Strange Virus Fixed but I wonder if I did the right thing...

Slider51Slider51 Michigan USA New
edited April 2009 in Spyware & Virus Removal
A few posts down "Strange New Virus" ...this is the result and I have a funny feeling about the fix..

I took the suggestion of the person who advised me to try CyberDefender. Downloaded the "free" version and scanned my machine ..WOW..right off the bat it said I was infected with a Trojan "Sheur2xlc". But if I wanted to have CyberDefender fix it, I had to buy the software...well it was only $18.50 and after all AVG didn't see the virus, and all my other Spyware stuff was toast. But I didn't want to transmit my credit card number from a machine with a remote networking trojan, so I called the number to pay by phone. The automatic voice mail disconnected the call. So I called the only other number I could find, Tech Support, to try to purchase the $18.50 CyberDefender package.

Got a guy in India (big surprise) who said he could help me but first wanted to know which virus I had. When I told him, he said it was an iteration of the Anti-Virus 2009 virus (I had no idea what that was at the time). He further said that it likely did alot of damage to my file structure as well as the registry...he was right on that one, the trojan had changed my file preferences so I couldn't see hidden files, and disabled the window to get it back. Add to that not being able to see any graphics at all in IE7, and Spyware Doctor, Win Defender, AdAware, and Registry Mechanic were all disabled.

Then the sales pitch started. He could fix my machine remotely, guaranteed, but to do so I had to purchase one year of 24/7 tech support and all the CyberDefender software at $249.99...

Well, here I am a small businessman with my computer down, facing hours of fixing on my own (maybe) a trojan that no other software package detected and I could find nothing about on the internet. At this point, however, the fix sounded awfully good, so I bit down hard and signed up for the service.

Now...the rest of the story is all good - the tech in India DID connect with my machine remotely, and he DID spend nearly 4 hours repairing everything. My machine runs perfectly now, and I do have another 51 weeks of 24/7 online tech support available. At my shop labor rate, this tech earned the $250 on this first fix. BUT...

With everything working again I started trying to find out more about thes "Sheur2XLC" trojan...Google ends up returning nothing by that name. Then I started reading about rogue software....

OK, so the big question....did I just buy a fix to a trojan that CyberDefender put out there? Did I just fall for a scam? I hope not - I pride myself on seeing through most of the garbage out there, but this one had me by the short and curlies...

Now, if CyberDefender (a public corporation traded on Nasdaq as their website shows) truly is the first to have identified and found a fix to a new trojan, and they spent 4 hours legitimately remotely repairing my machine, then I'm happy - I got my money's worth on the first go-around and I still have a year of service backing me up. But if I fell for something I should have seen coming, well, I'm equally impressed by their smoothness and I'll kick myself as I'm contacting my credit card company to try to have the charge reversed.

Who knows out there? I'm sitting down, I can take it....

Slider
«1

Comments

  • KatanaKatana
    edited March 2009
    CyberDefender was listed as a rogue some time ago, mainly due to connections with 2 other rogues, but it was delisted by Eric Howes in 2006.

    http://www.spywarewarrior.com/de-listed.htm#cybdef_note

    I haven't heard of any problems with it for a while, so I suspect they have cleaned up their reputation.

    If you are happy with the service they provided, and the fee they charged then all is well :)

    Without knowing exactly what was on your machine, I can't comment as to whether you needed to pay them or not.
  • Slider51Slider51 Michigan USA New
    edited March 2009
    Katana wrote:
    CyberDefender was listed as a rogue some time ago, mainly due to connections with 2 other rogues, but it was delisted by Eric Howes in 2006.

    http://www.spywarewarrior.com/de-listed.htm#cybdef_note

    I haven't heard of any problems with it for a while, so I suspect they have cleaned up their reputation.

    If you are happy with the service they provided, and the fee they charged then all is well :)

    Without knowing exactly what was on your machine, I can't comment as to whether you needed to pay them or not.
  • Slider51Slider51 Michigan USA New
    edited March 2009
    Thank you very much for your reply, Katana. I really don't know what to think at this point. If Cyber Defender actually found a new trojan on my machine, and through nearly 4 hours of remote repair were able to fix it, kudos to C-D and I am happy as a clam. Not happy that I had to shell out $250, but happy that there was help available. BUT - There are several things that keep nagging at me as very suspicious:

    1. The trojan was a masterpiece - it disabled 4 other malware programs I have and made changes so that I could not see my documents and settings/administrator/local settings folder, that held the temp file containing the two "lult33ih.exe" files. TUT could still see them, but it could not disable or otherwise affect them. The executables were bullet-proof...impossible to delete, move, rename, change attributes, etc., etc. through Windows, or with DOS, in regular or safe modes. In 9 years of taking care of my own virus and spyware issues with a host of anti-malware programs, I have never encountered one I could not eventually find an angle to repair. This was no run of the mill lowlife trojan writer, somebody knew a whole lot about making this one impenetrable.

    2. After uninstalling and re-installing Spyware Doctor, AVG anti-virus, Ad-Aware, Win Defender, and Registry Mechanic on my D: drive and running them on the C:, none of these packages detected the trojan. Only Cyber-Defender found the trojan, and after only 2-3 seconds of scanning.

    3. I now recall that the "Sheur2xlc" name C-D gave the trojan also showed that it was a couple of years old...yet no web searches of the trojan name or the executable files resulted in hits. How is it that Cyber-Defender is the only one in the world that has information on the trojan?

    3. The "free download" of Cyber-Defender that would not fix anything unless I purchased it was not a big surprise, but no mention of scan-only is made on CD's website.

    4. When I tried to purchase the software on the phone at the number for "pay by phone" the call was disconnected 3 times in a row. But call the "premium tech support" 800 number, and you get a salesman - not a tech, but a salesman.

    5. When I asked the salesman to cut through the bull and tell me how much it was going to soct to fix the problem, I was immediately told $250, and no mention was made of the $129 one-time tech support fix they also sell with the software.

    6. The actual Cyber Defender software was never activated until after the trojan was removed....the tech did not use the CD product at all, watching the remote fix taking place, he used MalwareBytes, Trojan Remover, and Super Anti-Spyware, as well as other packages, installing them and then uninstalling them as he went. Makes me wonder if Cyber-Defender actually had any capabilities with this trojan at all....

    After reviewing Cyber-Defender's history on SpywareWarrior's site, I am beginning to think this entire incident is no more than a slicked-up version of a rogue attack, albeit extremely well thought out and executed. I am no expert at all, way far from it, but if your run-of-the-mill user who has to rely only on what others tell them had just had this happen, well, they probably would think everything was just right about what took place. "Gosh I got a bad virus but this really nice guy in India spent 4 hours fixing it and promised that they'll fix anything that happens to my computer for the next year, and all for only $250! "

    I sure hope somone can prove me wrong, but given everything above, I think I got taken advantage of at a very bad and extremely busy moment and Cyber-Defender's technique for extracting money out of even the most tight-fisted worked flawlessly...

    Let's hear it, people, what do you think? Is Cyber-Defender dealing dirty or are they just that much better than all the other anti-malware peddlers out there?

    Slider
  • KatanaKatana
    edited March 2009
    I have to say, after hearing the full story it sounds like CD hasn't changed very much after all.
    There is no excuse for a company to charge you money and then use another companies software to clean your machine.

    Would you mind if I informed the MalwareBytes team about this ?, I'm sure they will be interested to hear your story.
  • Slider51Slider51 Michigan USA New
    edited March 2009
    Katana wrote:
    I have to say, after hearing the full story it sounds like CD hasn't changed very much after all.
    There is no excuse for a company to charge you money and then use another companies software to clean your machine.

    Would you mind if I informed the MalwareBytes team about this ?, I'm sure they will be interested to hear your story.

    Yes, by all means, please do inform them. I would be more than happy to share anything at all with them about this incident. I am just about convinced I have been taken to the cleaners here, for precisely the reasons I listed in my last post.

    Not sure if a Hijack-This log would help now, after the fact, but I will certainly provide one if asked.

    I haven't asked for my money back yet, partly because I know what the answer will be, and partly because I supposedly have a year of 24/7 online support still available. I will undoubtedly pick something up again in the future, and rather than having my own software fix it or fixing it myself, I may just kick it over to CD to see if the rest of their promise is good.

    I know I'm preaching to the choir here, but I am so sick and tired of people doing anything and everything to scam other people out of their hard earned money.

    Thank you once again, Katana, for your replies and your interest.

    Slider
  • KatanaKatana
    edited March 2009
    Thank you once again, Katana, for your replies and your interest.
    The entire security community is interested in information such as this.
    http://hphosts.blogspot.com/2009/03/rogue-company-cyberdefender-uses-mbam.html

    The internet has enough people trying to steal your money without having to watch out for "Security" sites taking you for a ride as well.
    I suppose their defense will be that they cleaned your machine for you.
    ( even if it was with other peoples tools )

    If you wouldn't mind, I would like to run a couple of scans to see if there are any traces of what was installed by them.
  • Slider51Slider51 Michigan USA New
    edited March 2009
    If you wouldn't mind, I would like to run a couple of scans to see if there are any traces of what was installed by them.[/quote]

    Fine with me, I have a little time.

    BTW, just as I was reading the blog, IE flashed a Window that it had to close due to a problem with an add-on...the add-on? The CD dll! When I restarted IE, Spyware Doctor sdid an InelliScan and found Backdoor.Agent.CFC...I let it fix it..

    Fire away!
  • KatanaKatana
    edited March 2009
    Slider51 wrote:
    BTW, just as I was reading the blog, IE flashed a Window that it had to close due to a problem with an add-on...the add-on? The CD dll! When I restarted IE, Spyware Doctor sdid an InelliScan and found Backdoor.Agent.CFC...I let it fix it..

    That's curious ???


    Let's start with a simple diagnostic and see what that shows ...


    Download and Run RSIT
    • Please download Random's System Information Tool by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open:
      • log.txt will be opened maximized.
      • info.txt will be opened minimized.
    • Please post the contents of both log.txt and info.txt.
  • Slider51Slider51 Michigan USA New
    edited March 2009
    OK here are both...



    Logfile of random's system information tool 1.06 (written by random/random)
    Run by Administrator at 2009-03-29 18:27:47
    Microsoft Windows XP Professional Service Pack 3
    System drive C: has 203 GB (85%) free of 238 GB
    Total RAM: 1023 MB (53% free)
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:27:52 PM, on 3/29/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator\Desktop\RSIT.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\Program Files\Trend Micro\HijackThis\Administrator.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.attbi.com
    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Administrator\Local Settings\Application Data\CyberDefender\cdmyidd.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
    N3 - Netscape 7: # Mozilla User Preferences
    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */
    user_pref("aim.session.firsttime", false);
    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\ADMINISTRATOR\\APPLICATION DATA\\Mozilla\\Profiles\\default\\lxcunvvv.slt");
    user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
    user_pref("browser.startup.homepage_override.mstone", "rv:1.7.2");
    user_pref("dom.disable_open_during_load", true);
    user_pref("intl.charsetmenu.browser.cache", "us-ascii, UTF-8, windows-1252, ISO-8859-1");
    user_pref("mail
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Administrator\Local Settings\Application Data\CyberDefender\cdmyidd.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Administrator\Local Settings\Application Data\CyberDefender\cdmyidd.dll
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096722207781
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140016650656
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = XXX
    O17 - HKLM\Software\..\Telephony: DomainName = XXX
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = XXX
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
    --
    End of file - 8244 bytes
    ======Scheduled tasks folder======
    C:\WINDOWS\tasks\MP Scheduled Scan.job
    ======Registry dump======
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-03-27 1078552]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
    Yahoo! IE Services Button - C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 198136]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-02 320920]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}]
    MyIdentityDefender - C:\Documents and Settings\Administrator\Local Settings\Application Data\CyberDefender\cdmyidd.dll [2009-03-24 3851592]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2007-05-21 2403392]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll [2008-09-11 737776]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-02 34816]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
    JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-02 73728]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2007-05-21 2403392]
    {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - MyIdentityDefender - C:\Documents and Settings\Administrator\Local Settings\Application Data\CyberDefender\cdmyidd.dll [2009-03-24 3851592]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-12-08 1173384]
    "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-03-27 1932568]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
    C:\WINDOWS\ALCWZRD.EXE [2004-05-17 2545664]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP []
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
    D:\avgtray.exe []
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\control64]
    defect08.exe []
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CyberDefender Early Detection Center]
    D:\AntiSpyware\ISSIntro.exe [2009-03-24 570696]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Diagnostic Manager]
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2311526804.exe []
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWHeartbeatMonitor]
    []
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
    C:\WINDOWS\system32\HDAudPropShortcut.exe [2004-03-17 61952]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWOTOOLBOX]
    C:\Program Files\HP\HP Officejet Pro K850 Series\Toolbox\HPWOTBX.exe [2006-11-03 352256]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
    C:\Program Files\Spyware Doctor\pctsTray.exe [2008-12-08 1173384]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lpt]
    wormexe.exe []
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSSelectorReinstall]
    C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe [2007-02-22 2209224]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Panasonic Device Manager for Multi-Function Station software]
    C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe [2007-05-21 126976]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Panasonic Device Monitor Wakeup]
    C:\Program Files\Panasonic\Device Monitor\dmwakeup.exe [2006-11-02 303104]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Panasonic PCFAX for Multi-Function Station software]
    C:\Program Files\Panasonic\MFStation\KmPcFax.exe [2007-08-28 757760]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
    C:\PROGRA~1\Ahead\NEROPH~1\data\xtras\mssysmgr.exe [2004-05-12 196608]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe [2007-06-29 286720]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
    []
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-02 136600]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-08-30 68856]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysSupport]
    DCC_send.exe []
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Resurections]
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lult33ih.exe []
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3
    "WinDefend"=2
    "ThreatFire"=3
    "sdCoreService"=2
    "sdAuxService"=2
    "Panasonic Trap Monitor Service"=2
    "Panasonic Local Printer Service"=2
    "ose"=3
    "JavaQuickStarterService"=3
    "gusvc"=3
    "C-DillaCdaC11BA"=2
    "AVGEMS"=2
    "Avg7UpdSvc"=2
    "Avg7Alrt"=2
    "ATI Smart"=2
    "APC UPS Service"=2
    "AcrSch2Svc"=2
    "aawservice"=3
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    C:\WINDOWS\system32\Ati2evxx.dll [2004-04-21 86016]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
    C:\WINDOWS\system32\avgrsstx.dll [2009-03-27 10520]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "authentication packages"=msv1_0
    relog_ap
    "notification packages"=
    scecli
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=145
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "HonorAutoRunSetting"=
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "D:\AntiSpyware\cdas8.exe"="D:\AntiSpyware\cdas8.exe:*:Enabled:CyberDefender Internet Security"
    "C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    ======File associations======
    .scr - open - "C:\WINDOWS\notepad.exe" "%1"
    .scr - install -
    .scr - config -
    ======List of files/folders created in the last 1 months======
    2009-03-29 18:27:47 ----D---- C:\rsit
    2009-03-27 20:52:56 ----HD---- C:\$AVG8.VAULT$
    2009-03-27 20:07:07 ----A---- C:\WINDOWS\system32\avgrsstx.dll
    2009-03-27 20:06:44 ----D---- C:\Program Files\AVG
    2009-03-27 20:06:43 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
    2009-03-27 18:59:58 ----D---- C:\Program Files\Common Files\PC Tools
    2009-03-27 18:59:53 ----D---- C:\Program Files\Spyware Doctor
    2009-03-24 17:34:59 ----A---- C:\WINDOWS\st_affiliate.ini
    2009-03-24 17:25:33 ----D---- C:\Program Files\CyberDefender
    2009-03-24 17:10:39 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-03-24 17:09:27 ----D---- C:\Program Files\SUPERAntiSpyware
    2009-03-24 17:09:27 ----D---- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
    2009-03-24 16:55:31 ----D---- C:\Avenger
    2009-03-24 16:55:31 ----A---- C:\avenger.txt
    2009-03-24 16:37:46 ----D---- C:\WINDOWS\system32\CatRoot2
    2009-03-24 16:37:23 ----D---- C:\WINDOWS\temp
    2009-03-24 16:00:23 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2009-03-24 16:00:16 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2009-03-24 14:20:54 ----SHD---- C:\WINDOWS\CSC
    2009-03-24 13:49:52 ----A---- C:\WINDOWS\av_affiliate.ini
    2009-03-24 13:49:50 ----A---- C:\WINDOWS\as_affiliate.ini
    2009-03-12 20:55:40 ----A---- C:\WINDOWS\KmPcFax.INI
    2009-03-12 20:31:03 ----A---- C:\WINDOWS\system32\hpz3l42i.dll
    2009-03-11 15:52:11 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
    2009-03-11 15:52:05 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
    2009-03-11 15:51:03 ----HDC---- C:\WINDOWS\$NtUninstallKB959772_WM11$
    ======List of files/folders modified in the last 1 months======
    2009-03-29 18:27:25 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
    2009-03-29 18:20:47 ----D---- C:\WINDOWS\Prefetch
    2009-03-29 17:13:46 ----SD---- C:\WINDOWS\Tasks
    2009-03-29 17:10:50 ----D---- C:\WINDOWS\system32\drivers
    2009-03-29 13:31:48 ----A---- C:\WINDOWS\SchedLgU.Txt
    2009-03-27 20:07:07 ----D---- C:\WINDOWS\system32
    2009-03-27 20:06:44 ----RD---- C:\Program Files
    2009-03-27 20:06:30 ----SHD---- C:\WINDOWS\Installer
    2009-03-27 20:06:25 ----HD---- C:\Config.Msi
    2009-03-27 20:05:25 ----D---- C:\WINDOWS
    2009-03-27 18:59:58 ----D---- C:\Program Files\Common Files
    2009-03-25 01:11:33 ----A---- C:\WINDOWS\NeroDigital.ini
    2009-03-24 20:34:57 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2009-03-24 17:35:32 ----D---- C:\WINDOWS\SoftwareDistribution
    2009-03-24 17:35:32 ----D---- C:\WINDOWS\Help
    2009-03-24 17:35:30 ----HD---- C:\WINDOWS\inf
    2009-03-24 17:23:05 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
    2009-03-24 17:09:12 ----D---- C:\Program Files\Mozilla Firefox
    2009-03-24 16:54:53 ----D---- C:\WINDOWS\security
    2009-03-24 16:38:22 ----D---- C:\WINDOWS\system32\CatRoot
    2009-03-24 16:11:44 ----D---- C:\Program Files\Trend Micro
    2009-03-24 15:36:37 ----ASH---- C:\boot.ini
    2009-03-24 15:36:37 ----A---- C:\WINDOWS\win.ini
    2009-03-24 15:36:37 ----A---- C:\WINDOWS\system.ini
    2009-03-24 14:21:10 ----A---- C:\WINDOWS\ntbtlog.txt
    2009-03-23 19:48:28 ----D---- C:\WINDOWS\WinSxS
    2009-03-23 19:48:28 ----D---- C:\Program Files\Common Files\Microsoft Shared
    2009-03-12 20:28:49 ----D---- C:\Program Files\HP
    2009-03-11 15:52:08 ----A---- C:\WINDOWS\imsins.BAK
    2009-03-11 15:04:36 ----HD---- C:\WINDOWS\$hf_mig$
    2009-03-08 12:49:57 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
    R1 AvgArCln;Avg Anti-Rootkit Clean Driver; C:\WINDOWS\System32\DRIVERS\AvgArCln.sys [2007-01-18 3968]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-03-27 325640]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-03-27 27656]
    R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-03-27 107912]
    R1 InCDPass;InCDPass; C:\WINDOWS\System32\DRIVERS\InCDPass.sys [2004-09-13 28672]
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
    R1 pctgntdi;pctgntdi; \??\C:\WINDOWS\system32\drivers\pctgntdi.sys []
    R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-03-31 12032]
    R2 Aspi32;Aspi32; C:\WINDOWS\system32\drivers\Aspi32.sys [2002-08-14 17005]
    R2 CdaC15BA;CdaC15BA; \??\C:\WINDOWS\system32\drivers\CDAC15BA.SYS []
    R2 tifsfilter;Acronis True Image FS Filter; C:\WINDOWS\system32\DRIVERS\tifsfilt.sys [2007-06-20 39712]
    R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
    R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2004-04-21 729088]
    R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\System32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
    R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
    R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2004-05-17 2161792]
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
    R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\System32\DRIVERS\ASACPI.sys [2003-03-02 5755]
    R3 MVDCODEC;ATI WDM Specialized MVD Codec; C:\WINDOWS\System32\DRIVERS\atinmdxx.sys [2004-03-18 13824]
    R3 pctplsg;pctplsg; \??\C:\WINDOWS\system32\drivers\pctplsg.sys []
    R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2006-03-29 9856]
    R3 TfNetMon;TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys []
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
    R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Controller; C:\WINDOWS\System32\DRIVERS\yk51x86.sys [2004-06-01 178560]
    R4 InCDfs;InCD File System; C:\WINDOWS\system32\drivers\InCDfs.sys [2004-09-13 93440]
    S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
    S3 CDAVFS;CDAVFS; C:\WINDOWS\system32\DRIVERS\CDAVFS.sys [2009-03-24 67424]
    S3 GAGPDrv;GAGPDrv; C:\WINDOWS\system32\drivers\GAGPDrv.sys []
    S3 GVCplDrv;GVCplDrv; C:\WINDOWS\system32\drivers\GVCplDrv.sys [2004-05-02 23040]
    S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2004-03-17 113664]
    S3 HidBatt;HID UPS Battery Driver; C:\WINDOWS\system32\DRIVERS\HidBatt.sys [2008-04-13 20352]
    S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
    S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
    S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2008-04-13 10880]
    S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2008-04-13 11136]
    S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2008-04-13 15232]
    S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
    S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
    S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
    S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
    S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
    R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-03-27 298264]
    R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
    R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-01-21 1095560]
    R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
    R3 ThreatFire;ThreatFire; C:\Program Files\Spyware Doctor\TFEngine\TFService.exe [2008-06-06 66880]
    S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
    S4 aawservice;aawservice; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-25 611664]
    S4 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [2007-01-31 407072]
    S4 APC UPS Service;APC UPS Service; C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe [2002-10-15 155770]
    S4 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2004-04-21 397312]
    S4 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2004-04-21 516096]
    S4 C-DillaCdaC11BA;C-DillaCdaC11BA; C:\WINDOWS\system32\drivers\CDAC11BA.EXE [2004-10-09 54784]
    S4 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-21 138168]
    S4 JavaQuickStarterService;JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-02 152984]
    S4 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S4 Panasonic Local Printer Service;Panasonic Local Printer Service; C:\PROGRA~1\PANASO~1\LocalCom\lmsrvnt.exe [2004-08-03 36864]
    S4 Panasonic Trap Monitor Service;Panasonic Trap Monitor Service; C:\PROGRA~1\PANASO~1\TRAPMO~1\Trapmnnt.exe [2004-02-24 69632]
    S4 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
    EOF

  • Slider51Slider51 Michigan USA New
    edited March 2009
    Sorry Katana I just realized there was a second logfile I missed...here it is..


    info.txt logfile of random's system information tool 1.06 2009-03-29 18:27:57
    ======Uninstall list======
    -->"D:\cdinstx.exe" /u "D:\earlySpam\cdinstx.log" /t "CyberDefender Early Detection Center - AntiSpam"
    -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Acronis Disk Director Suite-->MsiExec.exe /X{2300EE96-0A41-4FAB-BD03-989EC44577A0}
    Acronis True Image Workstation-->MsiExec.exe /X{2545228C-6A70-4A01-B936-6DA77984D298}
    Acronis Universal Restore for Acronis True Image Workstation-->MsiExec.exe /X{2FF9C99F-78C6-4788-AEAF-573A5414E6E1}
    Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
    Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
    Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Reader 7.0.9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
    APC PowerChute Personal Edition-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5A0C892E-FD1C-4203-941E-0956AED20A6A}\Setup.exe" -l0x9
    Apple Software Update-->MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
    ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
    ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
    ATI Display Driver-->rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_classISPLAY -clean
    AutoCAD 2004-->MsiExec.exe /I{5783F2D7-0201-0409-0002-0060B0CE6BBA}
    AutoCAD Express Tools Volumes 1-9-->MsiExec.exe /X{5783F2D7-0211-0409-0000-0060B0CE6BBA}
    Autodesk CAD Manager Tools 2.0-->MsiExec.exe /I{5783F2D7-0111-0409-0010-0060B0CE6BBA}
    Autodesk Express Viewer-->C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove
    AVG 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
    AVG Anti-Rootkit Free-->C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\Uninstall.exe
    Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
    CutList Plus 2009-->MsiExec.exe /X{7F352422-4AC3-4AB3-8C00-A639C72F250E}
    CyberDefender Early Detection Center-->D:\cdinstx.exe /u
    FinalBurner Free v1.23.0.113-->"C:\Program Files\FinalBurner\Uninstall.exe" "C:\Program Files\FinalBurner\install.log" -u
    Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
    Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
    Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
    High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
    HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
    Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
    Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
    Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
    HP CD Labeler II-->C:\PROGRA~1\HPCDLA~1\UNWISE.EXE C:\PROGRA~1\HPCDLA~1\INSTALL.LOG
    hp deskjet 970c series (Remove only)-->C:\Program Files\hp deskjet 970c series\hpfiui.exe -c -vdivid=HPF -vpnum=95 -vinstport=LPT1: -vproduct=970c -huninstall
    hp deskjet 970c series-->rundll32 hpzcon04.dll,VendorJettison hp deskjet 970c series
    HP Officejet Pro K850 Series-->C:\Program Files\HP\Digital Imaging\{6EEF4388-3422-4885-A137-A29365E8E7BE}\setup\hpzscr01.exe -datfile hpwscr04.dat -forcereboot
    HP PhotoSmart Photo Printing Software-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\HP PhotoSmart\Photo Printing\Uninstall.isu" -c"C:\Program Files\HP PhotoSmart\Photo Printing\HpiUPPrn.dll
    ImgV32-->C:\Program Files\Imgv32\UNINSTAL.EXE
    InCD-->C:\WINDOWS\NuNInst.exe /UNINSTALL
    Java(TM) 6 Update 10-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
    Java(TM) 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
    Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
    Java(TM) SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
    Marvell Miniport Driver-->MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
    Messenger-Control plug-in for Ad-Aware SE-->C:\Program Files\HP CD Labeler II\INSTALL.LOG
    Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
    Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
    Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
    Microsoft Office Basic Edition 2003-->MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
    Microsoft Streets and Trips 2005-->MsiExec.exe /I{67E4EE98-59F4-4210-89A6-A20AF5BEC689}
    Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
    Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
    Microsoft Windows XP Video Decoder Checkup Utility-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\DECCHECK.inf,Uninstall
    Moyea FLV to Video Converter Pro 3 Version: 3.1.11.0-->"C:\Program Files\Moyea\FLV to Video Converter Pro 3\unins000.exe"
    Mozilla Firefox (1.5)-->C:\Program Files\Mozilla Firefox\uninstall\uninstall.exe /ua "1.5 (en-US)"
    MSN Music Assistant-->rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
    MyIdentityDefender Toolbar (CyberDefender Corporation)-->C:\Documents and Settings\Administrator\Local Settings\Application Data\CyberDefender\cdinstx.exe /u
    Nero Media Player-->C:\WINDOWS\UNNMP.exe /UNINSTALL
    Nero OEM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
    Nero PhotoShow Express-->"C:\Program Files\Ahead\Nero PhotoShow\data\Xtras\Uninstall.exe"
    NeroMIX-->C:\WINDOWS\UNNMIX.exe /UNINSTALL
    NeroVision Express 3-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
    Netscape (7.2)-->C:\WINDOWS\NSUninst.exe /ua "7.2 (en)"
    OE/W Messengerctrl plug-in for Ad-Aware SE-->C:\Program Files\HP CD Labeler II\INSTALL.LOG
    Panasonic Multi-Function Station software-->C:\Program Files\InstallShield Installation Information\{53DE4FAD-F853-44F3-AC39-AD2940E5DD53}\Setup.exe -runfromtemp -l0x0009 -l0009 UNINSTALL -removeonly
    Panasonic V1.13.00E Device Monitor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5061C9FB-BA2D-4498-92B6-5459A0E2F6E3}\Setup.exe" -l0x9 /U
    PCFriendly-->C:\Program Files\PCFriendly\inuninst.exe
    PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
    QuickTime-->MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
    Readiris Pro 7.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{875F2DAB-3B03-11D5-AB3E-000102B0F79A}\Setup.exe" -l0x9
    Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
    RegistryFix v6.2-->"C:\Program Files\RegistryFix\unins000.exe"
    Rhapsody Player Engine-->MsiExec.exe /I{6A136B9A-1895-436F-83F8-30D9C68BB6EA}
    SafeCast Shared Components-->C:\Program Files\Common Files\Macrovision Shared\SafeCast\Install\CDAC13BA.EXE /uninstall
    Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
    Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
    Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
    Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
    Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
    Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
    SpellForce-->C:\PROGRA~1\JoWooD\SPELLF~1\unwise.exe C:\PROGRA~1\JoWooD\SPELLF~1\install.log
    Spyware Doctor 6.0-->C:\Program Files\Spyware Doctor\unins000.exe /LOG
    The Ultimate Troubleshooter-->C:\PROGRA~1\ANSWER~1\TROUBL~1\UNWISE.EXE C:\PROGRA~1\ANSWER~1\TROUBL~1\INSTALL.LOG
    Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
    Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
    Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
    Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
    VX2 Cleaner plug-in for Ad-Aware SE-->C:\Program Files\HP CD Labeler II\INSTALL.LOG
    WebEx-->C:\PROGRA~1\MOZILL~1\plugins\atcliun.exe
    WinAVI Video Converter-->"C:\Program Files\WinAVI Video Converter\unins000.exe"
    Windows Defender-->MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
    Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
    Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
    Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
    Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
    Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
    Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
    Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
    Yahoo! Browser Services-->C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
    Yahoo! Install Manager-->C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
    Yahoo! Internet Mail-->C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
    Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
    =====HijackThis Backups=====
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [2009-03-24]
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) [2009-03-24]
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) [2009-03-24]
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file) [2009-03-24]
    ======Security center information======
    AV: Spyware Doctor with AntiVirus
    AV: AVG Anti-Virus Free
    AV: CyberDefender Internet Security
    ======System event log======
    Computer Name: MJ-STATION1
    Event Code: 3004
    Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=74409
    Scan ID: {EB04E861-8CA2-44BD-B958-AC2556C5B20C}
    User: MJ-STATION1\Administrator
    Name: Unknown
    ID:
    Severity: Not Yet Classified
    Category: Not Yet Classified
    Path Found: regkey:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Acronis\TrueImageWorkstation\winpe_iso.exe;firewallokfile:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Acronis\TrueImageWorkstation\winpe_iso.exe;file:C:\Program Files\Acronis\TrueImageWorkstation\winpe_iso.exe
    Alert Type: Unclassified software
    Detection Type:
    Record Number: 24
    Source Name: WinDefend
    Time Written: 20070620202132.000000-240
    Event Type: warning
    User:
    Computer Name: MJ-STATION1
    Event Code: 11165
    Message: The system failed to register host (A) resource records (RRs) for
    network adapter
    with settings:

    Adapter Name : {3716716D-7683-4831-8FCD-00966594532B}
    Host Name : mj-station1
    Primary Domain Suffix : XXX
    DNS server list :
    68.87.77.130, 68.87.72.130
    Sent update to server : <?>
    IP Address(es) :
    192.168.1.100

    The reason the system could not register these RRs was because the
    DNS server contacted refused the update request. The reasons for this
    might be (a) you are not allowed to update the specified DNS domain name,
    or (b) because the DNS server authoritative for this name does not support
    the DNS dynamic update protocol.

    To register the DNS host (A) resource records using the specific DNS
    domain name and IP addresses for this adapter, contact your DNS server
    or network systems administrator.
    Record Number: 23
    Source Name: DnsApi
    Time Written: 20070620195239.000000-240
    Event Type: warning
    User:
    Computer Name: MJ-STATION1
    Event Code: 3004
    Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=74409
    Scan ID: {976AEAE3-9E55-4018-8B8F-B0405C08885F}
    User: MJ-STATION1\Administrator
    Name: Unknown
    ID:
    Severity: Not Yet Classified
    Category: Not Yet Classified
    Path Found: driver:mchInjDrv
    Alert Type: Unclassified software
    Detection Type:
    Record Number: 20
    Source Name: WinDefend
    Time Written: 20070620193719.000000-240
    Event Type: warning
    User:
    Computer Name: MJ-STATION1
    Event Code: 3004
    Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=74409
    Scan ID: {32C1925A-A830-4799-8DCD-069F95B11ADE}
    User: MJ-STATION1\Administrator
    Name: Unknown
    ID:
    Severity: Not Yet Classified
    Category: Not Yet Classified
    Path Found: service:mchInjDrv
    Alert Type: Unclassified software
    Detection Type:
    Record Number: 19
    Source Name: WinDefend
    Time Written: 20070620193719.000000-240
    Event Type: warning
    User:
    Computer Name: MJ-STATION1
    Event Code: 1003
    Message: Your computer was not able to renew its address from the network (from the
    DHCP Server) for the Network Card with network address 00112F2ACF38. The following
    error occurred:
    The semaphore timeout period has expired.
    .
    Your computer will continue to try and obtain an address on its own from
    the network address (DHCP) server.
    Record Number: 5
    Source Name: Dhcp
    Time Written: 20070620193636.000000-240
    Event Type: warning
    User:
    =====Application event log=====
    Computer Name: MJ-STATION1
    Event Code: 1517
    Message: Windows saved user MJ-STATION1\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

    This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
    Record Number: 30732
    Source Name: Userenv
    Time Written: 20070602122143.000000-240
    Event Type: warning
    User: NT AUTHORITY\SYSTEM
    Computer Name: MJ-STATION1
    Event Code: 1517
    Message: Windows saved user MJ-STATION1\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

    This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
    Record Number: 30658
    Source Name: Userenv
    Time Written: 20070530102037.000000-240
    Event Type: warning
    User: NT AUTHORITY\SYSTEM
    Computer Name: MJ-STATION1
    Event Code: 1517
    Message: Windows saved user MJ-STATION1\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

    This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
    Record Number: 30620
    Source Name: Userenv
    Time Written: 20070529121128.000000-240
    Event Type: warning
    User: NT AUTHORITY\SYSTEM
    Computer Name: MJ-STATION1
    Event Code: 1517
    Message: Windows saved user MJ-STATION1\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

    This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
    Record Number: 30601
    Source Name: Userenv
    Time Written: 20070528041437.000000-240
    Event Type: warning
    User: NT AUTHORITY\SYSTEM
    Computer Name: MJ-STATION1
    Event Code: 1517
    Message: Windows saved user MJ-STATION1\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

    This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
    Record Number: 30582
    Source Name: Userenv
    Time Written: 20070528030518.000000-240
    Event Type: warning
    User: NT AUTHORITY\SYSTEM
    ======Environment variables======
    "ComSpec"=%SystemRoot%\system32\cmd.exe
    "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\QuickTime\QTSystem\
    "windir"=%SystemRoot%
    "OS"=Windows_NT
    "PROCESSOR_ARCHITECTURE"=x86
    "PROCESSOR_LEVEL"=15
    "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 3 Stepping 4, GenuineIntel
    "PROCESSOR_REVISION"=0304
    "NUMBER_OF_PROCESSORS"=2
    "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    "TEMP"=%SystemRoot%\TEMP
    "TMP"=%SystemRoot%\TEMP
    "FP_NO_HOST_CHECK"=NO
    "CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
    "QTJAVA"=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
    EOF
  • Slider51Slider51 Michigan USA New
    edited March 2009
    Katana, I am going to have to log off for the evening - will continue tomorrow...
  • KatanaKatana
    edited March 2009
    Just glancing through those logs has given me an information overload as to why you should ask for your money back.

    It's half past midnight here, so I'm going to leave the bulk of my comments until tomorrow so that I can think straight.

    First, uninstall CyberDefender and ask them for your money back.
    Second call your credit card company and ask them to recall the payment.

    You paid for CyberDefender & support,

    There is no justification for ANY paid company to use the free tools of another company to do their job.
    The evidence of these programs being installed is in the log you posted. ( time and date )

    I'll be back tomorrow with some more info and things for you to do.
  • Slider51Slider51 Michigan USA New
    edited March 2009
    Thanks, that's all I needed to hear - I will begin that battle tomorrow, using this guarantee I found on their site. I am extremely upset with myself for having fallen into this trap - can I count on everyone's support to help me recover the money? Reading the blog and judging by other comments I am not the only person inflamed by this...but the exposure of this should help stop these guys...

    Slider

    yellow_box_top.jpgrisk_free.jpgSATISFACTION GUARANTEE: If for any reason you are not happy with your purchase, simply contact customer Support within 30 days, and we'll refund your purchase with no questions asked. CyberDefender is dedicated to client satisfaction and keeping you safe!
    Yes, I would like to receive free email updates, news and special offers from CyberDefender
    yellow_box_bottom.jpg
  • KatanaKatana
    edited March 2009
    Since you are going to try and get your money returned, I won't post any more comments here yet.

    I have removed your logs from view, but they are still on your machine at C:\RSIT\Log.txt should you need them.

    Please keep us informed of your progress, there are a lot of people interested in this issue.
  • Slider51Slider51 Michigan USA New
    edited March 2009
    I am going to give them one opportunity to make good on their "no questions asked" guarantee (above). If I get the runaround or any other gyrations from them, I'll turn everything I have over to you guys and you can make a spectacle of them. Let's see what happens...

    Slider
  • Slider51Slider51 Michigan USA New
    edited March 2009
    After 90 minutes on the phone with an India respresentative the best I could get was a promise to credit my account with $129.99 within 72 hours....I told them it was unacceptable, I felt I had been a victim of a rogue software infection/fix, that I didn't want any CyberDefender software on my computer now or ever again. The representative claims that the difference between the $249.99 and the 129.99 was for the work they did to fix my machine....I said I didn't appreciate them charging me to fix a problem that they likely concocted in the first place. I kept referring to their advertised gurantee of a no questions asked refund (see above) and they said they are living by by refunding me for just the software. Of course my receipt shows I paid $249.99...kept telling me that the gurantee is "only for the software" and not for the technical support they already rendered...

    It remains to be seen whether the $130 refund will show up on my credit card. As far as I'm concerned, I got scammed, and Cyber_defender is just as rogue as they have ever been.

    I welcome any questions or requests for more info - I am sick and tired of people getting in my wallet in any sleazy way they can dream up. Buyer beware!
  • Slider51Slider51 Michigan USA New
    edited March 2009
    Actually, Katana, I have given Cyber Defender their shot at handling this thing in a reasonable way - and the most they were willing to do was refund about half of the money that I paid them. Their "full refund guarantee" is worthless, as I have found out. I was oversold, steered away from less expensive fixes, made to believe that CyberDefender software was going to repair the trojan and then their own tech never used it. I am capable of keeping my machine running pretty clean if given the proper tools and an honest explanation of the problem. I sure as hell didn't need a suite of rogue software taking over my computer when all I wanted in the first place was to activate their "free" edition and have contain or kill the trojan. Any damage after that was up to me and I could have gotten through it.

    CD's comment that Ithe money they're keeping was for service already rendered is bull. At MOST, I could conceivably owe them ten bucks: one twelfth of the $120.00 portion of the money that supposedly was for the "service" portion. One month's worth, even though I only kept the service for 6 days. Bottom line, I hope there will be enough of an outrage about CD's rogue nature that they will do the right thing and refund the rest of my money. So, I guess this is me saying, go ahead, Katana, post whatever your ideas and opinions are regarding my scans, I'd like to know if I need to do more to rid my machine of whatever has taken place. Also feel free to repost the scans and share them as necessary to hopefully show the CD owners that they cannot get away with rogue activities, even with uninformed public such as myself - there are too many great forums and groups of people like Icrontic willing to help keep them out of our machines and our wallets.

    By the way, I'd like to donate any of the money over the $130.00 initial refund once it's recovered to this forum and the tireless people helping us everyday users out...

    Slider
  • KatanaKatana
    edited March 2009
    Slider51 wrote:
    I hope there will be enough of an outrage about CD's rogue nature that they will do the right thing and refund the rest of my money.

    http://hphosts.blogspot.com/2009/03/cyberdefender-want-your-money-back.html

    :)

    I'll post some info on a couple of points that I've noticed in you logs tomorrow, but here is a start ....

    the only saving grace is they seem to have removed any active infection.
    There are quite a few leftovers that in my opinion should have been removed , and there are a few other items that I think should be mentioned.

    The first thing that leaps out is this ......
    AV: Spyware Doctor with AntiVirus
    AV: AVG Anti-Virus Free
    AV: CyberDefender Internet Security
    Not only were you not informed that having more than one Antivirus installed is detrimental, they went and dropped a third on you !!
  • KatanaKatana
    edited March 2009
    Right, let's clean up some of the leftovers and then get another scan

    Backup the Registry
    • Download ERUNT to your desktop
    • Double-click on the file to install the program
    • Untick the NTREGOPT desktop shortcut option
    • Click No when you get the option to run Erunt at Windows startup.
    • During the installation, tick Launch Erunt
    • Accept the defaults for running a backup
    • Erunt will then backup your registry


    Create A Registry File
    Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
    Save it as "All Files" and name it Regfix.reg Please save it on your desktop.
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\control64]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CyberDefender Early Detection Center]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Diagnostic Manager]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWHeartbeatMonitor]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lpt]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysSupport]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Resurections]
    Make sure there are NO blank lines before REGEDIT4 and ONE blank line at the end/bottom
    Double click on Regfix.reg and click Yes at the prompt




    Kaspersky Online Scanner .
    Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
    NOTE:- This scan is best done from IE (Internet Explorer)
    NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
    Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

    Read the Requirements and limitations before you click Accept.
    Once the database has downloaded, click My Computer in the left pane
    Now go and put the kettle on !
    When the scan has completed, click Save Report As...
    Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

    Logs/Information to Post in Reply
    Please post the following logs/Information in your reply
    • A Fresh RSIT log (only one will be produced this time)
    • Kaspersky Log
  • Slider51Slider51 Michigan USA New
    edited March 2009
    Sounds good Katana--I'll have to do this later this evening when I have more time. Results to follow...and thank you!

    Slider
  • Slider51Slider51 Michigan USA New
    edited March 2009
    Just an update - getting too late to do the scans today, spent the time I had setting the credit card charge-back into motion...takes a few weeks but they don't get their money in the mean time...and of course no credit to my account has been made yet, even though a $129.99 credit was promised "within 72 hours"...it never ceases to amaze me how quickly they can charge your credit card, and how slow they are at refunding your money... sorry to delay this Katana, but I will give it the proper attention tomorrow...

    Slider
  • KatanaKatana
    edited April 2009
    Slider51 wrote:
    sorry to delay this Katana, but I will give it the proper attention tomorrow...

    Don't worry, I don't charge by the hour :bigggrin:
  • Slider51Slider51 Michigan USA New
    edited April 2009
    Get this - I needed to unistall the CyberDefender mess from my machine, and wanted to do it before I ran any more scans. There IS NO uninstall function! Anywhere in the CD folder! This whole suite is web-dependent via my "account" , it appears that none of this garbage is stand-alone. I logged in to my "account" and left a messgage with "tech support" to forward me uninstall instructions immediately...this reminds me of my first computer and how AOL took over my entire machine...I'm sort of stuck until I hear back from whoever in New Delhi...
  • KatanaKatana
    edited April 2009
    Have you looked in Add/Remove programs ?

    Your log shows that there should be an entry for CD
    CyberDefender Early Detection Center-->D:\cdinstx.exe /u
  • Slider51Slider51 Michigan USA New
    edited April 2009
    Well now that makes me look like a bloody fool, doesn't it? I have gotten incredibly lazy in my old age...Go to Start/My Programs? CyberDefender and just click the uninstall link....if it's not there it must be impossible to uninstall...(sheepish grin)


    Ahem....Cyber Defender has now left the machine...my bad...

    Scans in a few hours...
  • KatanaKatana
    edited April 2009
    Pobody's Nerfect :)
  • Slider51Slider51 Michigan USA New
    edited April 2009
    Here you go Katana...I disabled Spyware Doctor before the Kaspersky scan, then restarted it before I did the new RIS scan.

    Ummmm...wow...I'm beyond my capabilities reading these logs, but I sure hope all the infections in the Kasperky log are just remnants of previous detections and fixes...either way I'm amazed by the report! Slider
    KASPERSKY ONLINE SCANNER 7 REPORT
    Friday, April 3, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Friday, April 03, 2009 02:08:00
    Records in database: 2002414
    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes
    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    Scan statistics:
    Files scanned: 64732
    Threat name: 14
    Infected objects: 167
    Suspicious objects: 4
    Duration of the scan: 01:46:09

    File name / Threat name / Threats count
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{F6505928-8E1A-4BDA-8C17-68BFDB632DE1}\Microsoft\Outlook Express\Archive - MHW Sent Items.dbx Infected: Email-Worm.Win32.Zafi.b 1
    C:\Documents and Settings\Administrator\My Documents\My Pictures\Melissa\{F6505928-8E1A-4BDA-8C17-68BFDB632DE1}\Microsoft\Outlook Express\Archive - MHW Sent Items.dbx Infected: Email-Worm.Win32.Zafi.b 1
    C:\Documents and Settings\Administrator\Temp\{F6505928-8E1A-4BDA-8C17-68BFDB632DE1}\Microsoft\Outlook Express\Archive - MHW Sent Items.dbx Infected: Email-Worm.Win32.Zafi.b 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\0037195E.htm Infected: Trojan-Downloader.JS.Small.d 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\00524D23.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\032574E4.htm Suspicious: Exploit.HTML.DialogArg 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\08571830.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\09077EDC Infected: Trojan-Downloader.JS.IstBar.k 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\092C5953.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\0A375C82.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\0AFC2355.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\0B4B5D7E.htm Suspicious: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\0E453EE1.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\0E4F1EF9 Infected: Trojan-Downloader.VBS.Psyme.at 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\0EEA31EC.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\0EF42FE1.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\105F2BF2.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\10A073AA.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\10A944D5.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\10FE1B40.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\11155B29.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\11190525.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\11367F05.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\13F734DA.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\140B30C5.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\15960912.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\15A65B00.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\18A95BBF.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\18B427A4.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\18B851A1.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\18F91959.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\18F91959.php Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\196F5338.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\199B69C9.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\19AB3BB7.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\1ACD1D54.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\1B956103 Infected: Trojan-Downloader.JS.IstBar.j 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\1B980AFF Infected: Trojan-Downloader.JS.IstBar.j 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\1CCF4DB2.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\1CDF1FA0.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\1E67314C.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\1FCD4D7F.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\21CD3930.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\21EE5D0C.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\241C3312.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\241C3312.php Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\24853346.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\2559026E.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\2559026E.php Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\25B6055C.htm Suspicious: Exploit.HTML.DialogArg 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\25F42317.htm Suspicious: Exploit.HTML.DialogArg 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\2667552F.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\27043483.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\27384DF9 Infected: Trojan-Downloader.JS.Small.ag 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\276D576B.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\27EC5984.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\27FF556E.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\28100AB8.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\28F25BC0.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\29022DAE.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\2A2B1A67.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\2B794AA0.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\2B8D468B.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\31E36DC1.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\32B241F6.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\32B241F6.php Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\32C53DE0.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\36065036.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\36065036.php Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\36277412.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\36277412.php Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\381E35E9.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\381E35E9.php Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\383058F9.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\38D13B23.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\38DB3919.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\39040210.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\394A4C9E.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\394D1369.htm Infected: Exploit.VBS.Phel.j 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\39FE51D9.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\3AD712B2.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\3AE920D6.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\3AEC4AD2.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\3C6B2824 Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\3CC663D1.htm Infected: Trojan-Downloader.JS.Small.d 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\3F987EA5 Infected: Trojan-Downloader.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\3FC93DB2.htm Infected: Trojan-Downloader.JS.Small.d 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\42732212 Infected: Trojan-Downloader.JS.IstBar.j 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\42764C0E Infected: Trojan-Downloader.JS.IstBar.j 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\4287376A Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\44165B6C.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\44165B6C.php Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\4631355D.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\4923181F.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\4B122D22.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\4BEB0ECD.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\4C797782.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\4CBC0DE7.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\4CC037E3.php Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\4CD21465.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\4DF64C8E.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\4E3F03A4.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\4E3F03A4.php Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\4F1E6BA9.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\4F1E6BA9.php Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\4F2728A4.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\4F2728A4.php Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\4F65064B.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\4F7609F2.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\4F865BE0.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\4FC51690.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\51456250.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\520C6375.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\52780CE9.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\52CA66A4.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\559F4F86.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\55A84D7C.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\573000B9.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\582F66E0.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\58535477.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\58736186.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\58875D70.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\59317B83.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\5A555919.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\5AE14E9E Infected: Trojan-Downloader.JS.IstBar.j 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\5B711BD4 Infected: Email-Worm.Win32.Bagle.dk 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\5B8B5AA7.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\5B9E2E86.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\5BB22A71.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\5C587E0B.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\5D0F7244.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\5DD4458E.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\5DD4458E.php Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\5DD76F8A.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\5DD76F8A.php Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\5DF576F4.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\610E1F24.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\61271A39.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\613A1623.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\615D4134.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\61D77577.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\61E74765.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\63263338.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\63360526.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\637D19AA.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\67295726.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\672D7D44.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\672D7D44.php Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\69634964.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\6977454E.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\6A7968B7 Infected: Trojan-Downloader.VBS.Psyme.av 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\6C960750.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\6C960750.php Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\726541FF Infected: Trojan-Downloader.VBS.Psyme.at 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\726C15F8 Infected: Trojan.Win32.Favadd.l 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\73FC272C.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\73FC272C.php Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\74D13BBE.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\74D80FB6.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\76D82024.htm Infected: Trojan-Downloader.JS.Small.d 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\784833E9.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\784833E9.php Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\78FF2E07.htm Infected: Trojan-Downloader.JS.Small.d 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\7A5F5878.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\7A620274.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\7A6F2A66.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\7A725462.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\7ADC7028.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\7AEB06AF.htm Infected: Exploit.HTML.Mht 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\7B147160.htm Infected: Exploit.VBS.Phel.a 1
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine\7B25434E.htm Infected: Exploit.VBS.Phel.a 1
    The selected area was scanned.
    Logfile of random's system information tool 1.06 (written by random/random)
    Run by Administrator at 2009-04-03 09:58:58
    Microsoft Windows XP Professional Service Pack 3
    System drive C: has 202 GB (85%) free of 238 GB
    Total RAM: 1023 MB (50% free)
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:59:09 AM, on 4/3/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
    C:\Documents and Settings\Administrator\Desktop\RSIT.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\Program Files\Trend Micro\HijackThis\Administrator.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.attbi.com
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
    N3 - Netscape 7: # Mozilla User Preferences
    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */
    user_pref("aim.session.firsttime", false);
    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\ADMINISTRATOR\\APPLICATION DATA\\Mozilla\\Profiles\\default\\lxcunvvv.slt");
    user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
    user_pref("browser.startup.homepage_override.mstone", "rv:1.7.2");
    user_pref("dom.disable_open_during_load", true);
    user_pref("intl.charsetmenu.browser.cache", "us-ascii, UTF-8, windows-1252, ISO-8859-1");
    user_pref("mail
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096722207781
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140016650656
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MANDP.Local
    O17 - HKLM\Software\..\Telephony: DomainName = MANDP.Local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MANDP.Local
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: JavaQuickStarterService - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
    --
    End of file - 7671 bytes
    ======Registry dump======
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-03-27 1078552]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
    Yahoo! IE Services Button - C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 198136]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-02 320920]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2007-05-21 2403392]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll [2008-09-11 737776]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-02 34816]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
    JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-02 73728]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2007-05-21 2403392]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-03-27 1932568]
    "ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-12-08 1173384]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
    C:\WINDOWS\ALCWZRD.EXE [2004-05-17 2545664]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
    C:\WINDOWS\system32\HDAudPropShortcut.exe [2004-03-17 61952]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWOTOOLBOX]
    C:\Program Files\HP\HP Officejet Pro K850 Series\Toolbox\HPWOTBX.exe [2006-11-03 352256]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
    C:\Program Files\Spyware Doctor\pctsTray.exe [2008-12-08 1173384]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSSelectorReinstall]
    C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe [2007-02-22 2209224]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Panasonic Device Manager for Multi-Function Station software]
    C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe [2007-05-21 126976]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Panasonic Device Monitor Wakeup]
    C:\Program Files\Panasonic\Device Monitor\dmwakeup.exe [2006-11-02 303104]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Panasonic PCFAX for Multi-Function Station software]
    C:\Program Files\Panasonic\MFStation\KmPcFax.exe [2007-08-28 757760]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
    C:\PROGRA~1\Ahead\NEROPH~1\data\xtras\mssysmgr.exe [2004-05-12 196608]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe [2007-06-29 286720]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-08-30 68856]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3
    "WinDefend"=2
    "ThreatFire"=3
    "sdCoreService"=2
    "sdAuxService"=2
    "Panasonic Trap Monitor Service"=2
    "Panasonic Local Printer Service"=2
    "ose"=3
    "JavaQuickStarterService"=3
    "gusvc"=3
    "C-DillaCdaC11BA"=2
    "AVGEMS"=2
    "Avg7UpdSvc"=2
    "Avg7Alrt"=2
    "ATI Smart"=2
    "APC UPS Service"=2
    "AcrSch2Svc"=2
    "aawservice"=3
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    C:\WINDOWS\system32\Ati2evxx.dll [2004-04-21 86016]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
    C:\WINDOWS\system32\avgrsstx.dll [2009-03-27 10520]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "authentication packages"=msv1_0
    relog_ap
    "notification packages"=
    scecli
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=145
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "HonorAutoRunSetting"=
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    ======File associations======
    .scr - open - "C:\WINDOWS\notepad.exe" "%1"
    .scr - install -
    .scr - config -
    ======List of files/folders created in the last 1 months======
    2009-04-02 20:11:42 ----D---- C:\WINDOWS\ERDNT
    2009-04-02 20:10:47 ----D---- C:\Program Files\ERUNT
    2009-03-29 18:27:47 ----D---- C:\rsit
    2009-03-27 20:52:56 ----HD---- C:\$AVG8.VAULT$
    2009-03-27 20:07:07 ----A---- C:\WINDOWS\system32\avgrsstx.dll
    2009-03-27 20:06:44 ----D---- C:\Program Files\AVG
    2009-03-27 20:06:43 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
    2009-03-27 18:59:58 ----D---- C:\Program Files\Common Files\PC Tools
    2009-03-27 18:59:53 ----D---- C:\Program Files\Spyware Doctor
    2009-03-24 17:34:59 ----A---- C:\WINDOWS\st_affiliate.ini
    2009-03-24 17:25:33 ----D---- C:\Program Files\CyberDefender
    2009-03-24 17:10:39 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-03-24 17:09:27 ----D---- C:\Program Files\SUPERAntiSpyware
    2009-03-24 17:09:27 ----D---- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
    2009-03-24 16:55:31 ----D---- C:\Avenger
    2009-03-24 16:55:31 ----A---- C:\avenger.txt
    2009-03-24 16:37:46 ----D---- C:\WINDOWS\system32\CatRoot2
    2009-03-24 16:37:23 ----D---- C:\WINDOWS\temp
    2009-03-24 16:00:23 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2009-03-24 16:00:16 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2009-03-24 14:20:54 ----SHD---- C:\WINDOWS\CSC
    2009-03-12 20:55:40 ----A---- C:\WINDOWS\KmPcFax.INI
    2009-03-12 20:31:03 ----A---- C:\WINDOWS\system32\hpz3l42i.dll
    2009-03-11 15:52:11 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
    2009-03-11 15:52:05 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
    2009-03-11 15:51:03 ----HDC---- C:\WINDOWS\$NtUninstallKB959772_WM11$
    ======List of files/folders modified in the last 1 months======
    2009-04-03 09:59:00 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
    2009-04-03 09:57:35 ----D---- C:\WINDOWS\system32\drivers
    2009-04-03 00:20:26 ----A---- C:\WINDOWS\SchedLgU.Txt
    2009-04-02 21:09:15 ----D---- C:\WINDOWS\Prefetch
    2009-04-02 20:11:42 ----D---- C:\WINDOWS
    2009-04-02 20:10:47 ----RD---- C:\Program Files
    2009-04-01 01:35:59 ----A---- C:\WINDOWS\NeroDigital.ini
    2009-03-30 21:02:09 ----SD---- C:\WINDOWS\Tasks
    2009-03-27 20:07:07 ----D---- C:\WINDOWS\system32
    2009-03-27 20:06:30 ----SHD---- C:\WINDOWS\Installer
    2009-03-27 20:06:25 ----HD---- C:\Config.Msi
    2009-03-27 18:59:58 ----D---- C:\Program Files\Common Files
    2009-03-24 20:34:57 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2009-03-24 17:35:32 ----D---- C:\WINDOWS\SoftwareDistribution
    2009-03-24 17:35:32 ----D---- C:\WINDOWS\Help
    2009-03-24 17:35:30 ----HD---- C:\WINDOWS\inf
    2009-03-24 17:23:05 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
    2009-03-24 17:09:12 ----D---- C:\Program Files\Mozilla Firefox
    2009-03-24 16:54:53 ----D---- C:\WINDOWS\security
    2009-03-24 16:38:22 ----D---- C:\WINDOWS\system32\CatRoot
    2009-03-24 16:11:44 ----D---- C:\Program Files\Trend Micro
    2009-03-24 15:36:37 ----ASH---- C:\boot.ini
    2009-03-24 15:36:37 ----A---- C:\WINDOWS\win.ini
    2009-03-24 15:36:37 ----A---- C:\WINDOWS\system.ini
    2009-03-24 14:21:10 ----A---- C:\WINDOWS\ntbtlog.txt
    2009-03-23 19:48:28 ----D---- C:\WINDOWS\WinSxS
    2009-03-23 19:48:28 ----D---- C:\Program Files\Common Files\Microsoft Shared
    2009-03-12 20:28:49 ----D---- C:\Program Files\HP
    2009-03-11 15:52:08 ----A---- C:\WINDOWS\imsins.BAK
    2009-03-11 15:04:36 ----HD---- C:\WINDOWS\$hf_mig$
    2009-03-08 12:49:57 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
    R1 AvgArCln;Avg Anti-Rootkit Clean Driver; C:\WINDOWS\System32\DRIVERS\AvgArCln.sys [2007-01-18 3968]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-03-27 325640]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-03-27 27656]
    R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-03-30 108552]
    R1 InCDPass;InCDPass; C:\WINDOWS\System32\DRIVERS\InCDPass.sys [2004-09-13 28672]
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
    R1 pctgntdi;pctgntdi; \??\C:\WINDOWS\system32\drivers\pctgntdi.sys []
    R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-03-31 12032]
    R2 Aspi32;Aspi32; C:\WINDOWS\system32\drivers\Aspi32.sys [2002-08-14 17005]
    R2 CdaC15BA;CdaC15BA; \??\C:\WINDOWS\system32\drivers\CDAC15BA.SYS []
    R2 tifsfilter;Acronis True Image FS Filter; C:\WINDOWS\system32\DRIVERS\tifsfilt.sys [2007-06-20 39712]
    R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
    R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2004-04-21 729088]
    R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\System32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
    R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
    R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2004-05-17 2161792]
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
    R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\System32\DRIVERS\ASACPI.sys [2003-03-02 5755]
    R3 MVDCODEC;ATI WDM Specialized MVD Codec; C:\WINDOWS\System32\DRIVERS\atinmdxx.sys [2004-03-18 13824]
    R3 pctplsg;pctplsg; \??\C:\WINDOWS\system32\drivers\pctplsg.sys []
    R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2006-03-29 9856]
    R3 TfNetMon;TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys []
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
    R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Controller; C:\WINDOWS\System32\DRIVERS\yk51x86.sys [2004-06-01 178560]
    R4 InCDfs;InCD File System; C:\WINDOWS\system32\drivers\InCDfs.sys [2004-09-13 93440]
    S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
    S3 GAGPDrv;GAGPDrv; C:\WINDOWS\system32\drivers\GAGPDrv.sys []
    S3 GVCplDrv;GVCplDrv; C:\WINDOWS\system32\drivers\GVCplDrv.sys [2004-05-02 23040]
    S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2004-03-17 113664]
    S3 HidBatt;HID UPS Battery Driver; C:\WINDOWS\system32\DRIVERS\HidBatt.sys [2008-04-13 20352]
    S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
    S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
    S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2008-04-13 10880]
    S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2008-04-13 11136]
    S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2008-04-13 15232]
    S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
    S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
    S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
    S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
    S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
    R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-03-27 298264]
    R2 JavaQuickStarterService;JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-02 152984]
    R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
    R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-01-21 1095560]
    R3 ThreatFire;ThreatFire; C:\Program Files\Spyware Doctor\TFEngine\TFService.exe [2008-06-06 66880]
    S2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
    S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
    S4 aawservice;aawservice; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-25 611664]
    S4 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [2007-01-31 407072]
    S4 APC UPS Service;APC UPS Service; C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe [2002-10-15 155770]
    S4 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2004-04-21 397312]
    S4 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2004-04-21 516096]
    S4 C-DillaCdaC11BA;C-DillaCdaC11BA; C:\WINDOWS\system32\drivers\CDAC11BA.EXE [2004-10-09 54784]
    S4 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-21 138168]
    S4 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S4 Panasonic Local Printer Service;Panasonic Local Printer Service; C:\PROGRA~1\PANASO~1\LocalCom\lmsrvnt.exe [2004-08-03 36864]
    S4 Panasonic Trap Monitor Service;Panasonic Trap Monitor Service; C:\PROGRA~1\PANASO~1\TRAPMO~1\Trapmnnt.exe [2004-02-24 69632]
    S4 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
    EOF
  • KatanaKatana
    edited April 2009
    There's not actually much to worry about there, most of the items found have already been deleted from a Quarantine folder
    C:\RECYCLER\S-1-5-21-1614895754-1004336348-682003330-500\Dc21\Quarantine
    They should disappear when you empty the Recycle bin


    These are E-Mail Archives that are infected. At least, that is what they look like but they have curious file paths ?

    C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{F6505928-8E1A-4BDA-8C17-68BFDB632DE1}\Microsoft\Outlook Express\Archive - MHW Sent Items.dbx
    C:\Documents and Settings\Administrator\My Documents\My Pictures\Melissa\{F6505928-8E1A-4BDA-8C17-68BFDB632DE1}\Microsoft\Outlook Express\Archive - MHW Sent Items.dbx
    C:\Documents and Settings\Administrator\Temp\{F6505928-8E1A-4BDA-8C17-68BFDB632DE1}\Microsoft\Outlook Express\Archive - MHW Sent Items.dbx

    Unfortunately, you can't just delete the infected e-mail you will need to delete the entire archive.
  • Slider51Slider51 Michigan USA New
    edited April 2009
    I recognize the file path - a half-thought out attempt at storing some keepsake e-mails from my granddaughter in college, in the same folder as her pictures. Time to clean them out anyway, she graduated last year!

    Thanks for everything Katana - I'll do the clean up and run the scans one more time - if I see anything that worries me, I'll throw them up for you to look at.

    That is unless you had any other recommendations for me...I do notice a bit of a lag time in anything through IE, but my ISP's service is getting slower by the month as the price goes up anyway. Everything offline is crisp and quick.

    I want to take this opportunity to thank you personally an everyone at Icrontic for the bang up job you guys do...I would have never known for sure what actually took place with my first and last brush with the likes of CyberDefender if it hadn't been for you great people. It's a real comfort to know that the little guy has an ally out there. As I said before, I'd like to make a donation to help make sure you guys can continue the great work you do...if you'll PM me the details as to how to do that.

    Thanks everyone,

    Slider51
  • KatanaKatana
    edited April 2009
    Just a couple of things left to sort, your log still shows two Antivirus installed
    AVG and SpywareDoctor, I know I mentioned it previously but here is the full story .....

    First you should know that you're actually doing more harm than good by running more than one Anti Virus program.
    When you do this the programs compete for resources, and the end result is none does it's best and can cause system instability.
    It is best to have only ONE AntiVirus installed.

    Next, you need a good Anti-Spyware program ......

    AntiSpyware
      AntiSpyware is
    not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have a free (for Home Users ) and paid versions,
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
    [*]Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites

    [*] MalwareBytes Anti-malware <<< A New and effective program
    [*]a-squared Free <<< A good "realtime" or "on demand" scanner
    [*]superantispyware <<< A good "realtime" or "on demand" scanner


    Slider mentioned previously that he was "a Small Businessman", I have clarified that this is a personal machine that is primarily a Home Computer
    Other Users Please Note:-
    These programs are only Free For Home/Personal use.
    Please read the EULA (end-user license agreement) of any software that you install

    Now, .......

    CyberDefender is still showing in your log, so let's get rid of that.

    Fix With HJT

    Close all other windows and then start HiJack This (C:\Program Files\Trend Micro\HijackThis\Administrator.exe)
    Click Do A System Scan Only
    When it has finished scanning put a check next to the following lines IF still present
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
    Only fix this if you remove AVG8
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    - Close ALL open windows (especially Internet Explorer!)-
    Now click Fix checked
    Click yes to any prompts
    Close HijackThis

    As I said before, I'd like to make a donation to help make sure you guys can continue the great work you do
    The fact that you have posted about the problems you have had with CyberDefender has been an invaluable contribution.
    Any doubts we had about the company have now been proven.
    Many people do not like to admit that they made a mistake, so THANK YOU :)


    Please can you post a final RSIT log in your reply.
Sign In or Register to comment.