multiple problems including keyboard issues & browser hijack attempts

system · 2008-02-15T02:29:46.000Z

part two of deckards

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\RABCO\RABCO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: (no name) - {ECC79C4F-7986-4420-B111-27DBFFEBD2A8} - C:\Program Files\Windows Media Player\qasuza89104.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\Toolbar.dll
O4 - HKLM..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM..\Run: [TFNF5] TFNF5.exe
O4 - HKLM..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM..\Run: [TPSMain] TPSMain.exe
O4 - HKLM..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM..\Run: [B’sCLiP] C:\PROGRA~1\B’SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM..\Run: [AirCardEnabler] C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [gcasServ] “C:\Program Files\Microsoft AntiSpyware\gcasServ.exe”
O4 - HKLM..\Run: [type32] “C:\Program Files\Microsoft IntelliType Pro\type32.exe”
O4 - HKLM..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM..\Run: [TFncKy] TFncKy.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU..\Run: [SpySweeper] “C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe” /0
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: j2 DllCmd 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: j2 Live Menu 3.2.lnk = C:\Program Files\j2 Messenger 3.2\J2GDllCmd.exe
O4 - Global Startup: j2 Tray Menu 3.2.lnk = C:\Program Files\j2 Messenger 3.2\J2GTray.exe
O4 - Global Startup: j2 Tray Menu 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page… - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.onerateld.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

system · 2008-02-15T02:30:27.000Z

part three of deckards

–
End of file - 9838 bytes

– Files created between 2008-01-14 and 2008-02-14 -----------------------------

2008-02-14 09:33:53 0 d-------- C:\Program Files\RABCO
2008-02-14 09:33:23 0 d-------- C:\WINDOWS\system32\wd11
2008-02-14 09:33:23 0 d-------- C:\WINDOWS\system32\kp9
2008-02-14 09:33:11 0 d-------- C:\WINDOWS\system32\vb6
2008-02-14 09:33:11 0 d-------- C:\WINDOWS\system32\bk5
2008-02-14 09:28:48 0 d-------- C:\WINDOWS\system32\nGpxx01
2008-02-10 17:27:38 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-10 17:27:38 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-10 17:27:38 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-10 17:27:38 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-09 16:32:52 0 d-------- C:\Documents and Settings\Carrie.housecall6.6
2008-02-05 14:06:00 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-05 14:05:47 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-05 14:05:46 0 d-------- C:\Documents and Settings\Carrie\Application Data\SUPERAntiSpyware.com
2008-02-05 13:56:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-30 03:40:56 0 d-------- C:\Program Files\Trend Micro

– Find3M Report ---------------------------------------------------------------

2008-02-14 15:59:05 0 d-------- C:\Program Files\Microsoft AntiSpyware
2008-02-10 14:40:02 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-05 14:02:24 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-25 19:27:24 0 d-------- C:\Program Files\SpywareBlaster
2008-01-20 01:33:24 0 d-------- C:\Program Files\Winamp
2008-01-09 13:29:10 0 d-------- C:\Program Files\Google
2008-01-05 15:55:20 0 d-------- C:\Program Files\Juno
2007-12-29 16:15:57 0 d–h----- C:\Program Files\InstallShield Installation Information

– Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{1C2E5D27-A17C-4D89-85DD-3553C189380D}]
01/30/2008 02:02 PM 414992 --a------ C:\Program Files\RABCO\RABCO.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{ECC79C4F-7986-4420-B111-27DBFFEBD2A8}]
02/07/2008 08:07 PM 217088 --a------ C:\Program Files\Windows Media Player\qasuza89104.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“00THotkey”=“C:\WINDOWS\System32\00THotkey.exe” [04/15/2003 11:01 PM]
“000StTHK”=“000StTHK.exe” [06/23/2001 11:28 PM C:\WINDOWS\system32\000StTHK.exe]
“SunJavaUpdateSched”=“C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe” [02/06/2004 07:31 PM]
“AGRSMMSG”=“AGRSMMSG.exe” [04/18/2003 02:20 PM C:\WINDOWS\agrsmmsg.exe]
“SynTPLpr”=“C:\Program Files\Synaptics\SynTP\SynTPLpr.exe” [05/30/2003 10:25 PM]
“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [05/30/2003 10:23 PM]
“TouchED”=“C:\Program Files\TOSHIBA\TouchED\TouchED.Exe” [01/21/2003 09:00 PM]
“TFNF5”=“TFNF5.exe” [07/18/2003 08:41 PM C:\WINDOWS\system32\TFNF5.exe]
“ezShieldProtector for Px”=“C:\WINDOWS\System32\ezSP_Px.exe” [08/20/2002 01:29 PM]
“TPSMain”=“TPSMain.exe” [09/25/2003 01:19 PM C:\WINDOWS\system32\TPSMain.exe]
“Pinger”=“c:\toshiba\ivp\ism\pinger.exe” [10/20/2003 11:39 AM]
“B’sCLiP”=“C:\PROGRA~1\B’SCLI~1\Win2K\BSCLIP.exe” [02/04/2004 08:43 AM]
“PRONoMgr.exe”=“c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe” [12/10/2003 04:36 AM]
“SpyBlocker”=“C:\Program Files\SpyBlocker Software\spyblocker.exe”
“AirCardEnabler”=“C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe” [10/09/2003 04:20 PM]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [08/18/2004 09:34 AM]
“gcasServ”=“C:\Program Files\Microsoft AntiSpyware\gcasServ.exe” [06/24/2005 02:24 PM]
“type32”=“C:\Program Files\Microsoft IntelliType Pro\type32.exe” [06/03/2004 03:51 AM]
“Picasa Media Detector”=“C:\Program Files\Picasa2\PicasaMediaDetector.exe” [02/04/2005 06:32 PM]
“NvCplDaemon”=“C:\WINDOWS\System32\NvCpl.dll” [09/24/2003 09:00 PM]
“SigmaTel StacMon”=“C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe” [08/03/2003 07:01 PM]
“TFncKy”=“TFncKy.exe”
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [12/04/2007 08:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“TOSCDSPD”=“C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe” [09/05/2003 06:24 AM]
“SpySweeper”=“C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe”
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [08/04/2004 02:56 AM]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe”
“SUPERAntiSpyware”=“C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [06/21/2007 02:06 PM]

C:\Documents and Settings\Carrie\Start Menu\Programs\Startup
RABCO - Auto Update.lnk - C:\Program Files\RABCO\RABCOse.exe [2/14/2008 9:33:27 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [6/13/2004 8:15:19 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 4:44:06 AM]
HP Digital Imaging Monitor.lnk.disabled [6/2/2007 6:01:28 PM]
j2 DllCmd 4.0.lnk - C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe [1/20/2006 7:38:46 PM]
j2 Live Menu 3.2.lnk - C:\Program Files\j2 Messenger 3.2\J2GDllCmd.exe [6/10/2004 1:39:44 PM]
j2 Tray Menu 3.2.lnk - C:\Program Files\j2 Messenger 3.2\J2GTray.exe [6/10/2004 1:38:26 PM]
j2 Tray Menu 4.0.lnk - C:\Program Files\j2 Messenger 4.0\J2GTray.exe [1/20/2006 7:38:47 PM]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [8/6/2003 4:23:32 PM]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2/6/2004 7:53:02 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]
“{E180F496-8A4B-44E2-9FE0-0364E345DB7F}”= C:\WINDOWS\system32\hggfgfe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\System32\LgNotify.dll 12/16/2003 06:49 PM 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@=“Service”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@=“Volume shadow copy”

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
“swg”=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
“spc_w”=“C:\Program Files\JUSearch\juspc.exe” -w

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
“HP Software Update”=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
“CamMonitor”=C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
“TomcatStartup”=C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
“HPLJ Config”=C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Direct -p DOT4_002 -pn “hp LaserJet 1010 Series Driver” -n 0 -l 1033 -sl 120000
“nwiz”=nwiz.exe /installquiet
“Share-to-Web Namespace Daemon”=C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
“StatusClient”=C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

– End of Deckard’s System Scanner: finished at 2008-02-14 21:08:25 ------------

oldman960 · 2008-02-15T03:45:50.000Z

Have you done the avenger yet? If so, may I see the results?

Please submit these files for analysis

To submit a file to virustoal, please click om this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\TEMP\chtOna0119.exe

scroll down a bit and click “send file”, wait for the results and post then in your next reply.

Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: (no name) - {ECC79C4F-7986-4420-B111-27DBFFEBD2A8} - C:\Program Files\Windows Media Player\qasuza89104.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.onerateld.com

Close all other browsers/windows, click fix, close HJT.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File:: C:\Program Files\Windows Media Player\qasuza89104.dll C:\Program Files\WindowsUpdate\horygyxi22011.exe
Folder::
C:\WINDOWS\system32\wd11
C:\WINDOWS\system32\kp9
C:\WINDOWS\system32\vb6
C:\WINDOWS\system32\bk5
C:\WINDOWS\system32\nGpxx01
C:\TEMP\isgTi19

DirLook::
C:\Program Files\RABCO

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
“{E180F496-8A4B-44E2-9FE0-0364E345DB7F}”=-

This will start ComboFix again.Close all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

note when doing the combofix fix

A window may open with a warning. Type “1” (and Enter) to start the fix. When the scan completes Notepad will open with with your results log open. Click File, click Exit and answer ‘Yes’ to save changes

edit: forgot the image.

system · 2008-02-15T05:52:46.000Z

Sorry about the avenger log
Not sure how I missed that
Here it is:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\sojijudh

Script file located at: ??\C:\WINDOWS\system32\abhbovjm.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

Beginning to process script file:

Registry key \Registry\Machine\System\CurrentControlSet\Services\catchme not found!
Unload of driver catchme failed!

Could not process line:
catchme
Status: 0xc0000034

File c:\docume~1\carrie\locals~1\temp\catchme.sys not found!
Deletion of file c:\docume~1\carrie\locals~1\temp\catchme.sys failed!

Could not process line:
c:\docume~1\carrie\locals~1\temp\catchme.sys
Status: 0xc0000034

oldman960 · 2008-02-15T06:03:25.000Z

That was strange ??? the darn thing wasn’t there. It didn’t show in either your last combofix log or DSS log, and avenger didn’t get it.

Do the rest of the fixes so far and we’ll see where we stand. Any improvement?

Let me know.

system · 2008-02-15T06:11:06.000Z

no improvement that is permanent ???

i was just about to post the virustotal results for one of the last files you wanted me to scan

File chtOna0119.exe received on 02.15.2008 06:55:55 (CET)

Current status: Loading … queued waiting scanning finished NOT FOUND STOPPED
Result: 15/32 (46.88%)
Loading server information…
Your file is queued in position: 2.
Estimated start time is between 41 and 59 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they’re generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click “request” so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.2.15.11 2008.02.15 -
AntiVir 7.6.0.65 2008.02.14 -
Authentium 4.93.8 2008.02.15 -
Avast 4.7.1098.0 2008.02.14 Win32:Trojano-2873
AVG 7.5.0.516 2008.02.14 -
BitDefender 7.2 2008.02.15 Dropped:Trojan.Downloader.Small.BUY
CAT-QuickHeal None 2008.02.14 -
ClamAV 0.92.1 2008.02.15 Trojan.Downloader-2966
DrWeb 4.44.0.09170 2008.02.14 Trojan.DownLoader.5013
eSafe 7.0.15.0 2008.02.14 Win32.Small.buy
eTrust-Vet 31.3.5538 2008.02.14 -
Ewido 4.0 2008.02.14 -
FileAdvisor 1 2008.02.15 -
Fortinet 3.14.0.0 2008.02.15 -
F-Prot 4.4.2.54 2008.02.14 -
F-Secure 6.70.13260.0 2008.02.15 W32/DLoader.MXM.dropper
Ikarus T3.1.1.20 2008.02.15 Virus.Win32.AdWare
Kaspersky 7.0.0.125 2008.02.15 Trojan-Downloader.Win32.Small.buy
McAfee 5230 2008.02.14 -
Microsoft 1.3204 2008.02.14 Adware:Win32/iSearch.Toolbar
NOD32v2 2877 2008.02.15 Win32/TrojanDownloader.Small.BUY
Norman 5.80.02 2008.02.14 W32/DLoader.MXM.dropper
Panda 9.0.0.4 2008.02.14 Spyware/7r7t
Prevx1 V2 2008.02.15 -
Rising 20.31.30.00 2008.02.14 Trojan.DL.Adservs
Sophos 4.26.0 2008.02.15 CommAd Installer
Sunbelt 2.2.907.0 2008.02.14 -
Symantec 10 2008.02.15 -
TheHacker 6.2.9.220 2008.02.14 -
VBA32 3.12.6.1 2008.02.14 Trojan.Win32.TrojanDownloader.Small.BUY
VirusBuster 4.3.26:9 2008.02.14 -
Webwasher-Gateway 6.6.2 2008.02.14 -
Additional information
File size: 483406 bytes
MD5: c5af7b9231d95f5f6ac82c5bcc0a8174
SHA1: 3151851405fc4662a764a3e003a69fabd7196012
PEiD: -
packers: UPX
packers: UPX, PE_Patch.Upolyx, PE_Patch.UPX, UPX
norman sandbox: [ General information ]

IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD).
File length: 483406 bytes.

[ Changes to filesystem ]

Creates directory C:\WINDOWS\TEMP.
Creates file C:\WINDOWS\TEMP\nsr8999.tmp.
Deletes file C:\WINDOWS\TEMP\nsr8999.tmp.
Creates directory C:\WINDOWS\SYSTEM32\ac1.
Creates file C:\WINDOWS\SYSTEM32\ac1\tliamdll2.exe.
Creates directory C:\WINDOWS\SYSTEM32\vb6.
Creates file C:\WINDOWS\SYSTEM32\vb6\dromdrv3.exe.

[ Signature Scanning ]

C:\WINDOWS\SYSTEM32\ac1\tliamdll2.exe (25105 bytes) : W32/DLoader.MXM.

ATENTION ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

Scan another file
VirusTotal © Hispasec Sistemas - Blog - Contact: info@virustotal.com

oldman960 · 2008-02-15T08:17:09.000Z

Some improvement from time to time? I’m going to research that catchme fella. It’s just wierd the way it disappeared.

Seeing that you have Avenger we will feed that last file to it.

Files to delete: C:\TEMP\chtOna0119.exe

Just let me know what the results where. Finish up the previous items then we will look deeper.

Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

[*]Close ALL OTHER PROGRAMS.
[*]Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
[*]Under Additional Scans click the checkboxes in front of the following items to select them:

Reg - BotCheck

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and attach the log. I will review it when it comes in.

Make the settings look like this except set the time to 60 Days and include the additional scans as indicated above.

http://forum.avast.com/index.php?topic=31261.msg260811#msg260811

system · 2008-02-17T09:47:43.000Z

I was able to paste “CFscript.txt” into Combofix. Also, as you can see, I could also attach the Combofix log, this time

I’m a bit foggy about what to do next…forgive me, my husband and kids are both sick and I have had about an hour of sleep in the last 36 hours. Perhaps I should go to bed and try to pick it up again tomorrow.

I can’t begin to tell you how much I appreciate your help.

oldman960 · 2008-02-17T10:20:03.000Z

Yeah, tell me about the bugs, been fighting it for months now.

Getting more functunality out of your omputer has to be a good sign.

You’re almost caught up, pick up at this point with the avenger script, then do the WinPFind35u

click this link, it will take you there.

http://forum.avast.com/index.php?topic=33048.msg278062#msg278062

system · 2008-02-17T20:53:29.000Z

Here is the log for Avenger
When I opened the computer again this morning it is back to business as usual
However when Avenger tried to restart my computer a window popped up in the lower right hand corner that said some process or other wanted to reboot the computer and there were two check boxes
one to allow and one to override

The name of the program was WINAntispyware which is the original troublemaker I thought Avast had gotten rid of months ago

Anyway here is the avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vjocxwib

Fatal error: integrity of Services key failed verification check! Security may be fatally compromised. Exiting immediately.

Could not open script file! Status: 0xc0000034 Abort!

oldman960 · 2008-02-17T21:07:31.000Z

When you said “business as usual” was that in a good way?

I can’t find the file we gave to Avenger, so I think it got it.

What do you know about this program?

RABCO

Go ahead with the WinPFind35u

I didn’t see any thing in your last log about WINAntispyware

system · 2008-02-17T21:24:23.000Z

Sorry by business as usual I meant that all of the usual problems are back
I did not post anything about WINAntispyware because it has been gone for months
It is malware (a fake virus removal program) and it does not seem to show up in any log
Is it possible that I have virus remnants causing these problems?
I do not know what RABCO is

system · 2008-02-17T21:36:05.000Z

here is the log for winpfind:


WinPFind35 logfile created on: 2/17/2008 4:28:24 PM
WinPFind35U Version Beta52     Folder = C:\Documents and Settings\Carrie\Desktop\WinPFind35u
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
510.92 Mb Total Physical Memory | 180.41 Mb Available Physical Memory | 35.31% Memory free
1.22 Gb Paging File | 0.95 Gb Available in Paging File | 77.74% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 35.40 Gb Free Space | 63.34% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CARRIE
Current User Name: Carrie
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users

[Processes - Non-Microsoft Only]
s24evmon.exe -> %SystemRoot%\system32\S24EvMon.exe -> Intel Corporation  [Ver = 8, 0, 0, 161 | Size = 311363 bytes | Modified Date = 12/16/2003 6:42:32 PM | Attr =    ]
zcfgsvc.exe -> %SystemRoot%\system32\ZCfgSvc.exe -> Intel Corporation [Ver = 8, 0, 0, 161 | Size = 376832 bytes | Modified Date = 12/16/2003 6:47:42 PM | Attr =    ]
1xconfig.exe -> %SystemRoot%\system32\1XConfig.exe -> Intel [Ver = 8, 0, 0, 161 | Size = 184320 bytes | Modified Date = 12/16/2003 6:43:06 PM | Attr =    ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 17272 bytes | Modified Date = 12/4/2007 9:36:33 AM | Attr =    ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 140664 bytes | Modified Date = 12/4/2007 8:00:16 AM | Attr =    ]
00thotkey.exe -> %SystemRoot%\system32\00THotkey.exe -> TOSHIBA Corp. [Ver = 1, 0, 0, 21 | Size = 258048 bytes | Modified Date = 4/15/2003 11:01:28 PM | Attr =    ]
jusched.exe -> %ProgramFiles%\Java\j2re1.4.2_03\bin\jusched.exe ->  [Ver =  | Size = 32881 bytes | Modified Date = 2/6/2004 7:31:44 PM | Attr =    ]
agrsmmsg.exe -> %SystemRoot%\agrsmmsg.exe -> Agere Systems [Ver = 2.1.28.2 2.1.28.2 04/18/2003 11:20:08 | Size = 88363 bytes | Modified Date = 4/18/2003 2:20:10 PM | Attr =    ]
syntplpr.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPLpr.exe -> Synaptics, Inc. [Ver = 7.5.11 30May03 | Size = 110592 bytes | Modified Date = 5/30/2003 10:25:02 PM | Attr =    ]
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 7.5.11 30May03 | Size = 614400 bytes | Modified Date = 5/30/2003 10:23:14 PM | Attr =    ]
touched.exe -> %ProgramFiles%\Toshiba\TouchED\TouchED.exe -> TOSHIBA Corporation [Ver = 2, 5, 0, 0 | Size = 126976 bytes | Modified Date = 1/21/2003 9:00:06 PM | Attr =    ]
tfnf5.exe -> %SystemRoot%\system32\TFNF5.exe -> TOSHIBA Corp. [Ver = 2, 2, 0, 0 | Size = 73728 bytes | Modified Date = 7/18/2003 8:41:26 PM | Attr =    ]
ezsp_px.exe -> %SystemRoot%\system32\ezSP_Px.exe -> Easy Systems Japan Ltd. [Ver = 1, 0, 0, 0 | Size = 40960 bytes | Modified Date = 8/20/2002 1:29:26 PM | Attr =    ]
pinger.exe -> %SystemDrive%\TOSHIBA\Ivp\ISM\pinger.exe -> TOSHIBA Corporation [Ver = 3.3 | Size = 159744 bytes | Modified Date = 10/20/2003 11:39:26 AM | Attr =    ]
bsclip.exe -> %ProgramFiles%\B's CLiP\Win2K\BsCLiP.exe ->  [Ver =  | Size = 1409024 bytes | Modified Date = 2/4/2004 8:43:00 AM | Attr =    ]
cfsvcs.exe -> %ProgramFiles%\Toshiba\ConfigFree\CFSvcs.exe -> TOSHIBA CORPORATION [Ver = 4, 50, 0, 2 | Size = 28672 bytes | Modified Date = 12/2/2003 8:05:54 PM | Attr =    ]
network adapter manager.exe -> %ProgramFiles%\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe -> Sierra Wireless Inc. [Ver = 2, 5, 11, 1 | Size = 163840 bytes | Modified Date = 10/9/2003 4:20:32 PM | Attr =    ]
qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 6.5.1 | Size = 98304 bytes | Modified Date = 8/18/2004 9:34:48 AM | Attr =    ]
picasamediadetector.exe -> %ProgramFiles%\Picasa2\PicasaMediaDetector.exe ->  [Ver =  | Size = 135168 bytes | Modified Date = 2/4/2005 6:32:51 PM | Attr =    ]
stacmon.exe -> %ProgramFiles%\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe -> SigmaTel Inc. [Ver = 1, 0, 0, 3 | Size = 86073 bytes | Modified Date = 8/3/2003 7:01:14 PM | Attr =    ]
tfncky.exe -> %ProgramFiles%\Toshiba\TOSHIBA Controls\TFncKy.exe -> TOSHIBA Corporation [Ver = 3.01.01 | Size = 102400 bytes | Modified Date = 8/18/2003 12:51:02 PM | Attr =    ]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 79224 bytes | Modified Date = 12/4/2007 8:00:23 AM | Attr =    ]
dvdramsv.exe -> %SystemRoot%\system32\DVDRAMSV.exe -> Matsushita Electric Industrial Co., Ltd. [Ver = 2, 0, 7, 0 | Size = 106496 bytes | Modified Date = 5/23/2003 4:38:26 PM | Attr =    ]
toscdspd.exe -> %ProgramFiles%\Toshiba\TOSCDSPD\TOSCDSPD.exe -> TOSHIBA [Ver = 1, 0, 5, 0 | Size = 65536 bytes | Modified Date = 9/5/2003 6:24:46 AM | Attr =    ]
tpsbattm.exe -> %SystemRoot%\system32\TPSBattM.exe -> TOSHIBA Corporation [Ver = 1, 0, 1, 0 | Size = 45056 bytes | Modified Date = 9/25/2003 1:19:10 PM | Attr =    ]
nvsvc32.exe -> %SystemRoot%\system32\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.4562 | Size = 77824 bytes | Modified Date = 9/24/2003 9:00:00 PM | Attr =    ]
regsrvc.exe -> %SystemRoot%\system32\RegSrvc.exe -> Intel Corporation [Ver = 8, 0, 0, 161 | Size = 122880 bytes | Modified Date = 12/16/2003 6:41:40 PM | Attr =    ]
superantispyware.exe -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr =    ]
swupdtmr.exe -> %SystemDrive%\TOSHIBA\Ivp\Swupdate\swupdtmr.exe ->  [Ver =  | Size = 53248 bytes | Modified Date = 10/21/2003 1:26:14 PM | Attr =    ]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 247160 bytes | Modified Date = 12/4/2007 7:59:53 AM | Attr =    ]
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 345464 bytes | Modified Date = 12/4/2007 7:59:01 AM | Attr =    ]
winpfind35u.exe -> %UserProfile%\Desktop\WinPFind35u\WinPFind35U.exe -> OldTimer Tools [Ver = 1.0.0.0 | Size = 309760 bytes | Modified Date = 2/16/2008 1:03:26 PM | Attr =    ]

system · 2008-02-17T21:41:05.000Z

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 17272 bytes | Modified Date = 12/4/2007 9:36:33 AM | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 140664 bytes | Modified Date = 12/4/2007 8:00:16 AM | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 247160 bytes | Modified Date = 12/4/2007 7:59:53 AM | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 345464 bytes | Modified Date = 12/4/2007 7:59:01 AM | Attr = ]
(CFSvcs) ConfigFree Service [Win32_Own | Auto | Running] → %ProgramFiles%\Toshiba\ConfigFree\CFSvcs.exe → TOSHIBA CORPORATION [Ver = 4, 50, 0, 2 | Size = 28672 bytes | Modified Date = 12/2/2003 8:05:54 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] → %SystemRoot%\system32\dmadmin.exe → Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 2:56:48 AM | Attr = ]
(DVD-RAM_Service) DVD-RAM_Service [Win32_Own | Auto | Running] → %SystemRoot%\system32\DVDRAMSV.exe → Matsushita Electric Industrial Co., Ltd. [Ver = 2, 0, 7, 0 | Size = 106496 bytes | Modified Date = 5/23/2003 4:38:26 PM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] → %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe → Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 6/2/2007 7:46:15 PM | Attr = ]
(iPodService) iPod Service [Win32_Own | On_Demand | Stopped] → %ProgramFiles%\iPod\bin\iPodService.exe → Apple Computer, Inc. [Ver = 4.6.0.15 | Size = 401408 bytes | Modified Date = 6/4/2004 11:37:56 AM | Attr = ]
(Macromedia Licensing Service) Macromedia Licensing Service [Win32_Own | On_Demand | Stopped] → %CommonProgramFiles%\Macromedia Shared\Service\Macromedia Licensing.exe → [Ver = 2.42.000 | Size = 68096 bytes | Modified Date = 9/23/2007 11:38:12 PM | Attr = ]
(NVSvc) NVIDIA Driver Helper Service [Win32_Own | Auto | Running] → %SystemRoot%\system32\nvsvc32.exe → NVIDIA Corporation [Ver = 6.14.10.4562 | Size = 77824 bytes | Modified Date = 9/24/2003 9:00:00 PM | Attr = ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | On_Demand | Stopped] → %SystemRoot%\system32\hpzipm12.exe → HP [Ver = 7, 0, 0, 0 | Size = 65795 bytes | Modified Date = 8/11/2003 3:07:38 AM | Attr = ]
(RegSrvc) RegSrvc [Win32_Own | Auto | Running] → %SystemRoot%\system32\RegSrvc.exe → Intel Corporation [Ver = 8, 0, 0, 161 | Size = 122880 bytes | Modified Date = 12/16/2003 6:41:40 PM | Attr = ]
(S24EventMonitor) Spectrum24 Event Monitor [Win32_Own | Auto | Running] → %SystemRoot%\system32\S24EvMon.exe → Intel Corporation [Ver = 8, 0, 0, 161 | Size = 311363 bytes | Modified Date = 12/16/2003 6:42:32 PM | Attr = ]
(Swupdtmr) Swupdtmr [Win32_Own | Auto | Running] → %SystemDrive%\TOSHIBA\Ivp\Swupdate\swupdtmr.exe → [Ver = | Size = 53248 bytes | Modified Date = 10/21/2003 1:26:14 PM | Attr = ]

system · 2008-02-17T21:43:48.000Z

part three:
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
000StTHK → %SystemRoot%\system32\000StTHK.exe → [Ver = | Size = 24576 bytes | Modified Date = 6/23/2001 11:28:06 PM | Attr = ]
00THotkey → %SystemRoot%\system32\00THotkey.exe → TOSHIBA Corp. [Ver = 1, 0, 0, 21 | Size = 258048 bytes | Modified Date = 4/15/2003 11:01:28 PM | Attr = ]
AGRSMMSG → %SystemRoot%\agrsmmsg.exe → Agere Systems [Ver = 2.1.28.2 2.1.28.2 04/18/2003 11:20:08 | Size = 88363 bytes | Modified Date = 4/18/2003 2:20:10 PM | Attr = ]
AirCardEnabler → %ProgramFiles%\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe → Sierra Wireless Inc. [Ver = 2, 5, 11, 1 | Size = 163840 bytes | Modified Date = 10/9/2003 4:20:32 PM | Attr = ]
avast! → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 79224 bytes | Modified Date = 12/4/2007 8:00:23 AM | Attr = ]
B’sCLiP → %ProgramFiles%\B’s CLiP\Win2K\BsCLiP.exe → [Ver = | Size = 1409024 bytes | Modified Date = 2/4/2004 8:43:00 AM | Attr = ]
ezShieldProtector for Px → %SystemRoot%\system32\ezSP_Px.exe → Easy Systems Japan Ltd. [Ver = 1, 0, 0, 0 | Size = 40960 bytes | Modified Date = 8/20/2002 1:29:26 PM | Attr = ]
NvCplDaemon → %SystemRoot%\system32\nvcpl.dll → NVIDIA Corporation [Ver = 6.14.10.4562 | Size = 4861952 bytes | Modified Date = 9/24/2003 9:00:00 PM | Attr = ]
Picasa Media Detector → %ProgramFiles%\Picasa2\PicasaMediaDetector.exe → [Ver = | Size = 135168 bytes | Modified Date = 2/4/2005 6:32:51 PM | Attr = ]
Pinger → %SystemDrive%\TOSHIBA\Ivp\ISM\pinger.exe → TOSHIBA Corporation [Ver = 3.3 | Size = 159744 bytes | Modified Date = 10/20/2003 11:39:26 AM | Attr = ]
PRONoMgr.exe → %ProgramFiles%\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe → Intel(R) Corporation [Ver = 6.1.304.0 | Size = 86016 bytes | Modified Date = 12/10/2003 4:36:16 AM | Attr = ]
QuickTime Task → %ProgramFiles%\QuickTime\qttask.exe → Apple Computer, Inc. [Ver = 6.5.1 | Size = 98304 bytes | Modified Date = 8/18/2004 9:34:48 AM | Attr = ]
SigmaTel StacMon → %ProgramFiles%\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe → SigmaTel Inc. [Ver = 1, 0, 0, 3 | Size = 86073 bytes | Modified Date = 8/3/2003 7:01:14 PM | Attr = ]
SpyBlocker → %ProgramFiles%\SpyBlocker Software\spyblocker.exe → File not found
SunJavaUpdateSched → %ProgramFiles%\Java\j2re1.4.2_03\bin\jusched.exe → [Ver = | Size = 32881 bytes | Modified Date = 2/6/2004 7:31:44 PM | Attr = ]

system · 2008-02-17T21:46:18.000Z

part four:

SynTPEnh → %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe → Synaptics, Inc. [Ver = 7.5.11 30May03 | Size = 614400 bytes | Modified Date = 5/30/2003 10:23:14 PM | Attr = ]
SynTPLpr → %ProgramFiles%\Synaptics\SynTP\SynTPLpr.exe → Synaptics, Inc. [Ver = 7.5.11 30May03 | Size = 110592 bytes | Modified Date = 5/30/2003 10:25:02 PM | Attr = ]
TFncKy → TFncKy.exe → File not found
TFNF5 → %SystemRoot%\system32\TFNF5.exe → TOSHIBA Corp. [Ver = 2, 2, 0, 0 | Size = 73728 bytes | Modified Date = 7/18/2003 8:41:26 PM | Attr = ]
TouchED → %ProgramFiles%\Toshiba\TouchED\TouchED.exe → TOSHIBA Corporation [Ver = 2, 5, 0, 0 | Size = 126976 bytes | Modified Date = 1/21/2003 9:00:06 PM | Attr = ]
TPSMain → %SystemRoot%\system32\TPSMain.exe → TOSHIBA Corporation [Ver = 1, 0, 1, 1 | Size = 278528 bytes | Modified Date = 9/25/2003 1:19:40 PM | Attr = ]
< OptionalComponents [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ →
IMAIL-> Installed = 1 →
MAPI-> Installed = 1 →
MSFS-> Installed = 1 →
< Run [HKEY_CURRENT_USER] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
SpySweeper → %ProgramFiles%\Webroot\Spy Sweeper\SpySweeper.exe → File not found
SUPERAntiSpyware → %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe → SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr = ]
swg → %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe → File not found
TOSCDSPD → %ProgramFiles%\Toshiba\TOSCDSPD\TOSCDSPD.exe → TOSHIBA [Ver = 1, 0, 5, 0 | Size = 65536 bytes | Modified Date = 9/5/2003 6:24:46 AM | Attr = ]
< Run [HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006] > → HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
SpySweeper → %ProgramFiles%\Webroot\Spy Sweeper\SpySweeper.exe → File not found
SUPERAntiSpyware → %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe → SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr = ]
swg → %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe → File not found
TOSCDSPD → %ProgramFiles%\Toshiba\TOSCDSPD\TOSCDSPD.exe → TOSHIBA [Ver = 1, 0, 5, 0 | Size = 65536 bytes | Modified Date = 9/5/2003 6:24:46 AM | Attr = ]

system · 2008-02-17T21:47:08.000Z

< All Users Startup Folder > → C:\Documents and Settings\All Users\Start Menu\Programs\Startup →
%AllUsersProfile%\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk → %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe → Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 98304 bytes | Modified Date = 5/19/2000 12:03:18 AM | Attr = ]
%AllUsersProfile%\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk → %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe → Adobe Systems Incorporated [Ver = 7.0.0.0 | Size = 29696 bytes | Modified Date = 12/14/2004 4:44:06 AM | Attr = ]
→ %AllUsersProfile%\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk → File not found
%AllUsersProfile%\Start Menu\Programs\Startup\j2 DllCmd 4.0.lnk → %ProgramFiles%\j2 Messenger 4.0\J2GDllCmd.exe → j2 Global Communications, Inc. [Ver = 4.0.134.0 | Size = 107008 bytes | Modified Date = 6/23/2005 5:51:58 PM | Attr = ]
%AllUsersProfile%\Start Menu\Programs\Startup\j2 Live Menu 3.2.lnk → %ProgramFiles%\j2 Messenger 3.2\J2GDllCmd.exe → j2 Global Communications, Inc. [Ver = 3.2.0.3 | Size = 17408 bytes | Modified Date = 6/10/2004 1:39:44 PM | Attr = ]
%AllUsersProfile%\Start Menu\Programs\Startup\j2 Tray Menu 3.2.lnk → %ProgramFiles%\j2 Messenger 3.2\J2GTray.exe → j2 Global Communications, Inc. [Ver = 3.2.0.3 | Size = 39936 bytes | Modified Date = 6/10/2004 1:38:26 PM | Attr = ]
%AllUsersProfile%\Start Menu\Programs\Startup\j2 Tray Menu 4.0.lnk → %ProgramFiles%\j2 Messenger 4.0\J2GTray.exe → j2 Global Communications, Inc. [Ver = 4.0.134.0 | Size = 500224 bytes | Modified Date = 6/23/2005 5:53:42 PM | Attr = ]
%AllUsersProfile%\Start Menu\Programs\Startup\RAMASST.lnk → %SystemRoot%\system32\RAMASST.exe → Matsushita Electric Industrial Co., Ltd. [Ver = 1, 0, 9, 0 | Size = 155648 bytes | Modified Date = 3/14/2003 2:38:12 PM | Attr = ]
< Carrie Startup Folder > → C:\Documents and Settings\Carrie\Start Menu\Programs\Startup →
%UserProfile%\Start Menu\Programs\Startup\RABCO - Auto Update.lnk → %ProgramFiles%\RABCO\RABCOse.exe → Rabio [Ver = 1, 0, 0, 26 | Size = 183216 bytes | Modified Date = 1/30/2008 4:19:42 PM | Attr = ]
< Default User Startup Folder > → C:\Documents and Settings\Default User\Start Menu\Programs\Startup →

system · 2008-02-17T21:47:52.000Z

system · 2008-02-17T21:48:28.000Z

< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > → HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ → ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ → ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 145 →
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ → ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ → ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ → ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ → ->
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > →
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 145 →
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > → HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 145 →
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006] > → HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → ->
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ → ->
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ → ->
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → ->
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 145 →
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ → ->
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ → ->
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ → ->
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ → ->

system · 2008-02-17T21:53:34.000Z

< HOSTS File > (27 bytes) → C:\WINDOWS\System32\drivers\etc\Hosts →
< Internet Explorer Settings [HKEY_LOCAL_MACHINE] > → ->
HKEY_LOCAL_MACHINE: Main\Default_Page_URL → http://go.microsoft.com/fwlink/?LinkId=69157 →
HKEY_LOCAL_MACHINE: Main\Default_Search_URL → http://go.microsoft.com/fwlink/?LinkId=54896 →
HKEY_LOCAL_MACHINE: Main\Local Page → %SystemRoot%\system32\blank.htm →
HKEY_LOCAL_MACHINE: Main\Search Page → http://go.microsoft.com/fwlink/?LinkId=54896 →
HKEY_LOCAL_MACHINE: Main\Start Page → http://go.microsoft.com/fwlink/?LinkId=69157 →
HKEY_LOCAL_MACHINE: Search\CustomizeSearch → http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm →
HKEY_LOCAL_MACHINE: Search\Default_Search_URL → http://www.google.com/ie →
HKEY_LOCAL_MACHINE: Search\SearchAssistant → http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm →
< Internet Explorer Settings [HKEY_CURRENT_USER] > → ->
HKEY_CURRENT_USER: Main\Local Page → C:\WINDOWS\system32\blank.htm →
HKEY_CURRENT_USER: Main\Search Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch →
HKEY_CURRENT_USER: Main\Start Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome →
HKEY_CURRENT_USER: Search\SearchAssistant → http://www.google.com/ie →
HKEY_CURRENT_USER: SearchURL\ → http://www.google.com/search?q=%s[Reg Error: Value provider does not exist or could not be read.] →
HKEY_CURRENT_USER: URLSearchHooks\{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} [HKEY_LOCAL_MACHINE] → %ProgramFiles%\JUSearch\SearchEnh1.dll [URLSearchHook Class] → United Online, Inc. [Ver = 2.1.03 | Size = 102472 bytes | Modified Date = 11/9/2004 3:36:29 AM | Attr = ]
HKEY_CURRENT_USER: ProxyEnable → 0 →
HKEY_CURRENT_USER: ProxyOverride → →
< Internet Explorer Settings [HKEY_USERS.DEFAULT] > → ->
HKEY_USERS.DEFAULT: Main\Search Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch →
HKEY_USERS.DEFAULT: Main\Start Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome →
HKEY_USERS.DEFAULT: ProxyEnable → 0 →
< Internet Explorer Settings [HKEY_USERS\S-1-5-18] > → ->
HKEY_USERS\S-1-5-18: Main\Search Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch →
HKEY_USERS\S-1-5-18: Main\Start Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome →
HKEY_USERS\S-1-5-18: ProxyEnable → 0 →
< Internet Explorer Settings [HKEY_USERS\S-1-5-19] > → ->
HKEY_USERS\S-1-5-19: Main\Search Bar → http://www.toshiba.com/search →
HKEY_USERS\S-1-5-19: Main\Start Page → http://www.toshiba.com →
HKEY_USERS\S-1-5-19: ProxyEnable → 0 →
< Internet Explorer Settings [HKEY_USERS\S-1-5-20] > → ->
HKEY_USERS\S-1-5-20: Main\Search Bar → http://www.toshiba.com/search →
HKEY_USERS\S-1-5-20: Main\Start Page → http://www.toshiba.com →
HKEY_USERS\S-1-5-20: ProxyEnable → 0 →
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006] > → ->
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006: Main\Local Page → C:\WINDOWS\system32\blank.htm →
HKEY_USERS\S-1-5-21-142928211-1550766908-524529910-1006: Main\Search Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch →

Announcements