Sorry to make another Win32:TratBHO topic... I tried other posts first!

Hello!

I’ve caught about 9 occurrences of Win32:TratBHO in the last 4 days or so, each of them .dll files found in the c:/users/jake/appdata/local/temp folder. I’m running Vista by the way. I’ve already disabled my restore point and run a HijackThis log. I do apologize for making another topic about this, but it occurred to me that my infection isn’t exactly the same as someone else’s when I noticed my log files were different.

If I’m not going about this the right way, please let me know. (Trying to be as unobtrusive as possible here)

Here’s the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:21 AM, on 1/28/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\ASUS\ASUS Direct Console\LCMP.exe
C:\Program Files\ChkMail\ChkMail\ChkMail.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\ASScrPro.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
F:\Infinite Mind\eyeQ\ARLaunch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\Program Files\iTunes\iTunes.exe
C:\Users\jake\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM..\Run: [GrooveMonitor] “C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe”
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM..\Run: [Skytel] Skytel.exe
O4 - HKLM..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM..\Run: [DirectMessenger] “C:\Program Files\ASUS\ASUS Direct Console\LCMP.EXE”
O4 - HKLM..\Run: [ChkMail] C:\Program Files\ChkMail\ChkMail\ChkMail.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [MSConfig] “C:\Windows\system32\msconfig.exe” /auto
O4 - HKLM..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM..\Run: [Acronis Scheduler2 Service] “C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe”
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU..\Run: [MSServer] rundll32.exe C:\Users\jake\AppData\Local\Temp\ddaax.dll,#1
O4 - HKCU..\Run: [_Alcohol.exe Autorun] D:\Alcohol\Alcohol 120_Alcohol.exe /startup
O4 - HKCU..\Run: [AlcoholAutomount] “D:\Alcohol\Alcohol 120\axcmd.exe” /automount
O4 - HKUS\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘NETWORK SERVICE’)
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MiniEYE-MiniREAD Launch .lnk = F:\Infinite Mind\eyeQ\ARLaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NetSign AutoUpdate Service (NsAUSvc) - Litronic, Inc. - c:\Program Files\Litronic\NetSign\NsAUSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - D:\Alcohol\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe


End of file - 9970 bytes

I really do appreciate any help you fine folks find time to give me. :wink:
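As an added example (not a tool from this thread, nor part of HijackThis itself), the script below does a first-pass triage of the log format posted above: it parses O4 Run-key and O23 service lines and flags an entry that makes rundll32 load a DLL out of a Temp folder, which is the pattern the poster describes and what the MSServer line in the log shows, plus any service whose binary is reported missing. The sample input is five lines copied from the posted log; the heuristics and names are my own.

```python
"""Triage helper for HijackThis-style logs.

Added example for this thread, not a tool from the thread or from Trend Micro:
it parses O4 (Run key) and O23 (service) lines and flags two patterns a
responder looks for first: a Run entry that makes rundll32 load a DLL out of
a temp directory, and a service whose binary is gone from disk.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: five lines copied from the HijackThis log posted above.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart",
    r"O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe",
    r"O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\jake\AppData\Local\Temp\ddaax.dll,#1",
    r"O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - "
    r"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# O4 lines look like "O4 - HKCU\..\Run: [Name] command"; forum rendering often
# eats the backslash before "..", so it is optional. HKUS entries carry a SID.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\S-[\d-]+)?)\\?\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# O23 lines look like "O23 - Service: Name (Short) - Owner - path [ (file missing)]"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
# "rundll32[.exe] <path>.dll,<export or #ordinal>"
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<dll>.+?\.dll),(?P<export>\S+)', re.I)
# Any "...\Temp\" path component, including %LOCALAPPDATA%\Temp and C:\Windows\Temp
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.I)


@dataclass
class Entry:
    lineno: int
    kind: str                   # "O4" for a Run-key entry, "O23" for a service
    name: str
    command: str
    hive: Optional[str] = None  # HKLM / HKCU / HKUS\S-... for O4 entries


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_entries(log_text: str) -> List[Entry]:
    """Return the O4 and O23 entries of a log; other sections are skipped."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            entries.append(Entry(lineno, "O4", m["name"], m["cmd"], m["hive"]))
            continue
        m = O23_RE.match(line)
        if m:
            entries.append(Entry(lineno, "O23", m["name"], m["cmd"]))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the two heuristics; entries that match neither are left alone."""
    findings: List[Finding] = []
    for e in entries:
        if e.kind == "O4":
            m = RUNDLL_RE.match(e.command)
            if m and TEMP_DIR_RE.search(m["dll"]):
                findings.append(Finding(e, (
                    f"rundll32 loads {m['dll']} (export {m['export']}) from a temp "
                    "directory; legitimate autostarts are not installed under Temp")))
        elif e.kind == "O23" and e.command.endswith("(file missing)"):
            findings.append(Finding(e, (
                "service binary is missing on disk: an orphaned uninstall, or a "
                "component that was removed without deleting the service")))
    return findings


def report(log_text: str) -> List[str]:
    """One human-readable line per finding, ready to paste into a reply."""
    return [
        f"line {f.entry.lineno} [{f.entry.kind}] {f.entry.name}: {f.reason}"
        for f in triage(parse_entries(log_text))
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The NvSvc line is deliberately included: it also runs through rundll32 but loads from system32, so it is parsed and then left alone, which is the distinction the Temp check is making.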

You may well get help quicker registering on a malware help forum, rather than waiting for somebody from one of those forums to visit here.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix#forums

Hi jaketulane. Welcome to the forum.

I don’t see anything in your HJT log that jumps out as the cause of your problem so let’s take a little deeper look at things.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
Close all other windows before proceeding.
Right-click dss.exe and click Run as Administrator. Allow the program to run if a Vista User Account Control warning pops up, then follow the prompts.

When it has finished, dss will open two Notepads, main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

This tool will duplicate some of the information you’ve already posted but will also give a lot of info HJT doesn’t.

Please also upload this file to VirusTotal and post the scan results:

C:\Program Files\ATKGFNEX\GFNEXSrv.exe

Hi jaketulane,

After your computer has been cleansed by following all the instructions Mauserme will present to you, it is absolutely vital to protect against a reinstall of Vundo by getting the latest Sun Java version.

Get your newest Sun Java version and download here: http://javadl.sun.com/webapps/download/AutoDL?BundleId=12797

Go to Start > Control Panel > Add or Remove Programs and delete all older versions of Java™ there.

If you run XP without the Service Pack2 install, please download that too.

SP2 can also be downloaded online: http://go.microsoft.com/?linkid=3646727

That’s it,

polonus

First off, thanks so much to those that offer to help!

Here’s the dss logs.

Main.txt:

Deckard’s System Scanner v20071014.68
Run by jake on 2008-01-29 02:30:03
Computer is in Normal Mode.

Backed up registry hives.
Performed disk cleanup.

System Drive C: has 6.87 GiB (less than 15%) free.

– HijackThis (run as jake.exe) ------------------------------------------------

logfile has no content; running clone.
– HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-29 02:32:00
Platform: Windows Vista (6.00.6000)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\dwm.exe
C:\Windows\System32\taskeng.exe
C:\Windows\System32\conime.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\ASUS\ASUS Direct Console\LCMP.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\ASScrPro.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
F:\Infinite Mind\eyeQ\ARLaunch.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\explorer.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Users\jake\Desktop\dss.exe
C:\Windows\System32\SearchFilterHost.exe
C:\Users\jake\Desktop\jake.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM..\Run: [GrooveMonitor] “C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe”
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM..\Run: [Skytel] Skytel.exe
O4 - HKLM..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

and more…

O4 - HKLM..\Run: [DirectMessenger] “C:\Program Files\ASUS\ASUS Direct Console\LCMP.EXE”
O4 - HKLM..\Run: [ChkMail] C:\Program Files\ChkMail\ChkMail\ChkMail.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [MSConfig] “C:\Windows\system32\msconfig.exe” /auto
O4 - HKLM..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM..\Run: [Acronis Scheduler2 Service] “C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe”
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU..\Run: [_Alcohol.exe Autorun] D:\Alcohol\Alcohol 120_Alcohol.exe /startup
O4 - HKCU..\Run: [AlcoholAutomount] “D:\Alcohol\Alcohol 120\axcmd.exe” /automount
O4 - HKUS\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘NETWORK SERVICE’)
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MiniEYE-MiniREAD Launch .lnk = F:\Infinite Mind\eyeQ\ARLaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NetSign AutoUpdate Service (NsAUSvc) - Litronic, Inc. - C:\Program Files\Litronic\NetSign\NsAUSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\System32\PnkBstrA.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - D:\Alcohol\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe


End of file - 10046 bytes

– File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL “%1”,%*

– Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 timounter (Acronis True Image Backup Archive Explorer) - c:\windows\system32\drivers\timntr.sys <Not Verified; Acronis; Acronis True Image>
R2 litsgt - c:\windows\system32\drivers\litsgt.sys
R2 tansgt - c:\windows\system32\drivers\tansgt.sys
R2 tifsfilter (Acronis True Image FS Filter) - c:\windows\system32\drivers\tifsfilt.sys <Not Verified; Acronis; Acronis True Image>

S2 ghaio - ??\c:\program files\asus\nb probe\spm\ghaio.sys
S3 hamachi_oem (PlayLinc Adapter) - c:\windows\system32\drivers\gan_adapter.sys <Not Verified; Applied Networking Inc.; Hamachi Virtual Network Interface Driver, OEM>

– Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - “c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe” <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 ASLDRService (ASLDR Service) - c:\program files\atk hotkey\asldrsrv.exe <Not Verified; ; ADSMSrv>
R2 ATKGFNEXSrv (ATKGFNEX Service) - c:\program files\atkgfnex\gfnexsrv.exe <Not Verified; ; GFNEXSrv>
R2 RegSrvc (Intel(R) PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel(R) PROSet/Wireless Registry Service>
R2 spmgr - c:\program files\asus\nb probe\spm\spmgr.exe <Not Verified; ; spmgr Module>
R2 StarWindServiceAE (StarWind AE Service) - d:\alcohol\alcohol 120\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition>

S2 CLTNetCnService (Symantec Lic NetConnect service) - “c:\program files\common files\symantec shared\ccsvchst.exe” /h cccommon (file missing)
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S3 NsAUSvc (NetSign AutoUpdate Service) - c:\program files\litronic\netsign\nsausvc.exe <Not Verified; Litronic, Inc.; NetSign>

– Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT*6TO4MP\0000
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT*6TO4MP\0000
Service: tunnel

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Hawking Wireless-G USB Adapter with Removable Antenna
Device ID: USB\VID_148F&PID_2573\5&329E184C&0&3
Manufacturer: Hawking Technologies, Inc.
Name: Hawking Wireless-G USB Adapter with Removable Antenna #2
PNP Device ID: USB\VID_148F&PID_2573\5&329E184C&0&3
Service: RT73

and more…

– Scheduled Tasks -------------------------------------------------------------

2008-01-28 10:00:38 416 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{B44B0CD2-54AD-44DB-98B1-2D0D421B8FF3}.job

– Files created between 2007-12-29 and 2008-01-29 -----------------------------

2008-01-26 11:33:51 0 d-------- C:\VundoFix Backups
2008-01-22 10:59:17 685816 --a------ C:\Windows\system32\drivers\sptd.sys
2008-01-22 10:21:51 533 --a------ C:\Windows\eReg.dat
2008-01-14 01:25:10 392320 --a------ C:\Windows\system32\drivers\timntr.sys <Not Verified; Acronis; Acronis True Image>
2008-01-14 01:25:10 32768 --a------ C:\Windows\system32\drivers\tifsfilt.sys <Not Verified; Acronis; Acronis True Image>
2008-01-14 01:23:52 0 d-------- C:\Program Files\Seagate
2008-01-14 01:23:52 0 d-------- C:\Program Files\Common Files\Seagate

– Find3M Report ---------------------------------------------------------------

2008-01-29 02:28:43 27240 --a------ C:\Users\jake\AppData\Roaming\nvModes.001
2008-01-28 21:01:53 12 --a------ C:\Windows\bthservsdp.dat
2008-01-28 10:12:10 27240 --a------ C:\Users\jake\AppData\Roaming\nvModes.dat
2008-01-22 09:48:10 0 d-------- C:\Program Files\Windows Mail
2008-01-14 01:23:52 0 d-------- C:\Program Files\Common Files
2008-01-11 11:27:29 0 d-------- C:\Users\jake\AppData\Roaming\BitTorrent
2008-01-09 02:19:30 0 d-------- C:\Program Files\Windows Sidebar
2008-01-03 08:35:49 0 d-------- C:\Users\jake\AppData\Roaming\Bioshock
2007-12-30 00:49:12 0 d-------- C:\Program Files\Steam
2007-12-21 22:11:24 0 d-------- C:\Users\jake\AppData\Roaming\Ahead
2007-12-10 14:57:13 0 d-------- C:\Program Files\Alarm Clock
2007-12-09 22:01:35 0 d-------- C:\Users\jake\AppData\Roaming\dvdcss
2007-12-06 07:11:26 0 d-------- C:\Users\jake\AppData\Roaming\BitTorrent DNA
2007-12-05 15:21:26 0 d-------- C:\Program Files\Nidesoft iPod Video Converter v2.0
2007-12-05 15:00:52 0 d–h----- C:\Program Files\InstallShield Installation Information
2007-12-05 14:59:34 0 d-------- C:\Program Files\Litronic
2007-12-05 14:59:34 0 d-------- C:\Program Files\Common Files\Litronic
2007-12-01 19:09:27 0 d-------- C:\Users\jake\AppData\Roaming\Microsoft Games
2007-12-01 17:39:32 0 d-------- C:\Program Files\GameSpy Arcade

– Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“GrooveMonitor”=“C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe” [10/27/2006 08:47 AM]
“Windows Defender”=“C:\Program Files\Windows Defender\MSASCui.exe” [06/16/2007 02:08 AM]
“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [03/01/2007 04:24 PM]
“SMSERIAL”=“C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe” [11/21/2006 08:31 PM]
“Skytel”=“Skytel.exe” [08/03/2007 09:22 PM C:\Windows\SkyTel.exe]
“RtHDVCpl”=“RtHDVCpl.exe” [09/10/2007 11:20 PM C:\Windows\RtHDVCpl.exe]
“nwiz”=“nwiz.exe” [08/17/2007 11:23 PM C:\Windows\System32\nwiz.exe]
“NvSvc”=“C:\Windows\system32\nvsvc.dll” [10/01/2007 05:55 AM]
“NvMediaCenter”=“C:\Windows\system32\NvMcTray.dll” [10/01/2007 05:55 AM]
“NvCplDaemon”=“C:\Windows\system32\NvCpl.dll” [10/01/2007 05:55 AM]
“NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [03/26/2007 10:12 PM]
“Kernel and Hardware Abstraction Layer”=“KHALMNPR.EXE” [04/11/2007 11:32 PM C:\Windows\KHALMNPR.Exe]
“JMB36X IDE Setup”=“C:\Windows\RaidTool\xInsIDE.exe” [03/20/2007 10:36 PM]
“InCD”=“C:\Program Files\Nero\Nero 7\InCD\InCD.exe” [03/26/2007 09:42 PM]
“IAAnotif”=“C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe” [02/12/2007 10:37 PM]
“DirectMessenger”=“C:\Program Files\ASUS\ASUS Direct Console\LCMP.EXE” [02/02/2007 05:58 AM]
“ChkMail”=“C:\Program Files\ChkMail\ChkMail\ChkMail.exe” [03/21/2007 01:12 AM]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [12/04/2007 04:00 PM]
“ATKMEDIA”=“C:\Program Files\ASUS\ATK Media\DMEDIA.EXE” [11/02/2006 06:27 PM]
“ASUS Screen Saver Protector”=“C:\Windows\ASScrPro.exe” [06/16/2007 03:09 AM]
“QuickTime Task”=“C:\Program Files\QuickTime\QTTask.exe” [10/20/2007 05:16 AM]
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [11/03/2007 03:36 AM]
“MSConfig”=“C:\Windows\system32\msconfig.exe” [11/02/2006 12:45 PM]
“DiscWizardMonitor.exe”=“C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe” [04/19/2007 09:24 PM]
“AcronisTimounterMonitor”=“C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe” [04/19/2007 09:38 PM]
“Acronis Scheduler2 Service”=“C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe” [04/19/2007 09:29 PM]

and more…

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ehTray.exe”=“C:\Windows\ehome\ehTray.exe” [11/02/2006 03:35 PM]
“_Alcohol.exe”=“”
“AlcoholAutomount”=“D:\Alcohol\Alcohol 120\axcmd.exe” [07/02/2007 01:29 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 2:44:06 PM]
MiniEYE-MiniREAD Launch .lnk - F:\Infinite Mind\eyeQ\ARLaunch.exe [9/1/2007 9:30:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^CardStart.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CardStart.lnk
backup=C:\Windows\pss\CardStart.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Hawking Wireless Utility.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Hawking Wireless Utility.lnk
backup=C:\Windows\pss\Hawking Wireless Utility.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^MiniEYE-MiniREAD Launch .lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MiniEYE-MiniREAD Launch .lnk
backup=C:\Windows\pss\MiniEYE-MiniREAD Launch .lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
"C:\Users\jake\Program Files\BitTorrent_DNA\dna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26bd47f5-c8c0-11dc-a666-000e3b091b4b}]
AutoRun\command - H:\OblivionLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9292a595-a232-11dc-954e-001bfc9476f2}]
AutoRun\command - F:\JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afb3d759-a308-11dc-910a-001bfc9476f2}]
AutoRun\command - F:\setupSNK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

-- End of Deckard's System Scanner: finished at 2008-01-29 02:34:34 ------------

Extra.txt results:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6000)
Architecture: X86; Language: English

CPU 0: Intel(R) Core™2 Duo CPU T7500 @ 2.20GHz
Percentage of Memory in Use: 39%
Physical Memory (total/avail): 2046.69 MiB / 1231.16 MiB
Pagefile Memory (total/avail): 4328.38 MiB / 3268.25 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.42 MiB

C: is Fixed (NTFS) - 74.52 GiB total, 6.86 GiB free.
D: is Fixed (NTFS) - 67.69 GiB total, 23.22 GiB free.
E: is CDROM (CDFS)
F: is Fixed (NTFS) - 465.76 GiB total, 142.74 GiB free.
G: is Fixed (NTFS) - 232.88 GiB total, 32.21 GiB free.
H: is CDROM (INCDFS)

\\.\PHYSICALDRIVE0 - Hitachi HTS541616J9SA00 - 149.05 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 67.69 GiB - D:

\\.\PHYSICALDRIVE1 - SATA ST350063 SCSI Disk Device - 465.76 GiB - 1 partition
\PARTITION0 - Installable File System - 465.76 GiB - F:

\\.\PHYSICALDRIVE2 - WD 2500BEVExternal USB Device - 232.88 GiB - 1 partition
\PARTITION0 - Installable File System - 232.88 GiB - G:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FW: ZoneAlarm Firewall v7.1.078.000 (Check Point, LTD.) Disabled
AV: avast! antivirus 4.7.1098 [VPS 080128-0] v4.7.1098 (ALWIL Software)
AS: Spybot - Search and Destroy v1.0.0.4 (Safer Networking Ltd.) Disabled
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\jake\AppData\Roaming
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JAKE-PC
ComSpec=C:\Windows\system32\cmd.exe
configsetroot=C:\Windows\ConfigSetRoot
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\jake
LOCALAPPDATA=C:\Users\jake\AppData\Local
LOGONSERVER=\\JAKE-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\ZipGenius 6;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0a
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\jake\AppData\Local\Temp
TMP=C:\Users\jake\AppData\Local\Temp
tvdumpflags=8
USERDOMAIN=jake-PC
USERNAME=jake
USERPROFILE=C:\Users\jake
windir=C:\Windows

-- User Profiles ---------------------------------------------------------------

jake
Guest (new local, guest, net ready)

and more…

-- Add/Remove Programs ---------------------------------------------------------

→ C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
→ C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
→ C:\Windows\NuNInst.exe /UNINSTALL
→ C:\Windows\UNNeroBackItUp.exe /UNINSTALL
→ C:\Windows\UNRecode.exe /UNINSTALL
→ MsiExec /X{85EBB283-65AF-4C53-9EBE-7C0A232762F7}
Ad-Aware 2007 → MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX → C:\Windows\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player Plugin → C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0 → MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
AGEIA PhysX v7.03.21 → MsiExec.exe /X{85EBB283-65AF-4C53-9EBE-7C0A232762F7}
Alarm Clock v1.0 → "C:\Program Files\Alarm Clock\unins000.exe"
Apple Mobile Device Support → MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update → MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ASUS Direct Console → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{064F2D10-83D0-4040-B5B7-BD22BFEB65A2}\SETUP.EXE" -l0x9
ASUS Virtual Camera → MsiExec.exe /I{4DFA6DA8-75D8-4F2B-A1A0-A5E7A3B779C8}
ATK Generic Function Service → C:\Program Files\InstallShield Installation Information\{D3D54F3E-C5C3-443D-978F-87A72E5616E8}\setup.exe -runfromtemp -l0x0009 -removeonly
ATK Hotkey → C:\Program Files\InstallShield Installation Information\{3912D529-02BC-4CA8-B5ED-0D0C20EB6003}\SETUP.exe -runfromtemp -l0x0009 -removeonly
ATK Media → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{139B0FFA-187E-4BA1-BCA6-6B56B2B6AB8C}\SETUP.EXE" -l0x9
ATKOSD2 → C:\Program Files\InstallShield Installation Information\{5C1DB4ED-E9B4-402D-BB14-D75D97D6C1A6}\SETUP.exe -runfromtemp -l0x0009 -removeonly
avast! Antivirus → rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
BioShock → C:\Program Files\InstallShield Installation Information\{E280923D-C5D9-4728-8C79-AC9A0DC75875}\setup.exe -runfromtemp -l0x0009 -removeonly
BitTorrent 5.0.9 → "C:\Program Files\BitTorrent\uninstall.exe"
BitTorrent DNA → "C:\Users\jake\Program Files\BitTorrent_DNA\dna.exe" /UNINSTALL
CCleaner (remove only) → "C:\Program Files\CCleaner\uninst.exe"
CDisplay 1.8 → "C:\Program Files\CDisplay\unins000.exe"
ChkMail → C:\Program Files\InstallShield Installation Information\{250F0996-1830-40C8-9B1D-6874D808DD95}\setup.exe -runfromtemp -l0x0009 -removeonly
Combined Community Codec Pack 2007-07-22 → "C:\Program Files\Combined Community Codec Pack\unins000.exe"
DivX Codec → C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader → C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter → C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player → C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player → C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Empire Earth III → C:\Program Files\InstallShield Installation Information\{B17E235C-7A3B-4482-B650-21FFDE1D452E}\setup.exe -runfromtemp -l0x0009 -removeonly
eyeQ → MsiExec.exe /I{B41FCFEE-EA00-496C-8387-82E730E334FD}
GameSpy Arcade → C:\PROGRA~1\GAMESP~1\UNWISE.EXE C:\PROGRA~1\GAMESP~1\INSTALL.LOG
Hawking Technologies HWUG1 Wireless-G USB Adapter → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E91E8912-769D-42F0-8408-0E329443BABC}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2 → "C:\Users\jake\Desktop\HijackThis.exe" /uninstall
Intel Matrix Storage Manager → C:\Windows\system32\imsmudlg.exe -uninstall
Intel(R) PROSet/Wireless Software → C:\Windows\Installer\iProInst.exe
iTunes → MsiExec.exe /I{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}
JMB36X Raid Configurer → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\setup.exe" -l0x9 -removeonly
LifeFrame2 → MsiExec.exe /I{1DBD1F12-ED93-49C0-A7CC-56CBDE488158}
LIVE gaming on Windows Runtime Version 1.0.6027 → MsiExec.exe /X{839916F4-D8B5-4407-BE6D-6D4EB9D96AF4}
mCore → MsiExec.exe /I{F5D7FAB5-A1FD-4DD3-983E-4155B09D7102}
mDriver → MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mHelp → MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft Office Access MUI (English) 2007 → MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 → MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 → "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISER /dll OSETUP.DLL
Microsoft Office Enterprise 2007 → MsiExec.exe /X{91120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 → MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 → MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 → MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 → MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 → MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 → MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 → MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 → MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 → MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 → MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 → MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 → MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 → MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 → MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 → MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable → MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable → MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
mMHouse → MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Motorola SM56 Speakerphone Modem → rundll32.exe sm56co6a.dll,SM56UnInstaller
Mozilla Firefox (2.0.0.11) → C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.6) → C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
mPfMgr → MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
MSXML 4.0 SP2 (KB927978) → MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) → MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) → MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 Parser and SDK → MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MSXML4 Parser → MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
NB Probe → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6324A1EF-CEF4-43E3-8BCD-9EF3F67317FD}\setup.exe" -l0x9
Nero 7 Essentials → MsiExec.exe /X{97F32DF8-D66E-446A-A425-C1D7B45C1033}
NetSign → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{F1530A8A-A7FA-4750-A0E9-6E777EF17F16}
Nidesoft iPod Video Converter v2.0 → "C:\Program Files\Nidesoft iPod Video Converter v2.0\unins000.exe"
NVIDIA Drivers → C:\Windows\system32\NVUNINST.EXE UninstallGUI
Oblivion → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x9 -removeonly
Portal → "C:\Program Files\Steam\steam.exe" steam://uninstall/400
QuickTime → MsiExec.exe /I{5B09BD67-4C99-46A1-8161-B7208CE18121}
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista → C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver → RtlUpd.exe -r -m
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01 → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59F6A514-9813-47A3-948C-8A155460CC2A}\SETUP.EXE" -l0x9 anything
Rise Of Legends → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{CADDE354-C78C-46CB-A006-E2B178EFC271}
Rise of Nations → "D:\Program Files\Microsoft Games\Rise of Nations\Uninstal.exe" /runtemp /uninstall
Seagate DiscWizard → MsiExec.exe /X{81A60A13-224D-4637-8203-3EAC03B121A4}
Security Update for CAPICOM (KB931906) → MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) → MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB936509) → msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {A00724F5-82C4-4924-B707-0E5A84B52471}
Security Update for Office 2007 (KB934062) → msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {305D509B-F194-4638-9F0F-D9E4C05F9D33}
Security Update for Office 2007 (KB936514) → msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {C7A78F7F-EF32-4477-BAD7-3439EA7571BF}
Security Update for Publisher 2007 (KB936646) → msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {A32E4BAF-6477-45FA-B8AB-E743FA8D63FF}
Security Update for the 2007 Microsoft Office System (KB936960) → msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {5E5BD655-7AA9-47F9-BB6D-A1D8CE29AC86}
SimCity 4 Deluxe → F:\Games\EAUninstall.exe
Skill Builder DX → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "E:\Professional Developement\CBT Sec+\Setup\Skillb\Uninstall\setup.exe"
Spybot - Search & Destroy → "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Star Wars®: Knights of the Old Republic ™ → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A9A40C7-6670-4D5F-8F41-D12E2E08B48B}\setup.exe" -l0x9
Steam → MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Synaptics Pointing Device Driver → rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TrueCrypt → "C:\Program Files\TrueCrypt\TrueCrypt Setup.exe" /u C:\Program Files\TrueCrypt
Update for Office 2007 (KB932080) → msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
Update for Office 2007 (KB934391) → msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {B3091818-7C56-4C45-BE7D-CA23027A5EA5}
Update for Office 2007 (KB934393) → msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {92FBAD46-E7F6-49FA-89B5-C39FC5BFAD15}
Update for Outlook 2007 (KB937608) → msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {CBB2454D-193F-4523-8A31-FEB343B7C30E}
Update for Outlook 2007 Junk Email Filter (kb943597) → msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {A751F0DB-8476-4207-956E-20AEBBA4B1DA}
Update for Word 2007 (KB934173) → msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {C6A89125-5473-45E3-B413-ED8186437475}
USB2.0 UVC 1.3M WebCam → C:\Windows\Uninst.bat
V CAST Music Manager → C:\PROGRA~1\VCASTM~1\Setup.exe /remove /q0
Ventrilo Client → MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VideoLAN VLC media player 0.8.6c → C:\Program Files\VideoLAN\VLC\uninstall.exe
VistaFeaturePack → C:\Program Files\InstallShield Installation Information\{D7E04009-B191-4E9D-9D2D-1BBE57BD8A42}\setup.exe -runfromtemp -l0x0409
Warcraft III → C:\Windows\War3Unin.exe C:\Windows\War3Unin.dat
Warcraft III: All Products → C:\Windows\War3Unin.exe C:\Windows\War3Unin.dat
Windows Media Player Firefox Plugin → MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinFlash → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DE10AB76-4756-4913-BE25-55D1C1051F9A}\setup.exe" -l0x9
WinRAR archiver → C:\Program Files\WinRAR\uninstall.exe
Wireless Console 2 → C:\Program Files\InstallShield Installation Information\{83F73CB1-7705-49D1-9852-84D839CA2A45}\SETUP.exe -runfromtemp -l0x0009 -removeonly
World of Warcraft → C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft (2)\Uninstall.exe
ZoneAlarm → C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

-- Application Event Log -------------------------------------------------------

Event Record #/Type181165 / Success
Event Submitted/Written: 01/28/2008 09:04:06 PM
Event ID/Source: 5617 / WinMgmt
Event Description:

Event Record #/Type181162 / Success
Event Submitted/Written: 01/28/2008 09:04:05 PM
Event ID/Source: 5615 / WinMgmt
Event Description:

Event Record #/Type181156 / Success
Event Submitted/Written: 01/28/2008 09:03:39 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type181142 / Warning
Event Submitted/Written: 01/28/2008 09:01:50 PM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-725837853-939778439-3836315707-1000_Classes:
Process 1100 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-725837853-939778439-3836315707-1000_CLASSES

Event Record #/Type181141 / Warning
Event Submitted/Written: 01/28/2008 09:01:50 PM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
3 user registry handles leaked from \Registry\User\S-1-5-21-725837853-939778439-3836315707-1000:
Process 1100 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-725837853-939778439-3836315707-1000
Process 1548 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-725837853-939778439-3836315707-1000\Software\Policies
Process 1548 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-725837853-939778439-3836315707-1000\Software

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type879191 / Warning
Event Submitted/Written: 01/29/2008 02:07:51 AM
Event ID/Source: 4 / Client Side Rendering Spooler
Event Description:
The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.

Event Record #/Type879190 / Warning
Event Submitted/Written: 01/29/2008 02:07:51 AM
Event ID/Source: 4 / Client Side Rendering Spooler
Event Description:
The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.

Event Record #/Type879179 / Warning
Event Submitted/Written: 01/28/2008 09:53:31 PM
Event ID/Source: 4 / Client Side Rendering Spooler
Event Description:
The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.

Event Record #/Type879178 / Warning
Event Submitted/Written: 01/28/2008 09:53:31 PM
Event ID/Source: 4 / Client Side Rendering Spooler
Event Description:
The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.

Event Record #/Type879169 / Warning
Event Submitted/Written: 01/28/2008 09:08:44 PM
Event ID/Source: 4 / Client Side Rendering Spooler
Event Description:
The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.

-- End of Deckard's System Scanner: finished at 2008-01-29 02:34:34 ------------

Whew. That’s a lot of crap to push through my crappy Iraqi Satellite internet connection. Sigh… still have to post the virustotal results.

VirusTotal.com results: (btw… ATK is the abbreviation used by Asus computers for most of their proprietary software. I’m on an Asus laptop, so it explains why there’s so much ATK crap in the logs)

File GFNEXSrv.exe received on 01.18.2008 17:59:28 (CET)
Current status: finished
Result: 0/32 (0.00%)
Antivirus Version Last Update Result
AhnLab-V3 2008.1.18.11 2008.01.18 -
AntiVir 7.6.0.48 2008.01.18 -
Authentium 4.93.8 2008.01.17 -
Avast 4.7.1098.0 2008.01.18 -
AVG 7.5.0.516 2008.01.18 -
BitDefender 7.2 2008.01.18 -
CAT-QuickHeal 9.00 2008.01.18 -
ClamAV 0.91.2 2008.01.18 -
DrWeb 4.44.0.09170 2008.01.18 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5467 2008.01.17 -
Ewido 4.0 2008.01.18 -
FileAdvisor 1 2008.01.18 -
Fortinet 3.14.0.0 2008.01.18 -
F-Prot 4.4.2.54 2008.01.17 -
F-Secure 6.70.13260.0 2008.01.18 -
Ikarus T3.1.1.20 2008.01.18 -
Kaspersky 7.0.0.125 2008.01.18 -
McAfee 5211 2008.01.18 -
Microsoft 1.3109 2008.01.18 -
NOD32v2 2806 2008.01.18 -
Norman 5.80.02 2008.01.18 -
Panda 9.0.0.4 2008.01.18 -
Prevx1 V2 2008.01.18 -
Rising 20.27.42.00 2008.01.18 -
Sophos 4.24.0 2008.01.18 -
Sunbelt 2.2.907.0 2008.01.17 -
Symantec 10 2008.01.18 -
TheHacker 6.2.9.189 2008.01.17 -
VBA32 3.12.2.5 2008.01.15 -
VirusBuster 4.3.26:9 2008.01.18 -
Webwasher-Gateway 6.6.2 2008.01.18 -
Additional information
File size: 94208 bytes
MD5: 7c157574a181b19b9dcf5f339e25337e
SHA1: 48cadcf4cb89527cd7e4a770ce561f0e7feed629
PEiD: -

I thank you for all your help and look forward to your reply!

Oops - I missed one in your initial log when I first looked at it. Sorry …

Please download the OTMoveIt2 by OldTimer.

[*] Save it to your desktop.
[*] Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
[*] Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\Users\jake\AppData\Local\Temp\ddaax.dl

[*] Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
[*] Click the red Moveit! button.
[*] A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply with a fresh HJT log.
[*] Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Whew. That's a lot of crap to push through my crappy Iraqi Satellite internet connection.
Military?

File/Folder C:\Users\jake\AppData\Local\Temp\ddaax.dl not found.

OTMoveIt2 v1.0.15 log created on 01292008_185620

I think one of the things you had me use might have cleaned it out when it cleaned temp files.

Yes… military. I’m actually in the computer field and I’d very much like to know if there’s some sort of class or course or any good books out there to bring me up to speed on malware removal and recovery. I think it’d be very helpful in my line of work to know how to do the kind of things you guys do. (I’m a sysadmin for a VERY large network)

Nothing I’ve used did any cleaning. But I see you ran VundoFix a couple days ago and this very well may have.

VundoFix created the file C:\VundoFix.txt - please post the contents of that and we’ll have a look.

Geek U at Geeks to Go is one of the best places to learn. Essexboy is a graduate from Geek U; I am a Junior there.

http://www.geekstogo.com/forum/Would-like-to-learn-to-fight-malware-t4817.html

Thank you :)

Vundofix.txt wasn't found anywhere on my computer, and I have "show hidden files" enabled in my folder options in Control Panel. I'm wondering if this was cleaned as well.

I actually didn't see anything come up when I ran this a few days ago, and still found viral remnants of the TratBHO a day or two later. I haven't had another outbreak of the infected .dll files since I ran ComboFix (I believe I actually saw it say it was cleaning my temp files at some point, or it may have been another program. I forget).

Well, since I can't seem to find any more infected files, and nothing else scary appears in the log files, I'm thinking this one has been resolved (for now at least). What do you think?

Also, thanks for all your help, Mauserme. I'll definitely look into the Geek U training when I have more time
(college + studying for promotion board + 12 hour shift 6 days a week = very little free time).

(Don't thank me for my service; there are far more deserving people getting blown up daily. I just fix computers in an air conditioned building. Nice to have your support though!)

If you can find C:\ComboFix.txt please post that one.

Well, since I can't seem to find any more infected files, and nothing else scary appears in the log files, I'm thinking this one has been resolved (for now at least). What do you think?
Well, I'm not seeing much in the logs you've posted, but the ComboFix log might shed some light (if you can find it). I would like to see it just to know that some sort of cleaning has actually happened. Things that seem to disappear with no explanation have a habit of coming back.
don't thank me for my service, there are far more deserving people getting blown up daily.
I thank them too - every chance I get.