728 bytes | Modified Date = 06/10/2007 4:29:50 PM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] → %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll → Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 31/05/2005 2:04:00 AM | Attr = ]
{7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] → Reg Data - Key not found [Reg Data - Key not found] → File not found
< Internet Explorer ToolBars [HKCU] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ →
ShellBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] → Reg Data - Key not found [Reg Data - Key not found] → File not found
< Internet Explorer Extensions [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ →
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] → Reg Data - Key not found [MenuText: Sun Java Console] → File not found
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} → %ProgramFiles%\AIM\aim.exe [ButtonText: AIM] → America Online, Inc. [Ver = 5.9.3861 | Size = 67160 bytes | Modified Date = 05/08/2005 3:08:26 PM | Attr = ]
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} → Reg Data - Value does not exist [ButtonText: Real.com] → File not found
< Internet Explorer Menu Extensions [HKCU] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ →
E&xport to Microsoft Excel → → File not found
< DNS Name Servers [HKLM] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ →
{71B36D95-4FB0-4D5F-BBE3-714F9CF67B4F} → (Intel(R) PRO/Wireless 2915ABG Network Connection) →
{932326F7-8F71-45F0-AF82-8A7F3E47BF6D} → (1394 Net Adapter) →
{D72795FF-6CCF-4907-B6CA-431643361D19} → (Broadcom 440x 10/100 Integrated Controller) →
< Protocol Handlers [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ →
ipp → Reg Data - Key not found → File not found
msdaipp → Reg Data - Key not found → File not found
< Downloaded Program Files > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ →
{14B87622-7E19-4EA8-93B3-97215F77A6BC} → MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} → - CodeBase = http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} → MSN Photo Upload Tool - CodeBase = http://by137fd.bay137.hotmail.msn.com/resources/MsnPUpld.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} → Java Plug-in 1.4.2_03 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} → MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
{B8BE5E93-A60C-4D26-A2DC-220313175592} → ZoneIntro Class - CodeBase = http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
{C3F79A2B-B9B4-4A66-B012-3EE46475B072} → MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} → Java Plug-in 1.4.2_03 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} → - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
{F6BF0D00-0B2A-4A75-BF7B-F385591623AF} → Solitaire Showdown Class - CodeBase = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab